geode-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kl...@apache.org
Subject [22/40] geode git commit: GEODE-2632: consolidate different types of SecurityService
Date Thu, 15 Jun 2017 21:54:55 GMT
GEODE-2632: consolidate different types of SecurityService

* combine EnabledSecurityService and CustomSecurityService into IntegratedSecurityService
* combine DisabledSecurityService and LegacySecurityService
* combine ConfigInitializer and RealmInitializer
* provide default impelementations of SecurityService
* consolidate SecurityService creation.


Project: http://git-wip-us.apache.org/repos/asf/geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/geode/commit/5546a873
Tree: http://git-wip-us.apache.org/repos/asf/geode/tree/5546a873
Diff: http://git-wip-us.apache.org/repos/asf/geode/diff/5546a873

Branch: refs/heads/feature/GEODE-2980
Commit: 5546a8732203baec09fd3922a8e4cb86e5048492
Parents: dd90c71
Author: Jinmei Liao <jiliao@pivotal.io>
Authored: Fri Jun 9 12:29:10 2017 -0700
Committer: Jinmei Liao <jiliao@pivotal.io>
Committed: Thu Jun 15 11:32:30 2017 -0700

----------------------------------------------------------------------
 .../internal/InternalDistributedSystem.java     |  62 +--
 .../geode/internal/cache/GemFireCacheImpl.java  |   2 -
 .../internal/security/CallbackInstantiator.java |  28 ++
 .../security/CustomSecurityService.java         | 346 ----------------
 .../security/DisabledSecurityService.java       | 221 -----------
 .../security/EnabledSecurityService.java        | 393 -------------------
 .../security/IntegratedSecurityService.java     | 374 ++++++++++++++++++
 .../security/LegacySecurityService.java         | 186 +--------
 .../internal/security/SecurityService.java      |  99 +++--
 .../security/SecurityServiceFactory.java        | 188 +++------
 .../internal/security/SecurityServiceType.java  |  28 --
 .../security/shiro/ConfigInitializer.java       |  43 --
 .../security/shiro/CustomAuthRealm.java         |  19 +-
 .../security/shiro/RealmInitializer.java        |  54 ---
 .../security/shiro/SecurityManagerProvider.java |  83 ++++
 .../membership/MembershipJUnitTest.java         |   3 -
 .../security/DisabledSecurityServiceTest.java   | 164 --------
 .../security/EnabledSecurityServiceTest.java    | 184 ---------
 .../internal/security/FakePostProcessor.java    | 103 -----
 .../internal/security/FakeSecurityManager.java  | 103 -----
 ...ntegratedSecurityServiceConstructorTest.java |  93 +++++
 .../security/IntegratedSecurityServiceTest.java | 166 ++++++++
 .../security/LegacySecurityServiceTest.java     |  58 +++
 ...urityServiceFactoryShiroIntegrationTest.java |  38 +-
 .../security/SecurityServiceFactoryTest.java    | 314 ++++++---------
 .../internal/security/SecurityServiceTest.java  |  21 +-
 .../shiro/ConfigInitializerIntegrationTest.java |  91 -----
 ...tyServiceWithCustomRealmIntegrationTest.java |   2 +-
 ...urityServiceWithShiroIniIntegrationTest.java |   2 +-
 .../CacheFactoryWithSecurityObjectTest.java     |  68 +++-
 ...SecurityManagerLifecycleDistributedTest.java |   4 +-
 .../apache/geode/tools/pulse/tests/Server.java  |  19 +-
 .../tools/pulse/tests/rules/ServerRule.java     |   6 +-
 33 files changed, 1161 insertions(+), 2404 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalDistributedSystem.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalDistributedSystem.java b/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalDistributedSystem.java
index 22edb6f..85f9146 100644
--- a/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalDistributedSystem.java
+++ b/geode-core/src/main/java/org/apache/geode/distributed/internal/InternalDistributedSystem.java
@@ -15,35 +15,8 @@
 
 package org.apache.geode.distributed.internal;
 
-import static org.apache.geode.distributed.ConfigurationProperties.*;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.Reader;
-import java.lang.reflect.Array;
-import java.net.InetAddress;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.LinkedHashSet;
-import java.util.List;
-import java.util.Properties;
-import java.util.Set;
-import java.util.SortedSet;
-import java.util.StringTokenizer;
-import java.util.TreeSet;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.CopyOnWriteArrayList;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.atomic.AtomicLong;
-import java.util.concurrent.atomic.AtomicReference;
-
-import org.apache.geode.cache.CacheXmlException;
-import org.apache.geode.internal.security.SecurityService;
-import org.apache.geode.internal.security.SecurityServiceFactory;
-import org.apache.geode.security.PostProcessor;
-import org.apache.logging.log4j.Logger;
+import static org.apache.geode.distributed.ConfigurationProperties.LOCATORS;
+import static org.apache.geode.distributed.ConfigurationProperties.MCAST_PORT;
 
 import org.apache.geode.CancelCriterion;
 import org.apache.geode.CancelException;
@@ -60,6 +33,7 @@ import org.apache.geode.SystemFailure;
 import org.apache.geode.admin.AlertLevel;
 import org.apache.geode.cache.CacheClosedException;
 import org.apache.geode.cache.CacheFactory;
+import org.apache.geode.cache.CacheXmlException;
 import org.apache.geode.cache.execute.internal.FunctionServiceManager;
 import org.apache.geode.cache.server.CacheServer;
 import org.apache.geode.distributed.DistributedMember;
@@ -100,6 +74,8 @@ import org.apache.geode.internal.logging.log4j.LogWriterAppenders;
 import org.apache.geode.internal.net.SocketCreatorFactory;
 import org.apache.geode.internal.offheap.MemoryAllocator;
 import org.apache.geode.internal.offheap.OffHeapStorage;
+import org.apache.geode.internal.security.SecurityService;
+import org.apache.geode.internal.security.SecurityServiceFactory;
 import org.apache.geode.internal.statistics.DummyStatisticsImpl;
 import org.apache.geode.internal.statistics.GemFireStatSampler;
 import org.apache.geode.internal.statistics.LocalStatisticsImpl;
@@ -111,7 +87,31 @@ import org.apache.geode.internal.statistics.platform.OsStatisticsFactory;
 import org.apache.geode.internal.tcp.ConnectionTable;
 import org.apache.geode.management.ManagementException;
 import org.apache.geode.security.GemFireSecurityException;
+import org.apache.geode.security.PostProcessor;
 import org.apache.geode.security.SecurityManager;
+import org.apache.logging.log4j.Logger;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.Reader;
+import java.lang.reflect.Array;
+import java.net.InetAddress;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Set;
+import java.util.SortedSet;
+import java.util.StringTokenizer;
+import java.util.TreeSet;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicLong;
+import java.util.concurrent.atomic.AtomicReference;
 
 /**
  * The concrete implementation of {@link DistributedSystem} that provides internal-only
@@ -586,8 +586,8 @@ public class InternalDistributedSystem extends DistributedSystem
 
     this.config = new RuntimeDistributionConfigImpl(this);
 
-    this.securityService =
-        SecurityServiceFactory.create(this.config, securityManager, postProcessor);
+    this.securityService = SecurityServiceFactory.create(this.config.getSecurityProps(),
+        securityManager, postProcessor);
 
     if (!this.isLoner) {
       this.attemptingToReconnect = (reconnectAttemptCounter > 0);

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/cache/GemFireCacheImpl.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/cache/GemFireCacheImpl.java b/geode-core/src/main/java/org/apache/geode/internal/cache/GemFireCacheImpl.java
index 40df0c7..5eaa5a4 100755
--- a/geode-core/src/main/java/org/apache/geode/internal/cache/GemFireCacheImpl.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/cache/GemFireCacheImpl.java
@@ -126,7 +126,6 @@ import org.apache.geode.cache.client.PoolFactory;
 import org.apache.geode.cache.client.PoolManager;
 import org.apache.geode.cache.client.internal.ClientMetadataService;
 import org.apache.geode.cache.client.internal.ClientRegionFactoryImpl;
-import org.apache.geode.cache.client.internal.ConnectionImpl;
 import org.apache.geode.cache.client.internal.InternalClientCache;
 import org.apache.geode.cache.client.internal.PoolImpl;
 import org.apache.geode.cache.control.ResourceManager;
@@ -213,7 +212,6 @@ import org.apache.geode.internal.net.SocketCreator;
 import org.apache.geode.internal.offheap.MemoryAllocator;
 import org.apache.geode.internal.process.ClusterConfigurationNotAvailableException;
 import org.apache.geode.internal.security.SecurityService;
-import org.apache.geode.internal.security.SecurityServiceFactory;
 import org.apache.geode.internal.sequencelog.SequenceLoggerImpl;
 import org.apache.geode.internal.tcp.ConnectionTable;
 import org.apache.geode.internal.util.concurrent.FutureResult;

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/CallbackInstantiator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/CallbackInstantiator.java b/geode-core/src/main/java/org/apache/geode/internal/security/CallbackInstantiator.java
index 3ff632d..2cb8d08 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/security/CallbackInstantiator.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/CallbackInstantiator.java
@@ -14,12 +14,18 @@
  */
 package org.apache.geode.internal.security;
 
+import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER;
+import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_POST_PROCESSOR;
 import static org.apache.geode.internal.ClassLoadUtil.classFromName;
 import static org.apache.geode.internal.ClassLoadUtil.methodFromName;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.geode.security.GemFireSecurityException;
+import org.apache.geode.security.PostProcessor;
+import org.apache.geode.security.SecurityManager;
 
 import java.lang.reflect.Method;
+import java.util.Properties;
 
 /**
  * Utility methods for instantiating security callback objects by reflection.
@@ -50,6 +56,28 @@ public class CallbackInstantiator {
     }
   }
 
+  public static SecurityManager getSecurityManager(Properties properties) {
+    String securityManagerConfig = properties.getProperty(SECURITY_MANAGER);
+    if (StringUtils.isBlank(securityManagerConfig)) {
+      return null;
+    }
+    SecurityManager securityManager =
+        getObjectOfTypeFromClassName(securityManagerConfig, SecurityManager.class);
+    securityManager.init(properties);
+    return securityManager;
+  }
+
+  public static PostProcessor getPostProcessor(Properties properties) {
+    String postProcessorConfig = properties.getProperty(SECURITY_POST_PROCESSOR);
+    if (StringUtils.isBlank(postProcessorConfig)) {
+      return null;
+    }
+    PostProcessor postProcessor =
+        getObjectOfTypeFromClassName(postProcessorConfig, PostProcessor.class);
+    postProcessor.init(properties);
+    return postProcessor;
+  }
+
   /**
    * this method would never return null, it either throws an exception or returns an object
    */

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/CustomSecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/CustomSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/CustomSecurityService.java
deleted file mode 100644
index 0ba1cb6..0000000
--- a/geode-core/src/main/java/org/apache/geode/internal/security/CustomSecurityService.java
+++ /dev/null
@@ -1,346 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.internal.security;
-
-import org.apache.commons.lang.SerializationException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.geode.GemFireIOException;
-import org.apache.geode.internal.cache.EntryEventImpl;
-import org.apache.geode.internal.logging.LogService;
-import org.apache.geode.internal.security.shiro.GeodeAuthenticationToken;
-import org.apache.geode.internal.security.shiro.ShiroPrincipal;
-import org.apache.geode.internal.util.BlobHelper;
-import org.apache.geode.security.AuthenticationFailedException;
-import org.apache.geode.security.GemFireSecurityException;
-import org.apache.geode.security.NotAuthorizedException;
-import org.apache.geode.security.PostProcessor;
-import org.apache.geode.security.ResourcePermission;
-import org.apache.geode.security.ResourcePermission.Operation;
-import org.apache.geode.security.ResourcePermission.Resource;
-import org.apache.geode.security.ResourcePermission.Target;
-import org.apache.geode.security.SecurityManager;
-import org.apache.logging.log4j.Logger;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.subject.support.SubjectThreadState;
-import org.apache.shiro.util.ThreadContext;
-import org.apache.shiro.util.ThreadState;
-
-import java.io.IOException;
-import java.io.Serializable;
-import java.security.AccessController;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.Callable;
-
-public class CustomSecurityService implements SecurityService {
-  private static Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME);
-
-  private final PostProcessor postProcessor;
-
-  CustomSecurityService(PostProcessor postProcessor) {
-    this.postProcessor = postProcessor;
-  }
-
-  @Override
-  public void initSecurity(final Properties securityProps) {
-    if (this.postProcessor != null) {
-      this.postProcessor.init(securityProps);
-    }
-  }
-
-  @Override
-  public ThreadState bindSubject(final Subject subject) {
-    if (subject == null) {
-      return null;
-    }
-
-    ThreadState threadState = new SubjectThreadState(subject);
-    threadState.bind();
-    return threadState;
-  }
-
-  @Override
-  public Subject getSubject() {
-    Subject currentUser;
-
-    // First try get the principal out of AccessControlContext instead of Shiro's Thread context
-    // since threads can be shared between JMX clients.
-    javax.security.auth.Subject jmxSubject =
-        javax.security.auth.Subject.getSubject(AccessController.getContext());
-
-    if (jmxSubject != null) {
-      Set<ShiroPrincipal> principals = jmxSubject.getPrincipals(ShiroPrincipal.class);
-      if (principals.size() > 0) {
-        ShiroPrincipal principal = principals.iterator().next();
-        currentUser = principal.getSubject();
-        ThreadContext.bind(currentUser);
-        return currentUser;
-      }
-    }
-
-    // in other cases like rest call, client operations, we get it from the current thread
-    currentUser = SecurityUtils.getSubject();
-
-    if (currentUser == null || currentUser.getPrincipal() == null) {
-      throw new GemFireSecurityException("Error: Anonymous User");
-    }
-
-    return currentUser;
-  }
-
-  @Override
-  public Subject login(final Properties credentials) {
-    if (credentials == null) {
-      return null;
-    }
-
-    // this makes sure it starts with a clean user object
-    ThreadContext.remove();
-
-    Subject currentUser = SecurityUtils.getSubject();
-    GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials);
-    try {
-      logger.debug("Logging in " + token.getPrincipal());
-      currentUser.login(token);
-    } catch (ShiroException e) {
-      logger.info(e.getMessage(), e);
-      throw new AuthenticationFailedException(
-          "Authentication error. Please check your credentials.", e);
-    }
-
-    return currentUser;
-  }
-
-  @Override
-  public void logout() {
-    Subject currentUser = getSubject();
-    if (currentUser == null) {
-      return;
-    }
-
-    try {
-      logger.debug("Logging out " + currentUser.getPrincipal());
-      currentUser.logout();
-    } catch (ShiroException e) {
-      logger.info(e.getMessage(), e);
-      throw new GemFireSecurityException(e.getMessage(), e);
-    }
-    // clean out Shiro's thread local content
-    ThreadContext.remove();
-  }
-
-  @Override
-  public Callable associateWith(final Callable callable) {
-    Subject currentUser = getSubject();
-    if (currentUser == null) {
-      return callable;
-    }
-
-    return currentUser.associateWith(callable);
-  }
-
-  public void authorizeClusterManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeClusterWrite() {
-    authorize(Resource.CLUSTER, Operation.WRITE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeClusterRead() {
-    authorize(Resource.CLUSTER, Operation.READ, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDataManage() {
-    authorize(Resource.DATA, Operation.MANAGE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDataWrite() {
-    authorize(Resource.DATA, Operation.WRITE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDataRead() {
-    authorize(Resource.DATA, Operation.READ, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDiskManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.DISK, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeGatewayManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.GATEWAY, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeJarManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.JAR, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeQueryManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName) {
-    authorize(Resource.DATA, Operation.MANAGE, regionName, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName, final String key) {
-    authorize(Resource.DATA, Operation.MANAGE, regionName, key);
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName) {
-    authorize(Resource.DATA, Operation.WRITE, regionName, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName, final String key) {
-    authorize(Resource.DATA, Operation.WRITE, regionName, key);
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName) {
-    authorize(Resource.DATA, Operation.READ, regionName, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName, final String key) {
-    authorize(Resource.DATA, Operation.READ, regionName, key);
-  }
-
-  public void authorize(Resource resource, Operation operation, ResourcePermission.Target target,
-      String key) {
-    authorize(resource, operation, target.getName(), key);
-  }
-
-  public void authorize(Resource resource, Operation operation, ResourcePermission.Target target) {
-    authorize(resource, operation, target, ResourcePermission.ALL);
-  }
-
-  public void authorize(Resource resource, Operation operation, String target, String key) {
-    authorize(new ResourcePermission(resource, operation, target, key));
-  }
-
-  @Override
-  public void authorize(final ResourcePermission context) {
-    Subject currentUser = getSubject();
-    if (currentUser == null) {
-      return;
-    }
-    if (context == null) {
-      return;
-    }
-    if (context.getResource() == Resource.NULL && context.getOperation() == Operation.NULL) {
-      return;
-    }
-
-    try {
-      currentUser.checkPermission(context);
-    } catch (ShiroException e) {
-      String msg = currentUser.getPrincipal() + " not authorized for " + context;
-      logger.info(msg);
-      throw new NotAuthorizedException(msg, e);
-    }
-  }
-
-  @Override
-  public void close() {
-    ThreadContext.remove();
-    SecurityUtils.setSecurityManager(null);
-  }
-
-  @Override
-  public boolean needPostProcess() {
-    return this.postProcessor != null;
-  }
-
-  @Override
-  public Object postProcess(final String regionPath, final Object key, final Object value,
-      final boolean valueIsSerialized) {
-    return postProcess(null, regionPath, key, value, valueIsSerialized);
-  }
-
-  @Override
-  public Object postProcess(Object principal, final String regionPath, final Object key,
-      final Object value, final boolean valueIsSerialized) {
-    if (!needPostProcess()) {
-      return value;
-    }
-
-    if (principal == null) {
-      Subject subject = getSubject();
-      if (subject == null) {
-        return value;
-      }
-      principal = (Serializable) subject.getPrincipal();
-    }
-
-    String regionName = StringUtils.stripStart(regionPath, "/");
-    Object newValue;
-
-    // if the data is a byte array, but the data itself is supposed to be an object, we need to
-    // deserialize it before we pass it to the callback.
-    if (valueIsSerialized && value instanceof byte[]) {
-      try {
-        Object oldObj = EntryEventImpl.deserialize((byte[]) value);
-        Object newObj = this.postProcessor.processRegionValue(principal, regionName, key, oldObj);
-        newValue = BlobHelper.serializeToBlob(newObj);
-      } catch (IOException | SerializationException e) {
-        throw new GemFireIOException("Exception de/serializing entry value", e);
-      }
-    } else {
-      newValue = this.postProcessor.processRegionValue(principal, regionName, key, value);
-    }
-
-    return newValue;
-  }
-
-  @Override
-  public boolean isClientSecurityRequired() {
-    return true;
-  }
-
-  @Override
-  public boolean isIntegratedSecurity() {
-    return true;
-  }
-
-  @Override
-  public boolean isPeerSecurityRequired() {
-    return true;
-  }
-
-  @Override
-  public SecurityManager getSecurityManager() {
-    return null;
-  }
-
-  @Override
-  public PostProcessor getPostProcessor() {
-    return this.postProcessor;
-  }
-}

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/DisabledSecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/DisabledSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/DisabledSecurityService.java
deleted file mode 100644
index b505690..0000000
--- a/geode-core/src/main/java/org/apache/geode/internal/security/DisabledSecurityService.java
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.internal.security;
-
-import org.apache.geode.security.PostProcessor;
-import org.apache.geode.security.ResourcePermission;
-import org.apache.geode.security.SecurityManager;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.subject.support.SubjectThreadState;
-import org.apache.shiro.util.ThreadState;
-
-import java.util.Properties;
-import java.util.concurrent.Callable;
-
-/**
- * No-op security service that does nothing.
- */
-public class DisabledSecurityService implements SecurityService {
-
-  public DisabledSecurityService() {
-    // nothing
-  }
-
-  @Override
-  public void initSecurity(final Properties securityProps) {
-    // nothing
-  }
-
-  @Override
-  public ThreadState bindSubject(final Subject subject) {
-    if (subject == null) {
-      return null;
-    }
-
-    ThreadState threadState = new SubjectThreadState(subject);
-    threadState.bind();
-    return threadState;
-  }
-
-  @Override
-  public Subject getSubject() {
-    return null;
-  }
-
-  @Override
-  public Subject login(final Properties credentials) {
-    return null;
-  }
-
-  @Override
-  public void logout() {
-    // nothing
-  }
-
-  @Override
-  public Callable associateWith(final Callable callable) {
-    return callable;
-  }
-
-  @Override
-  public void authorize(ResourcePermission.Resource resource,
-      ResourcePermission.Operation operation, String target, String key) {
-
-  }
-
-  @Override
-  public void authorize(ResourcePermission.Resource resource,
-      ResourcePermission.Operation operation, ResourcePermission.Target target, String key) {
-
-  }
-
-  @Override
-  public void authorize(ResourcePermission.Resource resource,
-      ResourcePermission.Operation operation, ResourcePermission.Target target) {
-
-  }
-
-  @Override
-  public void authorizeClusterManage() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeClusterWrite() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeClusterRead() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDataManage() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDataWrite() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDataRead() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDiskManage() {
-
-  }
-
-  @Override
-  public void authorizeGatewayManage() {
-
-  }
-
-  @Override
-  public void authorizeJarManage() {
-
-  }
-
-  @Override
-  public void authorizeQueryManage() {
-
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName, final String key) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName, final String key) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName, final String key) {
-    // nothing
-  }
-
-  @Override
-  public void authorize(final ResourcePermission context) {
-    // nothing
-  }
-
-  @Override
-  public void close() {
-    // nothing
-  }
-
-  @Override
-  public boolean needPostProcess() {
-    return false;
-  }
-
-  @Override
-  public Object postProcess(final String regionPath, final Object key, final Object value,
-      final boolean valueIsSerialized) {
-    return value;
-  }
-
-  @Override
-  public Object postProcess(final Object principal, final String regionPath, final Object key,
-      final Object value, final boolean valueIsSerialized) {
-    return value;
-  }
-
-  @Override
-  public boolean isClientSecurityRequired() {
-    return false;
-  }
-
-  @Override
-  public boolean isIntegratedSecurity() {
-    return false;
-  }
-
-  @Override
-  public boolean isPeerSecurityRequired() {
-    return false;
-  }
-
-  @Override
-  public SecurityManager getSecurityManager() {
-    return null;
-  }
-
-  @Override
-  public PostProcessor getPostProcessor() {
-    return null;
-  }
-}

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/EnabledSecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/EnabledSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/EnabledSecurityService.java
deleted file mode 100644
index f0568c0..0000000
--- a/geode-core/src/main/java/org/apache/geode/internal/security/EnabledSecurityService.java
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.internal.security;
-
-import org.apache.commons.lang.SerializationException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.geode.GemFireIOException;
-import org.apache.geode.internal.cache.EntryEventImpl;
-import org.apache.geode.internal.logging.LogService;
-import org.apache.geode.internal.security.shiro.GeodeAuthenticationToken;
-import org.apache.geode.internal.security.shiro.RealmInitializer;
-import org.apache.geode.internal.security.shiro.ShiroPrincipal;
-import org.apache.geode.internal.util.BlobHelper;
-import org.apache.geode.management.internal.security.ResourceOperation;
-import org.apache.geode.security.AuthenticationFailedException;
-import org.apache.geode.security.GemFireSecurityException;
-import org.apache.geode.security.NotAuthorizedException;
-import org.apache.geode.security.PostProcessor;
-import org.apache.geode.security.ResourcePermission;
-import org.apache.geode.security.ResourcePermission.Operation;
-import org.apache.geode.security.ResourcePermission.Resource;
-import org.apache.geode.security.ResourcePermission.Target;
-import org.apache.geode.security.SecurityManager;
-import org.apache.logging.log4j.Logger;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.ShiroException;
-import org.apache.shiro.subject.Subject;
-import org.apache.shiro.subject.support.SubjectThreadState;
-import org.apache.shiro.util.ThreadContext;
-import org.apache.shiro.util.ThreadState;
-
-import java.io.IOException;
-import java.io.Serializable;
-import java.security.AccessController;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.Callable;
-
-/**
- * Security service with SecurityManager and an optional PostProcessor.
- */
-public class EnabledSecurityService implements SecurityService {
-  private static Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME);
-
-  private final SecurityManager securityManager;
-
-  private final PostProcessor postProcessor;
-
-  EnabledSecurityService(final SecurityManager securityManager, final PostProcessor postProcessor,
-      final RealmInitializer realmInitializer) {
-    this.securityManager = securityManager;
-    this.postProcessor = postProcessor;
-    realmInitializer.initialize(this.securityManager);
-  }
-
-  @Override
-  public void initSecurity(final Properties securityProps) {
-    this.securityManager.init(securityProps);
-    if (this.postProcessor != null) {
-      this.postProcessor.init(securityProps);
-    }
-  }
-
-  /**
-   * It first looks the shiro subject in AccessControlContext since JMX will use multiple threads to
-   * process operations from the same client, then it looks into Shiro's thead context.
-   *
-   * @return the shiro subject, null if security is not enabled
-   */
-  @Override
-  public Subject getSubject() {
-    Subject currentUser;
-
-    // First try get the principal out of AccessControlContext instead of Shiro's Thread context
-    // since threads can be shared between JMX clients.
-    javax.security.auth.Subject jmxSubject =
-        javax.security.auth.Subject.getSubject(AccessController.getContext());
-
-    if (jmxSubject != null) {
-      Set<ShiroPrincipal> principals = jmxSubject.getPrincipals(ShiroPrincipal.class);
-      if (!principals.isEmpty()) {
-        ShiroPrincipal principal = principals.iterator().next();
-        currentUser = principal.getSubject();
-        ThreadContext.bind(currentUser);
-        return currentUser;
-      }
-    }
-
-    // in other cases like rest call, client operations, we get it from the current thread
-    currentUser = SecurityUtils.getSubject();
-
-    if (currentUser == null || currentUser.getPrincipal() == null) {
-      throw new GemFireSecurityException("Error: Anonymous User");
-    }
-
-    return currentUser;
-  }
-
-  /**
-   * @return null if security is not enabled, otherwise return a shiro subject
-   */
-  @Override
-  public Subject login(final Properties credentials) {
-    if (credentials == null) {
-      return null;
-    }
-
-    // this makes sure it starts with a clean user object
-    ThreadContext.remove();
-
-    Subject currentUser = SecurityUtils.getSubject();
-    GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials);
-    try {
-      logger.info("Logging in " + token.getPrincipal());
-      currentUser.login(token);
-    } catch (ShiroException e) {
-      logger.info(e.getMessage(), e);
-      throw new AuthenticationFailedException(
-          "Authentication error. Please check your credentials.", e);
-    }
-
-    return currentUser;
-  }
-
-  @Override
-  public void logout() {
-    Subject currentUser = getSubject();
-    if (currentUser == null) {
-      return;
-    }
-
-    try {
-      logger.info("Logging out " + currentUser.getPrincipal());
-      currentUser.logout();
-    } catch (ShiroException e) {
-      logger.info(e.getMessage(), e);
-      throw new GemFireSecurityException(e.getMessage(), e);
-    }
-
-    // clean out Shiro's thread local content
-    ThreadContext.remove();
-  }
-
-  @Override
-  public Callable associateWith(final Callable callable) {
-    Subject currentUser = getSubject();
-    if (currentUser == null) {
-      return callable;
-    }
-
-    return currentUser.associateWith(callable);
-  }
-
-  /**
-   * Binds the passed-in subject to the executing thread. Usage:
-   *
-   * <pre>
-   * ThreadState state = null;
-   * try {
-   *   state = securityService.bindSubject(subject);
-   *   // do the rest of the work as this subject
-   * } finally {
-   *   if (state != null)
-   *     state.clear();
-   * }
-   * </pre>
-   */
-  @Override
-  public ThreadState bindSubject(final Subject subject) {
-    if (subject == null) {
-      return null;
-    }
-
-    ThreadState threadState = new SubjectThreadState(subject);
-    threadState.bind();
-    return threadState;
-  }
-
-  public void authorizeClusterManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeClusterWrite() {
-    authorize(Resource.CLUSTER, Operation.WRITE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeClusterRead() {
-    authorize(Resource.CLUSTER, Operation.READ, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDataManage() {
-    authorize(Resource.DATA, Operation.MANAGE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDataWrite() {
-    authorize(Resource.DATA, Operation.WRITE, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDataRead() {
-    authorize(Resource.DATA, Operation.READ, Target.ALL, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeDiskManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.DISK, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeGatewayManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.GATEWAY, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeJarManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.JAR, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeQueryManage() {
-    authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName) {
-    authorize(Resource.DATA, Operation.MANAGE, regionName, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName, final String key) {
-    authorize(Resource.DATA, Operation.MANAGE, regionName, key);
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName) {
-    authorize(Resource.DATA, Operation.WRITE, regionName, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName, final String key) {
-    authorize(Resource.DATA, Operation.WRITE, regionName, key);
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName) {
-    authorize(Resource.DATA, Operation.READ, regionName, ResourcePermission.ALL);
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName, final String key) {
-    authorize(Resource.DATA, Operation.READ, regionName, key);
-  }
-
-  public void authorize(Resource resource, Operation operation, Target target, String key) {
-    authorize(resource, operation, target.getName(), key);
-  }
-
-  public void authorize(Resource resource, Operation operation, Target target) {
-    authorize(resource, operation, target, ResourcePermission.ALL);
-  }
-
-  public void authorize(Resource resource, Operation operation, String target, String key) {
-    authorize(new ResourcePermission(resource, operation, target, key));
-  }
-
-  @Override
-  public void authorize(final ResourcePermission context) {
-    if (context == null) {
-      return;
-    }
-    if (context.getResource() == Resource.NULL && context.getOperation() == Operation.NULL) {
-      return;
-    }
-
-    // if currentUser is null, let it throw NPE, since in a EnabledSecurityService,
-    // user can not be null
-    Subject currentUser = getSubject();
-
-    try {
-      currentUser.checkPermission(context);
-    } catch (ShiroException e) {
-      String msg = currentUser.getPrincipal() + " not authorized for " + context;
-      logger.info(msg);
-      throw new NotAuthorizedException(msg, e);
-    }
-  }
-
-  @Override
-  public void close() {
-    if (this.securityManager != null) {
-      this.securityManager.close();
-    }
-
-    if (this.postProcessor != null) {
-      this.postProcessor.close();
-    }
-
-    ThreadContext.remove();
-    SecurityUtils.setSecurityManager(null);
-  }
-
-  /**
-   * postProcess call already has this logic built in, you don't need to call this everytime you
-   * call postProcess. But if your postProcess is pretty involved with preparations and you need to
-   * bypass it entirely, call this first.
-   */
-  @Override
-  public boolean needPostProcess() {
-    return this.postProcessor != null;
-  }
-
-  @Override
-  public Object postProcess(final String regionPath, final Object key, final Object value,
-      final boolean valueIsSerialized) {
-    return postProcess(null, regionPath, key, value, valueIsSerialized);
-  }
-
-  @Override
-  public Object postProcess(Object principal, final String regionPath, final Object key,
-      final Object value, final boolean valueIsSerialized) {
-    if (!needPostProcess()) {
-      return value;
-    }
-
-    if (principal == null) {
-      Subject subject = getSubject();
-      if (subject == null) {
-        return value;
-      }
-      principal = (Serializable) subject.getPrincipal();
-    }
-
-    String regionName = StringUtils.stripStart(regionPath, "/");
-    Object newValue;
-
-    // if the data is a byte array, but the data itself is supposed to be an object, we need to
-    // deserialize it before we pass it to the callback.
-    if (valueIsSerialized && value instanceof byte[]) {
-      try {
-        Object oldObj = EntryEventImpl.deserialize((byte[]) value);
-        Object newObj = this.postProcessor.processRegionValue(principal, regionName, key, oldObj);
-        newValue = BlobHelper.serializeToBlob(newObj);
-      } catch (IOException | SerializationException e) {
-        throw new GemFireIOException("Exception de/serializing entry value", e);
-      }
-    } else {
-      newValue = this.postProcessor.processRegionValue(principal, regionName, key, value);
-    }
-
-    return newValue;
-  }
-
-  @Override
-  public SecurityManager getSecurityManager() {
-    return this.securityManager;
-  }
-
-  @Override
-  public PostProcessor getPostProcessor() {
-    return this.postProcessor;
-  }
-
-  @Override
-  public boolean isIntegratedSecurity() {
-    return true;
-  }
-
-  @Override
-  public boolean isClientSecurityRequired() {
-    return true;
-  }
-
-  @Override
-  public boolean isPeerSecurityRequired() {
-    return true;
-  }
-}

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
new file mode 100644
index 0000000..171cfb7
--- /dev/null
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
@@ -0,0 +1,374 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.geode.internal.security;
+
+import java.io.IOException;
+import java.security.AccessController;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.Callable;
+
+import org.apache.commons.lang.SerializationException;
+import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.Logger;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.ShiroException;
+import org.apache.shiro.subject.Subject;
+import org.apache.shiro.subject.support.SubjectThreadState;
+import org.apache.shiro.util.ThreadContext;
+import org.apache.shiro.util.ThreadState;
+
+import org.apache.geode.GemFireIOException;
+import org.apache.geode.internal.cache.EntryEventImpl;
+import org.apache.geode.internal.logging.LogService;
+import org.apache.geode.internal.security.shiro.GeodeAuthenticationToken;
+import org.apache.geode.internal.security.shiro.SecurityManagerProvider;
+import org.apache.geode.internal.security.shiro.ShiroPrincipal;
+import org.apache.geode.internal.util.BlobHelper;
+import org.apache.geode.security.AuthenticationFailedException;
+import org.apache.geode.security.AuthenticationRequiredException;
+import org.apache.geode.security.GemFireSecurityException;
+import org.apache.geode.security.NotAuthorizedException;
+import org.apache.geode.security.PostProcessor;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.ResourcePermission.Operation;
+import org.apache.geode.security.ResourcePermission.Resource;
+import org.apache.geode.security.ResourcePermission.Target;
+
+/**
+ * Security service with SecurityManager and an optional PostProcessor.
+ */
+public class IntegratedSecurityService implements SecurityService {
+  private static Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME);
+
+  private final PostProcessor postProcessor;
+  private final org.apache.geode.security.SecurityManager securityManager;
+
+  /**
+   * this creates a security service using a SecurityManager
+   * 
+   * @param provider this provides shiro security manager
+   * @param postProcessor this can be null
+   */
+  IntegratedSecurityService(SecurityManagerProvider provider, PostProcessor postProcessor) {
+    // provider must provide a shiro security manager, otherwise, this is not integrated security
+    // service at all.
+    assert provider.getShiroSecurityManager() != null;
+    SecurityUtils.setSecurityManager(provider.getShiroSecurityManager());
+
+    this.securityManager = provider.getSecurityManager();
+    this.postProcessor = postProcessor;
+  }
+
+  public PostProcessor getPostProcessor() {
+    return this.postProcessor;
+  }
+
+  public org.apache.geode.security.SecurityManager getSecurityManager() {
+    return this.securityManager;
+  }
+
+  /**
+   * It first looks the shiro subject in AccessControlContext since JMX will use multiple threads to
+   * process operations from the same client, then it looks into Shiro's thead context.
+   *
+   * @return the shiro subject, null if security is not enabled
+   */
+  @Override
+  public Subject getSubject() {
+    Subject currentUser;
+
+    // First try get the principal out of AccessControlContext instead of Shiro's Thread context
+    // since threads can be shared between JMX clients.
+    javax.security.auth.Subject jmxSubject =
+        javax.security.auth.Subject.getSubject(AccessController.getContext());
+
+    if (jmxSubject != null) {
+      Set<ShiroPrincipal> principals = jmxSubject.getPrincipals(ShiroPrincipal.class);
+      if (!principals.isEmpty()) {
+        ShiroPrincipal principal = principals.iterator().next();
+        currentUser = principal.getSubject();
+        ThreadContext.bind(currentUser);
+        return currentUser;
+      }
+    }
+
+    // in other cases like rest call, client operations, we get it from the current thread
+    currentUser = SecurityUtils.getSubject();
+
+    if (currentUser == null || currentUser.getPrincipal() == null) {
+      throw new GemFireSecurityException("Error: Anonymous User");
+    }
+
+    return currentUser;
+  }
+
+  /**
+   * @return return a shiro subject
+   */
+  @Override
+  public Subject login(final Properties credentials) {
+    if (credentials == null) {
+      throw new AuthenticationRequiredException("credentials are null");
+    }
+
+    // this makes sure it starts with a clean user object
+    ThreadContext.remove();
+
+    Subject currentUser = SecurityUtils.getSubject();
+    GeodeAuthenticationToken token = new GeodeAuthenticationToken(credentials);
+    try {
+      logger.debug("Logging in " + token.getPrincipal());
+      currentUser.login(token);
+    } catch (ShiroException e) {
+      logger.info(e.getMessage(), e);
+      throw new AuthenticationFailedException(
+          "Authentication error. Please check your credentials.", e);
+    }
+
+    return currentUser;
+  }
+
+  @Override
+  public void logout() {
+    Subject currentUser = getSubject();
+    try {
+      logger.debug("Logging out " + currentUser.getPrincipal());
+      currentUser.logout();
+    } catch (ShiroException e) {
+      logger.info(e.getMessage(), e);
+      throw new GemFireSecurityException(e.getMessage(), e);
+    }
+
+    // clean out Shiro's thread local content
+    ThreadContext.remove();
+  }
+
+  @Override
+  public Callable associateWith(final Callable callable) {
+    Subject currentUser = getSubject();
+    return currentUser.associateWith(callable);
+  }
+
+  /**
+   * Binds the passed-in subject to the executing thread. Usage:
+   *
+   * <pre>
+   * ThreadState state = null;
+   * try {
+   *   state = securityService.bindSubject(subject);
+   *   // do the rest of the work as this subject
+   * } finally {
+   *   if (state != null)
+   *     state.clear();
+   * }
+   * </pre>
+   */
+  @Override
+  public ThreadState bindSubject(final Subject subject) {
+    if (subject == null) {
+      throw new GemFireSecurityException("Error: Anonymous User");
+    }
+
+    ThreadState threadState = new SubjectThreadState(subject);
+    threadState.bind();
+    return threadState;
+  }
+
+  public void authorizeClusterManage() {
+    authorize(Resource.CLUSTER, Operation.MANAGE, Target.ALL, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeClusterWrite() {
+    authorize(Resource.CLUSTER, Operation.WRITE, Target.ALL, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeClusterRead() {
+    authorize(Resource.CLUSTER, Operation.READ, Target.ALL, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeDataManage() {
+    authorize(Resource.DATA, Operation.MANAGE, Target.ALL, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeDataWrite() {
+    authorize(Resource.DATA, Operation.WRITE, Target.ALL, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeDataRead() {
+    authorize(Resource.DATA, Operation.READ, Target.ALL, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeDiskManage() {
+    authorize(Resource.CLUSTER, Operation.MANAGE, Target.DISK, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeGatewayManage() {
+    authorize(Resource.CLUSTER, Operation.MANAGE, Target.GATEWAY, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeJarManage() {
+    authorize(Resource.CLUSTER, Operation.MANAGE, Target.JAR, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeQueryManage() {
+    authorize(Resource.CLUSTER, Operation.MANAGE, Target.QUERY, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeRegionManage(final String regionName) {
+    authorize(Resource.DATA, Operation.MANAGE, regionName, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeRegionManage(final String regionName, final String key) {
+    authorize(Resource.DATA, Operation.MANAGE, regionName, key);
+  }
+
+  @Override
+  public void authorizeRegionWrite(final String regionName) {
+    authorize(Resource.DATA, Operation.WRITE, regionName, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeRegionWrite(final String regionName, final String key) {
+    authorize(Resource.DATA, Operation.WRITE, regionName, key);
+  }
+
+  @Override
+  public void authorizeRegionRead(final String regionName) {
+    authorize(Resource.DATA, Operation.READ, regionName, ResourcePermission.ALL);
+  }
+
+  @Override
+  public void authorizeRegionRead(final String regionName, final String key) {
+    authorize(Resource.DATA, Operation.READ, regionName, key);
+  }
+
+  public void authorize(Resource resource, Operation operation, Target target, String key) {
+    authorize(resource, operation, target.getName(), key);
+  }
+
+  public void authorize(Resource resource, Operation operation, Target target) {
+    authorize(resource, operation, target, ResourcePermission.ALL);
+  }
+
+  public void authorize(Resource resource, Operation operation, String target, String key) {
+    authorize(new ResourcePermission(resource, operation, target, key));
+  }
+
+  @Override
+  public void authorize(final ResourcePermission context) {
+    if (context == null) {
+      return;
+    }
+    if (context.getResource() == Resource.NULL && context.getOperation() == Operation.NULL) {
+      return;
+    }
+
+    Subject currentUser = getSubject();
+    try {
+      currentUser.checkPermission(context);
+    } catch (ShiroException e) {
+      String msg = currentUser.getPrincipal() + " not authorized for " + context;
+      logger.info(msg);
+      throw new NotAuthorizedException(msg, e);
+    }
+  }
+
+  @Override
+  public void close() {
+    if (this.securityManager != null) {
+      securityManager.close();
+    }
+    if (this.postProcessor != null) {
+      this.postProcessor.close();
+    }
+
+    ThreadContext.remove();
+    SecurityUtils.setSecurityManager(null);
+  }
+
+  /**
+   * postProcess call already has this logic built in, you don't need to call this everytime you
+   * call postProcess. But if your postProcess is pretty involved with preparations and you need to
+   * bypass it entirely, call this first.
+   */
+  @Override
+  public boolean needPostProcess() {
+    return this.postProcessor != null;
+  }
+
+  @Override
+  public Object postProcess(final String regionPath, final Object key, final Object value,
+      final boolean valueIsSerialized) {
+    return postProcess(null, regionPath, key, value, valueIsSerialized);
+  }
+
+  @Override
+  public Object postProcess(Object principal, final String regionPath, final Object key,
+      final Object value, final boolean valueIsSerialized) {
+    if (!needPostProcess()) {
+      return value;
+    }
+
+    if (principal == null) {
+      principal = getSubject().getPrincipal();
+    }
+
+    String regionName = StringUtils.stripStart(regionPath, "/");
+    Object newValue;
+
+    // if the data is a byte array, but the data itself is supposed to be an object, we need to
+    // deserialize it before we pass it to the callback.
+    if (valueIsSerialized && value instanceof byte[]) {
+      try {
+        Object oldObj = EntryEventImpl.deserialize((byte[]) value);
+        Object newObj = this.postProcessor.processRegionValue(principal, regionName, key, oldObj);
+        newValue = BlobHelper.serializeToBlob(newObj);
+      } catch (IOException | SerializationException e) {
+        throw new GemFireIOException("Exception de/serializing entry value", e);
+      }
+    } else {
+      newValue = this.postProcessor.processRegionValue(principal, regionName, key, value);
+    }
+
+    return newValue;
+  }
+
+  @Override
+  public boolean isIntegratedSecurity() {
+    return true;
+  }
+
+  @Override
+  public boolean isClientSecurityRequired() {
+    return true;
+  }
+
+  @Override
+  public boolean isPeerSecurityRequired() {
+    return true;
+  }
+}

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/LegacySecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/LegacySecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/LegacySecurityService.java
index 4456253..c594bf9 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/security/LegacySecurityService.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/LegacySecurityService.java
@@ -14,17 +14,20 @@
  */
 package org.apache.geode.internal.security;
 
-import org.apache.geode.security.PostProcessor;
-import org.apache.geode.security.ResourcePermission;
-import org.apache.geode.security.SecurityManager;
+import java.util.Properties;
+import java.util.concurrent.Callable;
+
+import org.apache.commons.lang.StringUtils;
 import org.apache.shiro.subject.Subject;
 import org.apache.shiro.util.ThreadState;
 
-import java.util.Properties;
-import java.util.concurrent.Callable;
+import org.apache.geode.management.internal.security.ResourceOperation;
+import org.apache.geode.security.PostProcessor;
+import org.apache.geode.security.ResourcePermission;
+import org.apache.geode.security.SecurityManager;
 
 /**
- * Legacy security service with ClientAuthenticator and/or PeerAuthenticator.
+ * implementing SecurityService when only legacy authenticators are specified
  */
 public class LegacySecurityService implements SecurityService {
 
@@ -32,164 +35,14 @@ public class LegacySecurityService implements SecurityService {
 
   private final boolean hasPeerAuthenticator;
 
-  LegacySecurityService(final String clientAuthenticator, final String peerAuthenticator) {
-    this.hasClientAuthenticator = clientAuthenticator != null;
-    this.hasPeerAuthenticator = peerAuthenticator != null;
-  }
-
-  @Override
-  public void initSecurity(final Properties securityProps) {
-    // nothing
-  }
-
-  @Override
-  public ThreadState bindSubject(final Subject subject) {
-    return null;
-  }
-
-  @Override
-  public Subject getSubject() {
-    return null;
-  }
-
-  @Override
-  public Subject login(final Properties credentials) {
-    return null;
-  }
-
-  @Override
-  public void logout() {
-    // nothing
-  }
-
-  @Override
-  public Callable associateWith(final Callable callable) {
-    return null;
-  }
-
-  @Override
-  public void authorize(ResourcePermission.Resource resource,
-      ResourcePermission.Operation operation, String target, String key) {
-
-  }
-
-  @Override
-  public void authorize(ResourcePermission.Resource resource,
-      ResourcePermission.Operation operation, ResourcePermission.Target target, String key) {
-
-  }
-
-  @Override
-  public void authorize(ResourcePermission.Resource resource,
-      ResourcePermission.Operation operation, ResourcePermission.Target target) {
-
-  }
-
-  @Override
-  public void authorizeClusterManage() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeClusterWrite() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeClusterRead() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDataManage() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDataWrite() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDataRead() {
-    // nothing
-  }
-
-  @Override
-  public void authorizeDiskManage() {
-
-  }
-
-  @Override
-  public void authorizeGatewayManage() {
-
-  }
-
-  @Override
-  public void authorizeJarManage() {
-
+  LegacySecurityService() {
+    hasClientAuthenticator = false;
+    hasPeerAuthenticator = false;
   }
 
-  @Override
-  public void authorizeQueryManage() {
-
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionManage(final String regionName, final String key) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionWrite(final String regionName, final String key) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName) {
-    // nothing
-  }
-
-  @Override
-  public void authorizeRegionRead(final String regionName, final String key) {
-    // nothing
-  }
-
-  @Override
-  public void authorize(final ResourcePermission context) {
-    // nothing
-  }
-
-  @Override
-  public void close() {
-    // nothing
-  }
-
-  @Override
-  public boolean needPostProcess() {
-    return false;
-  }
-
-  @Override
-  public Object postProcess(final String regionPath, final Object key, final Object value,
-      final boolean valueIsSerialized) {
-    return value;
-  }
-
-  @Override
-  public Object postProcess(final Object principal, final String regionPath, final Object key,
-      final Object value, final boolean valueIsSerialized) {
-    return value;
+  LegacySecurityService(final String clientAuthenticator, final String peerAuthenticator) {
+    this.hasClientAuthenticator = StringUtils.isNotBlank(clientAuthenticator);
+    this.hasPeerAuthenticator = StringUtils.isNotBlank(peerAuthenticator);
   }
 
   @Override
@@ -207,13 +60,4 @@ public class LegacySecurityService implements SecurityService {
     return this.hasPeerAuthenticator;
   }
 
-  @Override
-  public SecurityManager getSecurityManager() {
-    return null;
-  }
-
-  @Override
-  public PostProcessor getPostProcessor() {
-    return null;
-  }
 }

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/SecurityService.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityService.java b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityService.java
index a4041e1..feea899 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityService.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityService.java
@@ -28,76 +28,97 @@ import java.util.Properties;
 import java.util.concurrent.Callable;
 
 public interface SecurityService {
+  default ThreadState bindSubject(Subject subject) {
+    return null;
+  }
 
-  void initSecurity(Properties securityProps);
+  default Subject getSubject() {
+    return null;
+  }
 
-  ThreadState bindSubject(Subject subject);
+  default Subject login(Properties credentials) {
+    return null;
+  }
 
-  Subject getSubject();
+  default void logout() {};
 
-  Subject login(Properties credentials);
+  default Callable associateWith(Callable callable) {
+    return callable;
+  }
 
-  void logout();
+  default void authorize(Resource resource, Operation operation, String target, String key) {};
 
-  Callable associateWith(Callable callable);
+  default void authorize(Resource resource, Operation operation, Target target, String key) {};
 
-  void authorize(Resource resource, Operation operation, String target, String key);
+  default void authorize(Resource resource, Operation operation, Target target) {};
 
-  void authorize(Resource resource, Operation operation, Target target, String key);
+  default void authorizeClusterManage() {};
 
-  void authorize(Resource resource, Operation operation, Target target);
+  default void authorizeClusterWrite() {};
 
-  void authorizeClusterManage();
+  default void authorizeClusterRead() {};
 
-  void authorizeClusterWrite();
+  default void authorizeDataManage() {};
 
-  void authorizeClusterRead();
+  default void authorizeDataWrite() {};
 
-  void authorizeDataManage();
+  default void authorizeDataRead() {};
 
-  void authorizeDataWrite();
+  default void authorizeDiskManage() {};
 
-  void authorizeDataRead();
+  default void authorizeGatewayManage() {};
 
-  void authorizeDiskManage();
+  default void authorizeJarManage() {};
 
-  void authorizeGatewayManage();
+  default void authorizeQueryManage() {};
 
-  void authorizeJarManage();
+  default void authorizeRegionManage(String regionName) {};
 
-  void authorizeQueryManage();
+  default void authorizeRegionManage(String regionName, String key) {};
 
-  void authorizeRegionManage(String regionName);
+  default void authorizeRegionWrite(String regionName) {};
 
-  void authorizeRegionManage(String regionName, String key);
+  default void authorizeRegionWrite(String regionName, String key) {};
 
-  void authorizeRegionWrite(String regionName);
+  default void authorizeRegionRead(String regionName) {};
 
-  void authorizeRegionWrite(String regionName, String key);
+  default void authorizeRegionRead(String regionName, String key) {};
 
-  void authorizeRegionRead(String regionName);
+  default void authorize(ResourcePermission context) {};
 
-  void authorizeRegionRead(String regionName, String key);
+  default void close() {};
 
-  void authorize(ResourcePermission context);
+  default boolean needPostProcess() {
+    return false;
+  };
 
-  void close();
+  default Object postProcess(String regionPath, Object key, Object value,
+      boolean valueIsSerialized) {
+    return value;
+  }
 
-  boolean needPostProcess();
+  default Object postProcess(Object principal, String regionPath, Object key, Object value,
+      boolean valueIsSerialized) {
+    return value;
+  }
 
-  Object postProcess(String regionPath, Object key, Object value, boolean valueIsSerialized);
+  default boolean isClientSecurityRequired() {
+    return false;
+  }
 
-  Object postProcess(Object principal, String regionPath, Object key, Object value,
-      boolean valueIsSerialized);
+  default boolean isIntegratedSecurity() {
+    return false;
+  }
 
-  boolean isClientSecurityRequired();
+  default boolean isPeerSecurityRequired() {
+    return false;
+  }
 
-  boolean isIntegratedSecurity();
-
-  boolean isPeerSecurityRequired();
-
-  SecurityManager getSecurityManager();
-
-  PostProcessor getPostProcessor();
+  default SecurityManager getSecurityManager() {
+    return null;
+  }
 
+  default PostProcessor getPostProcessor() {
+    return null;
+  }
 }

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
index 02f34f1..2e0ad95 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceFactory.java
@@ -14,25 +14,22 @@
  */
 package org.apache.geode.internal.security;
 
-import static org.apache.commons.lang.StringUtils.isNotBlank;
 import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_CLIENT_AUTHENTICATOR;
-import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_MANAGER;
 import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_PEER_AUTHENTICATOR;
-import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_POST_PROCESSOR;
 import static org.apache.geode.distributed.ConfigurationProperties.SECURITY_SHIRO_INIT;
 
-import org.apache.geode.distributed.internal.DistributionConfig;
+import java.util.Properties;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.UnavailableSecurityManagerException;
+
 import org.apache.geode.internal.cache.CacheConfig;
 import org.apache.geode.internal.cache.GemFireCacheImpl;
 import org.apache.geode.internal.cache.InternalCache;
-import org.apache.geode.internal.security.shiro.ConfigInitializer;
-import org.apache.geode.internal.security.shiro.RealmInitializer;
+import org.apache.geode.internal.security.shiro.SecurityManagerProvider;
 import org.apache.geode.security.PostProcessor;
 import org.apache.geode.security.SecurityManager;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.UnavailableSecurityManagerException;
-
-import java.util.Properties;
 
 public class SecurityServiceFactory {
 
@@ -40,119 +37,65 @@ public class SecurityServiceFactory {
     // do not instantiate
   }
 
-  public static SecurityService create(CacheConfig cacheConfig,
-      DistributionConfig distributionConfig) {
-    Properties securityConfig = getSecurityConfig(distributionConfig);
-    SecurityManager securityManager =
-        getSecurityManager(getSecurityManagerFromConfig(cacheConfig), securityConfig);
-    PostProcessor postProcessor =
-        getPostProcessor(getPostProcessorFromConfig(cacheConfig), securityConfig);
-    return create(distributionConfig, securityManager, postProcessor);
-  }
-
-  /**
-   * Creates and initializes SecurityService. Initialization will invoke init on both
-   * SecurityManager and PostProcessor if they are specified.
-   */
-  public static SecurityService create(DistributionConfig distributionConfig,
-      SecurityManager securityManager, PostProcessor postProcessor) {
-    Properties securityConfig = getSecurityConfig(distributionConfig);
-
-    securityManager = getSecurityManager(securityManager, securityConfig);
-    postProcessor = getPostProcessor(postProcessor, securityConfig);
-
-    SecurityService securityService = create(securityConfig, securityManager, postProcessor);
-    initialize(securityService, distributionConfig);
-    return securityService;
-  }
-
   public static SecurityService create() {
-    return new DisabledSecurityService();
+    return new LegacySecurityService();
   }
 
-  public static SecurityService create(Properties securityConfig, SecurityManager securityManager,
-      PostProcessor postProcessor) {
-    SecurityServiceType type = determineType(securityConfig, securityManager, postProcessor);
-    switch (type) {
-      case CUSTOM:
-        String shiroConfig = getProperty(securityConfig, SECURITY_SHIRO_INIT);
-        if (isNotBlank(shiroConfig)) {
-          new ConfigInitializer().initialize(shiroConfig);
-        }
-        return new CustomSecurityService(postProcessor);
-      case ENABLED:
-        return new EnabledSecurityService(securityManager, postProcessor, new RealmInitializer());
-      case LEGACY:
-        String clientAuthenticator = getProperty(securityConfig, SECURITY_CLIENT_AUTHENTICATOR);
-        String peerAuthenticator = getProperty(securityConfig, SECURITY_PEER_AUTHENTICATOR);
-        return new LegacySecurityService(clientAuthenticator, peerAuthenticator);
-      default:
-        return new DisabledSecurityService();
-    }
+  public static SecurityService create(Properties securityProps) {
+    return create(securityProps, null, null);
   }
 
-  public static SecurityService findSecurityService() {
-    InternalCache cache = GemFireCacheImpl.getInstance();
-    if (cache != null) {
-      return cache.getSecurityService();
+  public static SecurityService create(Properties securityProps, CacheConfig cacheConfig) {
+    if (cacheConfig == null) {
+      return create(securityProps, null, null);
     }
-    return SecurityServiceFactory.create();
-  }
 
-  static SecurityServiceType determineType(Properties securityConfig,
-      SecurityManager securityManager, PostProcessor postProcessor) {
-    boolean hasShiroConfig = hasProperty(securityConfig, SECURITY_SHIRO_INIT);
-    if (hasShiroConfig) {
-      return SecurityServiceType.CUSTOM;
-    }
+    return create(securityProps, cacheConfig.getSecurityManager(), cacheConfig.getPostProcessor());
+  }
 
-    boolean hasSecurityManager =
-        securityManager != null || hasProperty(securityConfig, SECURITY_MANAGER);
-    if (hasSecurityManager) {
-      return SecurityServiceType.ENABLED;
+  public static SecurityService create(Properties securityProps,
+      SecurityManager preferredSecurityManager, PostProcessor preferredPostProcessor) {
+    if (securityProps == null) {
+      // avoid NPE, and we can stil use preferredSecurityManager to create the service
+      securityProps = new Properties();
     }
 
-    boolean hasClientAuthenticator = hasProperty(securityConfig, SECURITY_CLIENT_AUTHENTICATOR);
-    boolean hasPeerAuthenticator = hasProperty(securityConfig, SECURITY_PEER_AUTHENTICATOR);
-    if (hasClientAuthenticator || hasPeerAuthenticator) {
-      return SecurityServiceType.LEGACY;
-    }
+    String shiroConfig = securityProps.getProperty(SECURITY_SHIRO_INIT);
+    SecurityManager securityManager = CallbackInstantiator.getSecurityManager(securityProps);
+    PostProcessor postProcessor = CallbackInstantiator.getPostProcessor(securityProps);
 
-    boolean isShiroInUse = isShiroInUse();
-    if (isShiroInUse) {
-      return SecurityServiceType.CUSTOM;
+    // cacheConfig's securityManager/postprocessor takes precedence over those defined in
+    // securityProps
+    if (preferredSecurityManager != null) {
+      // cacheConfig's security manager will override property's shiro.ini settings
+      shiroConfig = null;
+      securityManager = preferredSecurityManager;
     }
-
-    return SecurityServiceType.DISABLED;
-  }
-
-  static SecurityManager getSecurityManager(SecurityManager securityManager,
-      Properties securityConfig) {
-    if (securityManager != null) {
-      return securityManager;
+    if (preferredPostProcessor != null) {
+      postProcessor = preferredPostProcessor;
     }
 
-    String securityManagerConfig = getProperty(securityConfig, SECURITY_MANAGER);
-    if (isNotBlank(securityManagerConfig)) {
-      securityManager = CallbackInstantiator.getObjectOfTypeFromClassName(securityManagerConfig,
-          SecurityManager.class);
+    if (StringUtils.isNotBlank(shiroConfig)) {
+      return new IntegratedSecurityService(new SecurityManagerProvider(shiroConfig), postProcessor);
+    } else if (securityManager != null) {
+      return new IntegratedSecurityService(new SecurityManagerProvider(securityManager),
+          postProcessor);
+    } else if (isShiroInUse()) {
+      return new IntegratedSecurityService(new SecurityManagerProvider(), postProcessor);
     }
 
-    return securityManager;
+    // if not return legacy security service
+    String clientAuthenticatorConfig = securityProps.getProperty(SECURITY_CLIENT_AUTHENTICATOR);
+    String peerAuthenticatorConfig = securityProps.getProperty(SECURITY_PEER_AUTHENTICATOR);
+    return new LegacySecurityService(clientAuthenticatorConfig, peerAuthenticatorConfig);
   }
 
-  static PostProcessor getPostProcessor(PostProcessor postProcessor, Properties securityConfig) {
-    if (postProcessor != null) {
-      return postProcessor;
-    }
-
-    String postProcessorConfig = getProperty(securityConfig, SECURITY_POST_PROCESSOR);
-    if (isNotBlank(postProcessorConfig)) {
-      postProcessor = CallbackInstantiator.getObjectOfTypeFromClassName(postProcessorConfig,
-          PostProcessor.class);
+  public static SecurityService findSecurityService() {
+    InternalCache cache = GemFireCacheImpl.getInstance();
+    if (cache != null) {
+      return cache.getSecurityService();
     }
-
-    return postProcessor;
+    return SecurityServiceFactory.create();
   }
 
   private static boolean isShiroInUse() {
@@ -163,42 +106,5 @@ public class SecurityServiceFactory {
     }
   }
 
-  private static Properties getSecurityConfig(DistributionConfig distributionConfig) {
-    if (distributionConfig == null) {
-      return new Properties();
-    }
-    return distributionConfig.getSecurityProps();
-  }
 
-  private static SecurityManager getSecurityManagerFromConfig(CacheConfig cacheConfig) {
-    if (cacheConfig == null) {
-      return null;
-    }
-    return cacheConfig.getSecurityManager();
-  }
-
-  private static PostProcessor getPostProcessorFromConfig(CacheConfig cacheConfig) {
-    if (cacheConfig == null) {
-      return null;
-    }
-    return cacheConfig.getPostProcessor();
-  }
-
-  private static boolean hasProperty(Properties securityConfig, String key) {
-    return securityConfig != null && getProperty(securityConfig, key) != null;
-  }
-
-  private static String getProperty(Properties securityConfig, String key) {
-    if (securityConfig == null) {
-      return null;
-    }
-    return securityConfig.getProperty(key);
-  }
-
-  private static void initialize(SecurityService securityService,
-      DistributionConfig distributionConfig) {
-    if (securityService != null && distributionConfig != null) {
-      securityService.initSecurity(distributionConfig.getSecurityProps());
-    }
-  }
 }

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceType.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceType.java b/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceType.java
deleted file mode 100644
index 8ae76d2..0000000
--- a/geode-core/src/main/java/org/apache/geode/internal/security/SecurityServiceType.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.internal.security;
-
-public enum SecurityServiceType {
-  /** Integrated Security is Enabled */
-  ENABLED,
-  /** Security is Disabled */
-  DISABLED,
-  /** Legacy Security is Enabled */
-  LEGACY,
-  /** Shiro Config is specified */
-  CUSTOM,
-  /** Shiro is already configured with SecurityManager */
-  EXTERNAL
-}

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/shiro/ConfigInitializer.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/ConfigInitializer.java b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/ConfigInitializer.java
deleted file mode 100644
index 60f014b..0000000
--- a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/ConfigInitializer.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.internal.security.shiro;
-
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.config.Ini.Section;
-import org.apache.shiro.config.IniSecurityManagerFactory;
-import org.apache.shiro.mgt.SecurityManager;
-
-public class ConfigInitializer {
-
-  public ConfigInitializer() {
-    // nothing
-  }
-
-  public void initialize(String shiroConfig) {
-    IniSecurityManagerFactory factory = new IniSecurityManagerFactory("classpath:" + shiroConfig);
-
-    // we will need to make sure that shiro uses a case sensitive permission resolver
-    Section main = factory.getIni().addSection("main");
-    main.put("geodePermissionResolver", GeodePermissionResolver.class.getName());
-    if (!main.containsKey("iniRealm.permissionResolver")) {
-      main.put("iniRealm.permissionResolver", "$geodePermissionResolver");
-    }
-
-    // logs "Users or Roles are already populated. Configured Ini instance will be ignored."
-    SecurityManager securityManager = factory.getInstance();
-    SecurityUtils.setSecurityManager(securityManager);
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/shiro/CustomAuthRealm.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/CustomAuthRealm.java b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/CustomAuthRealm.java
index 51449fd..0e5029b 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/CustomAuthRealm.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/CustomAuthRealm.java
@@ -14,10 +14,6 @@
  */
 package org.apache.geode.internal.security.shiro;
 
-import java.io.Serializable;
-import java.util.Properties;
-
-import org.apache.geode.internal.security.CallbackInstantiator;
 import org.apache.geode.security.ResourcePermission;
 import org.apache.geode.security.SecurityManager;
 import org.apache.shiro.authc.AuthenticationException;
@@ -29,6 +25,9 @@ import org.apache.shiro.authz.Permission;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 
+import java.io.Serializable;
+import java.util.Properties;
+
 public class CustomAuthRealm extends AuthorizingRealm {
 
   private static final String REALM_NAME = "CUSTOMAUTHREALM";
@@ -46,18 +45,6 @@ public class CustomAuthRealm extends AuthorizingRealm {
     setAuthenticationTokenClass(GeodeAuthenticationToken.class);
   }
 
-  /**
-   * SecurityManager will be constructed and initialized with the provided security properties.
-   *
-   * @param authenticatorFactory name of the SecurityManager implementation to construct
-   * @param securityProperties the security properties to initialize SecurityManager with
-   */
-  public CustomAuthRealm(String authenticatorFactory, Properties securityProperties) {
-    this.securityManager = CallbackInstantiator.getObjectOfTypeFromClassName(authenticatorFactory,
-        SecurityManager.class);
-    this.securityManager.init(securityProperties);
-  }
-
   @Override
   protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
       throws AuthenticationException {

http://git-wip-us.apache.org/repos/asf/geode/blob/5546a873/geode-core/src/main/java/org/apache/geode/internal/security/shiro/RealmInitializer.java
----------------------------------------------------------------------
diff --git a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/RealmInitializer.java b/geode-core/src/main/java/org/apache/geode/internal/security/shiro/RealmInitializer.java
deleted file mode 100644
index 978c4dd..0000000
--- a/geode-core/src/main/java/org/apache/geode/internal/security/shiro/RealmInitializer.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
- * agreements. See the NOTICE file distributed with this work for additional information regarding
- * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance with the License. You may obtain a
- * copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
-package org.apache.geode.internal.security.shiro;
-
-import org.apache.geode.internal.logging.LogService;
-import org.apache.geode.security.SecurityManager;
-import org.apache.logging.log4j.Logger;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.mgt.DefaultSecurityManager;
-import org.apache.shiro.realm.Realm;
-import org.apache.shiro.session.mgt.DefaultSessionManager;
-import org.apache.shiro.session.mgt.SessionManager;
-
-public class RealmInitializer {
-  private static Logger logger = LogService.getLogger(LogService.SECURITY_LOGGER_NAME);
-
-  public RealmInitializer() {
-    // nothing
-  }
-
-  public void initialize(final SecurityManager securityManager) {
-    Realm realm = new CustomAuthRealm(securityManager);
-    DefaultSecurityManager shiroManager = new DefaultSecurityManager(realm);
-    SecurityUtils.setSecurityManager(shiroManager);
-    increaseShiroGlobalSessionTimeout(shiroManager);
-  }
-
-  private void increaseShiroGlobalSessionTimeout(final DefaultSecurityManager shiroManager) {
-    SessionManager sessionManager = shiroManager.getSessionManager();
-    if (DefaultSessionManager.class.isInstance(sessionManager)) {
-      DefaultSessionManager defaultSessionManager = (DefaultSessionManager) sessionManager;
-      defaultSessionManager.setGlobalSessionTimeout(Long.MAX_VALUE);
-      long value = defaultSessionManager.getGlobalSessionTimeout();
-      if (value != Long.MAX_VALUE) {
-        logger.error("Unable to set Shiro Global Session Timeout. Current value is '{}'.", value);
-      }
-    } else {
-      logger.error("Unable to set Shiro Global Session Timeout. Current SessionManager is '{}'.",
-          sessionManager == null ? "null" : sessionManager.getClass());
-    }
-  }
-}


Mime
View raw message