You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by je...@apache.org on 2016/03/21 21:40:14 UTC
[43/54] [abbrv] incubator-geode git commit: GEODE-949: refactor and
repackage security test code
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSAuthInit.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/PKCSAuthInit.java b/geode-core/src/test/java/templates/security/PKCSAuthInit.java
deleted file mode 100755
index f4004f3..0000000
--- a/geode-core/src/test/java/templates/security/PKCSAuthInit.java
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.security.AuthInitialize;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.GemFireSecurityException;
-import org.apache.logging.log4j.Logger;
-
-import java.io.FileInputStream;
-import java.security.Key;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.cert.X509Certificate;
-import java.util.Properties;
-
-/**
- * An {@link AuthInitialize} implementation that obtains the digital signature
- * for use with PKCS scheme on server from the given set of properties.
- *
- * To use this class the <c>security-client-auth-init</c> property should be
- * set to the fully qualified name the static <code>create</code> function
- * viz. <code>templates.security.PKCSAuthInit.create</code>
- *
- * @author Kumar Neeraj
- * @since 5.5
- */
-public class PKCSAuthInit implements AuthInitialize {
- private static final Logger logger = LogService.getLogger();
-
- public static final String KEYSTORE_FILE_PATH = "security-keystorepath";
-
- public static final String KEYSTORE_ALIAS = "security-alias";
-
- public static final String KEYSTORE_PASSWORD = "security-keystorepass";
-
- public static final String SIGNATURE_DATA = "security-signature";
-
- protected LogWriter securitylog;
-
- protected LogWriter systemlog;
-
- public void close() {
- }
-
- public static AuthInitialize create() {
- return new PKCSAuthInit();
- }
-
- public PKCSAuthInit() {
- }
-
- public void init(LogWriter systemLogger, LogWriter securityLogger)
- throws AuthenticationFailedException {
- this.systemlog = systemLogger;
- this.securitylog = securityLogger;
- }
-
- public Properties getCredentials(Properties props, DistributedMember server,
- boolean isPeer) throws AuthenticationFailedException {
- String keyStorePath = props.getProperty(KEYSTORE_FILE_PATH);
- if (keyStorePath == null) {
- throw new AuthenticationFailedException(
- "PKCSAuthInit: key-store file path property [" + KEYSTORE_FILE_PATH
- + "] not set.");
- }
- String alias = props.getProperty(KEYSTORE_ALIAS);
- if (alias == null) {
- throw new AuthenticationFailedException(
- "PKCSAuthInit: key alias name property [" + KEYSTORE_ALIAS
- + "] not set.");
- }
- String keyStorePass = props.getProperty(KEYSTORE_PASSWORD);
-
- try {
- KeyStore ks = KeyStore.getInstance("PKCS12");
- char[] passPhrase = (keyStorePass != null ? keyStorePass.toCharArray()
- : null);
- FileInputStream certificatefile = new FileInputStream(keyStorePath);
- try {
- ks.load(certificatefile, passPhrase);
- }
- finally {
- certificatefile.close();
- }
-
- Key key = ks.getKey(alias, passPhrase);
-
- if (key instanceof PrivateKey) {
-
- PrivateKey privKey = (PrivateKey)key;
- X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
- Signature sig = Signature.getInstance(cert.getSigAlgName());
-
- sig.initSign(privKey);
- sig.update(alias.getBytes("UTF-8"));
- byte[] signatureBytes = sig.sign();
-
- Properties newprops = new Properties();
- newprops.put(KEYSTORE_ALIAS, alias);
- newprops.put(SIGNATURE_DATA, signatureBytes);
- return newprops;
- }
- else {
- throw new AuthenticationFailedException("PKCSAuthInit: "
- + "Failed to load private key from the given file: " + keyStorePath);
- }
- }
- catch (Exception ex) {
- throw new AuthenticationFailedException(
- "PKCSAuthInit: Exception while getting credentials: " + ex, ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSAuthenticator.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/PKCSAuthenticator.java b/geode-core/src/test/java/templates/security/PKCSAuthenticator.java
deleted file mode 100755
index 7af7312..0000000
--- a/geode-core/src/test/java/templates/security/PKCSAuthenticator.java
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.internal.logging.LogService;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-import com.gemstone.gemfire.security.Authenticator;
-import com.gemstone.gemfire.security.GemFireSecurityException;
-import org.apache.logging.log4j.Logger;
-
-import java.io.FileInputStream;
-import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Signature;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.security.spec.InvalidKeySpecException;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Properties;
-
-/**
- * @author kneeraj
- *
- */
-public class PKCSAuthenticator implements Authenticator {
- private static final Logger logger = LogService.getLogger();
-
- public static final String PUBLIC_KEY_FILE = "security-publickey-filepath";
-
- public static final String PUBLIC_KEYSTORE_PASSWORD = "security-publickey-pass";
-
- private String pubKeyFilePath;
-
- private String pubKeyPass;
-
- private Map aliasCertificateMap;
-
- protected LogWriter systemlog;
-
- protected LogWriter securitylog;
-
- public static Authenticator create() {
- return new PKCSAuthenticator();
- }
-
- public PKCSAuthenticator() {
- }
-
- private void populateMap() {
- try {
- KeyStore ks = KeyStore.getInstance("JKS");
- char[] passPhrase = (pubKeyPass != null ? pubKeyPass.toCharArray() : null);
- FileInputStream keystorefile = new FileInputStream(this.pubKeyFilePath);
- try {
- ks.load(keystorefile, passPhrase);
- }
- finally {
- keystorefile.close();
- }
- Enumeration e = ks.aliases();
- while (e.hasMoreElements()) {
- Object alias = e.nextElement();
- Certificate cert = ks.getCertificate((String)alias);
- if (cert instanceof X509Certificate) {
- this.aliasCertificateMap.put(alias, cert);
- }
- }
- }
- catch (Exception e) {
- throw new AuthenticationFailedException(
- "Exception while getting public keys: " + e.getMessage(), e);
- }
- }
-
- public void init(Properties systemProps, LogWriter systemLogger,
- LogWriter securityLogger) throws AuthenticationFailedException {
- this.systemlog = systemLogger;
- this.securitylog = securityLogger;
- this.pubKeyFilePath = systemProps.getProperty(PUBLIC_KEY_FILE);
- if (this.pubKeyFilePath == null) {
- throw new AuthenticationFailedException("PKCSAuthenticator: property "
- + PUBLIC_KEY_FILE + " not specified as the public key file.");
- }
- this.pubKeyPass = systemProps.getProperty(PUBLIC_KEYSTORE_PASSWORD);
- this.aliasCertificateMap = new HashMap();
- populateMap();
- }
-
- private AuthenticationFailedException getException(String exStr,
- Exception cause) {
-
- String exMsg = "PKCSAuthenticator: Authentication of client failed due to: "
- + exStr;
- if (cause != null) {
- return new AuthenticationFailedException(exMsg, cause);
- }
- else {
- return new AuthenticationFailedException(exMsg);
- }
- }
-
- private AuthenticationFailedException getException(String exStr) {
- return getException(exStr, null);
- }
-
- private X509Certificate getCertificate(String alias)
- throws NoSuchAlgorithmException, InvalidKeySpecException {
- if (this.aliasCertificateMap.containsKey(alias)) {
- return (X509Certificate)this.aliasCertificateMap.get(alias);
- }
- return null;
- }
-
- public Principal authenticate(Properties props, DistributedMember member)
- throws AuthenticationFailedException {
- String alias = (String)props.get(PKCSAuthInit.KEYSTORE_ALIAS);
- if (alias == null || alias.length() <= 0) {
- throw new AuthenticationFailedException("No alias received");
- }
- try {
- X509Certificate cert = getCertificate(alias);
- if (cert == null) {
- throw getException("No certificate found for alias:" + alias);
- }
- byte[] signatureBytes = (byte[])props.get(PKCSAuthInit.SIGNATURE_DATA);
- if (signatureBytes == null) {
- throw getException("signature data property ["
- + PKCSAuthInit.SIGNATURE_DATA + "] not provided");
- }
- Signature sig = Signature.getInstance(cert.getSigAlgName());
- sig.initVerify(cert);
- sig.update(alias.getBytes("UTF-8"));
-
- if (!sig.verify(signatureBytes)) {
- throw getException("verification of client signature failed");
- }
- return new PKCSPrincipal(alias);
- }
- catch (Exception ex) {
- throw getException(ex.toString(), ex);
- }
- }
-
- public void close() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSPrincipal.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/PKCSPrincipal.java b/geode-core/src/test/java/templates/security/PKCSPrincipal.java
deleted file mode 100755
index bc3049f..0000000
--- a/geode-core/src/test/java/templates/security/PKCSPrincipal.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package templates.security;
-
-import java.io.Serializable;
-import java.security.Principal;
-
-/**
- * @author kneeraj
- *
- */
-public class PKCSPrincipal implements Principal, Serializable {
-
- private String alias;
-
- public PKCSPrincipal(String alias) {
- this.alias = alias;
- }
-
- public String getName() {
- return this.alias;
- }
-
- @Override
- public String toString() {
- return this.alias;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java b/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java
deleted file mode 100644
index fc8454c..0000000
--- a/geode-core/src/test/java/templates/security/PKCSPrincipalTest.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.test.junit.categories.UnitTest;
-import org.apache.commons.lang.SerializationUtils;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-import java.io.Serializable;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- * Unit tests for {@link PKCSPrincipal}
- */
-@Category(UnitTest.class)
-public class PKCSPrincipalTest {
-
- @Test
- public void isSerializable() throws Exception {
- assertThat(PKCSPrincipal.class).isInstanceOf(Serializable.class);
- }
-
- @Test
- public void canBeSerialized() throws Exception {
- String name = "jsmith";
- PKCSPrincipal instance = new PKCSPrincipal(name);
-
- PKCSPrincipal cloned = (PKCSPrincipal) SerializationUtils.clone(instance);
-
- assertThat(cloned.getName()).isEqualTo(name);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java b/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java
deleted file mode 100755
index 1c48773..0000000
--- a/geode-core/src/test/java/templates/security/UserPasswordAuthInit.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AuthInitialize;
-import com.gemstone.gemfire.security.AuthenticationFailedException;
-
-import java.util.Properties;
-
-/**
- * An {@link AuthInitialize} implementation that obtains the user name and
- * password as the credentials from the given set of properties.
- *
- * To use this class the <c>security-client-auth-init</c> property should be
- * set to the fully qualified name the static <code>create</code> function
- * viz. <code>templates.security.UserPasswordAuthInit.create</code>
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class UserPasswordAuthInit implements AuthInitialize {
-
- public static final String USER_NAME = "security-username";
-
- public static final String PASSWORD = "security-password";
-
- protected LogWriter securitylog;
-
- protected LogWriter systemlog;
-
- public static AuthInitialize create() {
- return new UserPasswordAuthInit();
- }
-
- public void init(LogWriter systemLogger, LogWriter securityLogger)
- throws AuthenticationFailedException {
- this.systemlog = systemLogger;
- this.securitylog = securityLogger;
- }
-
- public UserPasswordAuthInit() {
- }
-
- public Properties getCredentials(Properties props, DistributedMember server,
- boolean isPeer) throws AuthenticationFailedException {
-
- Properties newProps = new Properties();
- String userName = props.getProperty(USER_NAME);
- if (userName == null) {
- throw new AuthenticationFailedException(
- "UserPasswordAuthInit: user name property [" + USER_NAME
- + "] not set.");
- }
- newProps.setProperty(USER_NAME, userName);
- String passwd = props.getProperty(PASSWORD);
- // If password is not provided then use empty string as the password.
- if (passwd == null) {
- passwd = "";
- }
- newProps.setProperty(PASSWORD, passwd);
- return newProps;
- }
-
- public void close() {
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/UsernamePrincipal.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/UsernamePrincipal.java b/geode-core/src/test/java/templates/security/UsernamePrincipal.java
deleted file mode 100755
index 781dd5a..0000000
--- a/geode-core/src/test/java/templates/security/UsernamePrincipal.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import java.io.Serializable;
-import java.security.Principal;
-
-/**
- * An implementation of {@link Principal} class for a simple user name.
- *
- * @author Kumar Neeraj
- * @since 5.5
- */
-public class UsernamePrincipal implements Principal, Serializable {
-
- private final String userName;
-
- public UsernamePrincipal(String userName) {
- this.userName = userName;
- }
-
- public String getName() {
- return this.userName;
- }
-
- @Override
- public String toString() {
- return this.userName;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java b/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java
deleted file mode 100644
index 023c214..0000000
--- a/geode-core/src/test/java/templates/security/UsernamePrincipalTest.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.test.junit.categories.UnitTest;
-import org.apache.commons.lang.SerializationUtils;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-import java.io.Serializable;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- * Unit tests for {@link UsernamePrincipal}
- */
-@Category(UnitTest.class)
-public class UsernamePrincipalTest {
-
- @Test
- public void isSerializable() throws Exception {
- assertThat(UsernamePrincipal.class).isInstanceOf(Serializable.class);
- }
-
- @Test
- public void canBeSerialized() throws Exception {
- String name = "jsmith";
- UsernamePrincipal instance = new UsernamePrincipal(name);
-
- UsernamePrincipal cloned = (UsernamePrincipal) SerializationUtils.clone(instance);
-
- assertThat(cloned.getName()).isEqualTo(name);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/XmlAuthorization.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/XmlAuthorization.java b/geode-core/src/test/java/templates/security/XmlAuthorization.java
deleted file mode 100755
index 29d94de..0000000
--- a/geode-core/src/test/java/templates/security/XmlAuthorization.java
+++ /dev/null
@@ -1,672 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.cache.Cache;
-import com.gemstone.gemfire.cache.operations.ExecuteFunctionOperationContext;
-import com.gemstone.gemfire.cache.operations.OperationContext;
-import com.gemstone.gemfire.cache.operations.OperationContext.OperationCode;
-import com.gemstone.gemfire.cache.operations.QueryOperationContext;
-import com.gemstone.gemfire.distributed.DistributedMember;
-import com.gemstone.gemfire.security.AccessControl;
-import com.gemstone.gemfire.security.NotAuthorizedException;
-import org.w3c.dom.Attr;
-import org.w3c.dom.Document;
-import org.w3c.dom.NamedNodeMap;
-import org.w3c.dom.Node;
-import org.w3c.dom.NodeList;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-
-/**
- * An implementation of the <code>{@link AccessControl}</code> interface that
- * allows authorization using the permissions as specified in the given XML
- * file.
- *
- * The format of the XML file is specified in <a href="authz5_5.dtd"/>. It
- * implements a role-based authorization at the operation level for each region.
- * Each principal name may be associated with a set of roles. The name of the
- * principal is obtained using the {@link Principal#getName} method and no other
- * information of the principal is utilized. Each role can be provided
- * permissions to execute operations for each region.
- *
- * The top-level element in the XML is "acl" tag that contains the "role" and
- * "permission" tags. The "role" tag contains the list of users that have been
- * given that role. The name of the role is specified in the "role" attribute
- * and the users are contained in the "user" tags insided the "role" tag.
- *
- * The "permissions" tag contains the list of operations allowed for a
- * particular region. The role name is specified as the "role" attribute, the
- * list of comma separated region names as the optional "regions" attribute and
- * the operation names are contained in the "operation" tags inside the
- * "permissions" tag. The allowed operation names are: GET, PUT, PUTALL,
- * DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST, CONTAINS_KEY, KEY_SET,
- * QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR, REGION_CREATE,
- * REGION_DESTROY. These correspond to the operations in the
- * {@link OperationCode} enumeration with the same name.
- *
- * When no region name is specified then the operation is allowed for all
- * regions in the cache. Any permissions specified for regions using the
- * "regions" attribute override these permissions. This allows users to provide
- * generic permissions without any region name, and override for specific
- * regions specified using the "regions" attribute. A cache-level operation
- * (e.g. {@link OperationCode#REGION_DESTROY}) specified for a particular region
- * is ignored i.e. the cache-level operations are only applicable when no region
- * name is specified. A {@link OperationCode#QUERY} operation is permitted when
- * either the <code>QUERY</code> permission is provided at the cache-level for
- * the user or when <code>QUERY</code> permission is provided for all the
- * regions that are part of the query string.
- *
- * Any roles specified in the "user" tag that do not have a specified permission
- * set using the "permission" tags are ignored. When no {@link Principal} is
- * associated with the current connection, then empty user name is used to
- * search for the roles so an empty user name can be used to specify roles of
- * unauthenticated clients (i.e. <code>Everyone</code>).
- *
- * This sample implementation is useful only for pre-operation checks and should
- * not be used for post-operation authorization since it does nothing useful for
- * post-operation case.
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class XmlAuthorization implements AccessControl {
-
- public static final String DOC_URI_PROP_NAME = "security-authz-xml-uri";
-
- private static final String TAG_ROLE = "role";
-
- private static final String TAG_USER = "user";
-
- private static final String TAG_PERMS = "permission";
-
- private static final String TAG_OP = "operation";
-
- private static final String ATTR_ROLENAME = "name";
-
- private static final String ATTR_ROLE = "role";
-
- private static final String ATTR_REGIONS = "regions";
-
- private static final String ATTR_FUNCTION_IDS = "functionIds";
-
- private static final String ATTR_FUNCTION_OPTIMIZE_FOR_WRITE =
- "optimizeForWrite";
-
- private static final String ATTR_FUNCTION_KEY_SET = "keySet";
-
- private static String currentDocUri = null;
-
- private static Map<String, HashSet<String>> userRoles = null;
-
- private static Map<String, Map<String,
- Map<OperationCode, FunctionSecurityPrmsHolder>>> rolePermissions = null;
-
- private static NotAuthorizedException xmlLoadFailure = null;
-
- private static final Object sync = new Object();
-
- private static final String EMPTY_VALUE = "";
-
- private final Map<String, Map<OperationCode,
- FunctionSecurityPrmsHolder>> allowedOps;
-
- protected LogWriter logger;
-
- protected LogWriter securityLogger;
-
- private XmlAuthorization() {
-
- this.allowedOps = new HashMap<String, Map<OperationCode,
- FunctionSecurityPrmsHolder>>();
- this.logger = null;
- this.securityLogger = null;
- }
-
- /**
- * Change the region name to a standard format having single '/' as separator
- * and starting with a '/' as in standard POSIX paths
- */
- public static String normalizeRegionName(String regionName) {
-
- if (regionName == null || regionName.length() == 0) {
- return EMPTY_VALUE;
- }
- char[] resultName = new char[regionName.length() + 1];
- boolean changed = false;
- boolean isPrevCharSlash = false;
- int startIndex;
- if (regionName.charAt(0) != '/') {
- changed = true;
- startIndex = 0;
- }
- else {
- isPrevCharSlash = true;
- startIndex = 1;
- }
- resultName[0] = '/';
- int resultLength = 1;
- // Replace all more than one '/'s with a single '/'
- for (int index = startIndex; index < regionName.length(); ++index) {
- char currChar = regionName.charAt(index);
- if (currChar == '/') {
- if (isPrevCharSlash) {
- changed = true;
- continue;
- }
- isPrevCharSlash = true;
- }
- else {
- isPrevCharSlash = false;
- }
- resultName[resultLength++] = currChar;
- }
- // Remove any trailing slash
- if (resultName[resultLength - 1] == '/') {
- --resultLength;
- changed = true;
- }
- if (changed) {
- return new String(resultName, 0, resultLength);
- }
- else {
- return regionName;
- }
- }
-
- /** Get the attribute value for a given attribute name of a node. */
- private static String getAttributeValue(Node node, String attrName) {
-
- NamedNodeMap attrMap = node.getAttributes();
- Node attrNode;
- if (attrMap != null && (attrNode = attrMap.getNamedItem(attrName)) != null) {
- return ((Attr)attrNode).getValue();
- }
- return EMPTY_VALUE;
- }
-
- /** Get the string contained in the first text child of the node. */
- private static String getNodeValue(Node node) {
-
- NodeList childNodes = node.getChildNodes();
- for (int index = 0; index < childNodes.getLength(); index++) {
- Node childNode = childNodes.item(index);
- if (childNode.getNodeType() == Node.TEXT_NODE) {
- return childNode.getNodeValue();
- }
- }
- return EMPTY_VALUE;
- }
-
- /**
- * Public static factory method to create an instance of
- * <code>XmlAuthorization</code>. The fully qualified name of the class
- * (<code>templates.security.XmlAuthorization.create</code>)
- * should be mentioned as the <code>security-client-accessor</code> system
- * property to enable pre-operation authorization checks as implemented in
- * this class.
- *
- * @return an object of <code>XmlAuthorization</code> class
- */
- public static AccessControl create() {
-
- return new XmlAuthorization();
- }
-
- /**
- * Cache authorization information for all users statically. This method is
- * not thread-safe and is should either be invoked only once, or the caller
- * should take the appropriate locks.
- *
- * @param cache
- * reference to the cache object for the distributed system
- */
- private static void init(Cache cache) throws NotAuthorizedException {
-
- LogWriter logger = cache.getLogger();
- String xmlDocumentUri = (String)cache.getDistributedSystem()
- .getSecurityProperties().get(DOC_URI_PROP_NAME);
- try {
- if (xmlDocumentUri == null) {
- throw new NotAuthorizedException("No ACL file defined using tag ["
- + DOC_URI_PROP_NAME + "] in system properties");
- }
- if (xmlDocumentUri.equals(XmlAuthorization.currentDocUri)) {
- if (XmlAuthorization.xmlLoadFailure != null) {
- throw XmlAuthorization.xmlLoadFailure;
- }
- return;
- }
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setIgnoringComments(true);
- factory.setIgnoringElementContentWhitespace(true);
- factory.setValidating(true);
- DocumentBuilder builder = factory.newDocumentBuilder();
- XmlErrorHandler errorHandler = new XmlErrorHandler(logger, xmlDocumentUri);
- builder.setErrorHandler(errorHandler);
- builder.setEntityResolver(new AuthzDtdResolver());
- Document xmlDocument = builder.parse(xmlDocumentUri);
-
- XmlAuthorization.userRoles = new HashMap<String, HashSet<String>>();
- XmlAuthorization.rolePermissions = new HashMap<String, Map<String,
- Map<OperationCode, FunctionSecurityPrmsHolder>>>();
- NodeList roleUserNodes = xmlDocument.getElementsByTagName(TAG_ROLE);
- for (int roleIndex = 0; roleIndex < roleUserNodes.getLength();
- roleIndex++) {
- Node roleUserNode = roleUserNodes.item(roleIndex);
- String roleName = getAttributeValue(roleUserNode, ATTR_ROLENAME);
- NodeList userNodes = roleUserNode.getChildNodes();
- for (int userIndex = 0; userIndex < userNodes.getLength();
- userIndex++) {
- Node userNode = userNodes.item(userIndex);
- if (userNode.getNodeName() == TAG_USER) {
- String userName = getNodeValue(userNode);
- HashSet<String> userRoleSet = XmlAuthorization.userRoles
- .get(userName);
- if (userRoleSet == null) {
- userRoleSet = new HashSet<String>();
- XmlAuthorization.userRoles.put(userName, userRoleSet);
- }
- userRoleSet.add(roleName);
- }
- else {
- throw new SAXParseException("Unknown tag ["
- + userNode.getNodeName() + "] as child of tag [" + TAG_ROLE
- + ']', null);
- }
- }
- }
- NodeList rolePermissionNodes = xmlDocument
- .getElementsByTagName(TAG_PERMS);
- for (int permIndex = 0; permIndex < rolePermissionNodes.getLength();
- permIndex++) {
- Node rolePermissionNode = rolePermissionNodes.item(permIndex);
- String roleName = getAttributeValue(rolePermissionNode, ATTR_ROLE);
- Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>
- regionOperationMap = XmlAuthorization.rolePermissions.get(roleName);
- if (regionOperationMap == null) {
- regionOperationMap = new HashMap<String,
- Map<OperationCode, FunctionSecurityPrmsHolder>>();
- XmlAuthorization.rolePermissions.put(roleName, regionOperationMap);
- }
- NodeList operationNodes = rolePermissionNode.getChildNodes();
- HashMap<OperationCode, FunctionSecurityPrmsHolder> operationMap =
- new HashMap<OperationCode, FunctionSecurityPrmsHolder>();
- for (int opIndex = 0; opIndex < operationNodes.getLength(); opIndex++) {
- Node operationNode = operationNodes.item(opIndex);
- if (operationNode.getNodeName() == TAG_OP) {
- String operationName = getNodeValue(operationNode);
- OperationCode code = OperationCode.parse(operationName);
- if (code == null) {
- throw new SAXParseException("Unknown operation [" + operationName
- + ']', null);
- }
- if (code != OperationCode.EXECUTE_FUNCTION) {
- operationMap.put(code, null);
- }
- else {
- String optimizeForWrite = getAttributeValue(operationNode,
- ATTR_FUNCTION_OPTIMIZE_FOR_WRITE);
- String functionAttr = getAttributeValue(operationNode,
- ATTR_FUNCTION_IDS);
- String keysAttr = getAttributeValue(operationNode,
- ATTR_FUNCTION_KEY_SET);
-
- Boolean isOptimizeForWrite;
- HashSet<String> functionIds;
- HashSet<String> keySet;
-
- if (optimizeForWrite == null || optimizeForWrite.length() == 0) {
- isOptimizeForWrite = null;
- }
- else {
- isOptimizeForWrite = Boolean.parseBoolean(optimizeForWrite);
- }
-
- if (functionAttr == null || functionAttr.length() == 0) {
- functionIds = null;
- }
- else {
- String[] functionArray = functionAttr.split(",");
- functionIds = new HashSet<String>();
- for (int strIndex = 0; strIndex < functionArray.length;
- ++strIndex) {
- functionIds.add((functionArray[strIndex]));
- }
- }
-
- if (keysAttr == null || keysAttr.length() == 0) {
- keySet = null;
- }
- else {
- String[] keySetArray = keysAttr.split(",");
- keySet = new HashSet<String>();
- for (int strIndex = 0; strIndex < keySetArray.length;
- ++strIndex) {
- keySet.add((keySetArray[strIndex]));
- }
- }
- FunctionSecurityPrmsHolder functionContext =
- new FunctionSecurityPrmsHolder(isOptimizeForWrite,
- functionIds, keySet);
- operationMap.put(code, functionContext);
- }
- }
- else {
- throw new SAXParseException("Unknown tag ["
- + operationNode.getNodeName() + "] as child of tag ["
- + TAG_PERMS + ']', null);
- }
- }
- String regionNames = getAttributeValue(rolePermissionNode, ATTR_REGIONS);
- if (regionNames == null || regionNames.length() == 0) {
- regionOperationMap.put(EMPTY_VALUE, operationMap);
- }
- else {
- String[] regionNamesSplit = regionNames.split(",");
- for (int strIndex = 0; strIndex < regionNamesSplit.length;
- ++strIndex) {
- regionOperationMap.put(
- normalizeRegionName(regionNamesSplit[strIndex]), operationMap);
- }
- }
- }
- XmlAuthorization.currentDocUri = xmlDocumentUri;
- }
- catch (Exception ex) {
- String exStr;
- if (ex instanceof NotAuthorizedException) {
- exStr = ex.getMessage();
- }
- else {
- exStr = ex.getClass().getName() + ": " + ex.getMessage();
- }
- logger.warning("XmlAuthorization.init: " + exStr);
- XmlAuthorization.xmlLoadFailure = new NotAuthorizedException(exStr, ex);
- throw XmlAuthorization.xmlLoadFailure;
- }
- }
-
- /**
- * Initialize the <code>XmlAuthorization</code> callback for a client having
- * the given principal.
- *
- * This method caches the full XML authorization file the first time it is
- * invoked and caches all the permissions for the provided
- * <code>principal</code> to speed up lookup the
- * <code>authorizeOperation</code> calls. The permissions for the principal
- * are maintained as a {@link Map} of region name to the {@link HashSet} of
- * operations allowed for that region. A global entry with region name as
- * empty string is also made for permissions provided for all the regions.
- *
- * @param principal
- * the principal associated with the authenticated client
- * @param cache
- * reference to the cache object
- * @param remoteMember
- * the {@link DistributedMember} object for the remote
- * authenticated client
- *
- * @throws NotAuthorizedException
- * if some exception condition happens during the
- * initialization while reading the XML; in such a case all
- * subsequent client operations will throw
- * <code>NotAuthorizedException</code>
- */
- public void init(Principal principal, DistributedMember remoteMember,
- Cache cache) throws NotAuthorizedException {
-
- synchronized (sync) {
- XmlAuthorization.init(cache);
- }
- this.logger = cache.getLogger();
- this.securityLogger = cache.getSecurityLogger();
-
- String name;
- if (principal != null) {
- name = principal.getName();
- }
- else {
- name = EMPTY_VALUE;
- }
- HashSet<String> roles = XmlAuthorization.userRoles.get(name);
- if (roles != null) {
- for (String roleName : roles) {
- Map<String, Map<OperationCode, FunctionSecurityPrmsHolder>>
- regionOperationMap = XmlAuthorization.rolePermissions.get(roleName);
- if (regionOperationMap != null) {
- for (Map.Entry<String, Map<OperationCode, FunctionSecurityPrmsHolder>>
- regionEntry : regionOperationMap.entrySet()) {
- String regionName = regionEntry.getKey();
- Map<OperationCode, FunctionSecurityPrmsHolder> regionOperations =
- this.allowedOps.get(regionName);
- if (regionOperations == null) {
- regionOperations =
- new HashMap<OperationCode, FunctionSecurityPrmsHolder>();
- this.allowedOps.put(regionName, regionOperations);
- }
- regionOperations.putAll(regionEntry.getValue());
- }
- }
- }
- }
- }
-
- /**
- * Return true if the given operation is allowed for the cache/region.
- *
- * This looks up the cached permissions of the principal in the map for the
- * provided region name. If none are found then the global permissions with
- * empty region name are looked up. The operation is allowed if it is found
- * this permission list.
- *
- * @param regionName
- * When null then it indicates a cache-level operation, else
- * the name of the region for the operation.
- * @param context
- * the data required by the operation
- *
- * @return true if the operation is authorized and false otherwise
- *
- */
- public boolean authorizeOperation(String regionName,
- final OperationContext context) {
-
- Map<OperationCode, FunctionSecurityPrmsHolder> operationMap;
- // Check GET permissions for updates from server to client
- if (context.isClientUpdate()) {
- operationMap = this.allowedOps.get(regionName);
- if (operationMap == null && regionName.length() > 0) {
- operationMap = this.allowedOps.get(EMPTY_VALUE);
- }
- if (operationMap != null) {
- return operationMap.containsKey(OperationCode.GET);
- }
- return false;
- }
-
- OperationCode opCode = context.getOperationCode();
- if (opCode.isQuery() || opCode.isExecuteCQ() || opCode.isCloseCQ()
- || opCode.isStopCQ()) {
- // First check if cache-level permission has been provided
- operationMap = this.allowedOps.get(EMPTY_VALUE);
- boolean globalPermission = (operationMap != null && operationMap
- .containsKey(opCode));
- Set<String> regionNames = ((QueryOperationContext)context)
- .getRegionNames();
- if (regionNames == null || regionNames.size() == 0) {
- return globalPermission;
- }
- for (String r : regionNames) {
- regionName = normalizeRegionName(r);
- operationMap = this.allowedOps.get(regionName);
- if (operationMap == null) {
- if (!globalPermission) {
- return false;
- }
- }
- else if (!operationMap.containsKey(opCode)) {
- return false;
- }
- }
- return true;
- }
-
- final String normalizedRegionName = normalizeRegionName(regionName);
- operationMap = this.allowedOps.get(normalizedRegionName);
- if (operationMap == null && normalizedRegionName.length() > 0) {
- operationMap = this.allowedOps.get(EMPTY_VALUE);
- }
- if (operationMap != null) {
- if (context.getOperationCode() != OperationCode.EXECUTE_FUNCTION) {
- return operationMap.containsKey(context.getOperationCode());
- }else {
- if (!operationMap.containsKey(context.getOperationCode())) {
- return false;
- }
- else {
- if (!context.isPostOperation()) {
- FunctionSecurityPrmsHolder functionParameter =
- operationMap.get(
- context.getOperationCode());
- ExecuteFunctionOperationContext functionContext =
- (ExecuteFunctionOperationContext)context;
- // OnRegion execution
- if (functionContext.getRegionName() != null) {
- if (functionParameter.isOptimizeForWrite() != null
- && functionParameter.isOptimizeForWrite().booleanValue()
- != functionContext.isOptimizeForWrite()) {
- return false;
- }
- if (functionParameter.getFunctionIds() != null
- && !functionParameter.getFunctionIds().contains(
- functionContext.getFunctionId())) {
- return false;
- }
- if (functionParameter.getKeySet() != null
- && functionContext.getKeySet() != null) {
- if (functionContext.getKeySet().containsAll(
- functionParameter.getKeySet())) {
- return false;
- }
- }
- return true;
- }
- else {// On Server execution
- if (functionParameter.getFunctionIds() != null
- && !functionParameter.getFunctionIds().contains(
- functionContext.getFunctionId())) {
- return false;
- }
- return true;
- }
- }
- else {
- ExecuteFunctionOperationContext functionContext =
- (ExecuteFunctionOperationContext)context;
- FunctionSecurityPrmsHolder functionParameter = operationMap.get(
- context.getOperationCode());
- if (functionContext.getRegionName() != null) {
- if (functionContext.getResult() instanceof ArrayList
- && functionParameter.getKeySet() != null) {
- ArrayList<String> resultList = (ArrayList)functionContext
- .getResult();
- HashSet<String> nonAllowedKeys = functionParameter.getKeySet();
- if (resultList.containsAll(nonAllowedKeys)) {
- return false;
- }
- }
- return true;
- }
- else {
- ArrayList<String> resultList = (ArrayList)functionContext
- .getResult();
- final String inSecureItem = "Insecure item";
- if (resultList.contains(inSecureItem)) {
- return false;
- }
- return true;
- }
- }
- }
- }
- }
- return false;
- }
-
- /**
- * Clears the cached information for this principal.
- */
- public void close() {
-
- this.allowedOps.clear();
- }
-
- /**
- * Clear all the statically cached information.
- */
- public static void clear() {
-
- XmlAuthorization.currentDocUri = null;
- if (XmlAuthorization.userRoles != null) {
- XmlAuthorization.userRoles.clear();
- XmlAuthorization.userRoles = null;
- }
- if (XmlAuthorization.rolePermissions != null) {
- XmlAuthorization.rolePermissions.clear();
- XmlAuthorization.rolePermissions = null;
- }
- XmlAuthorization.xmlLoadFailure = null;
- }
-
- private static class AuthzDtdResolver implements EntityResolver {
- Pattern authzPattern = Pattern.compile("authz.*\\.dtd");
-
- @Override
- public InputSource resolveEntity(String publicId, String systemId)
- throws SAXException, IOException {
- try {
- Matcher matcher = authzPattern.matcher(systemId);
- if(matcher.find()) {
- String dtdName = matcher.group(0);
- InputStream stream = XmlAuthorization.class.getResourceAsStream(dtdName);
- return new InputSource(stream);
- }
- } catch(Exception e) {
- //do nothing, use the default resolver
- }
-
- return null;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/java/templates/security/XmlErrorHandler.java
----------------------------------------------------------------------
diff --git a/geode-core/src/test/java/templates/security/XmlErrorHandler.java b/geode-core/src/test/java/templates/security/XmlErrorHandler.java
deleted file mode 100755
index 1326548..0000000
--- a/geode-core/src/test/java/templates/security/XmlErrorHandler.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package templates.security;
-
-import com.gemstone.gemfire.LogWriter;
-import com.gemstone.gemfire.internal.logging.LogService;
-import org.apache.logging.log4j.Logger;
-import org.xml.sax.ErrorHandler;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-
-/**
- * Implementation of {@link ErrorHandler} interface to handle validation errors
- * while XML parsing.
- *
- * This throws back exceptions raised for <code>error</code> and
- * <code>fatalError</code> cases while a {@link LogWriter#warning(String)} level
- * logging is done for the <code>warning</code> case.
- *
- * @author Sumedh Wale
- * @since 5.5
- */
-public class XmlErrorHandler implements ErrorHandler {
- private static final Logger logger = LogService.getLogger();
-
- private LogWriter logWriter;
-
- private String xmlFileName;
-
- public XmlErrorHandler(LogWriter logWriter, String xmlFileName) {
-
- this.logWriter = logWriter;
- this.xmlFileName = xmlFileName;
- }
-
- /**
- * Throws back the exception with the name of the XML file and the position
- * where the exception occurred.
- */
- public void error(SAXParseException exception) throws SAXException {
- throw new SAXParseException("Error while parsing XML at line "
- + exception.getLineNumber() + " column " + exception.getColumnNumber()
- + ": " + exception.getMessage(), null, exception);
- }
-
- /**
- * Throws back the exception with the name of the XML file and the position
- * where the exception occurred.
- */
- public void fatalError(SAXParseException exception) throws SAXException {
- throw new SAXParseException("Fatal error while parsing XML at line "
- + exception.getLineNumber() + " column " + exception.getColumnNumber()
- + ": " + exception.getMessage(), null, exception);
- }
-
- /**
- * Log the exception at {@link LogWriter#warning(String)} level with XML
- * filename and the position of exception in the file.
- */
- public void warning(SAXParseException exception) throws SAXException {
- this.logWriter.warning("Warning while parsing XML [" + this.xmlFileName
- + "] at line " + exception.getLineNumber() + " column "
- + exception.getColumnNumber() + ": " + exception.getMessage(), exception);
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml
new file mode 100644
index 0000000..de0cd17
--- /dev/null
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-dummy.xml
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
+ "com/gemstone/gemfire/security/templates/authz6_0.dtd" >
+<acl>
+
+ <role name="reader">
+ <user>reader0</user>
+ <user>reader1</user>
+ <user>reader2</user>
+ <user>root</user>
+ <user>admin</user>
+ <user>administrator</user>
+ </role>
+
+ <role name="writer">
+ <user>writer0</user>
+ <user>writer1</user>
+ <user>writer2</user>
+ <user>root</user>
+ <user>admin</user>
+ <user>administrator</user>
+ </role>
+
+ <role name="cacheOps">
+ <user>root</user>
+ <user>admin</user>
+ <user>administrator</user>
+ </role>
+
+ <role name="queryRegions">
+ <user>reader3</user>
+ <user>reader4</user>
+ </role>
+
+ <role name="registerInterest">
+ <user>reader5</user>
+ <user>reader6</user>
+ </role>
+
+ <role name="unregisterInterest">
+ <user>reader5</user>
+ <user>reader7</user>
+ </role>
+
+ <role name="onRegionFunctionExecutor">
+ <user>reader8</user>
+ </role>
+
+ <role name="onServerFunctionExecutor">
+ <user>reader9</user>
+ </role>
+
+ <permission role="cacheOps">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ <operation>REGION_CREATE</operation>
+ <operation>REGION_DESTROY</operation>
+ </permission>
+
+ <permission role="reader">
+ <operation>GET</operation>
+ <operation>REGISTER_INTEREST</operation>
+ <operation>UNREGISTER_INTEREST</operation>
+ <operation>KEY_SET</operation>
+ <operation>CONTAINS_KEY</operation>
+ <operation>EXECUTE_FUNCTION</operation>
+ </permission>
+
+ <permission role="writer">
+ <operation>PUT</operation>
+ <operation>PUTALL</operation>
+ <operation>DESTROY</operation>
+ <operation>INVALIDATE</operation>
+ <operation>REGION_CLEAR</operation>
+ </permission>
+
+ <permission role="queryRegions" regions="//Portfolios,/Positions/,AuthRegion">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ </permission>
+
+ <permission role="onRegionFunctionExecutor" regions="secureRegion,Positions">
+ <operation>PUT</operation>
+ <operation functionIds="SecureFunction,OptimizationFunction" optimizeForWrite="false" keySet="KEY-0,KEY-1">EXECUTE_FUNCTION</operation>
+ </permission>
+
+ <permission role="onServerFunctionExecutor" >
+ <operation>PUT</operation>
+ <operation functionIds="SecureFunction,OptimizationFunction">EXECUTE_FUNCTION</operation>
+ </permission>
+
+ <permission role="registerInterest">
+ <operation>REGISTER_INTEREST</operation>
+ <operation>GET</operation>
+ </permission>
+
+ <permission role="unregisterInterest">
+ <operation>UNREGISTER_INTEREST</operation>
+ <operation>GET</operation>
+ </permission>
+
+</acl>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml
new file mode 100644
index 0000000..cdfd478
--- /dev/null
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-ldap.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
+ "com/gemstone/gemfire/security/templates/authz5_5.dtd" >
+<acl>
+
+ <role name="reader">
+ <user>gemfire1</user>
+ <user>gemfire2</user>
+ <user>gemfire3</user>
+ <user>gemfire4</user>
+ <user>gemfire5</user>
+ </role>
+
+ <role name="writer">
+ <user>gemfire1</user>
+ <user>gemfire2</user>
+ <user>gemfire6</user>
+ <user>gemfire7</user>
+ <user>gemfire8</user>
+ </role>
+
+ <role name="cacheOps">
+ <user>gemfire1</user>
+ <user>gemfire2</user>
+ </role>
+
+ <role name="queryRegions">
+ <user>gemfire9</user>
+ <user>gemfire10</user>
+ </role>
+
+ <permission role="cacheOps">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ <operation>REGION_CREATE</operation>
+ <operation>REGION_DESTROY</operation>
+ </permission>
+
+ <permission role="reader">
+ <operation>GET</operation>
+ <operation>REGISTER_INTEREST</operation>
+ <operation>UNREGISTER_INTEREST</operation>
+ <operation>KEY_SET</operation>
+ <operation>CONTAINS_KEY</operation>
+ <operation>EXECUTE_FUNCTION</operation>
+ </permission>
+
+ <permission role="writer">
+ <operation>PUT</operation>
+ <operation>PUTALL</operation>
+ <operation>DESTROY</operation>
+ <operation>INVALIDATE</operation>
+ <operation>REGION_CLEAR</operation>
+ </permission>
+
+ <permission role="queryRegions" regions="Portfolios,/Positions//,/AuthRegion">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ </permission>
+
+</acl>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml
new file mode 100644
index 0000000..f64eb2e
--- /dev/null
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-dummy.xml
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
+ "com/gemstone/gemfire/security/templates/authz6_0.dtd" >
+<acl>
+
+ <role name="reader">
+ <user>user1</user>
+ <user>user2</user>
+ <user>root</user>
+ <user>admin</user>
+ <user>administrator</user>
+ </role>
+
+ <role name="writer">
+ <user>user3</user>
+ <user>user4</user>
+ <user>root</user>
+ <user>admin</user>
+ <user>administrator</user>
+ </role>
+
+ <role name="cacheOps">
+ <user>user1</user>
+ <user>user2</user>
+ <user>root</user>
+ <user>admin</user>
+ <user>administrator</user>
+ </role>
+
+ <role name="queryRegions">
+ <user>user5</user>
+ <user>user6</user>
+ </role>
+
+ <role name="registerInterest">
+ <user>user7</user>
+ <user>user8</user>
+ </role>
+
+ <role name="unregisterInterest">
+ <user>user5</user>
+ <user>user7</user>
+ </role>
+
+ <permission role="cacheOps">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ </permission>
+
+ <permission role="reader">
+ <operation>GET</operation>
+ <operation>REGISTER_INTEREST</operation>
+ <operation>UNREGISTER_INTEREST</operation>
+ <operation>KEY_SET</operation>
+ <operation>CONTAINS_KEY</operation>
+ <operation>EXECUTE_FUNCTION</operation>
+ </permission>
+
+ <permission role="writer">
+ <operation>PUT</operation>
+ <operation>PUTALL</operation>
+ <operation>DESTROY</operation>
+ <operation>INVALIDATE</operation>
+ <operation>REGION_CLEAR</operation>
+ </permission>
+
+ <permission role="queryRegions" regions="//Portfolios,/Positions/,AuthRegion">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ </permission>
+
+ <permission role="registerInterest">
+ <operation>REGISTER_INTEREST</operation>
+ <operation>GET</operation>
+ </permission>
+
+ <permission role="unregisterInterest">
+ <operation>UNREGISTER_INTEREST</operation>
+ <operation>GET</operation>
+ </permission>
+
+</acl>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml
new file mode 100644
index 0000000..5469972
--- /dev/null
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/authz-multiUser-ldap.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to You under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<!DOCTYPE acl PUBLIC "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
+ "com/gemstone/gemfire/security/templates/authz5_5.dtd" >
+<acl>
+
+ <role name="reader">
+ <user>gemfire1</user>
+ <user>gemfire2</user>
+ <user>gemfire3</user>
+ <user>gemfire4</user>
+ <user>gemfire5</user>
+ </role>
+
+ <role name="writer">
+ <user>gemfire1</user>
+ <user>gemfire2</user>
+ <user>gemfire6</user>
+ <user>gemfire7</user>
+ <user>gemfire8</user>
+ </role>
+
+ <role name="cacheOps">
+ <user>gemfire1</user>
+ <user>gemfire2</user>
+ </role>
+
+ <role name="queryRegions">
+ <user>gemfire9</user>
+ <user>gemfire10</user>
+ </role>
+
+ <permission role="cacheOps">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ </permission>
+
+ <permission role="reader">
+ <operation>GET</operation>
+ <operation>REGISTER_INTEREST</operation>
+ <operation>UNREGISTER_INTEREST</operation>
+ <operation>KEY_SET</operation>
+ <operation>CONTAINS_KEY</operation>
+ <operation>EXECUTE_FUNCTION</operation>
+ </permission>
+
+ <permission role="writer">
+ <operation>PUT</operation>
+ <operation>PUTALL</operation>
+ <operation>DESTROY</operation>
+ <operation>INVALIDATE</operation>
+ <operation>REGION_CLEAR</operation>
+ </permission>
+
+ <permission role="queryRegions" regions="Portfolios,/Positions//,/AuthRegion">
+ <operation>QUERY</operation>
+ <operation>EXECUTE_CQ</operation>
+ <operation>STOP_CQ</operation>
+ <operation>CLOSE_CQ</operation>
+ </permission>
+
+</acl>
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore
new file mode 100644
index 0000000..15270bb
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire1.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore
new file mode 100644
index 0000000..bb6f827
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire10.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore
new file mode 100644
index 0000000..6839c74
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire11.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore
new file mode 100644
index 0000000..fcb7ab8
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire2.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore
new file mode 100644
index 0000000..19afc4b
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire3.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore
new file mode 100644
index 0000000..c65916a
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire4.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore
new file mode 100644
index 0000000..d738cca
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire5.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore
new file mode 100644
index 0000000..1fea2d3
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire6.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore
new file mode 100644
index 0000000..7a3187c
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire7.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore
new file mode 100644
index 0000000..a3bb886
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire8.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore
new file mode 100644
index 0000000..674b4e6
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/gemfire9.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore
new file mode 100644
index 0000000..4f9120c
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire1.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore
new file mode 100644
index 0000000..0bd97d7
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire10.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore
new file mode 100644
index 0000000..62ae3c7
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire11.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore
new file mode 100644
index 0000000..c65bc81
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire2.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore
new file mode 100644
index 0000000..b0796e0
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire3.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore
new file mode 100644
index 0000000..9c94018
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire4.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore
new file mode 100644
index 0000000..33f6937
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire5.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore
new file mode 100644
index 0000000..568f674
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire6.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore
new file mode 100644
index 0000000..80e2d80
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire7.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore
new file mode 100644
index 0000000..a15def5
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire8.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore
new file mode 100644
index 0000000..72087f3
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/gemfire9.keystore differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile
new file mode 100644
index 0000000..1b13872
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/ibm/publickeyfile differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile
new file mode 100644
index 0000000..9c2daa3
Binary files /dev/null and b/geode-core/src/test/resources/com/gemstone/gemfire/security/generator/keys/publickeyfile differ
http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/8de59df1/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd
----------------------------------------------------------------------
diff --git a/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd b/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd
new file mode 100644
index 0000000..7080c0e
--- /dev/null
+++ b/geode-core/src/test/resources/com/gemstone/gemfire/security/templates/authz5_5.dtd
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!--
+
+This is the XML DTD for the GemFire sample XML based authorization callback
+in com.gemstone.gemfire.security.templates.XmlAuthorization.
+
+All XMLs must include a DOCTYPE of the following form:
+
+ <!DOCTYPE acl PUBLIC
+ "-//GemStone Systems, Inc.//GemFire XML Authorization 1.0//EN"
+ "http://www.gemstone.com/dtd/authz5_5.dtd">
+
+The contents of a declarative XML file correspond to APIs found in the
+
+ com.gemstone.gemfire.security.AccessControl
+
+package. The sample implementation may be used to specify access control
+policies.
+
+-->
+
+<!--
+
+The following conventions apply to all GemFire sample authorization
+XML file elements unless indicated otherwise.
+
+- In elements that contain PCDATA, leading and trailing whitespace in
+ the data may be ignored.
+
+- In elements whose value is an "enumerated type", the value is case
+ sensitive.
+
+-->
+
+
+<!--
+The "acl" element is the root element of the authorization file.
+This element contains the role to user mappings and role to permissions
+mapping on a per region per operation basis.
+-->
+
+<!ELEMENT acl (role+,permission+)>
+
+<!--
+The "role" element contains the set of users that have the permissions of
+given role. A user can be present in more than one "role" elements in
+which case the union of the permissions to all those roles determines
+the full set of permissions to be given to the user.
+-->
+
+<!ELEMENT role (user*)>
+<!ATTLIST role
+ name CDATA #REQUIRED
+>
+
+<!--
+The "user" element is contained within the "role" element and contains
+the name of a user having the permissions of that role.
+-->
+
+<!ELEMENT user (#PCDATA)>
+
+<!--
+The "permission" element specifies the list of operations that are allowed
+for a particular role in the given regions as provided in the optional
+"regions" attribute. The value of "regions" attribute should be a comma
+separated list of region names for which permissions are to be provided.
+If no "regions" attribute is provided then those permissions are provided
+for all the other regions (i.e. other than those that have been explicitly
+specified). Permissions for cache level operations REGION_DESTROY,
+REGION_CREATE, QUERY and CQ operations should be specified with no "regions"
+attribute. If cache-level permission is not provided for QUERY or CQ operations
+then the permission for all the region names in the query string is checked.
+-->
+
+<!ELEMENT permission (operation*)>
+<!ATTLIST permission
+ role CDATA #REQUIRED
+ regions CDATA #IMPLIED
+>
+
+
+<!--
+The operation should be one of the following strings:
+ GET, PUT, PUTALL, DESTROY, REGISTER_INTEREST, UNREGISTER_INTEREST,
+ CONTAINS_KEY, KEY_SET, QUERY, EXECUTE_CQ, STOP_CQ, CLOSE_CQ, REGION_CLEAR,
+ REGION_CREATE, REGION_DESTROY
+-->
+<!ELEMENT operation (#PCDATA)>