GEODE-1993: refactor tests to use rules rather than abstract classes

* created ServerStarter and LocatorStarter in the rule package
* refacterred LocatorServerConfigurationRule
* refactor tests to use these rules


Project: http://git-wip-us.apache.org/repos/asf/incubator-geode/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-geode/commit/de621597
Tree: http://git-wip-us.apache.org/repos/asf/incubator-geode/tree/de621597
Diff: http://git-wip-us.apache.org/repos/asf/incubator-geode/diff/de621597

Branch: refs/heads/develop
Commit: de62159780496c3362a1b6ac840e87bba019bc62
Parents: b065993
Author: Jinmei Liao <jil...@pivotal.io>
Authored: Wed Oct 12 09:30:15 2016 -0700
Committer: Jinmei Liao <jil...@pivotal.io>
Committed: Fri Oct 14 14:59:26 2016 -0700

----------------------------------------------------------------------
 .../internal/web/RestSecurityDUnitTest.java     | 557 -------------------
 .../web/RestSecurityIntegrationTest.java        | 497 +++++++++++++++++
 .../security/IntegratedSecurityService.java     |   2 +-
 .../security/AccessControlMBeanJUnitTest.java   |   7 +-
 ...CacheServerMBeanAuthenticationJUnitTest.java |   7 +-
 .../CacheServerMBeanAuthorizationJUnitTest.java |  13 +-
 .../CacheServerMBeanShiroJUnitTest.java         |  30 +-
 .../security/CacheServerStartupRule.java        |  74 +++
 .../security/CliCommandsSecurityTest.java       |   9 +-
 .../security/DataCommandsSecurityTest.java      |  11 +-
 .../DiskStoreMXBeanSecurityJUnitTest.java       |   9 +-
 .../GatewayReceiverMBeanSecurityTest.java       |   9 +-
 .../GatewaySenderMBeanSecurityTest.java         |   9 +-
 .../security/GfshCommandsPostProcessorTest.java |  30 +-
 .../security/GfshCommandsSecurityTest.java      |  48 +-
 .../security/GfshShellConnectionRule.java       |   5 +-
 .../security/JMXConnectionConfiguration.java    |  33 --
 .../security/JavaRmiServerNameTest.java         |  28 +-
 .../JsonAuthorizationCacheStartRule.java        |  86 ---
 .../LockServiceMBeanAuthorizationJUnitTest.java |  11 +-
 .../security/MBeanSecurityJUnitTest.java        |  10 +-
 .../security/MBeanServerConnectionRule.java     | 130 -----
 .../ManagerMBeanAuthorizationJUnitTest.java     |   9 +-
 .../security/MemberMBeanSecurityJUnitTest.java  |  13 +-
 .../security/ResourcePermissionTest.java        |  25 +-
 .../internal/security/ShiroCacheStartRule.java  |  64 ---
 .../security/AbstractSecureServerDUnitTest.java | 104 +---
 .../ClusterConfigWithoutSecurityDUnitTest.java  |  26 +-
 .../security/IntegratedClientAuthDUnitTest.java |  19 +-
 .../NoShowValue1PostProcessorDUnitTest.java     |   8 +-
 .../security/PDXPostProcessorDUnitTest.java     |  18 +-
 .../geode/security/PostProcessorDUnitTest.java  |  10 +-
 .../SecurityClusterConfigDUnitTest.java         |  46 +-
 .../SecurityWithoutClusterConfigDUnitTest.java  |  16 +-
 .../security/StartServerAuthorizationTest.java  |  17 +-
 .../dunit/rules/ConnectionConfiguration.java    |  34 ++
 .../rules/LocatorServerConfigurationRule.java   | 148 -----
 .../dunit/rules/LocatorServerStartupRule.java   | 133 +++++
 .../geode/test/dunit/rules/LocatorStarter.java  |  74 +++
 .../dunit/rules/MBeanServerConnectionRule.java  | 132 +++++
 .../geode/test/dunit/rules/ServerStarter.java   |  99 ++++
 .../geode/security/CQClientAuthDunitTest.java   |   6 +-
 .../security/CQPDXPostProcessorDUnitTest.java   |  19 +-
 .../security/CQPostProcessorDunitTest.java      |  10 +-
 .../LuceneClusterConfigurationDUnitTest.java    |  25 +-
 .../web/controllers/CommonCrudController.java   |   4 +-
 .../web/controllers/PdxBasedCrudController.java |   4 +-
 .../web/security/RestSecurityService.java       |   2 +-
 48 files changed, 1382 insertions(+), 1298 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java
 
b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java
deleted file mode 100644
index 59e00c8..0000000
--- 
a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityDUnitTest.java
+++ /dev/null
@@ -1,557 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.geode.rest.internal.web;
-
-import static org.junit.Assert.*;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.net.MalformedURLException;
-import java.nio.charset.StandardCharsets;
-
-import org.apache.http.HttpEntity;
-import org.apache.http.HttpHost;
-import org.apache.http.HttpResponse;
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.http.client.AuthCache;
-import org.apache.http.client.ClientProtocolException;
-import org.apache.http.client.CredentialsProvider;
-import org.apache.http.client.methods.HttpDelete;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.client.methods.HttpHead;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.client.methods.HttpPut;
-import org.apache.http.client.methods.HttpRequestBase;
-import org.apache.http.client.protocol.HttpClientContext;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.auth.BasicScheme;
-import org.apache.http.impl.client.BasicAuthCache;
-import org.apache.http.impl.client.BasicCredentialsProvider;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.json.JSONArray;
-import org.json.JSONObject;
-import org.json.JSONTokener;
-import org.junit.Test;
-import org.junit.experimental.categories.Category;
-
-import org.apache.geode.internal.AvailablePortHelper;
-import org.apache.geode.security.AbstractSecureServerDUnitTest;
-import org.apache.geode.test.junit.categories.DistributedTest;
-import org.apache.geode.test.junit.categories.SecurityTest;
-
-
-@Category({ DistributedTest.class, SecurityTest.class })
-public class RestSecurityDUnitTest extends AbstractSecureServerDUnitTest {
-
-  public final static String PROTOCOL = "http";
-  public final static String HOSTNAME = "localhost";
-  public final static String CONTEXT = "/geode/v1";
-
-  public RestSecurityDUnitTest() throws MalformedURLException {
-    int[] ports = AvailablePortHelper.getRandomAvailableTCPPorts(2);
-    this.jmxPort = ports[0];
-    this.restPort = ports[1];
-  }
-
-  @Test
-  public void testFunctions() {
-    client1.invoke(() -> {
-      String json = "{\"@type\":\"double\",\"@value\":210}";
-
-      HttpResponse response = doGet("/functions", "unknown-user", "1234567");
-      assertEquals(401, getCode(response));
-      response = doGet("/functions", "stranger", "1234567");
-      assertEquals(403, getCode(response));
-      response = doGet("/functions", "dataReader", "1234567");
-      assertTrue(isOK(response));
-
-      response = doPost("/functions/AddFreeItemsToOrder", "unknown-user", 
"1234567", json);
-      assertEquals(401, getCode(response));
-      response = doPost("/functions/AddFreeItemsToOrder", "dataReader", 
"1234567", json);
-      assertEquals(403, getCode(response));
-      response = doPost("/functions/AddFreeItemsToOrder?onRegion=" + 
REGION_NAME, "dataWriter", "1234567", json);
-      // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
-      assertEquals(500, getCode(response));
-    });
-  }
-
-  @Test
-  public void testQueries() {
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/queries", "unknown-user", "1234567");
-      assertEquals(401, getCode(response));
-      response = doGet("/queries", "stranger", "1234567");
-      assertEquals(403, getCode(response));
-      response = doGet("/queries", "dataReader", "1234567");
-      assertEquals(200, getCode(response));
-    });
-  }
-
-  @Test
-  public void testAdhocQuery() {
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/queries/adhoc?q=", "unknown-user", 
"1234567");
-      assertEquals(401, getCode(response));
-      response = doGet("/queries/adhoc?q=", "stranger", "1234567");
-      assertEquals(403, getCode(response));
-      response = doGet("/queries/adhoc?q=", "dataReader", "1234567");
-      // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
-      assertEquals(500, getCode(response));
-    });
-  }
-
-  @Test
-  public void testPostQuery() {
-    client1.invoke(() -> {
-      HttpResponse response = doPost("/queries?id=0&q=", "unknown-user", 
"1234567", "");
-      assertEquals(401, getCode(response));
-      response = doPost("/queries?id=0&q=", "stranger", "1234567", "");
-      assertEquals(403, getCode(response));
-      response = doPost("/queries?id=0&q=", "dataWriter", "1234567", "");
-      // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
-      assertEquals(500, getCode(response));
-    });
-  }
-
-  @Test
-  public void testPostQuery2() {
-    client1.invoke(() -> {
-      HttpResponse response = doPost("/queries/id", "unknown-user", "1234567", 
"{\"id\" : \"foo\"}");
-      assertEquals(401, getCode(response));
-      response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : 
\"foo\"}");
-      assertEquals(403, getCode(response));
-      response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : 
\"foo\"}");
-      // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
-      assertEquals(500, getCode(response));
-    });
-  }
-
-  @Test
-  public void testPutQuery() {
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/queries/id", "unknown-user", "1234567", 
"{\"id\" : \"foo\"}");
-      assertEquals(401, getCode(response));
-      response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : 
\"foo\"}");
-      assertEquals(403, getCode(response));
-      response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : 
\"foo\"}");
-      // We should get a 404 because we're trying to update a query that 
doesn't exist
-      assertEquals(404, getCode(response));
-    });
-  }
-
-  @Test
-  public void testDeleteQuery() {
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/queries/id", "unknown-user", 
"1234567");
-      assertEquals(401, getCode(response));
-      response = doDelete("/queries/id", "stranger", "1234567");
-      assertEquals(403, getCode(response));
-      response = doDelete("/queries/id", "dataWriter", "1234567");
-      // We should get a 404 because we're trying to delete a query that 
doesn't exist
-      assertEquals(404, getCode(response));
-    });
-  }
-
-  @Test
-  public void testServers() {
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/servers", "unknown-user", "1234567");
-      assertEquals(401, getCode(response));
-      response = doGet("/servers", "stranger", "1234567");
-      assertEquals(403, getCode(response));
-      response = doGet("/servers", "super-user", "1234567");
-      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * This test should always return an OK, whether the user is known or 
unknown.  A phishing script should not be
-   * able to determine whether a user/password combination is good
-   */
-  @Test
-  public void testPing() {
-    client1.invoke(() -> {
-      HttpResponse response = doHEAD("/ping", "stranger", "1234567");
-      assertTrue(isOK(response));
-      response = doGet("/ping", "stranger", "1234567");
-      assertTrue(isOK(response));
-
-      response = doHEAD("/ping", "super-user", "1234567");
-      assertTrue(isOK(response));
-      response = doGet("/ping", "super-user", "1234567");
-      assertTrue(isOK(response));
-
-      // TODO - invalid username/password should still respond, but doesn't
-      //      response = doHEAD("/ping", "unknown-user", "badpassword");
-      //      assertTrue(isOK(response));
-      //      response = doGet("/ping", "unknown-user", "badpassword");
-      //      assertTrue(isOK(response));
-
-      // TODO - credentials are currently required and shouldn't be for this 
endpoint
-      //      response = doHEAD("/ping", null, null);
-      //      assertTrue(isOK(response));
-      //      response = doGet("/ping", null, null);
-      //      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * Test permissions on retrieving a list of regions.
-   */
-  @Test
-  public void getRegions() {
-    client1.invoke(() -> {
-      HttpResponse response = doGet("", "dataReader", "1234567");
-      assertEquals("A '200 - OK' was expected", 200, getCode(response));
-
-      assertTrue(isOK(response));
-      JSONObject jsonObject = new JSONObject(getResponseBody(response));
-      JSONArray regions = jsonObject.getJSONArray("regions");
-      assertNotNull(regions);
-      assertTrue(regions.length() > 0);
-      JSONObject region = regions.getJSONObject(0);
-      assertEquals("AuthRegion", region.get("name"));
-      assertEquals("REPLICATE", region.get("type"));
-    });
-
-    // List regions with an unknown user - 401
-    client1.invoke(() -> {
-      HttpResponse response = doGet("", "unknown-user", "badpassword");
-      assertEquals(401, getCode(response));
-    });
-
-    // list regions with insufficent rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doGet("", "authRegionReader", "1234567");
-      assertEquals(403, getCode(response));
-    });
-  }
-
-  /**
-   * Test permissions on getting a region
-   */
-  @Test
-  public void getRegion() {
-    // Test an unknown user - 401 error
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME, "unknown-user", 
"1234567");
-      assertEquals(401, getCode(response));
-    });
-
-    // Test a user with insufficient rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME, "stranger", "1234567");
-      assertEquals(403, getCode(response));
-    });
-
-    // Test an authorized user - 200
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME, "super-user", 
"1234567");
-      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * Test permissions on HEAD region
-   */
-  @Test
-  public void headRegion() {
-    // Test an unknown user - 401 error
-    client1.invoke(() -> {
-      HttpResponse response = doHEAD("/" + REGION_NAME, "unknown-user", 
"1234567");
-      assertEquals(401, getCode(response));
-    });
-
-    // Test a user with insufficient rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doHEAD("/" + REGION_NAME, "stranger", "1234567");
-      assertEquals(403, getCode(response));
-    });
-
-    // Test an authorized user - 200
-    client1.invoke(() -> {
-      HttpResponse response = doHEAD("/" + REGION_NAME, "super-user", 
"1234567");
-      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * Test permissions on deleting a region
-   */
-  @Test
-  public void deleteRegion() {
-    // Test an unknown user - 401 error
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/" + REGION_NAME, "unknown-user", 
"1234567");
-      assertEquals(401, getCode(response));
-    });
-
-    // Test a user with insufficient rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/" + REGION_NAME, "dataReader", 
"1234567");
-      assertEquals(403, getCode(response));
-    });
-
-    // Test an authorized user - 200
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/" + REGION_NAME, "super-user", 
"1234567");
-      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * Test permissions on getting a region's keys
-   */
-  @Test
-  public void getRegionKeys() {
-    // Test an authorized user
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME + "/keys", "super-user", 
"1234567");
-      assertTrue(isOK(response));
-    });
-    // Test an unauthorized user
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME + "/keys", "dataWriter", 
"1234567");
-      assertEquals(403, getCode(response));
-    });
-  }
-
-  /**
-   * Test permissions on retrieving a key from a region
-   */
-  @Test
-  public void getRegionKey() {
-    // Test an authorized user
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME + "/key1", "key1User", 
"1234567");
-      assertTrue(isOK(response));
-    });
-    // Test an unauthorized user
-    client1.invoke(() -> {
-      HttpResponse response = doGet("/" + REGION_NAME + "/key1", "dataWriter", 
"1234567");
-      assertEquals(403, getCode(response));
-    });
-  }
-
-  /**
-   * Test permissions on deleting a region's key(s)
-   */
-  @Test
-  public void deleteRegionKey() {
-    // Test an unknown user - 401 error
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/" + REGION_NAME + "/key1", 
"unknown-user", "1234567");
-      assertEquals(401, getCode(response));
-    });
-
-    // Test a user with insufficient rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/" + REGION_NAME + "/key1", 
"dataReader", "1234567");
-      assertEquals(403, getCode(response));
-    });
-
-    // Test an authorized user - 200
-    client1.invoke(() -> {
-      HttpResponse response = doDelete("/" + REGION_NAME + "/key1", 
"key1User", "1234567");
-      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * Test permissions on deleting a region's key(s)
-   */
-  @Test
-  public void postRegionKey() {
-    // Test an unknown user - 401 error
-    client1.invoke(() -> {
-      HttpResponse response = doPost("/" + REGION_NAME + "?key9", "unknown", 
"1234567", "{ \"key9\" : \"foo\" }");
-      assertEquals(401, getCode(response));
-    });
-
-    // Test a user with insufficient rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doPost("/" + REGION_NAME + "?key9", 
"dataReader", "1234567", "{ \"key9\" : \"foo\" }");
-      assertEquals(403, getCode(response));
-    });
-
-    // Test an authorized user - 200
-    client1.invoke(() -> {
-      HttpResponse response = doPost("/" + REGION_NAME + "?key9", 
"dataWriter", "1234567", "{ \"key9\" : \"foo\" }");
-      assertEquals(201, getCode(response));
-      assertTrue(isOK(response));
-    });
-  }
-
-  /**
-   * Test permissions on deleting a region's key(s)
-   */
-  @Test
-  public void putRegionKey() {
-
-    String json = 
"{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order
 for  XYZ 
Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly
 
Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225}";
-    String casJSON = 
"{\"@old\":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order
 for  XYZ 
Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly
 
Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225},\"@new
 
\":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1013,\"description\":\"Order
 for  New 
Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/25/2014\",\"contact\":\"Vanilla
 
Bean\",\"email\":\"vanillab...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":12345,\"description\":\"part
 
123\",\"quantity\":12,\"unitPrice\":29.99,\"totalPrice\":149.95}],\"totalPrice\":149.95}}";
-    // Test an unknown user - 401 error
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", 
"unknown-user", "1234567", "{ \"key9\" : \"foo\" }");
-      assertEquals(401, getCode(response));
-    });
-
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=CAS", 
"unknown-user", "1234567", "{ \"key9\" : \"foo\" }");
-      assertEquals(401, getCode(response));
-    });
-
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", 
"unknown-user", "1234567", "{ \"@old\" : \"value1\", \"@new\" : \"CASvalue\" 
}");
-      assertEquals(401, getCode(response));
-    });
-
-    // Test a user with insufficient rights - 403
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", 
"dataReader", "1234567", "{ \"key1\" : \"foo\" }");
-      assertEquals(403, getCode(response));
-    });
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", 
"dataReader", "1234567", "{ \"key1\" : \"foo\" }");
-      assertEquals(403, getCode(response));
-    });
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=CAS", 
"dataReader", "1234567", casJSON);
-      assertEquals(403, getCode(response));
-    });
-
-    // Test an authorized user - 200
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", 
"key1User", "1234567", "{ \"key1\" : \"foo\" }");
-      assertEquals(200, getCode(response));
-      assertTrue(isOK(response));
-    });
-    client1.invoke(() -> {
-      HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", 
"key1User", "1234567", json);
-      assertEquals(200, getCode(response));
-      assertTrue(isOK(response));
-    });
-  }
-
-  protected HttpResponse doHEAD(String query, String username, String 
password) throws MalformedURLException {
-    HttpHead httpHead = new HttpHead(CONTEXT + query);
-    return doRequest(httpHead, username, password);
-  }
-
-
-  protected HttpResponse doPost(String query, String username, String 
password, String body) throws MalformedURLException {
-    HttpPost httpPost = new HttpPost(CONTEXT + query);
-    httpPost.addHeader("content-type", "application/json");
-    httpPost.setEntity(new StringEntity(body, StandardCharsets.UTF_8));
-    return doRequest(httpPost, username, password);
-  }
-
-
-  protected HttpResponse doPut(String query, String username, String password, 
String body) throws MalformedURLException {
-    HttpPut httpPut = new HttpPut(CONTEXT + query);
-    httpPut.addHeader("content-type", "application/json");
-    httpPut.setEntity(new StringEntity(body, StandardCharsets.UTF_8));
-    return doRequest(httpPut, username, password);
-  }
-
-  protected HttpResponse doGet(String uri, String username, String password) 
throws MalformedURLException {
-    HttpGet getRequest = new HttpGet(CONTEXT + uri);
-    return doRequest(getRequest, username, password);
-  }
-
-  protected HttpResponse doDelete(String uri, String username, String 
password) throws MalformedURLException {
-    HttpDelete httpDelete = new HttpDelete(CONTEXT + uri);
-    return doRequest(httpDelete, username, password);
-  }
-
-  /**
-   * Check the HTTP status of the response and return if it's within the OK 
range
-   * @param response The HttpResponse message received from the server
-   *
-   * @return true if the status code is a 2XX-type code (200-299), otherwise 
false
-   */
-  protected boolean isOK(HttpResponse response) {
-    int returnCode = response.getStatusLine().getStatusCode();
-    return (returnCode < 300 && returnCode >= 200);
-  }
-
-  /**
-   * Check the HTTP status of the response and return true if a 401
-   * @param response The HttpResponse message received from the server
-   *
-   * @return true if the status code is 401, otherwise false
-   */
-  protected boolean isUnauthorized(HttpResponse response) {
-    int returnCode = response.getStatusLine().getStatusCode();
-    return returnCode == 401;
-  }
-
-  /**
-   * Retrieve the status code of the HttpResponse
-   * @param response The HttpResponse message received from the server
-   *
-   * @return a numeric value
-   */
-  protected int getCode(HttpResponse response) {
-    return response.getStatusLine().getStatusCode();
-  }
-
-  protected JSONTokener getResponseBody(HttpResponse response) throws 
IOException {
-    HttpEntity entity = response.getEntity();
-    InputStream content = entity.getContent();
-    BufferedReader reader = new BufferedReader(new InputStreamReader(
-      content));
-    String line;
-    StringBuilder str = new StringBuilder();
-    while ((line = reader.readLine()) != null) {
-      str.append(line);
-    }
-    return new JSONTokener(str.toString());
-  }
-
-  private HttpResponse doRequest(HttpRequestBase request, String username, 
String password) throws MalformedURLException {
-    HttpHost targetHost = new HttpHost(HOSTNAME, this.restPort, PROTOCOL);
-    CloseableHttpClient httpclient = HttpClients.custom().build();
-    HttpClientContext clientContext = HttpClientContext.create();
-    // if username is null, do not put in authentication
-    if (username != null) {
-      CredentialsProvider credsProvider = new BasicCredentialsProvider();
-      credsProvider.setCredentials(new AuthScope(targetHost.getHostName(), 
targetHost.getPort()), new UsernamePasswordCredentials(username, password));
-      httpclient = 
HttpClients.custom().setDefaultCredentialsProvider(credsProvider).build();
-      AuthCache authCache = new BasicAuthCache();
-      BasicScheme basicAuth = new BasicScheme();
-      authCache.put(targetHost, basicAuth);
-      clientContext.setCredentialsProvider(credsProvider);
-      clientContext.setAuthCache(authCache);
-    }
-
-    try {
-      return httpclient.execute(targetHost, request, clientContext);
-    } catch (ClientProtocolException e) {
-      e.printStackTrace();
-      fail("Rest GET should not have thrown ClientProtocolException!");
-    } catch (IOException e) {
-      e.printStackTrace();
-      fail("Rest GET Request should not have thrown IOException!");
-    }
-    return null;
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
----------------------------------------------------------------------
diff --git 
a/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
 
b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
new file mode 100644
index 0000000..ef019a4
--- /dev/null
+++ 
b/geode-assembly/src/test/java/org/apache/geode/rest/internal/web/RestSecurityIntegrationTest.java
@@ -0,0 +1,497 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geode.rest.internal.web;
+
+import static org.apache.geode.distributed.ConfigurationProperties.*;
+import static org.junit.Assert.*;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.net.MalformedURLException;
+import java.nio.charset.StandardCharsets;
+import java.util.Properties;
+
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpResponse;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.AuthCache;
+import org.apache.http.client.ClientProtocolException;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.client.methods.HttpDelete;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpHead;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpPut;
+import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.client.protocol.HttpClientContext;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.auth.BasicScheme;
+import org.apache.http.impl.client.BasicAuthCache;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.json.JSONArray;
+import org.json.JSONObject;
+import org.json.JSONTokener;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.cache.RegionShortcut;
+import org.apache.geode.internal.AvailablePortHelper;
+import org.apache.geode.security.templates.SampleSecurityManager;
+import org.apache.geode.test.dunit.rules.ServerStarter;
+import org.apache.geode.test.junit.categories.IntegrationTest;
+import org.apache.geode.test.junit.categories.SecurityTest;
+
+
+@Category({ IntegrationTest.class, SecurityTest.class })
+public class RestSecurityIntegrationTest {
+
+  protected static final String REGION_NAME = "AuthRegion";
+
+  public final static String PROTOCOL = "http";
+  public final static String HOSTNAME = "localhost";
+  public final static String CONTEXT = "/geode/v1";
+
+  private static int restPort = 
AvailablePortHelper.getRandomAvailableTCPPort();
+  static Properties properties = new Properties() {{
+    setProperty(SampleSecurityManager.SECURITY_JSON, 
"org/apache/geode/management/internal/security/clientServer.json");
+    setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName());
+    setProperty(START_DEV_REST_API, "true");
+    setProperty(HTTP_SERVICE_BIND_ADDRESS, "localhost");
+    setProperty(HTTP_SERVICE_PORT, restPort + "");
+  }};
+
+  @ClassRule
+  public static ServerStarter serverStarter = new ServerStarter(properties);
+
+  @BeforeClass
+  public static void before() throws Exception {
+    serverStarter.startServer();
+    
serverStarter.cache.createRegionFactory(RegionShortcut.REPLICATE).create(REGION_NAME);
+  }
+
+  @Test
+  public void testFunctions() throws Exception {
+    String json = "{\"@type\":\"double\",\"@value\":210}";
+
+    HttpResponse response = doGet("/functions", "unknown-user", "1234567");
+    assertEquals(401, getCode(response));
+    response = doGet("/functions", "stranger", "1234567");
+    assertEquals(403, getCode(response));
+    response = doGet("/functions", "dataReader", "1234567");
+    assertTrue(isOK(response));
+
+    response = doPost("/functions/AddFreeItemsToOrder", "unknown-user", 
"1234567", json);
+    assertEquals(401, getCode(response));
+    response = doPost("/functions/AddFreeItemsToOrder", "dataReader", 
"1234567", json);
+    assertEquals(403, getCode(response));
+    response = doPost("/functions/AddFreeItemsToOrder?onRegion=" + 
REGION_NAME, "dataWriter", "1234567", json);
+    // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
+    assertEquals(500, getCode(response));
+  }
+
+  @Test
+  public void testQueries() throws Exception {
+    HttpResponse response = doGet("/queries", "unknown-user", "1234567");
+    assertEquals(401, getCode(response));
+    response = doGet("/queries", "stranger", "1234567");
+    assertEquals(403, getCode(response));
+    response = doGet("/queries", "dataReader", "1234567");
+    assertEquals(200, getCode(response));
+  }
+
+  @Test
+  public void testAdhocQuery() throws Exception {
+    HttpResponse response = doGet("/queries/adhoc?q=", "unknown-user", 
"1234567");
+    assertEquals(401, getCode(response));
+    response = doGet("/queries/adhoc?q=", "stranger", "1234567");
+    assertEquals(403, getCode(response));
+    response = doGet("/queries/adhoc?q=", "dataReader", "1234567");
+    // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
+    assertEquals(500, getCode(response));
+  }
+
+  @Test
+  public void testPostQuery() throws Exception {
+    HttpResponse response = doPost("/queries?id=0&q=", "unknown-user", 
"1234567", "");
+    assertEquals(401, getCode(response));
+    response = doPost("/queries?id=0&q=", "stranger", "1234567", "");
+    assertEquals(403, getCode(response));
+    response = doPost("/queries?id=0&q=", "dataWriter", "1234567", "");
+    // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
+    assertEquals(500, getCode(response));
+  }
+
+  @Test
+  public void testPostQuery2() throws Exception {
+    HttpResponse response = doPost("/queries/id", "unknown-user", "1234567", 
"{\"id\" : \"foo\"}");
+    assertEquals(401, getCode(response));
+    response = doPost("/queries/id", "stranger", "1234567", "{\"id\" : 
\"foo\"}");
+    assertEquals(403, getCode(response));
+    response = doPost("/queries/id", "dataWriter", "1234567", "{\"id\" : 
\"foo\"}");
+    // because we're only testing the security of the endpoint, not the 
endpoint functionality, a 500 is acceptable
+    assertEquals(500, getCode(response));
+  }
+
+  @Test
+  public void testPutQuery() throws Exception {
+    HttpResponse response = doPut("/queries/id", "unknown-user", "1234567", 
"{\"id\" : \"foo\"}");
+    assertEquals(401, getCode(response));
+    response = doPut("/queries/id", "stranger", "1234567", "{\"id\" : 
\"foo\"}");
+    assertEquals(403, getCode(response));
+    response = doPut("/queries/id", "dataWriter", "1234567", "{\"id\" : 
\"foo\"}");
+    // We should get a 404 because we're trying to update a query that doesn't 
exist
+    assertEquals(404, getCode(response));
+  }
+
+  @Test
+  public void testDeleteQuery() throws Exception {
+    HttpResponse response = doDelete("/queries/id", "unknown-user", "1234567");
+    assertEquals(401, getCode(response));
+    response = doDelete("/queries/id", "stranger", "1234567");
+    assertEquals(403, getCode(response));
+    response = doDelete("/queries/id", "dataWriter", "1234567");
+    // We should get a 404 because we're trying to delete a query that doesn't 
exist
+    assertEquals(404, getCode(response));
+  }
+
+  @Test
+  public void testServers() throws Exception {
+    HttpResponse response = doGet("/servers", "unknown-user", "1234567");
+    assertEquals(401, getCode(response));
+    response = doGet("/servers", "stranger", "1234567");
+    assertEquals(403, getCode(response));
+    response = doGet("/servers", "super-user", "1234567");
+    assertTrue(isOK(response));
+  }
+
+  /**
+   * This test should always return an OK, whether the user is known or 
unknown.  A phishing script should not be
+   * able to determine whether a user/password combination is good
+   */
+  @Test
+  public void testPing() throws Exception {
+    HttpResponse response = doHEAD("/ping", "stranger", "1234567");
+    assertTrue(isOK(response));
+    response = doGet("/ping", "stranger", "1234567");
+    assertTrue(isOK(response));
+
+    response = doHEAD("/ping", "super-user", "1234567");
+    assertTrue(isOK(response));
+    response = doGet("/ping", "super-user", "1234567");
+    assertTrue(isOK(response));
+
+    // TODO - invalid username/password should still respond, but doesn't
+    //      response = doHEAD("/ping", "unknown-user", "badpassword");
+    //      assertTrue(isOK(response));
+    //      response = doGet("/ping", "unknown-user", "badpassword");
+    //      assertTrue(isOK(response));
+
+    // TODO - credentials are currently required and shouldn't be for this 
endpoint
+    //      response = doHEAD("/ping", null, null);
+    //      assertTrue(isOK(response));
+    //      response = doGet("/ping", null, null);
+    //      assertTrue(isOK(response));
+  }
+
+  /**
+   * Test permissions on retrieving a list of regions.
+   */
+  @Test
+  public void getRegions() throws Exception {
+    HttpResponse response = doGet("", "dataReader", "1234567");
+    assertEquals("A '200 - OK' was expected", 200, getCode(response));
+
+    assertTrue(isOK(response));
+    JSONObject jsonObject = new JSONObject(getResponseBody(response));
+    JSONArray regions = jsonObject.getJSONArray("regions");
+    assertNotNull(regions);
+    assertTrue(regions.length() > 0);
+    JSONObject region = regions.getJSONObject(0);
+    assertEquals("AuthRegion", region.get("name"));
+    assertEquals("REPLICATE", region.get("type"));
+
+    // List regions with an unknown user - 401
+    response = doGet("", "unknown-user", "badpassword");
+    assertEquals(401, getCode(response));
+
+    // list regions with insufficent rights - 403
+    response = doGet("", "authRegionReader", "1234567");
+    assertEquals(403, getCode(response));
+  }
+
+  /**
+   * Test permissions on getting a region
+   */
+  @Test
+  public void getRegion() throws Exception {
+    // Test an unknown user - 401 error
+    HttpResponse response = doGet("/" + REGION_NAME, "unknown-user", 
"1234567");
+    assertEquals(401, getCode(response));
+
+    // Test a user with insufficient rights - 403
+    response = doGet("/" + REGION_NAME, "stranger", "1234567");
+    assertEquals(403, getCode(response));
+
+    // Test an authorized user - 200
+    response = doGet("/" + REGION_NAME, "super-user", "1234567");
+    assertTrue(isOK(response));
+  }
+
+  /**
+   * Test permissions on HEAD region
+   */
+  @Test
+  public void headRegion() throws Exception {
+    // Test an unknown user - 401 error
+    HttpResponse response = doHEAD("/" + REGION_NAME, "unknown-user", 
"1234567");
+    assertEquals(401, getCode(response));
+
+    // Test a user with insufficient rights - 403
+    response = doHEAD("/" + REGION_NAME, "stranger", "1234567");
+    assertEquals(403, getCode(response));
+
+    // Test an authorized user - 200
+    response = doHEAD("/" + REGION_NAME, "super-user", "1234567");
+    assertTrue(isOK(response));
+  }
+
+  /**
+   * Test permissions on deleting a region
+   */
+  @Test
+  public void deleteRegion() throws Exception {
+    // Test an unknown user - 401 error
+    HttpResponse response = doDelete("/" + REGION_NAME, "unknown-user", 
"1234567");
+    assertEquals(401, getCode(response));
+
+    // Test a user with insufficient rights - 403
+    response = doDelete("/" + REGION_NAME, "dataReader", "1234567");
+    assertEquals(403, getCode(response));
+  }
+
+  /**
+   * Test permissions on getting a region's keys
+   */
+  @Test
+  public void getRegionKeys() throws Exception {
+    // Test an authorized user
+    HttpResponse response = doGet("/" + REGION_NAME + "/keys", "super-user", 
"1234567");
+    assertTrue(isOK(response));
+    // Test an unauthorized user
+    response = doGet("/" + REGION_NAME + "/keys", "dataWriter", "1234567");
+    assertEquals(403, getCode(response));
+  }
+
+  /**
+   * Test permissions on retrieving a key from a region
+   */
+  @Test
+  public void getRegionKey() throws Exception {
+    // Test an authorized user
+    HttpResponse response = doGet("/" + REGION_NAME + "/key1", "key1User", 
"1234567");
+    assertTrue(isOK(response));
+    // Test an unauthorized user
+    response = doGet("/" + REGION_NAME + "/key1", "dataWriter", "1234567");
+    assertEquals(403, getCode(response));
+  }
+
+  /**
+   * Test permissions on deleting a region's key(s)
+   */
+  @Test
+  public void deleteRegionKey() throws Exception {
+    // Test an unknown user - 401 error
+    HttpResponse response = doDelete("/" + REGION_NAME + "/key1", 
"unknown-user", "1234567");
+    assertEquals(401, getCode(response));
+
+    // Test a user with insufficient rights - 403
+    response = doDelete("/" + REGION_NAME + "/key1", "dataReader", "1234567");
+    assertEquals(403, getCode(response));
+
+    // Test an authorized user - 200
+    response = doDelete("/" + REGION_NAME + "/key1", "key1User", "1234567");
+    assertTrue(isOK(response));
+  }
+
+  /**
+   * Test permissions on deleting a region's key(s)
+   */
+  @Test
+  public void postRegionKey() throws Exception {
+    // Test an unknown user - 401 error
+    HttpResponse response = doPost("/" + REGION_NAME + "?key9", "unknown", 
"1234567", "{ \"key9\" : \"foo\" }");
+    assertEquals(401, getCode(response));
+
+    // Test a user with insufficient rights - 403
+    response = doPost("/" + REGION_NAME + "?key9", "dataReader", "1234567", "{ 
\"key9\" : \"foo\" }");
+    assertEquals(403, getCode(response));
+
+    // Test an authorized user - 200
+    response = doPost("/" + REGION_NAME + "?key9", "dataWriter", "1234567", "{ 
\"key9\" : \"foo\" }");
+    assertEquals(201, getCode(response));
+    assertTrue(isOK(response));
+  }
+
+  /**
+   * Test permissions on deleting a region's key(s)
+   */
+  @Test
+  public void putRegionKey() throws Exception {
+
+    String json = 
"{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order
 for  XYZ 
Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly
 
Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225}";
+    String casJSON = 
"{\"@old\":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1012,\"description\":\"Order
 for  XYZ 
Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/20/2014\",\"contact\":\"Jelly
 
Bean\",\"email\":\"jelly.b...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":1,\"description\":\"Product-100\",\"quantity\":12,\"unitPrice\":5,\"totalPrice\":60}],\"totalPrice\":225},\"@new
 
\":{\"@type\":\"com.gemstone.gemfire.web.rest.domain.Order\",\"purchaseOrderNo\":1121,\"customerId\":1013,\"description\":\"Order
 for  New 
Corp\",\"orderDate\":\"02/10/2014\",\"deliveryDate\":\"02/25/2014\",\"contact\":\"Vanilla
 
Bean\",\"email\":\"vanillab...@example.com\",\"phone\":\"01-2048096\",\"items\":[{\"itemNo\":12345,\"description\":\"part
 
123\",\"quantity\":12,\"unitPrice\":29.99,\"totalPrice\":149.95}],\"totalPrice\":149.95}}";
+    // Test an unknown user - 401 error
+    HttpResponse response = doPut("/" + REGION_NAME + "/key1?op=PUT", 
"unknown-user", "1234567", "{ \"key9\" : \"foo\" }");
+    assertEquals(401, getCode(response));
+
+    response = doPut("/" + REGION_NAME + "/key1?op=CAS", "unknown-user", 
"1234567", "{ \"key9\" : \"foo\" }");
+    assertEquals(401, getCode(response));
+    response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "unknown-user", 
"1234567", "{ \"@old\" : \"value1\", \"@new\" : \"CASvalue\" }");
+    assertEquals(401, getCode(response));
+
+    response = doPut("/" + REGION_NAME + "/key1?op=PUT", "dataReader", 
"1234567", "{ \"key1\" : \"foo\" }");
+    assertEquals(403, getCode(response));
+
+    response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "dataReader", 
"1234567", "{ \"key1\" : \"foo\" }");
+    assertEquals(403, getCode(response));
+
+    response = doPut("/" + REGION_NAME + "/key1?op=CAS", "dataReader", 
"1234567", casJSON);
+    assertEquals(403, getCode(response));
+
+    response = doPut("/" + REGION_NAME + "/key1?op=PUT", "key1User", 
"1234567", "{ \"key1\" : \"foo\" }");
+    assertEquals(200, getCode(response));
+    assertTrue(isOK(response));
+
+    response = doPut("/" + REGION_NAME + "/key1?op=REPLACE", "key1User", 
"1234567", json);
+    assertEquals(200, getCode(response));
+    assertTrue(isOK(response));
+  }
+
+  protected HttpResponse doHEAD(String query, String username, String 
password) throws MalformedURLException {
+    HttpHead httpHead = new HttpHead(CONTEXT + query);
+    return doRequest(httpHead, username, password);
+  }
+
+
+  protected HttpResponse doPost(String query, String username, String 
password, String body) throws MalformedURLException {
+    HttpPost httpPost = new HttpPost(CONTEXT + query);
+    httpPost.addHeader("content-type", "application/json");
+    httpPost.setEntity(new StringEntity(body, StandardCharsets.UTF_8));
+    return doRequest(httpPost, username, password);
+  }
+
+
+  protected HttpResponse doPut(String query, String username, String password, 
String body) throws MalformedURLException {
+    HttpPut httpPut = new HttpPut(CONTEXT + query);
+    httpPut.addHeader("content-type", "application/json");
+    httpPut.setEntity(new StringEntity(body, StandardCharsets.UTF_8));
+    return doRequest(httpPut, username, password);
+  }
+
+  protected HttpResponse doGet(String uri, String username, String password) 
throws MalformedURLException {
+    HttpGet getRequest = new HttpGet(CONTEXT + uri);
+    return doRequest(getRequest, username, password);
+  }
+
+  protected HttpResponse doDelete(String uri, String username, String 
password) throws MalformedURLException {
+    HttpDelete httpDelete = new HttpDelete(CONTEXT + uri);
+    return doRequest(httpDelete, username, password);
+  }
+
+  /**
+   * Check the HTTP status of the response and return if it's within the OK 
range
+   *
+   * @param response The HttpResponse message received from the server
+   *
+   * @return true if the status code is a 2XX-type code (200-299), otherwise 
false
+   */
+  protected boolean isOK(HttpResponse response) {
+    int returnCode = response.getStatusLine().getStatusCode();
+    return (returnCode < 300 && returnCode >= 200);
+  }
+
+  /**
+   * Check the HTTP status of the response and return true if a 401
+   *
+   * @param response The HttpResponse message received from the server
+   *
+   * @return true if the status code is 401, otherwise false
+   */
+  protected boolean isUnauthorized(HttpResponse response) {
+    int returnCode = response.getStatusLine().getStatusCode();
+    return returnCode == 401;
+  }
+
+  /**
+   * Retrieve the status code of the HttpResponse
+   *
+   * @param response The HttpResponse message received from the server
+   *
+   * @return a numeric value
+   */
+  protected int getCode(HttpResponse response) {
+    return response.getStatusLine().getStatusCode();
+  }
+
+  protected JSONTokener getResponseBody(HttpResponse response) throws 
IOException {
+    HttpEntity entity = response.getEntity();
+    InputStream content = entity.getContent();
+    BufferedReader reader = new BufferedReader(new InputStreamReader(content));
+    String line;
+    StringBuilder str = new StringBuilder();
+    while ((line = reader.readLine()) != null) {
+      str.append(line);
+    }
+    return new JSONTokener(str.toString());
+  }
+
+  private HttpResponse doRequest(HttpRequestBase request, String username, 
String password) throws MalformedURLException {
+    HttpHost targetHost = new HttpHost(HOSTNAME, this.restPort, PROTOCOL);
+    CloseableHttpClient httpclient = HttpClients.custom().build();
+    HttpClientContext clientContext = HttpClientContext.create();
+    // if username is null, do not put in authentication
+    if (username != null) {
+      CredentialsProvider credsProvider = new BasicCredentialsProvider();
+      credsProvider.setCredentials(new AuthScope(targetHost.getHostName(), 
targetHost.getPort()), new UsernamePasswordCredentials(username, password));
+      httpclient = 
HttpClients.custom().setDefaultCredentialsProvider(credsProvider).build();
+      AuthCache authCache = new BasicAuthCache();
+      BasicScheme basicAuth = new BasicScheme();
+      authCache.put(targetHost, basicAuth);
+      clientContext.setCredentialsProvider(credsProvider);
+      clientContext.setAuthCache(authCache);
+    }
+
+    try {
+      return httpclient.execute(targetHost, request, clientContext);
+    } catch (ClientProtocolException e) {
+      e.printStackTrace();
+      fail("Rest GET should not have thrown ClientProtocolException!");
+    } catch (IOException e) {
+      e.printStackTrace();
+      fail("Rest GET Request should not have thrown IOException!");
+    }
+    return null;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
 
b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
index 79b70f8..ac1be0d 100644
--- 
a/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
+++ 
b/geode-core/src/main/java/org/apache/geode/internal/security/IntegratedSecurityService.java
@@ -107,7 +107,7 @@ public class IntegratedSecurityService implements 
SecurityService{
       }
     }
 
-    // in other cases like admin rest call or pulse authorization
+    // in other cases like rest call, client operations, we get it from the 
current thread
     currentUser = SecurityUtils.getSubject();
 
     if (currentUser == null || currentUser.getPrincipal() == null) {

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java
index c22fff3..db4767e 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/AccessControlMBeanJUnitTest.java
@@ -25,6 +25,8 @@ import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
 import org.apache.geode.internal.AvailablePort;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -36,8 +38,7 @@ public class AccessControlMBeanJUnitTest {
   private AccessControlMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -51,7 +52,7 @@ public class AccessControlMBeanJUnitTest {
    * Test that any authenticated user can access this method
    */
   @Test
-  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @ConnectionConfiguration(user = "stranger", password = "1234567")
   public void testAnyAccess() throws Exception {
     assertThat(bean.authorize("DATA", "READ")).isEqualTo(false);
     assertThat(bean.authorize("CLUSTER", "READ")).isEqualTo(false);

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
index 3880948..0dd512d 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthenticationJUnitTest.java
@@ -24,6 +24,8 @@ import org.junit.experimental.categories.Category;
 
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.CacheServerMXBean;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 
 @Category(IntegrationTest.class)
@@ -34,8 +36,7 @@ public class CacheServerMBeanAuthenticationJUnitTest {
   private CacheServerMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -46,7 +47,7 @@ public class CacheServerMBeanAuthenticationJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
+  @ConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testAllAccess() throws Exception {
     bean.removeIndex("foo");
     bean.fetchLoadProbe();

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
index 7bbfbcc..03b41a9 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanAuthorizationJUnitTest.java
@@ -26,6 +26,8 @@ import org.junit.experimental.categories.Category;
 
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.CacheServerMXBean;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.FlakyTest;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
@@ -38,8 +40,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   private CacheServerMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -50,7 +51,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
+  @ConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testDataAdmin() throws Exception {
     bean.removeIndex("foo");
     assertThatThrownBy(() -> 
bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
@@ -63,7 +64,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "cluster-admin", password = "1234567")
+  @ConnectionConfiguration(user = "cluster-admin", password = "1234567")
   public void testClusterAdmin() throws Exception {
     assertThatThrownBy(() -> 
bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     assertThatThrownBy(() -> 
bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
@@ -72,7 +73,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
 
 
   @Test
-  @JMXConnectionConfiguration(user = "data-user", password = "1234567")
+  @ConnectionConfiguration(user = "data-user", password = "1234567")
   public void testDataUser() throws Exception {
     assertThatThrownBy(() -> 
bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     bean.executeContinuousQuery("bar");
@@ -80,7 +81,7 @@ public class CacheServerMBeanAuthorizationJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @ConnectionConfiguration(user = "stranger", password = "1234567")
   public void testNoAccess() throws Exception {
     assertThatThrownBy(() -> 
bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     assertThatThrownBy(() -> 
bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java
index 721a431..d0df150 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerMBeanShiroJUnitTest.java
@@ -16,28 +16,40 @@
  */
 package org.apache.geode.management.internal.security;
 
+import static org.apache.geode.distributed.ConfigurationProperties.*;
 import static org.assertj.core.api.Assertions.*;
 
+import java.util.Properties;
+
 import org.junit.Before;
-import org.junit.ClassRule;
+import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.CacheServerMXBean;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
+import org.apache.geode.test.dunit.rules.ServerStarter;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
 @Category({ IntegrationTest.class, SecurityTest.class })
 public class CacheServerMBeanShiroJUnitTest {
-
-  private static int jmxManagerPort = 
AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+  static int jmxManagerPort = 
AvailablePort.getRandomAvailablePort(AvailablePort.SOCKET);
+  static Properties properties = new Properties(){{
+    setProperty(JMX_MANAGER_PORT, jmxManagerPort+"");
+    setProperty(SECURITY_SHIRO_INIT, "shiro.ini");
+  }};
 
   private CacheServerMXBean bean;
 
-  @ClassRule
-  public static ShiroCacheStartRule serverRule = new 
ShiroCacheStartRule(jmxManagerPort, "shiro.ini");
+  @BeforeClass
+  public static void before() throws Exception {
+    ServerStarter serverStarter = new ServerStarter(properties);
+    serverStarter.startServer();
+  }
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -48,7 +60,7 @@ public class CacheServerMBeanShiroJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "root", password = "secret")
+  @ConnectionConfiguration(user = "root", password = "secret")
   public void testAllAccess() throws Exception {
     bean.removeIndex("foo");
     bean.executeContinuousQuery("bar");
@@ -61,7 +73,7 @@ public class CacheServerMBeanShiroJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "guest", password = "guest")
+  @ConnectionConfiguration(user = "guest", password = "guest")
   public void testNoAccess() throws Exception {
     assertThatThrownBy(() -> 
bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     assertThatThrownBy(() -> 
bean.executeContinuousQuery("bar")).hasMessageContaining(TestCommand.dataRead.toString());
@@ -74,7 +86,7 @@ public class CacheServerMBeanShiroJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "regionAReader", password = "password")
+  @ConnectionConfiguration(user = "regionAReader", password = "password")
   public void testRegionAccess() throws Exception{
     assertThatThrownBy(() -> 
bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     assertThatThrownBy(() -> 
bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());
@@ -84,7 +96,7 @@ public class CacheServerMBeanShiroJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "dataReader", password = "12345")
+  @ConnectionConfiguration(user = "dataReader", password = "12345")
   public void testDataRead() throws Exception{
     assertThatThrownBy(() -> 
bean.removeIndex("foo")).hasMessageContaining(TestCommand.dataManage.toString());
     assertThatThrownBy(() -> 
bean.fetchLoadProbe()).hasMessageContaining(TestCommand.clusterRead.toString());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java
new file mode 100644
index 0000000..b99d8e1
--- /dev/null
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CacheServerStartupRule.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.geode.management.internal.security;
+
+import static org.apache.geode.distributed.ConfigurationProperties.*;
+
+import java.io.Serializable;
+import java.util.Properties;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.rules.ExternalResource;
+
+import org.apache.geode.cache.Cache;
+import org.apache.geode.security.templates.SampleSecurityManager;
+import org.apache.geode.test.dunit.rules.ServerStarter;
+
+/**
+ * this rule would help you start up a cache server with the given properties 
in the current VM
+ */
+public class CacheServerStartupRule extends ExternalResource implements 
Serializable {
+
+  private ServerStarter serverStarter;
+
+  public static CacheServerStartupRule withDefaultSecurityJson(int 
jmxManagerPort) {
+    return new CacheServerStartupRule(jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  }
+
+  public CacheServerStartupRule(int jmxManagerPort, String jsonFile) {
+    Properties properties = new Properties();
+    if(jmxManagerPort>0){
+      properties.put(JMX_MANAGER_PORT, String.valueOf(jmxManagerPort));
+    }
+    if(jsonFile!=null){
+      properties.put(SECURITY_MANAGER, SampleSecurityManager.class.getName());
+      properties.put(SampleSecurityManager.SECURITY_JSON, jsonFile);
+    }
+    serverStarter = new ServerStarter(properties);
+  }
+
+  @Before
+  public void before() throws Throwable {
+    serverStarter.startServer();
+    serverStarter.cache.createRegionFactory().create("region1");
+  }
+
+  @After
+  public void after(){
+    serverStarter.after();
+  }
+
+  public Cache getCache() {
+    return serverStarter.cache;
+  }
+
+  public int getServerPort(){
+    return serverStarter.server.getPort();
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java
index 84155a9..403e2ab 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/CliCommandsSecurityTest.java
@@ -30,6 +30,8 @@ import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.MemberMXBean;
 import org.apache.geode.security.NotAuthorizedException;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -43,8 +45,7 @@ public class CliCommandsSecurityTest {
   private List<TestCommand> commands = TestCommand.getCommands();
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -55,7 +56,7 @@ public class CliCommandsSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @ConnectionConfiguration(user = "stranger", password = "1234567")
   public void testNoAccess(){
    for (TestCommand command:commands) {
      // skip query commands since query commands are only available in client 
shell
@@ -77,7 +78,7 @@ public class CliCommandsSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "super-user", password = "1234567")
+  @ConnectionConfiguration(user = "super-user", password = "1234567")
   public void testAdminUser() throws Exception {
     for (TestCommand command:commands) {
       LogService.getLogger().info("processing: "+command.getCommand());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java
index 0084cb8..1b2a7ce 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/DataCommandsSecurityTest.java
@@ -27,6 +27,8 @@ import org.junit.experimental.categories.Category;
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.MemberMXBean;
 import org.apache.geode.security.GemFireSecurityException;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -38,8 +40,7 @@ public class DataCommandsSecurityTest {
   private MemberMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -50,7 +51,7 @@ public class DataCommandsSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "region1-user", password = "1234567")
+  @ConnectionConfiguration(user = "region1-user", password = "1234567")
   public void testDataUser() throws Exception {
     bean.processCommand("locate entry --key=k1 --region=region1");
 
@@ -58,7 +59,7 @@ public class DataCommandsSecurityTest {
     assertThatThrownBy(() -> bean.processCommand("locate entry --key=k1 
--region=secureRegion")).isInstanceOf(GemFireSecurityException.class);
   }
 
-  @JMXConnectionConfiguration(user = "secure-user", password = "1234567")
+  @ConnectionConfiguration(user = "secure-user", password = "1234567")
   @Test
   public void testSecureDataUser(){
     // can do all these on both regions
@@ -67,7 +68,7 @@ public class DataCommandsSecurityTest {
   }
 
   // dataUser has all the permissions granted, but not to region2 (only to 
region1)
-  @JMXConnectionConfiguration(user = "region1-user", password = "1234567")
+  @ConnectionConfiguration(user = "region1-user", password = "1234567")
   @Test
   public void testRegionAccess(){
     assertThatThrownBy(() -> bean.processCommand("rebalance 
--include-region=region2")).isInstanceOf(GemFireSecurityException.class)

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
index 750ce2a..8e556a7 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/DiskStoreMXBeanSecurityJUnitTest.java
@@ -27,6 +27,8 @@ import org.junit.experimental.categories.Category;
 
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.DiskStoreMXBean;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -38,8 +40,7 @@ public class DiskStoreMXBeanSecurityJUnitTest {
   private DiskStoreMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -55,7 +56,7 @@ public class DiskStoreMXBeanSecurityJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
+  @ConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testAllAccess() throws Exception {
     bean.flush();
     bean.forceCompaction();
@@ -70,7 +71,7 @@ public class DiskStoreMXBeanSecurityJUnitTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-user", password = "1234567")
+  @ConnectionConfiguration(user = "data-user", password = "1234567")
   public void testNoAccess() throws Exception {
     assertThatThrownBy(() -> 
bean.flush()).hasMessageContaining(TestCommand.dataManage.toString());
     assertThatThrownBy(() -> 
bean.forceCompaction()).hasMessageContaining(TestCommand.dataManage.toString());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java
index b64a6f7..b799cbd 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewayReceiverMBeanSecurityTest.java
@@ -32,6 +32,8 @@ import org.junit.experimental.categories.Category;
 import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.GatewayReceiverMXBean;
 import org.apache.geode.management.ManagementService;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -47,8 +49,7 @@ public class GatewayReceiverMBeanSecurityTest {
   private GatewayReceiverMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -72,7 +73,7 @@ public class GatewayReceiverMBeanSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
+  @ConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testAllAccess() throws Exception {
     bean.getAverageBatchProcessingTime();
     bean.getBindAddress();
@@ -83,7 +84,7 @@ public class GatewayReceiverMBeanSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-user", password = "1234567")
+  @ConnectionConfiguration(user = "data-user", password = "1234567")
   public void testNoAccess() throws Exception {
     assertThatThrownBy(() -> 
bean.getTotalConnectionsTimedOut()).hasMessageContaining(TestCommand.clusterRead.toString());
     assertThatThrownBy(() -> 
bean.start()).hasMessageContaining(TestCommand.dataManage.toString());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java
index 9acf8db..a800064 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GatewaySenderMBeanSecurityTest.java
@@ -33,6 +33,8 @@ import org.apache.geode.internal.AvailablePort;
 import org.apache.geode.management.GatewaySenderMXBean;
 import org.apache.geode.management.ManagementService;
 import org.apache.geode.management.internal.beans.GatewaySenderMBean;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.MBeanServerConnectionRule;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -48,8 +50,7 @@ public class GatewaySenderMBeanSecurityTest {
   private GatewaySenderMXBean bean;
 
   @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxManagerPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  public static CacheServerStartupRule serverRule = 
CacheServerStartupRule.withDefaultSecurityJson(jmxManagerPort);
 
   @Rule
   public MBeanServerConnectionRule connectionRule = new 
MBeanServerConnectionRule(jmxManagerPort);
@@ -73,7 +74,7 @@ public class GatewaySenderMBeanSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
+  @ConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testAllAccess() throws Exception {
     bean.getAlertThreshold();
     bean.getAverageDistributionTimePerBatch();
@@ -90,7 +91,7 @@ public class GatewaySenderMBeanSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "stranger", password = "1234567")
+  @ConnectionConfiguration(user = "stranger", password = "1234567")
   public void testNoAccess() throws Exception {
     assertThatThrownBy(() -> 
bean.getAlertThreshold()).hasMessageContaining(TestCommand.clusterRead.toString());
     assertThatThrownBy(() -> 
bean.getAverageDistributionTimePerBatch()).hasMessageContaining(TestCommand.clusterRead.toString());

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java
index 34fd5a9..6eba91c 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsPostProcessorTest.java
@@ -16,30 +16,46 @@
  */
 package org.apache.geode.management.internal.security;
 
+import static org.apache.geode.distributed.ConfigurationProperties.*;
 import static org.apache.geode.internal.Assert.*;
 
-import org.apache.geode.security.templates.SamplePostProcessor;
+import java.util.Properties;
+
 import org.junit.Before;
-import org.junit.ClassRule;
+import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
+import org.apache.geode.cache.RegionShortcut;
 import org.apache.geode.internal.AvailablePortHelper;
 import org.apache.geode.management.internal.cli.HeadlessGfsh;
+import org.apache.geode.security.templates.SamplePostProcessor;
+import org.apache.geode.security.templates.SampleSecurityManager;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.ServerStarter;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
 @Category({ IntegrationTest.class, SecurityTest.class })
 public class GfshCommandsPostProcessorTest {
 
-  protected static int jmxPort = 
AvailablePortHelper.getRandomAvailableTCPPort();
+  protected static int jmxPort  = 
AvailablePortHelper.getRandomAvailableTCPPort();
+  static Properties properties = new Properties(){{
+    setProperty(JMX_MANAGER_PORT, jmxPort+"");
+    setProperty(SECURITY_POST_PROCESSOR, SamplePostProcessor.class.getName());
+    setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName());
+    setProperty("security-json", 
"org/apache/geode/management/internal/security/cacheServer.json");
+  }};
 
   private HeadlessGfsh gfsh = null;
 
-  @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxPort, 
"org/apache/geode/management/internal/security/cacheServer.json", 
SamplePostProcessor.class);
+  @BeforeClass
+  public static void beforeClass() throws Exception {
+    ServerStarter serverStarter = new ServerStarter(properties);
+    serverStarter.startServer();
+    
serverStarter.cache.createRegionFactory(RegionShortcut.REPLICATE).create("region1");
+  }
 
   @Rule
   public GfshShellConnectionRule gfshConnection = new 
GfshShellConnectionRule(jmxPort);
@@ -50,7 +66,7 @@ public class GfshCommandsPostProcessorTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-user", password = "1234567")
+  @ConnectionConfiguration(user = "data-user", password = "1234567")
   public void testGetPostProcess() throws Exception {
     gfsh.executeCommand("put --region=region1 --key=key1 --value=value1");
     gfsh.executeCommand("put --region=region1 --key=key2 --value=value2");

http://git-wip-us.apache.org/repos/asf/incubator-geode/blob/de621597/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java
----------------------------------------------------------------------
diff --git 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java
 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java
index def1792..960d13d 100644
--- 
a/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java
+++ 
b/geode-core/src/test/java/org/apache/geode/management/internal/security/GfshCommandsSecurityTest.java
@@ -16,17 +16,20 @@
  */
 package org.apache.geode.management.internal.security;
 
+import static org.apache.geode.distributed.ConfigurationProperties.*;
 import static org.junit.Assert.*;
 
 import java.util.List;
+import java.util.Properties;
 
 import org.apache.shiro.authz.permission.WildcardPermission;
 import org.junit.Before;
-import org.junit.ClassRule;
+import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 
+import org.apache.geode.cache.RegionShortcut;
 import org.apache.geode.internal.AvailablePortHelper;
 import org.apache.geode.internal.logging.LogService;
 import org.apache.geode.management.cli.Result;
@@ -34,6 +37,9 @@ import org.apache.geode.management.internal.cli.HeadlessGfsh;
 import org.apache.geode.management.internal.cli.result.CommandResult;
 import org.apache.geode.management.internal.cli.result.ErrorResultData;
 import org.apache.geode.management.internal.cli.result.ResultBuilder;
+import org.apache.geode.security.templates.SampleSecurityManager;
+import org.apache.geode.test.dunit.rules.ConnectionConfiguration;
+import org.apache.geode.test.dunit.rules.ServerStarter;
 import org.apache.geode.test.junit.categories.IntegrationTest;
 import org.apache.geode.test.junit.categories.SecurityTest;
 
@@ -44,11 +50,21 @@ public class GfshCommandsSecurityTest {
   protected static int jmxPort = ports[0];
   protected static int httpPort = ports[1];
 
+  static Properties properties = new Properties(){{
+    setProperty(JMX_MANAGER_PORT, jmxPort+"");
+    setProperty(HTTP_SERVICE_PORT, httpPort+"");
+    setProperty(SECURITY_MANAGER, SampleSecurityManager.class.getName());
+    setProperty("security-json", 
"org/apache/geode/management/internal/security/cacheServer.json");
+  }};
+
   private HeadlessGfsh gfsh = null;
 
-  @ClassRule
-  public static JsonAuthorizationCacheStartRule serverRule = new 
JsonAuthorizationCacheStartRule(
-      jmxPort, httpPort, 
"org/apache/geode/management/internal/security/cacheServer.json");
+  @BeforeClass
+  public static void beforeClass() throws Exception {
+    ServerStarter serverStarter = new ServerStarter(properties);
+    serverStarter.startServer();
+    
serverStarter.cache.createRegionFactory(RegionShortcut.REPLICATE).create("region1");
+  }
 
   @Rule
   public GfshShellConnectionRule gfshConnection = new 
GfshShellConnectionRule(jmxPort, httpPort, false);
@@ -59,67 +75,67 @@ public class GfshCommandsSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "wrongPwd")
+  @ConnectionConfiguration(user = "data-admin", password = "wrongPwd")
   public void testInvalidCredentials() throws Exception {
     assertFalse(gfshConnection.isAuthenticated());
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-admin", password = "1234567")
+  @ConnectionConfiguration(user = "data-admin", password = "1234567")
   public void testValidCredentials() throws Exception{
     assertTrue(gfshConnection.isAuthenticated());
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "cluster-reader", password = "1234567")
+  @ConnectionConfiguration(user = "cluster-reader", password = "1234567")
   public void testClusterReader() throws Exception{
     runCommandsWithAndWithout("CLUSTER:READ");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "cluster-writer", password = "1234567")
+  @ConnectionConfiguration(user = "cluster-writer", password = "1234567")
   public void testClusterWriter() throws Exception{
     runCommandsWithAndWithout("CLUSTER:WRITE");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "cluster-manager", password = "1234567")
+  @ConnectionConfiguration(user = "cluster-manager", password = "1234567")
   public void testClusterManager() throws Exception{
     runCommandsWithAndWithout("CLUSTER:MANAGE");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-reader", password = "1234567")
+  @ConnectionConfiguration(user = "data-reader", password = "1234567")
   public void testDataReader() throws Exception{
     runCommandsWithAndWithout("DATA:READ");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-writer", password = "1234567")
+  @ConnectionConfiguration(user = "data-writer", password = "1234567")
   public void testDataWriter() throws Exception{
     runCommandsWithAndWithout("DATA:WRITE");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-manager", password = "1234567")
+  @ConnectionConfiguration(user = "data-manager", password = "1234567")
   public void testDataManager() throws Exception{
     runCommandsWithAndWithout("DATA:MANAGE");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "regionA-reader", password = "1234567")
+  @ConnectionConfiguration(user = "regionA-reader", password = "1234567")
   public void testRegionAReader() throws Exception{
     runCommandsWithAndWithout("DATA:READ:RegionA");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "regionA-writer", password = "1234567")
+  @ConnectionConfiguration(user = "regionA-writer", password = "1234567")
   public void testRegionAWriter() throws Exception{
     runCommandsWithAndWithout("DATA:WRITE:RegionA");
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "regionA-manager", password = "1234567")
+  @ConnectionConfiguration(user = "regionA-manager", password = "1234567")
   public void testRegionAManager() throws Exception{
     runCommandsWithAndWithout("DATA:MANAGE:RegionA");
   }
@@ -168,7 +184,7 @@ public class GfshCommandsSecurityTest {
   }
 
   @Test
-  @JMXConnectionConfiguration(user = "data-user", password = "1234567")
+  @ConnectionConfiguration(user = "data-user", password = "1234567")
   public void testGetPostProcess() throws Exception {
     gfsh.executeCommand("put --region=region1 --key=key2 --value=value2");
     gfsh.executeCommand("put --region=region1 --key=key2 --value=value2");


Reply via email to