From 4a51a8f96715ffb2a42189b93b9fa91b453b8530 Mon Sep 17 00:00:00 2001
From: sg481n <sg481n@att.com>
Date: Thu, 3 Aug 2017 17:39:12 -0400
Subject:  [AAF-21] Initial code import
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: Ia1dd196befd061f6ba0c2be6bf4456a30ea50f97
Signed-off-by: sg481n <sg481n@att.com>
---
 core/.gitignore                                    |   5 +
 core/conf/cadi.properties                          |  60 ++
 core/pom.xml                                       | 131 ++++
 core/src/assemble/cadi.xml                         |  47 ++
 core/src/assemble/poll.xml                         |  47 ++
 core/src/main/java/com/att/cadi/AES.java           | 128 ++++
 .../main/java/com/att/cadi/AbsCachedPrincipal.java |  34 +
 core/src/main/java/com/att/cadi/AbsUserCache.java  | 409 +++++++++++
 core/src/main/java/com/att/cadi/Access.java        | 173 +++++
 core/src/main/java/com/att/cadi/BasicCred.java     |  37 +
 .../main/java/com/att/cadi/BufferedCadiWrap.java   |  81 ++
 .../com/att/cadi/BufferedServletInputStream.java   | 215 ++++++
 .../main/java/com/att/cadi/CachedPrincipal.java    |  48 ++
 core/src/main/java/com/att/cadi/CachingLur.java    |  36 +
 core/src/main/java/com/att/cadi/CadiException.java |  51 ++
 core/src/main/java/com/att/cadi/CadiWrap.java      | 194 +++++
 core/src/main/java/com/att/cadi/Capacitor.java     | 241 ++++++
 core/src/main/java/com/att/cadi/CmdLine.java       | 357 +++++++++
 core/src/main/java/com/att/cadi/Connector.java     |  28 +
 core/src/main/java/com/att/cadi/CredVal.java       |  43 ++
 core/src/main/java/com/att/cadi/GetCred.java       |  28 +
 core/src/main/java/com/att/cadi/Hash.java          | 203 +++++
 core/src/main/java/com/att/cadi/Locator.java       |  37 +
 .../main/java/com/att/cadi/LocatorException.java   |  48 ++
 core/src/main/java/com/att/cadi/Lur.java           |  95 +++
 core/src/main/java/com/att/cadi/Permission.java    |  30 +
 core/src/main/java/com/att/cadi/PropAccess.java    | 321 ++++++++
 core/src/main/java/com/att/cadi/Revalidator.java   |  36 +
 core/src/main/java/com/att/cadi/SLF4JAccess.java   | 101 +++
 .../src/main/java/com/att/cadi/SecuritySetter.java |  45 ++
 .../java/com/att/cadi/ServletContextAccess.java    |  70 ++
 core/src/main/java/com/att/cadi/StrLur.java        |  57 ++
 core/src/main/java/com/att/cadi/Symm.java          | 812 ++++++++++++++++++++
 core/src/main/java/com/att/cadi/Taf.java           |  58 ++
 core/src/main/java/com/att/cadi/Transmutate.java   |  46 ++
 core/src/main/java/com/att/cadi/TrustChecker.java  |  54 ++
 core/src/main/java/com/att/cadi/User.java          | 145 ++++
 core/src/main/java/com/att/cadi/UserChain.java     |  44 ++
 core/src/main/java/com/att/cadi/config/Config.java | 815 +++++++++++++++++++++
 core/src/main/java/com/att/cadi/config/Get.java    |  98 +++
 .../main/java/com/att/cadi/config/GetAccess.java   |  64 ++
 .../main/java/com/att/cadi/config/MultiGet.java    |  44 ++
 .../java/com/att/cadi/config/SecurityInfo.java     | 244 ++++++
 .../java/com/att/cadi/config/SecurityInfoC.java    |  45 ++
 .../main/java/com/att/cadi/config/UsersDump.java   | 159 ++++
 core/src/main/java/com/att/cadi/filter/AUTHZ.java  |  38 +
 .../java/com/att/cadi/filter/AUTHZServlet.java     | 101 +++
 .../java/com/att/cadi/filter/AccessGetter.java     |  38 +
 .../main/java/com/att/cadi/filter/CadiAccess.java  | 244 ++++++
 .../main/java/com/att/cadi/filter/CadiFilter.java  | 306 ++++++++
 .../java/com/att/cadi/filter/CadiHTTPManip.java    | 228 ++++++
 core/src/main/java/com/att/cadi/filter/FCGet.java  |  78 ++
 .../java/com/att/cadi/filter/MapPermConverter.java |  56 ++
 .../com/att/cadi/filter/NullPermConverter.java     |  44 ++
 .../main/java/com/att/cadi/filter/PathFilter.java  | 184 +++++
 .../java/com/att/cadi/filter/PermConverter.java    |  33 +
 .../java/com/att/cadi/filter/RolesAllowed.java     |  56 ++
 .../main/java/com/att/cadi/filter/ServletImpl.java |  56 ++
 .../java/com/att/cadi/lur/ConfigPrincipal.java     |  71 ++
 core/src/main/java/com/att/cadi/lur/EpiLur.java    | 168 +++++
 core/src/main/java/com/att/cadi/lur/LocalLur.java  | 202 +++++
 .../java/com/att/cadi/lur/LocalPermission.java     |  52 ++
 core/src/main/java/com/att/cadi/lur/NullLur.java   |  89 +++
 .../com/att/cadi/principal/BasicPrincipal.java     | 118 +++
 .../com/att/cadi/principal/BearerPrincipal.java    |  37 +
 .../com/att/cadi/principal/CSPPrincipal_T.java     |  34 +
 .../att/cadi/principal/CachedBasicPrincipal.java   |  66 ++
 .../com/att/cadi/principal/TGuardPrincipal.java    |  81 ++
 .../com/att/cadi/principal/TGuardPrincipal_T.java  |  34 +
 .../com/att/cadi/principal/TrustPrincipal.java     |  68 ++
 .../java/com/att/cadi/principal/X509Principal.java |  93 +++
 .../src/main/java/com/att/cadi/taf/AbsTafResp.java | 117 +++
 core/src/main/java/com/att/cadi/taf/EpiTaf.java    |  85 +++
 .../src/main/java/com/att/cadi/taf/HttpEpiTaf.java | 186 +++++
 core/src/main/java/com/att/cadi/taf/HttpTaf.java   |  61 ++
 .../java/com/att/cadi/taf/LoginPageTafResp.java    |  88 +++
 core/src/main/java/com/att/cadi/taf/NullTaf.java   |  65 ++
 .../main/java/com/att/cadi/taf/NullTafResp.java    |  74 ++
 .../main/java/com/att/cadi/taf/PuntTafResp.java    |  72 ++
 .../main/java/com/att/cadi/taf/Redirectable.java   |  33 +
 core/src/main/java/com/att/cadi/taf/TafResp.java   |  95 +++
 .../java/com/att/cadi/taf/TrustNotTafResp.java     |  78 ++
 .../main/java/com/att/cadi/taf/TrustTafResp.java   |  80 ++
 .../java/com/att/cadi/taf/basic/BasicHttpTaf.java  | 160 ++++
 .../com/att/cadi/taf/basic/BasicHttpTafResp.java   |  64 ++
 .../java/com/att/cadi/taf/cert/CertIdentity.java   |  47 ++
 .../com/att/cadi/taf/cert/X509HttpTafResp.java     |  53 ++
 .../main/java/com/att/cadi/taf/cert/X509Taf.java   | 258 +++++++
 .../com/att/cadi/taf/dos/DenialOfServiceTaf.java   | 371 ++++++++++
 .../att/cadi/taf/dos/DenialOfServiceTafResp.java   |  49 ++
 .../com/att/cadi/taf/localhost/LocalhostTaf.java   | 131 ++++
 .../att/cadi/taf/localhost/LocalhostTafResp.java   |  82 +++
 core/src/main/java/com/att/cadi/util/Chmod.java    |  64 ++
 .../java/com/att/cadi/util/JsonOutputStream.java   |  91 +++
 .../com/att/cadi/util/MaskFormatException.java     |  33 +
 .../src/main/java/com/att/cadi/util/MyConsole.java |  30 +
 core/src/main/java/com/att/cadi/util/NetMask.java  | 101 +++
 core/src/main/java/com/att/cadi/util/Split.java    |  92 +++
 .../java/com/att/cadi/util/SubStandardConsole.java |  64 ++
 .../main/java/com/att/cadi/util/TheConsole.java    |  49 ++
 .../java/com/att/cadi/util/UserChainManip.java     |  79 ++
 core/src/main/java/com/att/cadi/util/Vars.java     | 122 +++
 core/src/main/java/com/att/cadi/wsse/Action.java   |  38 +
 core/src/main/java/com/att/cadi/wsse/Match.java    | 131 ++++
 .../main/java/com/att/cadi/wsse/WSSEParser.java    |  87 +++
 core/src/main/java/com/att/cadi/wsse/XEvent.java   | 136 ++++
 core/src/main/java/com/att/cadi/wsse/XReader.java  | 417 +++++++++++
 core/src/test/java/com/att/cadi/JU_AES.java        |  87 +++
 .../java/com/att/cadi/lur/test/JU_LocalLur.java    | 102 +++
 .../java/com/att/cadi/lur/test/TestAccess.java     |  92 +++
 .../src/test/java/com/att/cadi/test/JU_Base64.java | 158 ++++
 .../cadi/test/JU_BufferedServletInputStream.java   | 192 +++++
 .../test/java/com/att/cadi/test/JU_Capacitor.java  | 145 ++++
 core/src/test/java/com/att/cadi/test/JU_Hash.java  |  62 ++
 .../test/java/com/att/cadi/test/JU_Passcode.java   |  91 +++
 .../java/com/att/cadi/test/JU_UserChainManip.java  |  49 ++
 core/src/test/java/com/att/cadi/test/JU_Vars.java  | 127 ++++
 core/src/test/java/com/att/cadi/test/Test.java     |  71 ++
 .../java/com/att/cadi/wsse/test/JU_WSSE_Read.java  | 192 +++++
 .../java/com/att/cadi/wsse/test/JU_XReader.java    |  67 ++
 120 files changed, 13857 insertions(+)
 create mode 100644 core/.gitignore
 create mode 100644 core/conf/cadi.properties
 create mode 100644 core/pom.xml
 create mode 100644 core/src/assemble/cadi.xml
 create mode 100644 core/src/assemble/poll.xml
 create mode 100644 core/src/main/java/com/att/cadi/AES.java
 create mode 100644 core/src/main/java/com/att/cadi/AbsCachedPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/AbsUserCache.java
 create mode 100644 core/src/main/java/com/att/cadi/Access.java
 create mode 100644 core/src/main/java/com/att/cadi/BasicCred.java
 create mode 100644 core/src/main/java/com/att/cadi/BufferedCadiWrap.java
 create mode 100644 core/src/main/java/com/att/cadi/BufferedServletInputStream.java
 create mode 100644 core/src/main/java/com/att/cadi/CachedPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/CachingLur.java
 create mode 100644 core/src/main/java/com/att/cadi/CadiException.java
 create mode 100644 core/src/main/java/com/att/cadi/CadiWrap.java
 create mode 100644 core/src/main/java/com/att/cadi/Capacitor.java
 create mode 100644 core/src/main/java/com/att/cadi/CmdLine.java
 create mode 100644 core/src/main/java/com/att/cadi/Connector.java
 create mode 100644 core/src/main/java/com/att/cadi/CredVal.java
 create mode 100644 core/src/main/java/com/att/cadi/GetCred.java
 create mode 100644 core/src/main/java/com/att/cadi/Hash.java
 create mode 100644 core/src/main/java/com/att/cadi/Locator.java
 create mode 100644 core/src/main/java/com/att/cadi/LocatorException.java
 create mode 100644 core/src/main/java/com/att/cadi/Lur.java
 create mode 100644 core/src/main/java/com/att/cadi/Permission.java
 create mode 100644 core/src/main/java/com/att/cadi/PropAccess.java
 create mode 100644 core/src/main/java/com/att/cadi/Revalidator.java
 create mode 100644 core/src/main/java/com/att/cadi/SLF4JAccess.java
 create mode 100644 core/src/main/java/com/att/cadi/SecuritySetter.java
 create mode 100644 core/src/main/java/com/att/cadi/ServletContextAccess.java
 create mode 100644 core/src/main/java/com/att/cadi/StrLur.java
 create mode 100644 core/src/main/java/com/att/cadi/Symm.java
 create mode 100644 core/src/main/java/com/att/cadi/Taf.java
 create mode 100644 core/src/main/java/com/att/cadi/Transmutate.java
 create mode 100644 core/src/main/java/com/att/cadi/TrustChecker.java
 create mode 100644 core/src/main/java/com/att/cadi/User.java
 create mode 100644 core/src/main/java/com/att/cadi/UserChain.java
 create mode 100644 core/src/main/java/com/att/cadi/config/Config.java
 create mode 100644 core/src/main/java/com/att/cadi/config/Get.java
 create mode 100644 core/src/main/java/com/att/cadi/config/GetAccess.java
 create mode 100644 core/src/main/java/com/att/cadi/config/MultiGet.java
 create mode 100644 core/src/main/java/com/att/cadi/config/SecurityInfo.java
 create mode 100644 core/src/main/java/com/att/cadi/config/SecurityInfoC.java
 create mode 100644 core/src/main/java/com/att/cadi/config/UsersDump.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/AUTHZ.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/AUTHZServlet.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/AccessGetter.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/CadiAccess.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/CadiFilter.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/FCGet.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/MapPermConverter.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/NullPermConverter.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/PathFilter.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/PermConverter.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/RolesAllowed.java
 create mode 100644 core/src/main/java/com/att/cadi/filter/ServletImpl.java
 create mode 100644 core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/lur/EpiLur.java
 create mode 100644 core/src/main/java/com/att/cadi/lur/LocalLur.java
 create mode 100644 core/src/main/java/com/att/cadi/lur/LocalPermission.java
 create mode 100644 core/src/main/java/com/att/cadi/lur/NullLur.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/BasicPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/BearerPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/TrustPrincipal.java
 create mode 100644 core/src/main/java/com/att/cadi/principal/X509Principal.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/AbsTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/EpiTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/HttpTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/NullTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/NullTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/PuntTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/Redirectable.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/TafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/TrustTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/cert/X509Taf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
 create mode 100644 core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java
 create mode 100644 core/src/main/java/com/att/cadi/util/Chmod.java
 create mode 100644 core/src/main/java/com/att/cadi/util/JsonOutputStream.java
 create mode 100644 core/src/main/java/com/att/cadi/util/MaskFormatException.java
 create mode 100644 core/src/main/java/com/att/cadi/util/MyConsole.java
 create mode 100644 core/src/main/java/com/att/cadi/util/NetMask.java
 create mode 100644 core/src/main/java/com/att/cadi/util/Split.java
 create mode 100644 core/src/main/java/com/att/cadi/util/SubStandardConsole.java
 create mode 100644 core/src/main/java/com/att/cadi/util/TheConsole.java
 create mode 100644 core/src/main/java/com/att/cadi/util/UserChainManip.java
 create mode 100644 core/src/main/java/com/att/cadi/util/Vars.java
 create mode 100644 core/src/main/java/com/att/cadi/wsse/Action.java
 create mode 100644 core/src/main/java/com/att/cadi/wsse/Match.java
 create mode 100644 core/src/main/java/com/att/cadi/wsse/WSSEParser.java
 create mode 100644 core/src/main/java/com/att/cadi/wsse/XEvent.java
 create mode 100644 core/src/main/java/com/att/cadi/wsse/XReader.java
 create mode 100644 core/src/test/java/com/att/cadi/JU_AES.java
 create mode 100644 core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java
 create mode 100644 core/src/test/java/com/att/cadi/lur/test/TestAccess.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_Base64.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_Capacitor.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_Hash.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_Passcode.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_UserChainManip.java
 create mode 100644 core/src/test/java/com/att/cadi/test/JU_Vars.java
 create mode 100644 core/src/test/java/com/att/cadi/test/Test.java
 create mode 100644 core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java
 create mode 100644 core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java

(limited to 'core')

diff --git a/core/.gitignore b/core/.gitignore
new file mode 100644
index 0000000..cf85207
--- /dev/null
+++ b/core/.gitignore
@@ -0,0 +1,5 @@
+/bin/
+/target/
+/.classpath
+/.project
+.settings
diff --git a/core/conf/cadi.properties b/core/conf/cadi.properties
new file mode 100644
index 0000000..d60fc23
--- /dev/null
+++ b/core/conf/cadi.properties
@@ -0,0 +1,60 @@
+#-------------------------------------------------------------------------------
+# ============LICENSE_START====================================================
+# * org.onap.aai
+# * ===========================================================================
+# * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# * Copyright © 2017 Amdocs
+# * ===========================================================================
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# * 
+#  *      http://www.apache.org/licenses/LICENSE-2.0
+# * 
+#  * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+# * ============LICENSE_END====================================================
+# *
+# * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+# *
+#-------------------------------------------------------------------------------
+###############################################################################
+# Copyright (c) 2016 AT&T Intellectual Property. All rights reserved.
+###############################################################################
+# This is a normal Java Properties File
+# Comments are with Pound Signs at beginning of lines,
+# and multi-line expression of properties can be obtained by backslash at end of line
+
+# Certain machines have several possible machine names, and
+# the right one may not be reported.  This is especially
+# important for CSP Authorization, which will only 
+# function on official AT&T domains.
+hostname=veeger.mo.sbc.com 
+
+port=2533
+
+# CSP has Production mode (active users) or DEVL mode (for 
+# Testing purposes... Bogus users)
+#csp_domain=DEVL
+csp_domain=PROD
+
+# Report all AUTHN and AUTHZ activity
+loglevel=AUDIT
+
+#
+# BasicAuth and other User/Password support
+#
+# The realm reported on BasicAuth callbacks
+basic_realm=spiderman.agile.att.com
+users=ks%xiVUs_25_1jqGdJ24hqy43Gi;
+groups=aaf:Jd8bb3jslg88b@spiderman.agile.att.com%7sZCPBZ_8iWbslqdjWFIDLgTZlm9ung0ym-G,\
+		jg1555,lg2384,rd8227,tp007s,pe3617;
+	
+
+# Keyfile (with relative path) for encryption.  This file
+# should be marked as ReadOnly by Only the running process
+# for security's sake
+keyfile=conf/keyfile
diff --git a/core/pom.xml b/core/pom.xml
new file mode 100644
index 0000000..15c7e63
--- /dev/null
+++ b/core/pom.xml
@@ -0,0 +1,131 @@
+<!--
+  ============LICENSE_START====================================================
+  * org.onap.aai
+  * ===========================================================================
+  * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+  * Copyright © 2017 Amdocs
+  * ===========================================================================
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+  * You may obtain a copy of the License at
+  * 
+   *      http://www.apache.org/licenses/LICENSE-2.0
+  * 
+   * Unless required by applicable law or agreed to in writing, software
+  * distributed under the License is distributed on an "AS IS" BASIS,
+  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  * ============LICENSE_END====================================================
+  *
+  * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+  *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<parent>
+		<groupId>com.att.cadi</groupId>
+		<artifactId>parent</artifactId>
+		<relativePath>..</relativePath>
+		<version>1.3.2</version>
+	</parent>
+	
+	<modelVersion>4.0.0</modelVersion>
+	<name>CADI Core Framework (Code, Access, Data, Identity)</name>
+	<artifactId>cadi-core</artifactId>
+	<packaging>jar</packaging>
+	<url>https://github.com/att/AAF</url>
+	<description>CADI</description>
+	
+	<dependencies>
+
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>servlet-api</artifactId>
+			<scope>provided</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.slf4j</groupId>
+  			<artifactId>slf4j-api</artifactId>
+  			<scope>provided</scope>
+		</dependency>
+		
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<!-- Must put this in to turn on Signing, but Configuration itself is 
+					in Parent -->
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jarsigner-plugin</artifactId>
+			</plugin>
+			<plugin>
+			<groupId>org.apache.maven.plugins</groupId>
+			<artifactId>maven-jar-plugin</artifactId>
+			<configuration>
+				<archive>
+					<manifest>
+						<mainClass>com.att.cadi.CmdLine</mainClass>
+					</manifest>
+					<manifestEntries>
+						<Sealed>true</Sealed>
+					</manifestEntries>
+				</archive>
+			</configuration>
+			<executions>
+				<execution>
+					<id>test-jar</id>
+					<phase>package</phase>
+					<goals>
+						<goal>test-jar</goal>
+					</goals>
+				</execution>
+			</executions>
+		</plugin>
+		
+		<plugin>
+			<groupId>org.apache.maven.plugins</groupId>
+			<artifactId>maven-javadoc-plugin</artifactId>
+					<configuration>
+			<failOnError>false</failOnError>
+			</configuration>
+			<executions>
+				<execution>
+					<id>attach-javadocs</id>
+					<goals>
+						<goal>jar</goal>
+					</goals>
+				</execution>
+			</executions>
+		</plugin> 
+	   
+	   
+	       <plugin>
+		      <groupId>org.apache.maven.plugins</groupId>
+		      <artifactId>maven-source-plugin</artifactId>
+		      <version>2.2.1</version>
+		      <executions>
+			<execution>
+			  <id>attach-sources</id>
+			  <goals>
+			    <goal>jar-no-fork</goal>
+			  </goals>
+			</execution>
+		      </executions>
+		    </plugin>
+	
+		<plugin>
+			<groupId>org.sonatype.plugins</groupId>
+			<artifactId>nexus-staging-maven-plugin</artifactId>
+			<version>1.6.7</version>
+			<extensions>true</extensions>
+			<configuration>
+			<serverId>ossrhdme</serverId>
+			<nexusUrl>https://oss.sonatype.org/</nexusUrl>
+			<autoReleaseAfterClose>true</autoReleaseAfterClose>
+			</configuration>
+		</plugin>
+		</plugins>
+	</build>
+
+</project>
diff --git a/core/src/assemble/cadi.xml b/core/src/assemble/cadi.xml
new file mode 100644
index 0000000..0bbb8e8
--- /dev/null
+++ b/core/src/assemble/cadi.xml
@@ -0,0 +1,47 @@
+<!--
+  ============LICENSE_START====================================================
+  * org.onap.aai
+  * ===========================================================================
+  * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+  * Copyright © 2017 Amdocs
+  * ===========================================================================
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+  * You may obtain a copy of the License at
+  * 
+   *      http://www.apache.org/licenses/LICENSE-2.0
+  * 
+   * Unless required by applicable law or agreed to in writing, software
+  * distributed under the License is distributed on an "AS IS" BASIS,
+  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  * ============LICENSE_END====================================================
+  *
+  * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+  *
+-->
+<assembly>
+  <id>test</id>
+  <formats>
+    <format>jar</format>
+  </formats>
+  <includeBaseDirectory>false</includeBaseDirectory>
+  <dependencySets>
+    <dependencySet>
+      <outputDirectory></outputDirectory>
+      <outputFileNameMapping></outputFileNameMapping>
+      <unpack>true</unpack>
+      <scope>runtime</scope>
+      <!--  includes>
+        <include>com.att.cssa:env*</include>
+      </includes -->
+    </dependencySet>
+  </dependencySets>
+  <fileSets>
+    <fileSet>
+      <directory>target/classes</directory>
+      <outputDirectory></outputDirectory>
+    </fileSet>
+   </fileSets>
+</assembly>
diff --git a/core/src/assemble/poll.xml b/core/src/assemble/poll.xml
new file mode 100644
index 0000000..c33dd83
--- /dev/null
+++ b/core/src/assemble/poll.xml
@@ -0,0 +1,47 @@
+<!--
+  ============LICENSE_START====================================================
+  * org.onap.aai
+  * ===========================================================================
+  * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+  * Copyright © 2017 Amdocs
+  * ===========================================================================
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+  * You may obtain a copy of the License at
+  * 
+   *      http://www.apache.org/licenses/LICENSE-2.0
+  * 
+   * Unless required by applicable law or agreed to in writing, software
+  * distributed under the License is distributed on an "AS IS" BASIS,
+  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  * ============LICENSE_END====================================================
+  *
+  * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+  *
+-->
+<assembly>
+  <id>app</id>
+  <formats>
+    <format>jar</format>
+  </formats>
+  <includeBaseDirectory>false</includeBaseDirectory>
+  <dependencySets>
+    <dependencySet>
+      <outputDirectory></outputDirectory>
+      <outputFileNameMapping></outputFileNameMapping>
+      <unpack>true</unpack>
+      <scope>runtime</scope>
+      <!--  includes>
+        <include>web</include>
+      </includes -->
+    </dependencySet>
+  </dependencySets>
+  <fileSets>
+    <fileSet>
+      <directory>target/classes</directory>
+      <outputDirectory></outputDirectory>
+    </fileSet>
+   </fileSets>
+</assembly>
diff --git a/core/src/main/java/com/att/cadi/AES.java b/core/src/main/java/com/att/cadi/AES.java
new file mode 100644
index 0000000..4041ae5
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/AES.java
@@ -0,0 +1,128 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+import com.att.cadi.util.Chmod;
+
+public class AES {
+	public static final String AES = AES.class.getSimpleName();
+	public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs.
+	
+	private Cipher aesCipher;
+	private SecretKeySpec aeskeySpec;
+
+	public AES() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+		aesCipher = Cipher.getInstance(AES);
+	    aeskeySpec = new SecretKeySpec(newKey().getEncoded(), AES);
+	}
+	
+	public static SecretKey newKey() throws NoSuchAlgorithmException {
+		KeyGenerator kgen = KeyGenerator.getInstance(AES);
+	    kgen.init(AES_KEY_SIZE);
+	    return kgen.generateKey();
+	}
+
+	public AES(File keyfile) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+		aesCipher = Cipher.getInstance(AES);
+		byte[] aesKey = new byte[AES_KEY_SIZE/8];
+		FileInputStream fis = new FileInputStream(keyfile);
+		try {
+			fis.read(aesKey);
+		} finally {
+			fis.close();
+		}
+		aeskeySpec = new SecretKeySpec(aesKey,AES);
+	}
+
+	public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+		aesCipher = Cipher.getInstance(AES);
+		aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES);
+	}
+	
+	public byte[] encrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+		aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+		return aesCipher.doFinal(in);
+	}
+	
+	public byte[] decrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+		aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec); 
+		return aesCipher.doFinal(in);
+	}
+	
+	public void save(File keyfile) throws IOException {
+		FileOutputStream fis = new FileOutputStream(keyfile);
+		try {
+			fis.write(aeskeySpec.getEncoded());
+		} finally {
+			fis.close();
+		}
+		Chmod.to400.chmod(keyfile);
+	}
+
+	public CipherOutputStream outputStream(OutputStream os, boolean encrypt) {
+		try {
+			if(encrypt) {
+				aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+			} else {
+				aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
+			}
+		} catch (InvalidKeyException e) {
+			// KeySpec created earlier... no chance being wrong.
+		} 
+		return new CipherOutputStream(os,aesCipher);
+	}
+	
+	public CipherInputStream inputStream(InputStream is, boolean encrypt) {
+		try {
+			if(encrypt) {
+				aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+			} else {
+				aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
+			}
+		} catch (InvalidKeyException e) {
+			// KeySpec created earlier... no chance being wrong.
+		} 
+		
+		return new CipherInputStream(is,aesCipher);
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/AbsCachedPrincipal.java b/core/src/main/java/com/att/cadi/AbsCachedPrincipal.java
new file mode 100644
index 0000000..bb76e3d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/AbsCachedPrincipal.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+
+public abstract class AbsCachedPrincipal<TAF> implements CachedPrincipal {
+	protected TAF taf;
+
+	protected AbsCachedPrincipal(TAF taf) {
+		this.taf = taf;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/AbsUserCache.java b/core/src/main/java/com/att/cadi/AbsUserCache.java
new file mode 100644
index 0000000..0229a71
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/AbsUserCache.java
@@ -0,0 +1,409 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.TreeMap;
+import java.util.concurrent.ConcurrentHashMap;
+
+import com.att.cadi.Access.Level;
+import com.att.cadi.CachedPrincipal.Resp;
+
+/**
+ * Implement Fast lookup and Cache for Local User Info
+ * 
+ * Include ability to add and remove Users
+ * 
+ * Also includes a Timer Thread (when necessary) to invoke cleanup on expiring Credentials
+ * 
+ *
+ */
+public abstract class AbsUserCache<PERM extends Permission> {
+	static final int MIN_INTERVAL = 15000;
+	static final int MAX_INTERVAL = 1000*60*5; // 5 mins
+	private static Timer timer;
+	// Map of userName to User
+	private final Map<String, User<PERM>> userMap;
+	private final Map<String, Miss> missMap;
+	private Clean clean;
+	protected Access access;
+//	private final static Permission teaser = new LocalPermission("***NoPERM****");
+	
+	protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) {
+		this.access = access;
+		userMap = new ConcurrentHashMap<String, User<PERM>>();
+		missMap = new TreeMap<String,Miss>();
+		if(cleanInterval>0) {
+			cleanInterval = Math.max(MIN_INTERVAL, cleanInterval);
+			synchronized(AbsUserCache.class) { // Lazy instantiate.. in case there is no cleanup needed
+				if(timer==null) {
+					timer = new Timer("CADI Cleanup Timer",true);
+				}
+				
+				timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval);
+				access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount);
+			}
+		}
+	}
+	
+	@SuppressWarnings("unchecked")
+	public AbsUserCache(AbsUserCache<PERM> cache) {
+		this.access = cache.access;
+		userMap = cache.userMap;
+		missMap = cache.missMap;
+		synchronized(AbsUserCache.class) {
+			if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) {
+				cache.clean.lur=(CachingLur<PERM>)this;
+			}
+		}
+	}
+
+	protected void setLur(CachingLur<PERM> lur) {
+		if(clean!=null)clean.lur = lur;
+		
+	}
+	
+	protected void addUser(User<PERM> user) {
+		userMap.put(user.principal.getName(), user);
+	}
+
+	// Useful for looking up by WebToken, etc.
+	protected void addUser(String key, User<PERM> user) {
+		userMap.put(key, user);
+	}
+	
+	/**
+	 * Add miss to missMap.  If Miss exists, or too many tries, returns false.
+	 * 
+	 * otherwise, returns true to allow another attempt.
+	 * 
+	 * @param key
+	 * @param bs
+	 * @return
+	 */
+	protected boolean addMiss(String key, byte[] bs) {
+		Miss miss = missMap.get(key);
+		if(miss==null) {
+			synchronized(missMap) {
+				missMap.put(key, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval));
+			}
+			return true;
+		}
+		return miss.add(bs); 
+	}
+
+	protected Miss missed(String key) {
+		return missMap.get(key);
+	}
+
+	protected User<PERM> getUser(String userName) {
+		User<PERM> u = userMap.get(userName);
+		if(u!=null) {
+			u.incCount();
+		}
+		return u;
+	}
+	
+	protected User<PERM> getUser(Principal principal) {
+		return getUser(principal.getName()); 
+	}
+	
+	/**
+	 * Removes User from the Cache
+	 * @param user
+	 */
+	protected void remove(User<PERM> user) {
+		userMap.remove(user.principal.getName());
+	}
+	
+	/**
+	 * Removes user from the Cache
+	 * 
+	 * @param user
+	 */
+	public void remove(String user) {
+		Object o = userMap.remove(user);
+		if(o!=null) {
+			access.log(Level.INFO, user,"removed from Client Cache by Request");
+		}
+	}
+	
+	/**
+	 * Clear all users from the Client Cache
+	 */
+	public void clearAll() {
+		userMap.clear();
+	}
+	
+	public final List<DumpInfo> dumpInfo() {
+		List<DumpInfo> rv = new ArrayList<DumpInfo>();
+		for(User<PERM> user : userMap.values()) {
+			rv.add(new DumpInfo(user));
+		}
+		return rv;
+	}
+
+	/**
+	 * The default behavior of a LUR is to not handle something exclusively.
+	 */
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+	
+	/**
+	 * Container calls when cleaning up... 
+	 * 
+	 * If overloading in Derived class, be sure to call "super.destroy()"
+	 */
+	public void destroy() {
+		if(timer!=null) {
+			timer.purge();
+			timer.cancel();
+		}
+	}
+	
+	
+
+	// Simple map of Group name to a set of User Names
+	//	private Map<String, Set<String>> groupMap = new HashMap<String, Set<String>>();
+
+	/**
+	 * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects
+	 */
+	public final class DumpInfo {
+		public String user;
+		public List<String> perms;
+		
+		public DumpInfo(User<PERM> user) {
+			this.user = user.principal.getName();
+			perms = new ArrayList<String>(user.perms.keySet());
+		}
+	}
+	
+	/**
+	 * Clean will examine resources, and remove those that have expired.
+	 * 
+	 * If "highs" have been exceeded, then we'll expire 10% more the next time.  This will adjust after each run
+	 * without checking contents more than once, making a good average "high" in the minimum speed.
+	 * 
+	 *
+	 */
+	private final class Clean extends TimerTask {
+		private final Access access;
+		private CachingLur<PERM> lur;
+		
+		// The idea here is to not be too restrictive on a high, but to Expire more items by 
+		// shortening the time to expire.  This is done by judiciously incrementing "advance"
+		// when the "highs" are exceeded.  This effectively reduces numbers of cached items quickly.
+		private final int high;
+		private long advance;
+		private final long timeInterval;
+		private final int usageTriggerCount;
+		
+		public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) {
+			this.access = access;
+			lur = null;
+			high = highCount;
+			timeInterval = cleanInterval;
+			advance = 0;
+			this.usageTriggerCount=usageTriggerCount;
+		}
+		public void run() {
+			int renewed = 0;
+			int count = 0;
+			int total = 0;
+			try {
+				// look at now.  If we need to expire more by increasing "now" by "advance"
+				ArrayList<User<PERM>> al = new ArrayList<User<PERM>>(userMap.values().size());
+				al.addAll(0, userMap.values());
+				long now = System.currentTimeMillis() + advance;
+				for(User<PERM> user : al) {
+					++total;
+						if(user.count>usageTriggerCount) {
+	//						access.log(Level.AUDIT, "Checking Thread", new Date(now));
+							boolean touched = false, removed=false;
+							if(user.principal instanceof CachedPrincipal) {
+								CachedPrincipal cp = (CachedPrincipal)user.principal;
+								if(cp.expires() < now) {
+									switch(cp.revalidate()) {
+										case INACCESSIBLE:
+											access.log(Level.AUDIT, "AAF Inaccessible.  Keeping credentials");
+											break;
+										case REVALIDATED:
+											user.resetCount();
+			//								access.log(Level.AUDIT, "CACHE revalidated credentials");
+											touched = true;
+											break;
+										default:
+											user.resetCount();
+											remove(user);
+											++count;
+											removed = true;
+											break;
+									}
+								}
+							}
+						
+	//						access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires));
+							if(!removed && lur!=null && user.permExpires<= now ) {
+	//							access.log(Level.AUDIT, "Reloading");
+								if(lur.reload(user).equals(Resp.REVALIDATED)) {
+									user.renewPerm();
+									access.log(Level.DEBUG, "Reloaded Perms for",user);
+									touched = true;
+								}
+							}
+							user.resetCount();
+							if(touched) {
+								++renewed;
+							}
+	
+						} else {
+							if(user.permExpired()) {
+								remove(user);
+								++count;
+							}
+						}
+				}
+				
+				// Clean out Misses
+				int missTotal = missMap.keySet().size();
+				int miss = 0;
+				if(missTotal>0) {
+					ArrayList<String> keys = new ArrayList<String>(missTotal);
+					keys.addAll(missMap.keySet());
+					for(String key : keys) {
+						Miss m = missMap.get(key);
+						if(m!=null && m.timestamp<System.currentTimeMillis()) {
+							synchronized(missMap) {
+								missMap.remove(key);
+							}
+							access.log(Level.INFO, key, "has been removed from Missed Credential Map (" + m.tries + " invalid tries)");
+							++miss;
+						}
+					}
+				}
+				
+				if(count+renewed+miss>0) {
+					access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count,
+						"and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal);
+				}
+	
+				// If High (total) is reached during this period, increase the number of expired services removed for next time.
+				// There's no point doing it again here, as there should have been cleaned items.
+				if(total>high) {
+					// advance cleanup by 10%, without getting greater than timeInterval.
+					advance = Math.min(timeInterval, advance+(timeInterval/10));
+				} else {
+					// reduce advance by 10%, without getting lower than 0.
+					advance = Math.max(0, advance-(timeInterval/10));
+				}
+			} catch (Exception e) {
+				access.log(Level.ERROR,e.getMessage());
+			}
+		}
+	}
+	
+	public static class Miss {
+		private static final int MAX_TRIES = 3;
+
+		long timestamp;
+		byte[][] array;
+
+		private long timetolive;
+
+		private int tries;
+		
+		public Miss(byte[] first, long timeInterval) {
+			array = new byte[MAX_TRIES][];
+			array[0]=first;
+			timestamp = System.currentTimeMillis() + timeInterval;
+			this.timetolive = timeInterval;
+			tries = 1;
+		}
+		
+		public boolean mayContinue(byte[] bs) {
+			if(++tries > MAX_TRIES) return false;
+			for(byte[] a : array) {
+				if(a==null)return true;
+				if(equals(a,bs)) {
+					return false;
+				}
+			}
+			return true;
+		}
+
+		public synchronized boolean add(byte[] bc) {
+			if(++tries>MAX_TRIES)return false;
+			timestamp = System.currentTimeMillis()+timetolive;
+			for(int i=0;i<MAX_TRIES;++i) {
+				if(array[i]==null) {
+					array[i]=bc;
+					return true; // add to array, and allow more tries
+				} else if(equals(array[i],bc)) {
+					return false;
+				}
+			}
+			return false; // no more tries until cache cleared.
+		}
+		
+		private boolean equals(byte[] src, byte[] target) {
+			if(target.length==src.length) {
+				for(int j=0;j<src.length;++j) {
+					if(src[j]!=target[j]) return false;
+				}
+				return true; // same length and same chars
+			}
+			return false;
+		}
+	}
+	
+	/**
+	 * Report on state
+	 */
+	public String toString() {
+		return getClass().getSimpleName() + 
+				" Cache:\n  Users Cached: " +
+				userMap.size() +
+				"\n  Misses Saved: " +
+				missMap.size() +
+				'\n';
+				
+	}
+
+	public void clear(Principal p, StringBuilder sb) {
+		sb.append(toString());
+		userMap.clear();
+		missMap.clear();
+		access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName());
+		sb.append("Now cleared\n");
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/Access.java b/core/src/main/java/com/att/cadi/Access.java
new file mode 100644
index 0000000..34ae9d4
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Access.java
@@ -0,0 +1,173 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * Various Environments require different logging mechanisms, or at least allow
+ * for different ones. We need the Framework to be able to hook into any particular instance of logging
+ * mechanism, whether it be a Logging Object within a Servlet Context, or a direct library like log4j.
+ * This interface, therefore, allows maximum pluggability in a variety of different app styles.  
+ *  
+ *
+ */
+public interface Access {
+	// levels to use
+	public enum Level {
+		DEBUG(0x1), INFO(0x10), AUDIT(0x100), WARN(0x2000), ERROR(0x4000), INIT(0x8000),NONE(0XFFFF);
+		private final int bit;
+		
+		Level(int ord) {
+			bit = ord;
+		}
+		
+		public boolean inMask(int mask) {
+			return (mask & bit) == bit;
+		}
+		
+		public int addToMask(int mask) {
+			return mask | bit;
+		}
+
+		public int delFromMask(int mask) {
+			return mask & ~bit;
+		}
+
+		public int toggle(int mask) {
+			if(inMask(mask)) {
+				return delFromMask(mask);
+			} else {
+				return addToMask(mask);
+			}
+		}
+
+
+		public int maskOf() {
+			int mask=0;
+			for(Level l : values()) {
+				if(ordinal()<l.ordinal()) {
+					mask|=l.bit;
+				}
+			}
+			return mask;
+		}
+	}
+
+	/**
+	 * Write a variable list of Object's text via the toString() method with appropriate space, etc.
+	 * @param elements
+	 */
+	public void log(Level level, Object ... elements);
+
+	/**
+	 * Printf mechanism for Access
+	 * @param level
+	 * @param fmt
+	 * @param elements
+	 */
+	public void printf(Level level, String fmt, Object ... elements);
+	
+	/** 
+	 * Check if message will log before constructing
+	 * @param level
+	 * @return
+	 */
+	public boolean willLog(Level level);
+
+	/**
+	 * Write the contents of an exception, followed by a variable list of Object's text via the 
+	 * toString() method with appropriate space, etc.
+	 * 
+	 * The Loglevel is always "ERROR"
+	 * 
+	 * @param elements
+	 */
+	public void log(Exception e, Object ... elements);
+	
+	/**
+	 * Set the Level to compare logging too
+	 */
+	public void setLogLevel(Level level);
+		
+	/**
+	 * It is important in some cases to create a class from within the same Classloader that created
+	 * Security Objects.  Specifically, it's pretty typical for Web Containers to separate classloaders
+	 * so as to allow Apps with different dependencies. 
+	 * @return
+	 */
+	public ClassLoader classLoader();
+
+	public String getProperty(String string, String def);
+	
+	public void load(InputStream is) throws IOException;
+
+	/**
+	 * if "anytext" is true, then decryption will always be attempted.  Otherwise, only if starts with 
+	 * Symm.ENC
+	 * @param encrypted
+	 * @param anytext
+	 * @return
+	 * @throws IOException
+	 */
+	public String decrypt(String encrypted, boolean anytext) throws IOException;
+
+	public static final Access NULL = new Access() {
+		public void log(Level level, Object... elements) {
+		}
+
+		@Override
+		public void printf(Level level, String fmt, Object... elements) {
+		}
+
+		public void log(Exception e, Object... elements) {
+		}
+
+		public ClassLoader classLoader() {
+			return this.classLoader();
+		}
+
+		public String getProperty(String string, String def) {
+			return null;
+		}
+
+		public void load(InputStream is) throws IOException {
+		}
+
+		public void setLogLevel(Level level) {
+		}
+
+		public String decrypt(String encrypted, boolean anytext) throws IOException {
+			return encrypted;
+		}
+
+		@Override
+		public boolean willLog(Level level) {
+			return false;
+		}
+	};
+
+
+}
diff --git a/core/src/main/java/com/att/cadi/BasicCred.java b/core/src/main/java/com/att/cadi/BasicCred.java
new file mode 100644
index 0000000..f2411c4
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/BasicCred.java
@@ -0,0 +1,37 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+/**
+ * An Interface for testing on Requests to see if we can get a User and Password
+ * It works for CadiWrap, but also, Container Specific Wraps (aka Tomcat) should also
+ * implement.
+ * 
+ *
+ */
+public interface BasicCred extends GetCred {
+	public void setUser(String user);
+	public void setCred(byte[] passwd);
+	public String getUser();
+}
diff --git a/core/src/main/java/com/att/cadi/BufferedCadiWrap.java b/core/src/main/java/com/att/cadi/BufferedCadiWrap.java
new file mode 100644
index 0000000..cc9b40d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/BufferedCadiWrap.java
@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * BufferedCadiWrap exists to additionally wrap the InputStream with a BufferedInputStream to engage the
+ * "mark()/release()" API of InputStream.
+ * 
+ * This is a requirement for Re-Reading Content for brain-dead Middleware such as SOAP WS-Security.
+ * 
+ * Framework needs to set the TafResp and Lur (typically) later in the 
+ * 
+ *
+ */
+public class BufferedCadiWrap extends CadiWrap {
+	private BufferedServletInputStream sis;
+	
+	public BufferedCadiWrap(HttpServletRequest request) {
+		super(request, null, null); // will need to set TafResp and Lur separately
+		sis = null;
+	}
+
+
+	// @Override
+	public BufferedServletInputStream getInputStream() throws IOException {
+//		System.out.println("getInputStream() from Buffered CadiWrap... sis = " + sis);
+//		try {
+//			throw new Exception("OK, here's where we are...");
+//		} catch (Exception e) {
+//			e.printStackTrace();
+//		}
+		if(sis==null) {
+			sis = new BufferedServletInputStream(super.getInputStream());
+//		} else {
+//			try {
+//			System.out.println("sis has " + sis.buffered() + " buffered bytes, and reports " + sis.available() + " available");
+//			} catch (Exception e) {
+//				e.printStackTrace();
+//			}
+		}
+		return sis;
+	}
+
+	// @Override
+	public BufferedReader getReader() throws IOException {
+//		System.out.println("getReader() from Buffered CadiWrap... sis = " + sis);
+//		try {
+//			throw new Exception("OK, here's where we are...");
+//		} catch (Exception e) {
+//			e.printStackTrace();
+//		}
+		return new BufferedReader(new InputStreamReader(getInputStream()));
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/BufferedServletInputStream.java b/core/src/main/java/com/att/cadi/BufferedServletInputStream.java
new file mode 100644
index 0000000..88114b2
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/BufferedServletInputStream.java
@@ -0,0 +1,215 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.servlet.ServletInputStream;
+
+/**
+ * BufferedServletInputStream
+ * 
+ * There are cases in brain-dead middleware (SOAP) where they store routing information in the content.
+ * 
+ * In HTTP, this requires reading the content from the InputStream which, of course, cannot be re-read.
+ * 
+ * BufferedInputStream exists to implement the "Mark" protocols for Streaming, which will enable being 
+ * re-read.  Unfortunately, J2EE chose to require a "ServletInputStream" as an abstract class, rather than
+ * an interface, which requires we create a delegating pattern, rather than the preferred inheriting pattern. 
+ * 
+ * Unfortunately, the standard "BufferedInputStream" cannot be used, because it simply creates a byte array
+ * in the "mark(int)" method of that size.  This is not appropriate for this application, because the Header 
+ * can be potentially huge, and if a buffer was allocated to accommodate all possibilities, the cost of memory 
+ * allocation would be too large for high performance transactions.
+ *
+ * 
+ *
+ */
+public class BufferedServletInputStream extends ServletInputStream {
+	private static final int NONE = 0;
+	private static final int STORE = 1;
+	private static final int READ = 2;
+	
+	private InputStream is;
+	private int state = NONE;
+	private Capacitor capacitor;
+
+	public BufferedServletInputStream(InputStream is) {
+		this.is = is;
+		capacitor = null;
+	}
+
+
+	// @Override
+	public int read() throws IOException {
+		int value=-1;
+		if(capacitor==null) {
+			value=is.read();
+		} else {
+			switch(state) {
+				case STORE:
+					value = is.read();
+					if(value>=0) {
+						capacitor.put((byte)value);
+					}
+					break;
+				case READ:
+					value = capacitor.read();
+					if(value<0) {
+						capacitor.done();
+						capacitor=null; // all done with buffer
+						value = is.read();
+					}
+			}
+		} 
+		return value;
+	}
+
+	// @Override
+	public int read(byte[] b) throws IOException {
+		return read(b,0,b.length);
+	}
+
+
+	// @Override
+	public int read(byte[] b, int off, int len) throws IOException {
+		int count = -1;
+		if(capacitor==null) {
+			count = is.read(b,off,len);
+		} else {
+			switch(state) {
+				case STORE:
+					count = is.read(b, off, len);
+					if(count>0) {
+						capacitor.put(b, off, count);
+					}
+					break;
+				case READ:
+					count = capacitor.read(b, off, len);
+//					System.out.println("Capacitor read " + count);
+					if(count<=0) {
+						capacitor.done();
+						capacitor=null; // all done with buffer
+					}
+					if(count<len) {
+						int temp = is.read(b, count, len-count);
+//						System.out.println("Capacitor done, stream read " + temp);
+						if(temp>0) { // watch for -1
+							count+=temp;
+						} else {
+							if(count<=0)count = temp; // must account for Stream coming back -1  
+						}
+					}
+					break;
+			}
+		}
+//		System.out.println("read reports " + count);
+		return count;
+	}
+
+	// @Override
+	public long skip(long n) throws IOException {
+		long skipped = capacitor.skip(n);
+		if(skipped<n) {
+			skipped += is.skip(n-skipped);
+		}
+		return skipped;
+	}
+
+
+	// @Override
+	public int available() throws IOException {
+		int count = is.available();
+		if(capacitor!=null)count+=capacitor.available();
+		return count;		
+	}
+	
+	/**
+	 * Return just amount buffered (for debugging purposes, mostly)
+	 * @return
+	 */
+	public int buffered() {
+		return capacitor.available();
+	}
+
+
+	// @Override
+	public void close() throws IOException {
+		if(capacitor!=null) {
+			capacitor.done();
+			capacitor=null;
+		}
+		is.close();
+	}
+
+
+	/**
+	 * Note: Readlimit is ignored in this implementation, because the need was for unknown buffer size which wouldn't 
+	 * require allocating and dumping huge chunks of memory every use, or risk overflow.
+	 */
+	// @Override
+	public synchronized void mark(int readlimit) {
+		switch(state) {
+			case NONE:
+				capacitor = new Capacitor();
+				break;
+			case READ:
+				capacitor.done();
+				break;
+			// ignore case STORE:
+		}
+		state = STORE;
+	}
+
+
+	/**
+	 * Reset Stream
+	 * 
+	 * Calling this twice is not supported in typical Stream situations, but it is allowed in this service.  The caveat is that it can only reset
+	 * the data read in since Mark has been called.  The data integrity is only valid if you have not continued to read past what is stored.
+	 *  
+	 */
+	// @Override
+	public synchronized void reset() throws IOException {
+		switch(state) {
+			case STORE:
+				capacitor.setForRead();
+				state = READ;
+				break;
+			case READ:
+				capacitor.reset();
+				break;
+//				throw new IOException("InputStream is already in READ state");
+			case NONE: 
+				throw new IOException("InputStream has not been marked");
+		}
+	}
+
+
+	// @Override
+	public boolean markSupported() {
+		return true;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/CachedPrincipal.java b/core/src/main/java/com/att/cadi/CachedPrincipal.java
new file mode 100644
index 0000000..741d579
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/CachedPrincipal.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.security.Principal;
+
+/**
+ * Cached Principals need to be able to revalidate in the background.
+ * 
+ *
+ */
+public interface CachedPrincipal extends Principal {
+	public enum Resp {NOT_MINE,UNVALIDATED,REVALIDATED,INACCESSIBLE,DENIED};
+	
+	/**
+	 * Re-validate with Creator
+	 * 
+	 * @return
+	 */
+	public abstract Resp revalidate();
+	
+	/**
+	 * Store when last updated.
+	 * @return
+	 */
+	public abstract long expires();
+}
diff --git a/core/src/main/java/com/att/cadi/CachingLur.java b/core/src/main/java/com/att/cadi/CachingLur.java
new file mode 100644
index 0000000..b7a194f
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/CachingLur.java
@@ -0,0 +1,36 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.security.Principal;
+
+import com.att.cadi.CachedPrincipal.Resp;
+
+
+public interface CachingLur<PERM extends Permission> extends Lur {
+	public abstract void remove(String user);
+	public abstract Resp reload(User<PERM> user);
+	public abstract void setDebug(String commaDelimIDsOrNull);
+	public abstract void clear(Principal p, StringBuilder sb);
+}
diff --git a/core/src/main/java/com/att/cadi/CadiException.java b/core/src/main/java/com/att/cadi/CadiException.java
new file mode 100644
index 0000000..123b394
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/CadiException.java
@@ -0,0 +1,51 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+/**
+ * CADI Specific Exception
+ */
+public class CadiException extends Exception {
+	/**
+	 *  Generated ID 
+	 */
+	private static final long serialVersionUID = -4180145363107742619L;
+
+	public CadiException() {
+		super();
+	}
+
+	public CadiException(String message) {
+		super(message);
+	}
+
+	public CadiException(Throwable cause) {
+		super(cause);
+	}
+
+	public CadiException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/CadiWrap.java b/core/src/main/java/com/att/cadi/CadiWrap.java
new file mode 100644
index 0000000..1961c6e
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/CadiWrap.java
@@ -0,0 +1,194 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import com.att.cadi.Access.Level;
+import com.att.cadi.filter.NullPermConverter;
+import com.att.cadi.filter.PermConverter;
+import com.att.cadi.lur.EpiLur;
+import com.att.cadi.taf.TafResp;
+
+
+
+/**
+ * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but
+ * overload the key security mechanisms with CADI mechanisms
+ * 
+ * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
+ * 
+ * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may
+ * need something similar.  See AppServer specific code (i.e. tomcat) for these.
+ * 
+ *
+ */
+public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
+	private Principal principal;
+	private Lur lur;
+	private String user; // used to set user/pass from brain-dead protocols like WSSE 
+	private byte[] password;
+	private PermConverter pconv;
+	private Access access; 
+	
+	/**
+	 * Standard Wrapper constructor for Delegate pattern
+	 * @param request
+	 */
+	public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
+		super(request);
+		principal = tafResp.getPrincipal();
+		access = tafResp.getAccess();
+		this.lur = lur;
+		pconv = NullPermConverter.singleton();
+	}
+
+	/**
+	 * Standard Wrapper constructor for Delegate pattern, with PermConverter
+	 * @param request
+	 */
+	public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
+		super(request);
+		principal = tafResp.getPrincipal();
+		access = tafResp.getAccess();
+		this.lur = lur;
+		pconv = pc;
+	}
+
+
+	/**
+	 * Part of the HTTP Security API.  Declare the User associated with this HTTP Transaction.
+	 * CADI does this by reporting the name associated with the Principal obtained, if any.
+	 */
+// @Override
+	public String getRemoteUser() {
+		return principal==null?null:principal.getName();
+	}
+
+	/**
+	 * Part of the HTTP Security API.  Return the User Principal associated with this HTTP 
+	 * Transaction.
+	 */
+// @Override
+	public Principal getUserPrincipal() {
+		return principal;
+	}
+	
+	/**
+	 * This is the key API call for AUTHZ in J2EE.  Given a Role (String passed in), is the user
+	 * associated with this HTTP Transaction allowed to function in this Role?
+	 * 
+	 * For CADI, we pass the responsibility for determining this to the "LUR", which may be
+	 * determined by the Enterprise.
+	 * 
+	 * Note: Role check is also done in "CadiRealm" in certain cases...
+	 * 
+	 *
+	 */
+// @Override
+	public boolean isUserInRole(String perm) {
+		return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);
+	}
+	
+	public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
+		if(principal== null) {
+			access.log(Level.AUDIT,caller, "No Principal in Transaction");
+			return false;
+		} else { 
+			perm = pconv.convert(perm);
+			if(lur.fish(principal,lur.createPerm(perm))) {
+				access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
+				return true;
+			} else {
+				access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
+				return false;
+			}
+		}
+
+	}
+
+	/** 
+	 * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc
+	 *  as implemented with lur.fishAll
+	 *  
+	 *  To utilize, the Request must be a "CadiWrap" object, then call.
+	 */
+	public List<Permission> getPermissions(Principal p) {
+		List<Permission> perms = new ArrayList<Permission>();
+		lur.fishAll(p, perms);
+		return perms;
+	}
+	/**
+	 * Allow setting of tafResp and lur after construction
+	 * 
+	 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
+	 */
+	public void set(TafResp tafResp, Lur lur) {
+		principal = tafResp.getPrincipal();
+		access = tafResp.getAccess();
+		this.lur = lur;
+	}
+
+	public String getUser() {
+		if(user==null && principal!=null) {
+			user = principal.getName();
+		}
+		return user;
+	}
+
+	public byte[] getCred() {
+		return password;
+	}
+
+	public void setUser(String user) {
+		this.user = user;
+	}
+
+	public void setCred(byte[] passwd) {
+		password = passwd;
+	}
+	
+	public CadiWrap setPermConverter(PermConverter pc) {
+		pconv = pc;
+		return this;
+	}
+	
+	// Add a feature
+	public void invalidate(String id) {
+		if(lur instanceof EpiLur) {
+			((EpiLur)lur).remove(id);
+		} else if(lur instanceof CachingLur) {
+			((CachingLur<?>)lur).remove(id);
+		}
+	}
+	
+	public Lur getLur() {
+		return lur;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/Capacitor.java b/core/src/main/java/com/att/cadi/Capacitor.java
new file mode 100644
index 0000000..0745875
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Capacitor.java
@@ -0,0 +1,241 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+
+/**
+ * Capacitor
+ * 
+ * Storage mechanism for read data, specifically designed for InputStreams.
+ * 
+ * The Standard BufferedInputStream requires a limit to be set for buffered reading, which is 
+ * impractical for reading SOAP headers, which can be quite large.
+ *
+ */
+public class Capacitor {
+	private static final int DEFAULT_CHUNK = 256;
+	private ArrayList<ByteBuffer> bbs = new ArrayList<ByteBuffer>();
+	private ByteBuffer curr = null;
+	private int idx;
+	
+	// Maintain a private RingBuffer for Memory, for efficiency
+	private static ByteBuffer[] ring = new ByteBuffer[16];
+	private static int start, end;
+	
+	
+	public void put(byte b) {
+		if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data
+			curr = ringGet();
+			bbs.add(curr);
+		}
+		curr.put(b); 
+	}
+
+	public int read() {
+		if(curr!=null) { 
+			if(curr.remaining()>0) { // have a buffer, use it!
+				return curr.get();
+			} else if(idx<bbs.size()){ // Buffer not enough, get next one from array
+				if(idx<bbs.size()) {
+					curr=bbs.get(idx++);
+					return curr.get();
+				}
+			}
+		} // if no curr buffer, treat as end of stream
+		return -1;
+	}
+	
+	/**
+	 * read into an array like Streams
+	 * 
+	 * @param array
+	 * @param offset
+	 * @param length
+	 * @return
+	 */
+	public int read(byte[] array, int offset, int length) {
+		if(curr==null)return -1;
+		int len;
+		int count=0;
+		while(length>0) { // loop through while there's data needed
+			if((len=curr.remaining())>length) { //  if enough data in curr buffer, use this code
+				curr.get(array,offset,length);
+				count+=length;
+				length=0;
+			} else {  // get data from curr, mark how much is needed to fulfil, and loop for next curr.
+				curr.get(array,offset,len);
+				count+=len;
+				offset+=len;
+				length-=len;
+				if(idx<bbs.size()) {
+					curr=bbs.get(idx++);
+				} else {
+					length=0; // stop, and return the count of how many we were able to load
+				}
+			}
+		}
+		return count;
+	}
+
+	/**
+	 * Put an array of data into Capacitor
+	 * 
+	 * @param array
+	 * @param offset
+	 * @param length
+	 */
+	public void put(byte[] array, int offset, int length) {
+		if(curr == null || curr.remaining()==0) {
+			curr = ringGet();
+			bbs.add(curr);
+		}
+		
+		int len;
+		while(length>0) {
+			if((len=curr.remaining())>length) {
+				curr.put(array,offset,length);
+				length=0;
+			} else {
+//				System.out.println(new String(array));
+				curr.put(array,offset,len);
+				length-=len;
+				offset+=len;
+				curr = ringGet();
+				bbs.add(curr);
+			}
+		}
+	}
+	 
+	/**
+	 * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc
+	 */
+	public void setForRead() {
+		for(ByteBuffer bb : bbs) {
+			bb.flip();
+		}
+		if(bbs.isEmpty()) {
+			curr = null;
+			idx = 0;
+		} else {
+			curr=bbs.get(0);
+			idx=1;
+		}
+	}
+	
+	/**
+	 * reuse all the buffers
+	 */
+	public void done() {
+		for(ByteBuffer bb : bbs) {
+			ringPut(bb);
+		}
+		bbs.clear();
+		curr = null;
+	}
+	
+	/**
+	 * Declare amount of data available to be read at once.
+	 * 
+	 * @return
+	 */
+	public int available() {
+		int count = 0;
+		for(ByteBuffer bb : bbs) {
+			count+=bb.remaining();
+		}
+		return count;
+	}
+	
+	/**
+	 * Returns how many are left that were not skipped
+	 * @param n
+	 * @return
+	 */
+	public long skip(long n) {
+		long skipped=0L;
+		int skip;
+		while(n>0) {
+			if(n<(skip=curr.remaining())) {
+				curr.position(curr.position()+(int)n);
+				skipped+=skip;
+				n=0;
+			} else {
+				curr.position(curr.limit());
+				
+				skipped-=skip;
+				if(idx<bbs.size()) {
+					curr=bbs.get(idx++);
+					n-=skip;
+				} else {
+					n=0;
+				}
+			}
+		}
+		return skipped;
+	}
+	/**
+	 * Be able to re-read data that is stored that has already been re-read.  This is not a standard Stream behavior, but can be useful
+	 * in a standalone mode.
+	 */
+	public void reset() {
+		for(ByteBuffer bb : bbs) {
+			bb.position(0);
+		}
+		if(bbs.isEmpty()) {
+			curr = null;
+			idx = 0;
+		} else {
+			curr=bbs.get(0);
+			idx=1;
+		}
+	}
+
+	/*
+	 * Ring Functions.  Reuse allocated memory 
+	 */
+	private ByteBuffer ringGet() {
+		ByteBuffer bb = null;
+		synchronized(ring) {
+			bb=ring[start];
+			ring[start]=null;
+			if(bb!=null && ++start>15)start=0;
+		}
+		if(bb==null) {
+			bb=ByteBuffer.allocate(DEFAULT_CHUNK);
+		} else {
+			bb.clear();// refresh reused buffer
+		}
+		return bb;
+	}
+	
+	private void ringPut(ByteBuffer bb) {
+		synchronized(ring) {
+			ring[end]=bb; // if null or not, BB will just be Garbage collected
+			if(++end>15)end=0;
+		}
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/CmdLine.java b/core/src/main/java/com/att/cadi/CmdLine.java
new file mode 100644
index 0000000..2d19234
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/CmdLine.java
@@ -0,0 +1,357 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.NoSuchAlgorithmException;
+
+import com.att.cadi.util.Chmod;
+import com.att.cadi.util.JsonOutputStream;
+
+
+
+/**
+ * A Class to run on command line to determine suitability of environment for certain TAFs.
+ * 
+ * For instance, CSP supports services only in certain domains, and while dynamic host
+ * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and
+ * invalid) for CSP because of multiple NetworkInterfaces, etc
+ * 
+ *
+ */
+public class CmdLine {
+
+	/**
+	 * @param args
+	 */
+	public static void main(String[] args) {
+		if(args.length>0) {
+			if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) {
+				String keyfile;
+				String password;
+				if(args.length>2) {
+					password = args[1];
+					keyfile = args[2];
+				} else {
+					keyfile = args[1];
+					password = new String(System.console().readPassword("Type here (keystrokes hidden): "));
+				}
+
+				try {
+					Symm symm;
+					FileInputStream fis = new FileInputStream(keyfile);
+					try {
+						symm = Symm.obtain(fis);
+					} finally {
+						fis.close();
+					}
+					symm.enpass(password, System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+					/*  testing code... don't want it exposed
+					System.out.println(" ******** Testing *********");
+					for(int i=0;i<100000;++i) {
+						System.out.println(args[1]);
+						ByteArrayOutputStream baos = new ByteArrayOutputStream();
+						b64.enpass(args[1], baos);
+						String pass; 
+						System.out.println(pass=new String(baos.toByteArray()));
+						ByteArrayOutputStream reconstituted = new ByteArrayOutputStream();
+						b64.depass(pass, reconstituted);
+						String r = reconstituted.toString();
+						System.out.println(r);
+						if(!r.equals(args[1])) {
+							System.err.println("!!!!! STOP - ERROR !!!!!");
+							return;
+						}
+						System.out.println();
+					}
+					System.out.flush();
+					*/
+					 
+				} catch (IOException e) {
+					System.err.println("Cannot digest password");
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+// .  Oh, well, Deployment services need this behavior.  I will put this code in, but leave it undocumented. 
+// One still needs access to the keyfile to read.
+// July 2016 - thought of a tool "CMPass" to reguritate from properties, but only if allowed.
+			} else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) {
+				try {
+					Symm symm;
+					FileInputStream fis = new FileInputStream(args[2]);
+					try {
+						symm = Symm.obtain(fis);
+					} finally {
+						fis.close();
+					}
+					boolean isFile = false;
+					if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) {
+						BufferedReader br;
+						if(isFile) {
+							if(args.length<4) {
+								System.err.println("Filename in 4th position");
+								return;
+							}
+							br = new BufferedReader(new FileReader(args[3]));
+						} else {
+							br = new BufferedReader(new InputStreamReader(System.in));
+						}
+						try {
+							String line;
+							boolean cont = false;
+							StringBuffer sb = new StringBuffer();
+							JsonOutputStream jw = new JsonOutputStream(System.out);
+							while((line=br.readLine())!=null) {
+								if(cont) {
+									int end;
+									if((end=line.indexOf('"'))>=0) {
+										sb.append(line,0,end);
+										cont=false;
+									} else {
+										sb.append(line);
+									}
+								} else {
+									int idx;
+									if((idx = line.indexOf(' '))>=0 
+											&& (idx = line.indexOf(' ',++idx))>0
+											&& (idx = line.indexOf('=',++idx))>0
+											&& (idx = line.indexOf('=',++idx))>0
+											) {
+										System.out.println(line.substring(0, idx-5));
+										int start = idx+2;
+										int end;
+										if((end=line.indexOf('"',start))<0) {
+											end = line.length();
+											cont = true;
+										}
+										sb.append(line,start,end);
+									}
+								}
+								if(sb.length()>0) {
+									symm.depass(sb.toString(),jw);
+									if(!cont) {
+										System.out.println();
+									}
+								}
+								System.out.flush();
+								sb.setLength(0);
+								if(!cont) {
+									jw.resetIndent();
+								}
+							}
+						} finally {
+							if(isFile) {
+								br.close();
+							}
+						}
+					} else {
+						symm.depass(args[1], System.out);
+					}
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot regurgitate password");
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64.encode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot encode Base64 with " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64.decode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot decode Base64 text from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64url.encode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot encode Base64url with " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64url.decode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot decode Base64url text from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("md5".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					System.out.println(Hash.encryptMD5asStringHex(args[1]));
+					System.out.flush();
+				} catch (NoSuchAlgorithmException e) {
+					System.err.println("Cannot hash MD5 from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+				return;
+			} else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					if(args.length>2) {
+						int salt = Integer.parseInt(args[2]);
+						System.out.println(Hash.hashSHA256asStringHex(args[1],salt));
+					} else { 
+						System.out.println(Hash.hashSHA256asStringHex(args[1]));
+					}
+				} catch (NoSuchAlgorithmException e) {
+					System.err.println("Cannot hash SHA256 text from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+				System.out.flush();
+				return;
+			} else if("keygen".equalsIgnoreCase(args[0])) {
+				try {
+					if(args.length>1) {
+						File f = new File(args[1]);
+						FileOutputStream fos = new FileOutputStream(f);
+						try {
+							fos.write(Symm.baseCrypt().keygen());
+							fos.flush();
+						} finally {
+							fos.close();
+							Chmod.to400.chmod(f);
+						}
+					} else {
+						// create a Symmetric Key out of same characters found in base64
+						System.out.write(Symm.baseCrypt().keygen());
+						System.out.flush();
+					}
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot create a key " + args[0]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			
+			} else if("passgen".equalsIgnoreCase(args[0])) {
+				int numDigits;
+				if(args.length <= 1) {
+					numDigits = 24;
+				} else {
+					numDigits = Integer.parseInt(args[1]); 
+					if(numDigits<8)numDigits = 8;
+				}
+				String pass;
+				boolean noLower,noUpper,noDigits,noSpecial,repeats;
+				do {
+					pass = Symm.randomGen(numDigits);
+					noLower=noUpper=noDigits=noSpecial=true;
+					repeats=false;
+					int c=-1,last;
+					for(int i=0;i<numDigits;++i) {
+						last = c;
+						c = pass.charAt(i);
+						if(c==last) {
+							repeats=true;
+							break;
+						}
+						
+						if(noLower) {
+							noLower=!(c>=0x61 && c<=0x7A);
+							continue;
+						} 
+						if(noUpper) {
+							noUpper=!(c>=0x41 && c<=0x5A);
+							continue;
+						} 
+						if(noDigits) {
+							noDigits=!(c>=0x30 && c<=0x39);
+							continue;
+						} 
+						if(noSpecial) {
+							noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0;
+							continue;
+						} 
+						
+						break;
+					}
+				} while(noLower || noUpper || noDigits || noSpecial || repeats);
+				System.out.println(pass.substring(0,numDigits));
+			} else if("urlgen".equalsIgnoreCase(args[0])) {
+				int numDigits;
+				if(args.length < 1) {
+					numDigits = 24;
+				} else {
+					numDigits = Integer.parseInt(args[1]); 
+				}
+				System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits));
+			
+			} else if("csptest".equalsIgnoreCase(args[0])) {
+				try {
+					System.out.println("CSP Compatibility test");
+					
+					String hostName = InetAddress.getLocalHost().getCanonicalHostName();
+					
+					System.out.println("  Your automatic hostname is reported as \"" + hostName + "\"\n");
+					System.out.flush();
+					return;
+				} catch (UnknownHostException e) {
+					e.printStackTrace(System.err);
+				}
+			}
+		} else {
+			System.out.println("Usage: java -jar <this jar> ...");
+			System.out.println("  keygen [<keyfile>]                     (Generates Key on file, or Std Out)");
+			System.out.println("  digest <keyfile>                       (Encrypts to Key with \"keyfile\")");
+			System.out.println("  passgen <digits>                       (Generate Password of given size)");
+			System.out.println("  urlgen <digits>                        (Generate URL field of given size)");
+			System.out.println("  csptest                                (Tests for CSP compatibility)");
+			System.out.println("  encode64 <your text>                   (Encodes to Base64)");
+			System.out.println("  decode64 <base64 encoded text>         (Decodes from Base64)");
+			System.out.println("  encode64url <your text>                (Encodes to Base64 URL charset)");
+			System.out.println("  decode64url <base64url encoded text>   (Decodes from Base64 URL charset)");
+			System.out.println("  sha256 <text>                          (Digest String into SHA256 Hash)");
+			System.out.println("  md5 <text>                             (Digest String into MD5 Hash)");
+		}
+		System.exit(1);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/Connector.java b/core/src/main/java/com/att/cadi/Connector.java
new file mode 100644
index 0000000..4f5576d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Connector.java
@@ -0,0 +1,28 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+public interface Connector {
+	public Lur newLur() throws CadiException;
+}
diff --git a/core/src/main/java/com/att/cadi/CredVal.java b/core/src/main/java/com/att/cadi/CredVal.java
new file mode 100644
index 0000000..040781d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/CredVal.java
@@ -0,0 +1,43 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+
+/**
+ * UserPass
+ * 
+ * The essential interface required by BasicAuth to determine if a given User/Password combination is 
+ * valid.  This is done as an interface.
+ * 
+ */
+public interface CredVal {
+	public enum Type{PASSWORD};
+	/**
+	 *  Validate if the User/Password combination matches records 
+	 * @param user
+	 * @param pass
+	 * @return
+	 */
+	public boolean validate(String user, Type type, byte[] cred);
+}
diff --git a/core/src/main/java/com/att/cadi/GetCred.java b/core/src/main/java/com/att/cadi/GetCred.java
new file mode 100644
index 0000000..f5289f0
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/GetCred.java
@@ -0,0 +1,28 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+public interface GetCred {
+	byte[] getCred();
+}
diff --git a/core/src/main/java/com/att/cadi/Hash.java b/core/src/main/java/com/att/cadi/Hash.java
new file mode 100644
index 0000000..190049f
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Hash.java
@@ -0,0 +1,203 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class Hash {
+	private static char hexDigit[] = "0123456789abcdef".toCharArray();
+	
+/////////////////////////////////
+// MD5
+/////////////////////////////////
+	/**
+	 * Encrypt MD5 from Byte Array to Byte Array
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static byte[] encryptMD5 (byte[] input) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("MD5");
+		md.update(input); 
+		return md.digest();
+	}
+
+	/**
+	 * Encrypt MD5 from Byte Array to Byte Array
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static byte[] encryptMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("MD5");
+		md.update(input,offset,length); 
+		return md.digest();
+	}
+
+
+
+	/**
+	 * Convenience Function: Encrypt MD5 from String to String Hex representation 
+	 * 
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static String encryptMD5asStringHex(String input) throws NoSuchAlgorithmException {
+		byte[] output = encryptMD5(input.getBytes());
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : output) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+
+/////////////////////////////////
+// SHA256
+/////////////////////////////////
+	/**
+	 * SHA256 Hashing
+	 */
+	public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		md.update(input); 
+		return md.digest();
+	}
+
+	/**
+	 * SHA256 Hashing
+	 */
+	public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		md.update(input,offset,length); 
+		return md.digest();
+	}
+	
+	/**
+	 * Convenience Function: Hash from String to String Hex representation
+	 * 
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException {
+		byte[] output = hashSHA256(input.getBytes());
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : output) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+
+	/**
+	 * Convenience Function: Hash from String to String Hex representation
+	 * 
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static String hashSHA256asStringHex(String input, int salt) throws NoSuchAlgorithmException {
+		byte[] in = input.getBytes();
+		ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + in.length);
+		bb.putInt(salt);
+		bb.put(input.getBytes());
+		byte[] output = Hash.hashSHA256(bb.array());
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : output) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+	
+	/**
+	 * Compare two byte arrays for equivalency
+	 * @param ba1
+	 * @param ba2
+	 * @return
+	 */
+	public static boolean isEqual(byte ba1[], byte ba2[]) {
+		if(ba1.length!=ba2.length)return false;
+		for(int i = 0;i<ba1.length; ++i) {
+			if(ba1[i]!=ba2[i])return false;
+		}
+		return true;
+	}
+
+	public static int compareTo(byte[] a, byte[] b) {
+		int end = Math.min(a.length, b.length);
+		int compare = 0;
+		for(int i=0;compare == 0 && i<end;++i) {
+			compare = a[i]-b[i];
+		}
+		if(compare==0)compare=a.length-b.length;
+		return compare;
+	}
+	
+	public static String toHex(byte[] ba) {
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : ba) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+	
+	public static byte[] fromHex(String s)  throws CadiException{
+		if(!s.startsWith("0x")) {
+			throw new CadiException("HexString must start with \"0x\"");
+		}
+		boolean high = true;
+		int c;
+		byte b;
+		byte[] ba = new byte[(s.length()-2)/2];
+		int idx;
+		for(int i=2;i<s.length();++i) {
+			c = s.charAt(i);
+			if(c>=0x30 && c<=0x39) {
+				b=(byte)(c-0x30);
+			} else if(c>=0x61 && c<=0x66) {
+				b=(byte)(c-0x57);  // account for "A"
+			} else if(c>=0x41 && c<=0x46) {
+				b=(byte)(c-0x37);
+			} else {
+				throw new CadiException("Invalid char '" + c + "' in HexString");
+			}
+			idx = (i-2)/2;
+			if(high) {
+				ba[idx]=(byte)(b<<4);
+				high = false;
+			} else {
+				ba[idx]|=b;
+				high = true;
+			}
+		}
+		return ba;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/Locator.java b/core/src/main/java/com/att/cadi/Locator.java
new file mode 100644
index 0000000..a1593bb
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Locator.java
@@ -0,0 +1,37 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+public interface Locator<T> {
+	public T get(Locator.Item item) throws LocatorException;
+	public boolean hasItems();
+	public void invalidate(Locator.Item item) throws LocatorException;
+	public Locator.Item best() throws LocatorException;
+	public Item first() throws LocatorException;
+	public Item next(Item item) throws LocatorException;
+	public boolean refresh();
+	public void destroy();
+	
+	public interface Item {}
+}
diff --git a/core/src/main/java/com/att/cadi/LocatorException.java b/core/src/main/java/com/att/cadi/LocatorException.java
new file mode 100644
index 0000000..b9260b9
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/LocatorException.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+public class LocatorException extends Exception {
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = -4267929804321134469L;
+
+	public LocatorException(String arg0) {
+		super(arg0);
+	}
+
+	public LocatorException(Throwable arg0) {
+		super(arg0);
+	}
+
+	public LocatorException(String arg0, Throwable arg1) {
+		super(arg0, arg1);
+	}
+
+	public LocatorException(CharSequence cs) {
+		super(cs.toString());
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/Lur.java b/core/src/main/java/com/att/cadi/Lur.java
new file mode 100644
index 0000000..7ca94c9
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Lur.java
@@ -0,0 +1,95 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.security.Principal;
+import java.util.List;
+
+
+
+/**
+ * LUR: Local User Registry
+ *
+ * Concept by Robert Garskof, Implementation by Jonathan Gathman
+ * 
+ * Where we can keep local copies of users and roles for faster Authorization when asked.
+ * 
+ * Note: Author cannot resist the mental image of using a Fishing Lure to this LUR pattern 
+ * 
+ *
+ */
+public interface Lur {
+	/**
+	 * Allow the Lur, which has correct Permission access, to create and hand back. 
+	 */
+	public Permission createPerm(String p);
+	
+	/** 
+	 * Fish for Principals in a Pond
+	 * 
+	 *   or more boringly, is the User identified within a named collection representing permission.
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public boolean fish(Principal bait, Permission pond);
+
+	/** 
+	 * Fish all the Principals out a Pond
+	 * 
+	 *   For additional humor, pronounce the following with a Southern Drawl, "FishOil"
+	 * 
+	 *   or more boringly, load the List with Permissions found for Principal
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public void fishAll(Principal bait, List<Permission> permissions);
+
+	/**
+	 * Allow implementations to disconnect, or cleanup resources if unneeded
+	 */
+	public void destroy();
+
+	/**
+	 * Does this LUR handle this pond exclusively?  Important for EpiLUR to determine whether 
+	 * to try another (more expensive) LUR 
+	 * @param pond
+	 * @return
+	 */
+	public boolean handlesExclusively(Permission pond);  
+	
+	/**
+	 * What domain of User does this LUR support?  (used to avoid asking when not possible)
+	 * 
+	 * @param bait
+	 * @return
+	 */
+	public boolean supports(String userName);
+	
+	/**
+	 * Clear: Clear any Caching, if exists
+	 */
+	public void clear(Principal p, StringBuilder report);
+}
diff --git a/core/src/main/java/com/att/cadi/Permission.java b/core/src/main/java/com/att/cadi/Permission.java
new file mode 100644
index 0000000..b8cd56e
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Permission.java
@@ -0,0 +1,30 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+public interface Permission {
+	public String permType();
+	public String getKey();
+	public boolean match(Permission p);
+}
diff --git a/core/src/main/java/com/att/cadi/PropAccess.java b/core/src/main/java/com/att/cadi/PropAccess.java
new file mode 100644
index 0000000..25573a0
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/PropAccess.java
@@ -0,0 +1,321 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Map.Entry;
+import java.util.Properties;
+
+import com.att.cadi.config.Config;
+import com.att.cadi.config.SecurityInfo;
+
+public class PropAccess implements Access {
+	private static final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+
+	public static Level DEFAULT = Level.AUDIT;
+	
+	private Symm symm;
+	private int level;
+	private Properties props;
+	private List<String> recursionProtection = null;
+	private PrintStream out;
+	
+	private String name;
+
+	public PropAccess() {
+		out=System.out;
+		init(null);
+	}
+	
+	/**
+	 * This Constructor soley exists to instantiate Servlet Context Based Logging that will call "init" later.
+	 * @param sc
+	 */
+	protected PropAccess(Object o) {
+		out=System.out;
+		props = new Properties();
+	}
+	
+	public PropAccess(String ... args) {
+		this(System.out,args);
+	}
+	
+	public PropAccess(PrintStream ps, String[] args) {
+		out=ps==null?System.out:ps;
+		Properties nprops=new Properties();
+		int eq;
+		for(String arg : args) {
+			if((eq=arg.indexOf('='))>0) {
+				nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1));
+			}
+		}
+		init(nprops);
+	}
+
+	public PropAccess(Properties p) {
+		this(System.out,p);
+	}
+	
+	public PropAccess(PrintStream ps, Properties p) {
+		out=ps==null?System.out:ps;
+		init(p);
+	}
+	
+	protected void init(Properties p) {
+		// Make sure these two are set before any changes in Logging
+		name = "cadi";
+		level=DEFAULT.maskOf();
+		
+		props = new Properties();
+		// First, load related System Properties
+		for(Entry<Object,Object> es : System.getProperties().entrySet()) {
+			String key = es.getKey().toString();
+			for(String start : new String[] {"cadi_","aaf_","cm_","csp_"}) {
+				if(key.startsWith(start)) {
+					props.put(key, es.getValue());
+				}
+			}			
+		}
+		// Second, overlay or fill in with Passed in Props
+		if(p!=null) {
+			props.putAll(p);
+		}
+		
+		// Third, load any Chained Property Files
+		load(props.getProperty(Config.CADI_PROP_FILES));
+		
+		String sLevel = props.getProperty(Config.CADI_LOGLEVEL); 
+		if(sLevel!=null) {
+			level=Level.valueOf(sLevel).maskOf(); 
+		}
+		// Setup local Symmetrical key encryption
+		if(symm==null) {
+			symm = Symm.obtain(this);
+		}
+		
+		name = props.getProperty(Config.CADI_LOGNAME, name);
+		
+		// Critical - if no Security Protocols set, then set it.  We'll just get messed up if not
+		if(props.get(Config.CADI_PROTOCOLS)==null) {
+			props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT);
+		}
+	}
+
+	private void load(String cadi_prop_files) {
+		String prevKeyFile = props.getProperty(Config.CADI_KEYFILE);
+
+		if(cadi_prop_files!=null) {
+			int prev = 0, end = cadi_prop_files.length();
+			int idx;
+			String filename;
+			while(prev<end) {
+				idx = cadi_prop_files.indexOf(File.pathSeparatorChar,prev);
+				if(idx<0) {
+					idx = end;
+				}
+				File file = new File(filename=cadi_prop_files.substring(prev,idx));
+				if(file.exists()) {
+					printf(Level.INIT,"Loading CADI Properties from %s",file.getAbsolutePath());
+					try {
+						FileInputStream fis = new FileInputStream(file);
+						try {
+							props.load(fis);
+							// Recursively Load
+							String chainProp = props.getProperty(Config.CADI_PROP_FILES);
+							if(chainProp!=null) {
+								if(recursionProtection==null) {
+									recursionProtection = new ArrayList<String>();
+									recursionProtection.add(cadi_prop_files);
+								}
+								if(!recursionProtection.contains(chainProp)) {
+									recursionProtection.add(chainProp);
+									load(chainProp); // recurse
+								}
+							}
+						} finally {
+							fis.close();
+						}
+					} catch (Exception e) {
+						log(e,filename,"cannot be opened");
+					}
+				} else {
+					printf(Level.WARN,"Warning: recursive CADI Property %s does not exist",file.getAbsolutePath());
+				}
+				prev = idx+1;
+			}
+		}
+		// Reset Symm if Keyfile Changes:
+		String newKeyFile = props.getProperty(Config.CADI_KEYFILE);
+		if((prevKeyFile==null && newKeyFile!=null) || (newKeyFile!=null && !newKeyFile.equals(prevKeyFile))) {
+			symm = Symm.obtain(this);
+			prevKeyFile=newKeyFile;
+		}
+		
+		String loglevel = props.getProperty(Config.CADI_LOGLEVEL);
+		if(loglevel!=null) {
+			try {
+				level=Level.valueOf(loglevel).maskOf();
+			} catch (IllegalArgumentException e) {
+				printf(Level.ERROR,"%s=%s is an Invalid Log Level",Config.CADI_LOGLEVEL,loglevel);
+			}
+		}
+	}
+	
+	@Override
+	public void load(InputStream is) throws IOException {
+		props.load(is);
+		load(props.getProperty(Config.CADI_PROP_FILES));
+	}
+
+	@Override
+	public void log(Level level, Object ... elements) {
+		if(willLog(level)) {
+			StringBuilder sb = buildMsg(level, elements);
+			out.println(sb);
+			out.flush();
+		}
+	}
+	
+	protected StringBuilder buildMsg(Level level, Object[] elements) {
+		StringBuilder sb = new StringBuilder(iso8601.format(new Date()));
+		sb.append(' ');
+		sb.append(level.name());
+		sb.append(" [");
+		sb.append(name);
+		
+		int end = elements.length;
+		if(end<=0) {
+			sb.append("] ");
+		} else {
+			int idx = 0;
+			if(elements[idx] instanceof Integer) {
+				sb.append('-');
+				sb.append(elements[idx]);
+				++idx;
+			}
+			sb.append("] ");
+			String s;
+			boolean first = true;
+			for(Object o : elements) {
+				if(o!=null) {
+					s=o.toString();
+					if(first) {
+						first = false;
+					} else {
+						int l = s.length();
+						if(l>0)	{
+							switch(s.charAt(l-1)) {
+								case ' ':
+									break;
+								default:
+									sb.append(' ');
+							}
+						}
+					}
+					sb.append(s);
+				}
+			}
+		}
+		return sb;
+	}
+
+	@Override
+	public void log(Exception e, Object... elements) {
+		log(Level.ERROR,e.getMessage(),elements);
+		e.printStackTrace(System.err);
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object... elements) {
+		if(willLog(level)) {
+			log(level,String.format(fmt, elements));
+		}
+	}
+
+	@Override
+	public void setLogLevel(Level level) {
+		this.level = level.maskOf();
+	}
+
+	@Override
+	public boolean willLog(Level level) {
+		return level.inMask(this.level);
+	}
+
+	@Override
+	public ClassLoader classLoader() {
+		return ClassLoader.getSystemClassLoader();
+	}
+
+	@Override
+	public String getProperty(String tag, String def) {
+		return props.getProperty(tag,def);
+	}
+
+	@Override
+	public String decrypt(String encrypted, boolean anytext) throws IOException {
+		return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC)))
+			? symm.depass(encrypted)
+			: encrypted;
+	}
+	
+	public String encrypt(String unencrypted) throws IOException {
+		return Symm.ENC+symm.enpass(unencrypted);
+	}
+
+	//////////////////
+	// Additional
+	//////////////////
+	public String getProperty(String tag) {
+		return props.getProperty(tag);
+	}
+	
+
+	public Properties getProperties() {
+		return props;
+	}
+
+	public void setProperty(String tag, String value) {
+		if(value!=null) {
+			props.put(tag, value);
+			if(Config.CADI_KEYFILE.equals(tag)) {
+				// reset decryption too
+				symm = Symm.obtain(this);
+			}
+		}
+	}
+
+	public Properties getDME2Properties() {
+		return Config.getDME2Props(this);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/Revalidator.java b/core/src/main/java/com/att/cadi/Revalidator.java
new file mode 100644
index 0000000..ded7b2d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Revalidator.java
@@ -0,0 +1,36 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+
+public interface Revalidator<TRANS> {
+	/**
+	 * Re-Validate Credential
+	 * 
+	 * @param prin
+	 * @return
+	 */
+	public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin);
+
+}
diff --git a/core/src/main/java/com/att/cadi/SLF4JAccess.java b/core/src/main/java/com/att/cadi/SLF4JAccess.java
new file mode 100644
index 0000000..e3d8451
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/SLF4JAccess.java
@@ -0,0 +1,101 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.util.Properties;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SLF4JAccess extends PropAccess {
+	private static final Logger slf4j = LoggerFactory.getLogger("AAF");
+	
+	public SLF4JAccess(final Properties initial) throws CadiException {
+		super(initial);
+	}
+
+	public void log(Level level, Object... elements) {
+		switch(level) {
+			case AUDIT:
+				slf4j.info(msg(elements).toString());
+				break;
+			case DEBUG:
+				slf4j.debug(msg(elements).toString());
+				break;
+			case ERROR:
+				slf4j.error(msg(elements).toString());
+				break;
+			case INFO:
+				slf4j.info(msg(elements).toString());
+				break;
+			case INIT:
+				slf4j.info(msg(elements).toString());
+				break;
+			case WARN:
+				slf4j.warn(msg(elements).toString());
+				break;
+			default:
+				slf4j.info(msg(elements).toString());
+				break;
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level)
+	 */
+	@Override
+	public boolean willLog(Level level) {
+		switch(level) {
+			case DEBUG:
+				return slf4j.isDebugEnabled();
+			case ERROR:
+				return slf4j.isErrorEnabled();
+			case WARN:
+				return slf4j.isWarnEnabled();
+//			case INFO:
+//			case INIT:
+//			case AUDIT:
+			default:
+				return slf4j.isInfoEnabled();
+		}
+	}
+
+	private StringBuilder msg(Object ... elements) {
+		StringBuilder sb = new StringBuilder();
+		boolean first = true;
+		for(Object o : elements) {
+			if(first) first = false;
+			else {
+				sb.append(' ');
+			}
+			sb.append(o.toString());
+		}
+		return sb;
+	}
+
+	public void log(Exception e, Object... elements) {
+		slf4j.error(msg(elements).toString(),e);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/SecuritySetter.java b/core/src/main/java/com/att/cadi/SecuritySetter.java
new file mode 100644
index 0000000..dadbd06
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/SecuritySetter.java
@@ -0,0 +1,45 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+
+/**
+ *  Apply any particular security mechanism
+ *  
+ *  This allows the definition of various mechanisms involved outside of DRcli jars 
+ *  
+ *
+ */
+public interface SecuritySetter<CT> {
+	public String getID();
+	
+	public void setSecurity(CT client) throws CadiException;
+	
+	/**
+	 * Returns number of bad logins registered
+	 * @param respCode
+	 * @return
+	 */
+	public int setLastResponse(int respCode);
+}
diff --git a/core/src/main/java/com/att/cadi/ServletContextAccess.java b/core/src/main/java/com/att/cadi/ServletContextAccess.java
new file mode 100644
index 0000000..896f824
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/ServletContextAccess.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+import java.util.Enumeration;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+
+import com.att.cadi.config.Config;
+
+public class ServletContextAccess extends PropAccess {
+
+	private ServletContext context;
+
+	public ServletContextAccess(FilterConfig filterConfig) {
+		super(filterConfig); // protected contstructor... does not have "init" called.
+		context = filterConfig.getServletContext();
+
+		for(Enumeration<?> en = filterConfig.getInitParameterNames();en.hasMoreElements();) {
+			String name = (String)en.nextElement();
+			setProperty(name, filterConfig.getInitParameter(name));
+		}
+		init(getProperties());
+		Config.getDME2Props(this);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#log(com.att.cadi.Access.Level, java.lang.Object[])
+	 */
+	@Override
+	public void log(Level level, Object... elements) {
+		if(willLog(level)) {
+			StringBuilder sb = buildMsg(level, elements);
+			context.log(sb.toString());
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[])
+	 */
+	@Override
+	public void log(Exception e, Object... elements) {
+		StringBuilder sb = buildMsg(Level.ERROR, elements);
+		context.log(sb.toString(),e);
+	}
+
+	public ServletContext context() {
+		return context;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/StrLur.java b/core/src/main/java/com/att/cadi/StrLur.java
new file mode 100644
index 0000000..dc4c992
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/StrLur.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.util.List;
+
+
+
+/**
+ * StrLUR: Implements fish with String, skipping the need to be a Principal where it doesn't make sense.
+ *
+ *
+ */
+public interface StrLur extends Lur {
+	/** 
+	 * Fish for Principals in a Pond
+	 * 
+	 *   or more boringly, is the User identified within a named collection representing permission.
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public boolean fish(String bait, Permission pond);
+
+	/** 
+	 * Fish all the Principals out a Pond
+	 * 
+	 *   For additional humor, pronounce the following with a Southern Drawl, "FishOil"
+	 * 
+	 *   or more boringly, load the List with Permissions found for Principal
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public void fishAll(String bait, List<Permission> permissions);
+}
diff --git a/core/src/main/java/com/att/cadi/Symm.java b/core/src/main/java/com/att/cadi/Symm.java
new file mode 100644
index 0000000..0b34b58
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Symm.java
@@ -0,0 +1,812 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Random;
+
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+import com.att.cadi.Access.Level;
+import com.att.cadi.config.Config;
+
+/**
+ * Key Conversion, primarily "Base64"
+ * 
+ * Base64 is required for "Basic Authorization", which is an important part of the overall CADI Package.
+ * 
+ * Note: This author found that there is not a "standard" library for Base64 conversion within Java.  
+ * The source code implementations available elsewhere were surprisingly inefficient, requiring, for 
+ * instance, multiple string creation, on a transaction pass.  Integrating other packages that might be
+ * efficient enough would put undue Jar File Dependencies given this Framework should have none-but-Java 
+ * dependencies.
+ * 
+ * The essential algorithm is good for a symmetrical key system, as Base64 is really just
+ * a symmetrical key that everyone knows the values.  
+ * 
+ * This code is quite fast, taking about .016 ms for encrypting, decrypting and even .08 for key 
+ * generation. The speed quality, especially of key generation makes this a candidate for a short term token 
+ * used for identity.
+ * 
+ * It may be used to easily avoid placing Clear-Text passwords in configurations, etc. and contains 
+ * supporting functions such as 2048 keyfile generation (see keygen).  This keyfile should, of course, 
+ * be set to "400" (Unix) and protected as any other mechanism requires. 
+ * 
+ * However, this algorithm has not been tested against hackers.  Until such a time, utilize more tested
+ * packages to protect Data, especially sensitive data at rest (long term). 
+ *
+ */
+public class Symm {
+	private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; 
+	public static final String ENC = "enc:";
+	private static final SecureRandom random = new SecureRandom();
+	
+	public final char[] codeset;
+	private final int splitLinesAt;
+	private final String encoding;
+	private final Convert convert;
+	private final boolean endEquals;
+	//Note: AES Encryption is not Thread Safe.  It is Synchronized
+	private static AES aes = null;  // only initialized from File, and only if needed for Passwords
+	
+	/**
+	 * This is the standard base64 Key Set.
+	 * RFC 2045
+	 */
+	public static final Symm base64 = new Symm(
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray()
+			,76, Config.UTF_8,true);
+
+	public static final Symm base64noSplit = new Symm(
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray()
+			,Integer.MAX_VALUE, Config.UTF_8,true);
+
+	/**
+	 * This is the standard base64 set suitable for URLs and Filenames
+	 * RFC 4648
+	 */
+	public static final Symm base64url = new Symm(
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray()
+			,76, Config.UTF_8,true);
+
+	/**
+	 * A Password set, using US-ASCII
+	 * RFC 4648
+	 */
+	public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false);
+
+	/**
+	 * A typical set of Password Chars
+	 * Note, this is too large to fit into the algorithm. Only use with PassGen
+	 */
+	private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray();
+			
+
+
+	/**
+	 * Use this to create special case Case Sets and/or Line breaks
+	 * 
+	 * If you don't know why you need this, use the Singleton Method
+	 * 
+	 * @param codeset
+	 * @param split
+	 */
+	public Symm(char[] codeset, int split, String charset, boolean useEndEquals) {
+		this.codeset = codeset;
+		splitLinesAt = split;
+		encoding = charset;
+		endEquals = useEndEquals;
+		char prev = 0, curr=0, first = 0;
+		int offset=Integer.SIZE; // something that's out of range for integer array
+		
+		// There can be time efficiencies gained when the underlying keyset consists mainly of ordered 
+		// data (i.e. abcde...).  Therefore, we'll quickly analyze the keyset.  If it proves to have
+		// too much entropy, the "Unordered" algorithm, which is faster in such cases is used.
+		ArrayList<int[]> la = new ArrayList<int[]>();
+		for(int i=0;i<codeset.length;++i) {
+			curr = codeset[i];
+			if(prev+1==curr) { // is next character in set
+				prev = curr;
+			} else {
+				if(offset!=Integer.SIZE) { // add previous range 
+					la.add(new int[]{first,prev,offset});
+				}
+				first = prev = curr;
+				offset = curr-i;
+			}
+		}
+		la.add(new int[]{first,curr,offset});
+		if(la.size()>codeset.length/3) {
+			convert = new Unordered(codeset);
+		} else { // too random to get speed enhancement from range algorithm
+			int[][] range = new int[la.size()][];
+			la.toArray(range);
+			convert = new Ordered(range);
+		}
+	}
+	
+	public Symm copy(int lines) {
+		return new Symm(codeset,lines,encoding,endEquals);
+	}
+	
+	// Only used by keygen, which is intentionally randomized. Therefore, always use unordered
+	private  Symm(char[] codeset, Symm parent) {
+		this.codeset = codeset;
+		splitLinesAt = parent.splitLinesAt;
+		endEquals = parent.endEquals;
+		encoding = parent.encoding;
+		convert = new Unordered(codeset);
+	}
+
+	/**
+	 * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc.
+	 * @return
+	 */
+	@Deprecated
+	public static final Symm base64() {
+		return base64;
+	}
+
+	/**
+	 * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc.  
+	 * No Line Splitting
+	 * @return
+	 */
+	@Deprecated
+	public static final Symm base64noSplit() {
+		return base64noSplit;
+	}
+
+	/**
+	 * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/")
+	 */
+	@Deprecated
+	public static final Symm base64url() {
+		return base64url;
+	}
+
+	/**
+	 * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. (no "/")
+	 */
+	public static final Symm baseCrypt() {
+		return encrypt;
+	}
+
+	/*
+	 *  Note: AES Encryption is NOT thread-safe.  Must surround entire use with synchronized
+	 */
+	private synchronized void exec(AESExec exec) throws IOException {
+		if(aes == null) {
+			try {
+				byte[] bytes = new byte[AES.AES_KEY_SIZE/8];
+				int offset = (Math.abs(codeset[0])+47)%(codeset.length-bytes.length);
+				for(int i=0;i<bytes.length;++i) {
+					bytes[i] = (byte)codeset[i+offset];
+				}
+				aes = new AES(bytes,0,bytes.length);
+			} catch (Exception e) {
+				throw new IOException(e);
+			}
+		}
+		exec.exec(aes);
+	}
+	
+	private static interface AESExec {
+		public void exec(AES aes) throws IOException;
+	}
+	
+    public byte[] encode(byte[] toEncrypt) throws IOException {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(toEncrypt.length*1.25));
+		encode(new ByteArrayInputStream(toEncrypt),baos);
+		return baos.toByteArray();
+	}
+
+    public byte[] decode(byte[] encrypted) throws IOException {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(encrypted.length*1.25));
+		decode(new ByteArrayInputStream(encrypted),baos);
+		return baos.toByteArray();
+	}
+
+	/**
+     *  Helper function for String API of "Encode"
+     *  use "getBytes" with appropriate char encoding, etc.
+     *  
+     * @param str
+     * @return
+     * @throws IOException
+     */
+    public String encode(String str) throws IOException {
+    	byte[] array;
+    	try { 
+    		array = str.getBytes(encoding);
+    	} catch (IOException e) {
+    		array = str.getBytes(); // take default
+    	}
+    	// Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code
+    	ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*1.363)); // account for 4 bytes for 3 and a byte or two more
+    	
+    	encode(new ByteArrayInputStream(array),baos);
+    	return baos.toString(encoding);
+    }
+    
+    /**
+     * Helper function for the String API of "Decode"
+     * use "getBytes" with appropriate char encoding, etc.
+     * @param str
+     * @return
+     * @throws IOException
+     */
+    public String decode(String str) throws IOException {
+    	byte[] array;
+    	try { 
+    		array = str.getBytes(encoding);
+    	} catch (IOException e) {
+    		array = str.getBytes(); // take default
+    	}
+    	// Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code
+    	ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*.76)); // Decoding is 3 bytes for 4.  Allocate slightly more than 3/4s
+    	decode(new ByteArrayInputStream(array), baos);
+    	return baos.toString(encoding);
+	}
+
+	/**
+     * Convenience Function
+     * 
+     * encode String into InputStream and call encode(InputStream, OutputStream)
+     * 
+     * @param string
+     * @param out
+     * @throws IOException
+     */
+  	public void encode(String string, OutputStream out) throws IOException {
+  		encode(new ByteArrayInputStream(string.getBytes()),out);
+	}
+
+	/**
+	 * Convenience Function
+	 * 
+	 * encode String into InputStream and call decode(InputStream, OutputStream)
+	 * 
+	 * @param string
+	 * @param out
+	 * @throws IOException
+	 */
+	public void decode(String string, OutputStream out) throws IOException {
+		decode(new ByteArrayInputStream(string.getBytes()),out);
+	}
+
+    public void encode(InputStream is, OutputStream os, byte[] prefix) throws IOException {
+    	os.write(prefix);
+    	encode(is,os);
+    }
+
+	/** 
+     * encode InputStream onto Output Stream
+     * 
+     * @param is
+     * @param estimate
+     * @return
+     * @throws IOException
+     */
+    public void encode(InputStream is, OutputStream os) throws IOException {
+    	// StringBuilder sb = new StringBuilder((int)(estimate*1.255)); // try to get the right size of StringBuilder from start.. slightly more than 1.25 times 
+    	int prev=0;
+    	int read, idx=0, line=0;
+    	boolean go;
+    	do {
+    		read = is.read();
+    		if(go = read>=0) {
+    			if(line>=splitLinesAt) {
+	    			os.write('\n');
+	    			line = 0;
+	    		}
+	    		switch(++idx) { // 1 based reading, slightly faster ++
+	    			case 1: // ptr is the first 6 bits of read
+	    				os.write(codeset[read>>2]);
+	    				prev = read;
+	    				break;
+	    			case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read
+	    				os.write(codeset[((prev & 0x03)<<4) | (read>>4)]);
+    					prev = read;
+	    				break;
+	    			default: //(3+) 
+	    					// Char 1 is last 4 bits of prev plus the first 2 bits of read
+	    				    // Char 2 is the last 6 bits of read
+	    				os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]);
+	    				if(line==splitLinesAt) { // deal with line splitting for two characters
+	    					os.write('\n');
+	    					line=0;
+	    				}
+	    				os.write(codeset[(read & 0x3F)]);
+	    				++line;
+	    				idx = 0;
+	    				prev = 0;
+	    		}
+	    		++line;
+    		} else { // deal with any remaining bits from Prev, then pad
+    			switch(idx) {
+    				case 1: // just the last 2 bits of prev
+	    				os.write(codeset[(prev & 0x03)<<4]);
+    					if(endEquals)os.write(DOUBLE_EQ);
+    					break;
+    				case 2: // just the last 4 bits of prev
+	    				os.write(codeset[(prev & 0xF)<<2]);
+	    				if(endEquals)os.write('=');
+	    				break;
+    			}
+    			idx = 0;
+    		}
+    		
+    	} while(go);
+    }
+
+    public void decode(InputStream is, OutputStream os, int skip) throws IOException {
+    	is.skip(skip);
+    	decode(is,os);
+    }
+
+    /**
+	 * Decode InputStream onto OutputStream
+	 * @param is
+	 * @param os
+	 * @throws IOException
+	 */
+    public void decode(InputStream is, OutputStream os) throws IOException {
+	   int read, idx=0;
+	   int prev=0, index;
+	   	while((read = is.read())>=0) {
+	   		index = convert.convert(read);
+	   		if(index>=0) {
+	    		switch(++idx) { // 1 based cases, slightly faster ++
+	    			case 1: // index goes into first 6 bits of prev
+	    				prev = index<<2; 
+	    				break;
+	    			case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev
+	    				os.write((byte)(prev|(index>>4)));
+	    				prev = index<<4;
+	    				break;
+	    			case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev
+	    				os.write((byte)(prev|(index>>2)));
+	    				prev = index<<6;
+	    				break;
+	    			default: // (3+) | prev and last six of index
+	    				os.write((byte)(prev|(index&0x3F)));
+	    				idx = prev = 0;
+	    		}
+	   		}
+	   	};
+	   	os.flush();
+   }
+   
+   /**
+    * Interface to allow this class to choose which algorithm to find index of character in Key
+    *
+    */
+   private interface Convert {
+	   public int convert(int read) throws IOException;
+   }
+
+   /**
+    * Ordered uses a range of orders to compare against, rather than requiring the investigation
+    * of every character needed.
+    *
+    */
+   private static final class Ordered implements Convert {
+	   private int[][] range;
+	   public Ordered(int[][] range) {
+		   this.range = range;
+	   }
+	   public int convert(int read) throws IOException {
+		   switch(read) {
+			   case -1: 
+			   case '=':
+			   case '\n': 
+				   return -1;
+		   }
+		   for(int i=0;i<range.length;++i) {
+			   if(read >= range[i][0] && read<=range[i][1]) {
+				   return read-range[i][2];
+			   }
+		   }
+		   throw new IOException("Unacceptable Character in Stream");
+	   }
+   }
+   
+   /**
+    * Unordered, i.e. the key is purposely randomized, simply has to investigate each character
+    * until we find a match.
+    *
+    */
+   private static final class Unordered implements Convert {
+	   private char[] codec;
+	   public Unordered(char[] codec) {
+		   this.codec = codec;
+	   }
+	   public int convert(int read) throws IOException {
+		   switch(read) {
+			   case -1: 
+			   case '=':
+			   case '\n': 
+				   return -1;
+		   }
+		   for(int i=0;i<codec.length;++i) {
+			   if(codec[i]==read)return i;
+		   }
+		  // don't give clue in Encryption mode
+		  throw new IOException("Unacceptable Character in Stream");
+	   }
+   }
+
+   /**
+    * Generate a 2048 based Key from which we extract our code base
+    * 
+    * @return
+    * @throws IOException
+    */
+   public byte[] keygen() throws IOException {
+		byte inkey[] = new byte[0x600];
+		new SecureRandom().nextBytes(inkey);
+		ByteArrayOutputStream baos = new ByteArrayOutputStream(0x800);
+		base64url.encode(new ByteArrayInputStream(inkey), baos);
+		return baos.toByteArray();
+   }
+   
+   // A class allowing us to be less predictable about significant digits (i.e. not picking them up from the
+   // beginning, and not picking them up in an ordered row.  Gives a nice 2048 with no visible patterns.
+   private class Obtain {
+	   private int last;
+	   private int skip;
+	   private int length;
+	   private byte[] key;
+  
+	   private Obtain(Symm b64, byte[] key) {
+		   skip = Math.abs(key[key.length-13]%key.length);
+		   if((key.length&0x1) == (skip&0x1)) { // if both are odd or both are even
+			   ++skip;
+		   }
+		   length = b64.codeset.length;
+		   last = 17+length%59; // never start at beginning
+		   this.key = key;
+	   }
+	   
+	   private int next() {
+  		   return Math.abs(key[(++last*skip)%key.length])%length;
+	   }
+   };
+  
+   /**
+    * Obtain a Symm from "keyfile" (Config.KEYFILE) property
+    * 
+    * @param acesss
+    * @return
+    */
+   public static Symm obtain(Access access) {
+		Symm symm = Symm.baseCrypt();
+
+		String keyfile = access.getProperty(Config.CADI_KEYFILE,null);
+		if(keyfile!=null) {
+			File file = new File(keyfile);
+			try {
+				access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getCanonicalPath());
+			} catch (IOException e1) {
+				access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getAbsolutePath());
+			}
+			if(file.exists()) {
+				try {
+					FileInputStream fis = new FileInputStream(file);
+					try {
+						symm = Symm.obtain(fis);
+					} finally {
+						try {
+						   fis.close();
+						} catch (IOException e) {
+						}
+					}
+				} catch (IOException e) {
+					access.log(e, "Cannot load keyfile");
+				}
+			}
+		}
+		return symm;
+   }
+  /**
+   *  Create a new random key 
+   */
+  public Symm obtain() throws IOException {
+		byte inkey[] = new byte[0x800];
+		new SecureRandom().nextBytes(inkey);
+		return obtain(inkey);
+  }
+  
+  /**
+   * Obtain a Symm from 2048 key from a String
+   * 
+   * @param key
+   * @return
+   * @throws IOException
+   */
+  public static Symm obtain(String key) throws IOException {
+	  return obtain(new ByteArrayInputStream(key.getBytes()));
+  }
+  
+  /**
+   * Obtain a Symm from 2048 key from a Stream
+   * 
+   * @param is
+   * @return
+   * @throws IOException
+   */
+  public static Symm obtain(InputStream is) throws IOException {
+	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  try {
+		  base64url.decode(is, baos);
+	  } catch (IOException e) {
+		  // don't give clue
+		  throw new IOException("Invalid Key");
+	  }
+	  byte[] bkey = baos.toByteArray();
+	  if(bkey.length<0x88) { // 2048 bit key
+		  throw new IOException("Invalid key");
+	  }
+	  return baseCrypt().obtain(bkey);
+  }
+
+  /**
+   * Convenience for picking up Keyfile
+   * 
+   * @param f
+   * @return
+   * @throws IOException
+   */
+  public static Symm obtain(File f) throws IOException {
+	  FileInputStream fis = new FileInputStream(f);
+	  try {
+		  return obtain(fis);
+	  } finally {
+		  fis.close();
+	  }
+  }
+  /**
+   * Decrypt into a String
+   *
+   *  Convenience method
+   * 
+   * @param password
+   * @return
+   * @throws IOException
+   */
+  public String enpass(String password) throws IOException {
+	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  enpass(password,baos);
+	  return new String(baos.toByteArray());
+  }
+
+  /**
+   * Create an encrypted password, making sure that even short passwords have a minimum length.
+   * 
+   * @param password
+   * @param os
+   * @throws IOException
+   */
+  public void enpass(final String password, final OutputStream os) throws IOException {
+		final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		DataOutputStream dos = new DataOutputStream(baos);
+		byte[] bytes = password.getBytes();
+		if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization
+			dos.write(bytes);
+		} else {
+			
+			Random r = new SecureRandom();
+			int start = 0;
+			byte b;
+			for(int i=0;i<3;++i) {
+				dos.writeByte(b=(byte)r.nextInt());
+				start+=Math.abs(b);
+			}
+			start%=0x7;
+			for(int i=0;i<start;++i) {
+				dos.writeByte(r.nextInt());
+			}
+			dos.writeInt((int)System.currentTimeMillis());
+			int minlength = Math.min(0x9,bytes.length);
+			dos.writeByte(minlength); // expect truncation
+			if(bytes.length<0x9) {
+				for(int i=0;i<bytes.length;++i) {
+					dos.writeByte(r.nextInt());
+					dos.writeByte(bytes[i]);
+				}
+				// make sure it's long enough
+				for(int i=bytes.length;i<0x9;++i) {
+					dos.writeByte(r.nextInt());
+				}
+			} else {
+				dos.write(bytes);
+			}
+		}
+		
+		// 7/21/2016 jg add AES Encryption to the mix
+		exec(new AESExec() {
+			@Override
+			public void exec(AES aes) throws IOException {
+				CipherInputStream cis = aes.inputStream(new ByteArrayInputStream(baos.toByteArray()), true);
+				try {
+					encode(cis,os);
+				} finally {
+					os.flush();
+					cis.close();
+				}
+			}
+		});
+		synchronized(ENC) {
+		}
+	}
+
+  /**
+   * Decrypt a password into a String
+   * 
+   * Convenience method
+   * 
+   * @param password
+   * @return
+   * @throws IOException
+   */
+  public String depass(String password) throws IOException {
+	  if(password==null)return null;
+	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  depass(password,baos);
+	  return new String(baos.toByteArray());
+  }
+  
+  /**
+   * Decrypt a password
+   * 
+   * Skip Symm.ENC
+   * 
+   * @param password
+   * @param os
+   * @return
+   * @throws IOException
+   */
+  public long depass(final String password, final OutputStream os) throws IOException {
+	  int offset = password.startsWith(ENC)?4:0;
+	  final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  final ByteArrayInputStream bais =  new ByteArrayInputStream(password.getBytes(),offset,password.length()-offset);
+	  exec(new AESExec() {
+		@Override
+		public void exec(AES aes) throws IOException {
+			  CipherOutputStream cos = aes.outputStream(baos, false);
+			  decode(bais,cos);
+			  cos.close(); // flush
+		}
+	  });
+	  byte[] bytes = baos.toByteArray();
+	  DataInputStream dis = new DataInputStream(new ByteArrayInputStream(bytes));
+	  long time;
+	  if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization
+		  os.write(bytes);
+		  time = 0L;
+	  } else {
+		  int start=0;
+		  for(int i=0;i<3;++i) {
+			  start+=Math.abs(dis.readByte());
+		  }
+		  start%=0x7;
+		  for(int i=0;i<start;++i) {
+			  dis.readByte();
+		  }
+		  time = (dis.readInt() & 0xFFFF)|(System.currentTimeMillis()&0xFFFF0000);
+		  int minlength = dis.readByte();
+		  if(minlength<0x9){
+			DataOutputStream dos = new DataOutputStream(os);
+			for(int i=0;i<minlength;++i) {
+				dis.readByte();
+				dos.writeByte(dis.readByte());
+			}
+		  } else {
+			  int pre =((Byte.SIZE*3+Integer.SIZE+Byte.SIZE)/Byte.SIZE)+start; 
+			  os.write(bytes, pre, bytes.length-pre);
+		  }
+	  }
+	  return time;
+  }
+
+  public static String randomGen(int numBytes) {
+	  return randomGen(passChars,numBytes);  
+  }
+  
+  public static String randomGen(char[] chars ,int numBytes) {
+	    int rint;
+	    StringBuilder sb = new StringBuilder(numBytes);
+	    for(int i=0;i<numBytes;++i) {
+	    	rint = random.nextInt(chars.length);
+	    	sb.append(chars[rint]);
+	    }
+	    return sb.toString();
+  }
+  // Internal mechanism for helping to randomize placement of characters within a Symm codeset
+  // Based on an incoming data stream (originally created randomly, but can be recreated within 
+  // 2048 key), go after a particular place in the new codeset.  If that codeset spot is used, then move
+  // right or left (depending on iteration) to find the next available slot.  In this way, key generation 
+  // is speeded up by only enacting N iterations, but adds a spreading effect of the random number stream, so that keyset is also
+  // shuffled for a good spread. It is, however, repeatable, given the same number set, allowing for 
+  // quick recreation when the official stream is actually obtained.
+  public Symm obtain(byte[] key) throws IOException {
+	  try {
+		byte[] bytes = new byte[AES.AES_KEY_SIZE/8];
+		int offset = (Math.abs(key[(47%key.length)])+137)%(key.length-bytes.length);
+		for(int i=0;i<bytes.length;++i) {
+			bytes[i] = key[i+offset];
+		}
+
+	  	aes = new AES(bytes,0,bytes.length);
+	  } catch (Exception e) {
+		  throw new IOException(e);
+	  }
+		int filled = codeset.length;
+		char[] seq = new char[filled];
+		int end = filled--;
+		
+		boolean right = true;
+		int index;
+		Obtain o = new Obtain(this,key);
+		
+		while(filled>=0) {
+			index = o.next();
+			if(index<0 || index>=codeset.length) {
+				System.out.println("uh, oh");
+			}
+			if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) 
+				for(int j=index;j<end;++j) {
+					if(seq[j]==0) {
+						seq[j]=codeset[filled];
+						--filled;
+						break;
+					}
+				}
+				right = false;
+			} else {
+				for(int j=index;j>=0;--j) {
+					if(seq[j]==0) {
+						seq[j]=codeset[filled];
+						--filled;
+						break;
+					}
+				}
+				right = true;
+			}
+		}
+		return new Symm(seq,this);
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/Taf.java b/core/src/main/java/com/att/cadi/Taf.java
new file mode 100644
index 0000000..7ba6fb4
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Taf.java
@@ -0,0 +1,58 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import com.att.cadi.taf.TafResp;
+
+
+/**
+ * TAF - Transmutative Assertion Framework.  
+ * 
+ * This main Interface embodies the essential of the assertion, where a number of different TAFs might be used to authenticate
+ * and that authentication to be recognized through other elements.
+ * 
+ * Concept by Robert Garskof.  Implemented by Jonathan Gathman
+ *  
+ *
+ */
+public interface Taf {
+	enum LifeForm {CBLF, SBLF, LFN};
+	/**
+	 * The lifeForm param is a humorous way of describing whether the interaction is proceeding from direct Human Interaction via a browser 
+	 * or App which can directly query a memorized password, key sequence, bio-feedback, from that user, or a machine mechanism for which identity
+	 * can more easily be determined by Certificate, Mechanical ID/Password etc.  Popularized in modern culture and Science Fiction (especially 
+	 * Star Trek), we (starting with Robert Garskof) use the terms "Carbon Based Life Form" (CBLF) for mechanisms with people at the end of them, or 
+	 * "Silicon Based Life Forms" (SBLF) to indicate machine only interactions.  I have added "LFN" for (Life-Form Neutral) to aid identifying
+	 * processes for which it doesn't matter whether there is a human at the immediate end of the chain, or cannot be determined mechanically.  
+	 * 
+	 * The variable parameter is not necessarily ideal, but with too many unknown Tafs to be created, flexibility,
+	 * is unfortunately required at this point.  Future versions could lock this down more.  JG 10/18/2012
+	 * 
+	 * @param lifeForm
+	 * @param info
+	 * @return
+	 */
+	public TafResp validate(LifeForm reading, String ... info);
+	
+}
diff --git a/core/src/main/java/com/att/cadi/Transmutate.java b/core/src/main/java/com/att/cadi/Transmutate.java
new file mode 100644
index 0000000..e392e86
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/Transmutate.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.security.Principal;
+
+/**
+ * The unique element of TAF is that we establish the relationship/mechanism to mutate the Principal derived from
+ * one Authentication mechanism into a trustable Principal of another.  The mechanism needs to be decided by system
+ * trusting.  
+ * 
+ * The Generic "T" is used so that the code used will be very specific for the implementation, enforced by Compiler
+ * 
+ * This interface will allow differences of trusting Transmutation of Authentication 
+ *
+ */
+public interface Transmutate<T> {
+	/**
+	 * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct
+	 * 
+	 * @param p
+	 * @return
+	 */
+	public T mutate(Principal p);
+}
diff --git a/core/src/main/java/com/att/cadi/TrustChecker.java b/core/src/main/java/com/att/cadi/TrustChecker.java
new file mode 100644
index 0000000..2cf2203
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/TrustChecker.java
@@ -0,0 +1,54 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+
+import javax.servlet.http.HttpServletRequest;
+
+import com.att.cadi.taf.TafResp;
+
+/**
+ * Change to another Principal based on Trust of caller and User Chain (if desired)
+ * 
+ *
+ */
+public interface TrustChecker {
+	public TafResp mayTrust(TafResp tresp, HttpServletRequest req);
+	
+	/**
+	 * A class that trusts no-one else, so just return same TResp
+	 */
+	public static TrustChecker NOTRUST = new TrustChecker() {
+		@Override
+		public TafResp mayTrust(TafResp tresp, HttpServletRequest req) {
+			return tresp;
+		}
+
+		@Override
+		public void setLur(Lur lur) {
+		}
+	};
+
+	public void setLur(Lur lur);
+}
diff --git a/core/src/main/java/com/att/cadi/User.java b/core/src/main/java/com/att/cadi/User.java
new file mode 100644
index 0000000..6903cb3
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/User.java
@@ -0,0 +1,145 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import com.att.cadi.lur.LocalPermission;
+
+/**
+ * Class to hold info from the User Perspective.
+ * 
+ *
+ */
+public final class User<PERM extends Permission> {
+	private static Map<String,Permission> NULL_MAP = new HashMap<String,Permission>();
+	public Principal principal;
+	Map<String, Permission> perms ;
+	long permExpires;
+	private final long interval;
+	int count;
+	
+	// Note: This should only be used for Local RBAC (in memory)
+	public User(Principal principal) {
+		this.principal = principal;
+		perms = NULL_MAP;
+		permExpires = Long.MAX_VALUE; // Never.  Well, until 64 bits of millis since 1970 expires...
+		interval = 0L;
+		count = 0;
+	}
+
+	public User(Principal principal, long expireInterval) {
+		this.principal = principal;
+		perms = NULL_MAP;
+		expireInterval = Math.max(expireInterval, 0); // avoid < 1
+		interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL));
+		permExpires = 0;
+		count = 0;
+	}
+	
+	public void renewPerm() {
+		permExpires = System.currentTimeMillis()+interval;
+	}
+	
+	public long permExpires() {
+		return permExpires;
+	}
+	
+	public boolean permExpired() {
+		return System.currentTimeMillis() > permExpires;
+	}
+
+	public boolean noPerms() {
+		return perms==null || perms.values().size()==0; 
+	}
+	
+	public void setNoPerms() {
+		perms=NULL_MAP;
+		permExpires = System.currentTimeMillis() + interval;
+	}
+
+	public boolean permsUnloaded() {
+		return perms==null;
+	}
+
+	public synchronized void incCount() {
+		++count;
+	}
+	
+	public synchronized void resetCount() {
+		count=0;
+	}
+	
+	public Map<String,Permission> newMap() {
+		return new ConcurrentHashMap<String,Permission>();
+	}
+
+	public void add(LocalPermission permission) {
+		if(perms==NULL_MAP)perms=newMap();
+		perms.put(permission.getKey(),permission);
+	}
+
+	public void add(Map<String, Permission> newMap, PERM permission) {
+		newMap.put(permission.getKey(),permission);
+	}
+
+	public void setMap(Map<String, Permission> newMap) {
+		perms = newMap;
+	}
+
+	public boolean contains(Permission perm) {
+		for (Permission p : perms.values()) {
+			if (p.match(perm)) return true;
+		}
+		return false;
+	}
+	
+	public void copyPermsTo(List<Permission> sink) {
+		sink.addAll(perms.values());
+	}
+	
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		sb.append(principal.getName());
+		sb.append('|');
+		boolean first = true;
+		synchronized(perms) {
+			for(Permission gp : perms.values()) {
+				if(first) {
+					first = false;
+					sb.append(':');
+				} else {
+					sb.append(',');
+				}
+				sb.append(gp.getKey());
+			}
+		}
+		return sb.toString();
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/UserChain.java b/core/src/main/java/com/att/cadi/UserChain.java
new file mode 100644
index 0000000..90c47c1
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/UserChain.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+/**
+ * Interface to add a User Chain String to Principal
+ * 
+ * 
+ * 
+ *  Where
+ *  APP is name suitable for Logging (i.e. official App Acronym) 
+ *  ID is official User or MechID, best if includes Identity Source (i.e. ab1234@csp.att.com)
+ *  Protocol is the Security protocol,
+ *  
+ *  Format:<ID>:<APP>:<protocol>[:AS][,<ID>:<APP>:<protocol>]*
+ *  
+ * 
+ *
+ */
+public interface UserChain  {
+	public enum Protocol {BasicAuth,Cookie,Cert,OAuth};
+	public String userChain();
+}
diff --git a/core/src/main/java/com/att/cadi/config/Config.java b/core/src/main/java/com/att/cadi/config/Config.java
new file mode 100644
index 0000000..dd8e56d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/Config.java
@@ -0,0 +1,815 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.UnknownHostException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.TimerTask;
+
+import com.att.cadi.AbsUserCache;
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CachingLur;
+import com.att.cadi.CadiException;
+import com.att.cadi.CredVal;
+import com.att.cadi.Locator;
+import com.att.cadi.Lur;
+import com.att.cadi.PropAccess;
+import com.att.cadi.Symm;
+import com.att.cadi.TrustChecker;
+import com.att.cadi.lur.EpiLur;
+import com.att.cadi.lur.LocalLur;
+import com.att.cadi.lur.NullLur;
+import com.att.cadi.taf.HttpEpiTaf;
+import com.att.cadi.taf.HttpTaf;
+import com.att.cadi.taf.basic.BasicHttpTaf;
+import com.att.cadi.taf.cert.X509Taf;
+import com.att.cadi.taf.dos.DenialOfServiceTaf;
+
+/**
+ * Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as
+ * Properties vs JavaBeans vs FilterConfigs...
+ * 
+ *
+ */
+public class Config {
+
+	private static final String HIDE_PASS = "***************";
+
+	public static final String UTF_8 = "UTF-8";
+
+	// Property Names associated with configurations.
+	// As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style
+	// configurations as well as property list style.
+	public static final String HOSTNAME = "hostname";
+	public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;)
+	public static final String CADI_LOGLEVEL = "cadi_loglevel";
+	public static final String CADI_LOGNAME = "cadi_logname";
+	public static final String CADI_KEYFILE = "cadi_keyfile";
+	public static final String CADI_KEYSTORE = "cadi_keystore";
+	public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password";
+	public static final String CADI_ALIAS = "cadi_alias";
+	public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url";
+
+	public static final String CADI_KEY_PASSWORD = "cadi_key_password";
+	public static final String CADI_TRUSTSTORE = "cadi_truststore";
+	public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password";
+	public static final String CADI_X509_ISSUERS = "cadi_x509_issuers";
+	public static final String CADI_TRUST_MASKS="cadi_trust_masks";
+	public static final String CADI_TRUST_PERM="cadi_trust_perm"; //  IDs with this perm can utilize the "AS " user concept
+	public static final String CADI_PROTOCOLS = "cadi_protocols";
+	public static final String CADI_NOAUTHN = "cadi_noauthn";
+	public static final String CADI_LOC_LIST = "cadi_loc_list";
+	
+	public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";
+	public static final String CADI_USER_CHAIN = "USER_CHAIN";
+
+	
+	
+	public static final String CSP_DOMAIN = "csp_domain";
+	public static final String CSP_HOSTNAME = "csp_hostname";
+	public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
+	public static final String CSP_USER_HEADER = "CSP_USER";
+	public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
+    public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
+
+
+	public static final String TGUARD_ENV="tguard_env";
+	public static final String TGUARD_DOMAIN = "tguard_domain";
+	public static final String TGUARD_TIMEOUT = "tguard_timeout";
+	public static final String TGUARD_TIMEOUT_DEF = "5000";
+	public static final String TGUARD_CERTS = "tguard_certs"; // comma delimited SHA-256 finger prints
+//	public static final String TGUARD_DEVL_LOCALHOST = "tguard_devl_localhost";
+//	public static final String TGUARD_USER_HEADER = "TGUARD_USER";
+
+	public static final String LOCALHOST_ALLOW = "localhost_allow";
+	public static final String LOCALHOST_DENY = "localhost_deny";
+	
+	public static final String BASIC_REALM = "basic_realm";  // what is sent to the client 
+	public static final String BASIC_WARN = "basic_warn";  // Warning of insecure channel 
+	public static final String USERS = "local_users";
+	public static final String GROUPS = "local_groups";
+	public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)
+	
+	public static final String AAF_ENV = "aaf_env";
+	public static final String AAF_ROOT_NS = "aaf_root_ns";
+	public static final String AAF_ROOT_COMPANY = "aaf_root_company";
+	public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
+	public static final String AAF_MECHID = "aaf_id";
+	public static final String AAF_MECHPASS = "aaf_password";
+	public static final String AAF_LUR_CLASS = "aaf_lur_class";
+	public static final String AAF_TAF_CLASS = "aaf_taf_class";
+	public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class";
+	public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";
+	public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout";
+	public static final String AAF_CONN_TIMEOUT_DEF = "3000";
+	public static final String AAF_READ_TIMEOUT = "aaf_timeout";
+	public static final String AAF_READ_TIMEOUT_DEF = "5000";
+	public static final String AAF_USER_EXPIRES = "aaf_user_expires";
+	public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins
+	public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval";
+	public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds
+	public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";
+	public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins
+	
+	public static final String AAF_HIGH_COUNT = "aaf_high_count";
+	public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries
+	public static final String AAF_PERM_MAP = "aaf_perm_map";
+	public static final String AAF_DEPLOYED_VERSION = "DEPLOYED_VERSION";
+	public static final String AAF_CERT_IDS = "aaf_cert_ids";
+	public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
+	
+	public static final String GW_URL = "gw_url";
+	public static final String CM_URL = "cm_url";
+	public static final String CM_TRUSTED_CAS = "cm_trusted_cas";
+
+	public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";
+	public static final String PATHFILTER_STACK = "pathfilter_stack";
+	public static final String PATHFILTER_NS = "pathfilter_ns";
+	public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg";
+
+	public static final String AFT_DME2_TRUSTSTORE_PASSWORD = "AFT_DME2_TRUSTSTORE_PASSWORD";
+	public static final String AFT_DME2_TRUSTSTORE = "AFT_DME2_TRUSTSTORE";
+	public static final String AFT_DME2_KEYSTORE_PASSWORD = "AFT_DME2_KEYSTORE_PASSWORD";
+	public static final String AFT_DME2_KEY_PASSWORD = "AFT_DME2_KEY_PASSWORD";
+	public static final String AFT_DME2_KEYSTORE = "AFT_DME2_KEYSTORE";
+	public static final String AFT_DME2_SSL_TRUST_ALL = "AFT_DME2_SSL_TRUST_ALL";
+	public static final String AFT_DME2_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_SSL_INCLUDE_PROTOCOLS";
+
+
+	// DME2 Client.  First property must be set to "false", and the others set in order to use SSL Client
+	public static final String AFT_DME2_CLIENT_IGNORE_SSL_CONFIG="AFT_DME2_CLIENT_IGNORE_SSL_CONFIG";
+	public static final String AFT_DME2_CLIENT_KEYSTORE = "AFT_DME2_CLIENT_KEYSTORE";
+	public static final String AFT_DME2_CLIENT_KEYSTORE_PASSWORD = "AFT_DME2_CLIENT_KEYSTORE_PASSWORD";
+	public static final String AFT_DME2_CLIENT_TRUSTSTORE = "AFT_DME2_CLIENT_TRUSTSTORE";
+	public static final String AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD = "AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD";
+	public static final String AFT_DME2_CLIENT_SSL_CERT_ALIAS = "AFT_DME2_CLIENT_SSL_CERT_ALIAS"; 
+	public static final String AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS";
+
+	
+	// This one should go unpublic
+	public static final String AAF_DEFAULT_REALM = "aaf_default_realm";
+	private static String defaultRealm="none";
+
+	public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support";
+	//public static final String AAF_DOMAIN_SUPPORT_DEF = ".com";
+	public static final String AAF_DOMAIN_SUPPORT_DEF = ".org";
+
+
+	public static void setDefaultRealm(Access access) throws CadiException {
+		try {
+			boolean hasCSP;
+			try {
+				Class.forName("com.att.cadi.taf.csp.CSPTaf");
+				hasCSP=true;
+			} catch(ClassNotFoundException e) {
+				hasCSP = logProp(access,Config.CSP_DOMAIN, null)!=null;
+			}
+			defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM,
+					hasCSP?"csp.att.com":
+					logProp(access,Config.BASIC_REALM,
+						logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName())
+						)
+					);
+		} catch (UnknownHostException e) {
+			//defaultRealm="none";
+		}
+	}
+	
+
+	public static HttpTaf configHttpTaf(Access access, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException {
+		/////////////////////////////////////////////////////
+		// Setup AAFCon for any following
+		/////////////////////////////////////////////////////
+		Object aafcon = null;
+		if(lur != null) {
+			Field f = null;
+			try {
+				f = lur.getClass().getField("aaf");
+				aafcon = f.get(lur);
+			} catch (Exception nsfe) {
+			}
+		}
+		// IMPORTANT!  Don't attempt to load AAF Connector if there is no AAF URL
+		String aafURL = access.getProperty(AAF_URL,null);
+		if(aafcon==null && aafURL!=null) {
+			aafcon = loadAAFConnector(access, aafURL);	
+		}
+		
+		HttpTaf taf;
+		// Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc)
+		String hostname = logProp(access, HOSTNAME,null);
+		if(hostname==null) {
+			try {
+				hostname = InetAddress.getLocalHost().getHostName();
+			} catch (UnknownHostException e1) {
+				throw new CadiException("Unable to determine Hostname",e1);
+			}
+		}
+		
+		access.log(Level.INIT, "Hostname set to",hostname);
+		// Get appropriate TAFs
+		ArrayList<HttpTaf> htlist = new ArrayList<HttpTaf>();
+
+		/////////////////////////////////////////////////////
+		// Add a Denial of Service TAF
+		// Note: how IPs and IDs are added are up to service type.
+		// They call "DenialOfServiceTaf.denyIP(String) or denyID(String)
+		/////////////////////////////////////////////////////
+		htlist.add(new DenialOfServiceTaf(access));
+
+		/////////////////////////////////////////////////////
+		// Configure LocalHost 
+		/////////////////////////////////////////////////////
+		
+		String truststore = logProp(access, CADI_TRUSTSTORE, access.getProperty("AFT_DME2_TRUSTSTORE", null));
+		if(truststore!=null) {
+			String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD, access.getProperty("AFT_DME2_TRUSTSTORE_PASSWORD",null));
+			if(truststore_pwd!=null) {
+				if(truststore_pwd.startsWith(Symm.ENC)) {
+					try {
+						truststore_pwd = access.decrypt(truststore_pwd,false);
+					} catch (IOException e) {
+						throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e);
+					}
+				}
+				try {
+					htlist.add(new X509Taf(access,lur));
+					access.log(Level.INIT,"Certificate Authorization enabled");
+				} catch (SecurityException e) {
+					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
+				} catch (IllegalArgumentException e) {
+					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
+				} catch (CertificateException e) {
+					access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e);
+				} catch (NoSuchAlgorithmException e) {
+					access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e);
+				}
+			}
+		} else {
+			access.log(Level.INIT,"Certificate Authorization not enabled");
+		}
+		
+		/////////////////////////////////////////////////////
+		// Configure Basic Auth (local content)
+		/////////////////////////////////////////////////////
+		String basic_realm = logProp(access, BASIC_REALM,null);
+		boolean basic_warn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE"));
+		if(basic_realm!=null && up!=null) {
+			access.log(Level.INIT,"Basic Authorization is enabled using realm",basic_realm);
+			// Allow warning about insecure channel to be turned off
+			if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
+					" There will be no additional warning if Basic Auth is used on an insecure channel"
+					);
+			String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins
+			long userExp = Long.parseLong(aafCleanup);
+
+			htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
+		} else {
+			access.log(Level.INIT,"Local Basic Authorization is disabled.  Enable by setting basic_realm=<appropriate realm, i.e. my.att.com>");
+		}
+		
+		/////////////////////////////////////////////////////
+		// Configure AAF Driven Basic Auth
+		/////////////////////////////////////////////////////
+		boolean getRemoteAAF = true;
+		if(additionalTafLurs!=null) {
+			for(Object o : additionalTafLurs) {
+				if(o.getClass().getSimpleName().equals("DirectAAFLur")) {
+					getRemoteAAF = false;
+					break;
+				}
+			}
+		}
+		HttpTaf aaftaf=null;
+		if(getRemoteAAF) {
+			if(aafcon==null) {
+				access.log(Level.INIT,"AAF Connection (AAFcon) is null.  Cannot create an AAF TAF");
+			} else if(aafURL==null) {
+				access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF");
+			} else {// There's an AAF_URL... try to configure an AAF 
+				String defName = aafURL.contains("version=2.0")?"com.att.cadi.aaf.v2_0.AAFTaf":"";
+				String aafTafClassName = logProp(access, AAF_TAF_CLASS,defName);
+				// Only 2.0 available at this time
+				if("com.att.cadi.aaf.v2_0.AAFTaf".equals(aafTafClassName)) { 
+					try {
+						Class<?> aafTafClass = loadClass(access,aafTafClassName);
+						Class<?> aafConClass = loadClass(access,"com.att.cadi.aaf.v2_0.AAFCon");
+	
+						Constructor<?> cstr = aafTafClass.getConstructor(aafConClass,boolean.class,AbsUserCache.class);
+						if(cstr!=null) {
+							aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn,lur);
+							if(aaftaf==null) {
+								access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");
+							} else {
+								access.log(Level.INIT,"AAF TAF Configured to ",aafURL);
+								// Note: will add later, after all others configured
+							}
+						}
+					} catch(Exception e) {
+						access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");
+					}
+				}
+			}
+		}
+		
+		
+		String alias = logProp(access, CADI_ALIAS,null);
+
+		/////////////////////////////////////////////////////
+		// Configure tGuard... (AT&T Client Repo)
+		/////////////////////////////////////////////////////
+		// TGUARD Environment, translated to any other remote Environment validation mechanism...
+		String tGuard_domain = logProp(access, TGUARD_DOMAIN,null);
+		String tGuard_env = logProp(access, TGUARD_ENV, null);
+
+		if(!("PROD".equals(tGuard_env) || "STAGE".equals(tGuard_env))) {
+			access.log(Level.INIT, "tGuard Authorization is disabled.  Enable by setting", TGUARD_ENV, "to \"PROD\" or \"STAGE\"");
+		} else if(tGuard_domain==null) {
+			access.log(Level.INIT,TGUARD_DOMAIN + " must be set:  tGuard Authorization is disabled.");
+		} else if(alias == null) {
+			access.log(Level.INIT,CADI_ALIAS + " must be set:  tGuard Authorization is disabled.");
+		} else {
+			try {
+				Class<?> tGuardClass = loadClass(access,"com.att.cadi.tguard.TGuardHttpTaf");
+				if(aaftaf!=null) {
+					Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, AbsUserCache.class});
+					htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {access,aaftaf}));
+					access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");
+				} else {
+					Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, int.class, int.class, int.class});
+					htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {
+							access,
+							Integer.parseInt(logProp(access, AAF_CLEAN_INTERVAL,AAF_CLEAN_INTERVAL_DEF)),
+							Integer.parseInt(logProp(access, AAF_HIGH_COUNT, AAF_HIGH_COUNT_DEF)),
+							Integer.parseInt(logProp(access, AAF_REFRESH_TRIGGER_COUNT, AAF_REFRESH_TRIGGER_COUNT_DEF))
+							}));
+					access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");
+				}
+			} catch(Exception e) {
+				access.log(e, Level.INIT,"tGuard Class cannot be loaded:  tGuard Authorization is disabled.");
+			}
+		}
+		
+		/////////////////////////////////////////////////////
+		// Adding BasicAuth (AAF) last, after other primary Cookie Based
+		// Needs to be before Cert... see below
+		/////////////////////////////////////////////////////
+		if(aaftaf!=null) {
+			htlist.add(aaftaf);
+		}
+
+
+		/////////////////////////////////////////////////////
+		// Any Additional Lurs passed in Constructor
+		/////////////////////////////////////////////////////
+		if(additionalTafLurs!=null) {
+			for(Object additional : additionalTafLurs) {
+				if(additional instanceof HttpTaf) {
+					htlist.add((HttpTaf)additional);
+					access.log(Level.INIT,additional);
+				}
+			}
+		}
+
+		/////////////////////////////////////////////////////
+		// Create EpiTaf from configured TAFs
+		/////////////////////////////////////////////////////
+		if(htlist.size()==1) {
+			// just return the one
+			taf = htlist.get(0);
+		} else {
+			HttpTaf[] htarray = new HttpTaf[htlist.size()];
+			htlist.toArray(htarray);
+			Locator<URI> locator = loadLocator(access, logProp(access, CADI_LOGINPAGE_URL, null));
+			
+			taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null
+			String level = logProp(access, CADI_LOGLEVEL, null);
+			if(level!=null) {
+				access.setLogLevel(Level.valueOf(level));
+			}
+		}
+		
+		return taf;
+	}
+	
+	public static String logProp(Access access,String tag, String def) {
+		String rv = access.getProperty(tag, def);
+		if(rv == null) {
+			access.log(Level.INIT,tag,"is not set");
+		} else {
+			access.log(Level.INIT,tag,"is set to",rv);
+		}
+		return rv;
+	}
+	
+	public static Lur configLur(Access access, Object ... additionalTafLurs) throws CadiException {
+		List<Lur> lurs = new ArrayList<Lur>();
+		
+		/////////////////////////////////////////////////////
+		// Configure a Local Property Based RBAC/LUR
+		/////////////////////////////////////////////////////
+		try {
+			String users = access.getProperty(USERS,null);
+			String groups = access.getProperty(GROUPS,null);
+
+			if(groups!=null || users!=null) {
+				LocalLur ll;
+				lurs.add(ll = new LocalLur(access, users, groups)); // note b64==null is ok.. just means no encryption.
+				
+				String writeto = access.getProperty(WRITE_TO,null);
+				if(writeto!=null) {
+					String msg = UsersDump.updateUsers(writeto, ll);
+					if(msg!=null) access.log(Level.INIT,"ERROR! Error Updating ",writeto,"with roles and users:",msg);
+				}
+			}
+		} catch (IOException e) {
+			throw new CadiException(e);
+		}
+		
+		/////////////////////////////////////////////////////
+		// Configure the AAF Lur (if any)
+		/////////////////////////////////////////////////////
+		String aafURL = logProp(access,AAF_URL,null); // Trigger Property
+		String aaf_env = access.getProperty(AAF_ENV,null);
+		if(aaf_env == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL
+			int ec = aafURL.indexOf("envContext=");
+			if(ec>0) {
+				ec += 11; // length of envContext=
+				int slash = aafURL.indexOf('/', ec);
+				if(slash>0) {
+					aaf_env = aafURL.substring(ec, slash);
+					((PropAccess)access).setProperty(AAF_ENV, aaf_env);
+					access.printf(Level.INIT, "Setting aaf_env to %s from aaf_url value",aaf_env);
+				}
+			}
+		}
+			
+		if(aafURL==null) {
+			access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded");
+		} else {// There's an AAF_URL... try to configure an AAF
+			String aafLurClassStr = logProp(access,AAF_LUR_CLASS,"com.att.cadi.aaf.v2_0.AAFLurPerm");
+			////////////AAF Lur 2.0 /////////////
+			if(aafLurClassStr.startsWith("com.att.cadi.aaf.v2_0")) { 
+				try {
+					Object aafcon = loadAAFConnector(access, aafURL);
+					if(aafcon==null) {
+						access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object.");
+					} else {
+						Class<?> aafAbsAAFCon = loadClass(access, "com.att.cadi.aaf.v2_0.AAFCon");
+						Method mNewLur = aafAbsAAFCon.getMethod("newLur");
+						Object aaflur = mNewLur.invoke(aafcon);
+	
+						if(aaflur==null) {
+							access.log(Level.INIT,"ERROR! AAF LUR Failed construction.  NOT Configured");
+						} else {
+							access.log(Level.INIT,"AAF LUR Configured to ",aafURL);
+							lurs.add((Lur)aaflur);
+							String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null);
+							if(debugIDs !=null && aaflur instanceof CachingLur) {
+								((CachingLur<?>)aaflur).setDebug(debugIDs);
+							}
+						}
+					}
+				} catch (Exception e) {
+					access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors.");
+				}
+			} 
+		} 
+
+		/////////////////////////////////////////////////////
+		// Any Additional passed in Constructor
+		/////////////////////////////////////////////////////
+		if(additionalTafLurs!=null) {
+			for(Object additional : additionalTafLurs) {
+				if(additional instanceof Lur) {
+					lurs.add((Lur)additional);
+					access.log(Level.INIT, additional);
+				}
+			}
+		}
+
+		/////////////////////////////////////////////////////
+		// Return a Lur based on how many there are... 
+		/////////////////////////////////////////////////////
+		switch(lurs.size()) {
+			case 0: 
+				access.log(Level.INIT,"WARNING! No CADI LURs configured");
+				// Return a NULL Lur that does nothing.
+				return new NullLur();
+			case 1:
+				return lurs.get(0); // Only one, just return it, save processing
+			default:
+				// Multiple Lurs, use EpiLUR to handle
+				Lur[] la = new Lur[lurs.size()];
+				lurs.toArray(la);
+				return new EpiLur(la);
+		}
+	}
+	
+	private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2 = "com.att.cadi.aaf.v2_0.AAFConDME2";
+	private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP = "com.att.cadi.aaf.v2_0.AAFConHttp";
+	public static Object loadAAFConnector(Access access, String aafURL) {
+		Object aafcon = null;
+		Class<?> aafConClass = null;
+
+		try {
+			if(aafURL!=null) {
+				String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);
+				if(COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2.equals(aafConnector) || aafURL.contains("/service=")) {
+					aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2);
+					if(aafConClass!=null) {
+						Constructor<?> cons = aafConClass.getConstructor(PropAccess.class);
+						aafcon = cons.newInstance(access);
+					} else {
+						access.log(Level.ERROR, "URL contains '/service=', which requires DME2");
+					}
+				} else if(COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) {
+					aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);
+					for(Constructor<?> c : aafConClass.getConstructors()) {
+						List<Object> lo = new ArrayList<Object>();
+						for(Class<?> pc : c.getParameterTypes()) {
+							if(pc.equals(PropAccess.class)) {
+								lo.add(access);
+							} else if(pc.equals(Locator.class)) {
+								lo.add(loadLocator(access, aafURL));
+							} else {
+								continue;
+							}
+						}
+						if(c.getParameterTypes().length!=lo.size()) {
+							continue; // back to another Constructor
+						} else {
+							aafcon = c.newInstance(lo.toArray());
+						}
+						break;
+					}
+				}
+				if(aafcon!=null) {
+					String mechid = logProp(access,Config.AAF_MECHID, null);
+					String pass = access.getProperty(Config.AAF_MECHPASS, null);
+					if(mechid!=null && pass!=null) {
+						try {
+							Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class);
+							basicAuth.invoke(aafcon, mechid,pass);
+						} catch (NoSuchMethodException nsme) {
+							// it's ok, don't use
+						}
+					}
+				}
+			}
+		} catch (Exception e) {
+			access.log(e,"AAF Connector could not be constructed with given Constructors.");
+		}
+		
+		return aafcon;
+	}
+
+	public static Class<?> loadClass(Access access, String className) {
+		Class<?> cls=null;
+		try {
+			cls = access.classLoader().loadClass(className);
+		} catch (ClassNotFoundException cnfe) {
+			try {
+				cls = access.getClass().getClassLoader().loadClass(className);
+			} catch (ClassNotFoundException cnfe2) {
+				// just return null
+			}
+		}
+		return cls;
+	}
+
+	@SuppressWarnings("unchecked")
+	public static Locator<URI> loadLocator(Access access, String url) {
+		Locator<URI> locator = null;
+		if(url==null) {
+			access.log(Level.INIT,"No URL for AAF Login Page. Disabled");
+		} else {
+			if(url.contains("DME2RESOLVE")) {
+				try {
+					Class<?> lcls = loadClass(access,"com.att.cadi.locator.DME2Locator");
+					Class<?> dmcls = loadClass(access,"com.att.aft.dme2.api.DME2Manager");
+					Constructor<?> cnst = lcls.getConstructor(new Class[] {Access.class,dmcls,String.class});
+					locator = (Locator<URI>)cnst.newInstance(new Object[] {access,null,url});
+					access.log(Level.INFO, "DME2Locator enabled with " + url);
+				} catch (Exception e) {
+					access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires DME2. It is now disabled",e);
+				}
+			} else {
+				try {
+					Class<?> cls = loadClass(access,"com.att.cadi.locator.PropertyLocator");
+					Constructor<?> cnst = cls.getConstructor(new Class[] {String.class});
+					locator = (Locator<URI>)cnst.newInstance(new Object[] {url});
+					access.log(Level.INFO, "PropertyLocator enabled with " + url);
+				} catch (Exception e) {
+					access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires PropertyLocator. It is now disabled",e);
+				}
+			}
+		}
+		return locator;
+	}
+
+	/*
+	 * DME2 can only read Passwords as clear text properties.  Leaving in "System Properties" un-encrypted exposes these passwords
+	 */
+	public static class PasswordRemoval extends TimerTask {
+		private Access access;
+		
+		private final List<String> pws;
+
+		public PasswordRemoval(Access access) {
+			this.access = access;
+			pws = new ArrayList<String>();
+		}
+		
+		@Override
+		public void run() {
+			for(String key:pws) {
+				access.log(Level.INIT, "Scrubbing " + key);
+				System.clearProperty(key);
+			}
+		}		
+		public void add(String key) {
+			pws.add(key);
+		}
+	}
+
+	private static final String Y = "Y";
+
+	private static String[][] CONVERTER_STRINGS=new String[][] {
+			{AFT_DME2_KEYSTORE,CADI_KEYSTORE,null},
+			{AFT_DME2_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},
+			{AFT_DME2_KEY_PASSWORD,CADI_KEY_PASSWORD,null},
+			{AFT_DME2_TRUSTSTORE,CADI_TRUSTSTORE,null},
+			{AFT_DME2_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},
+			{AFT_DME2_CLIENT_KEYSTORE,CADI_KEYSTORE,null},
+			{AFT_DME2_CLIENT_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},
+			{AFT_DME2_CLIENT_TRUSTSTORE,CADI_TRUSTSTORE,null},
+			{AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},
+			{AFT_DME2_CLIENT_SSL_CERT_ALIAS,CADI_ALIAS,null},
+			{AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},
+			{"AFT_DME2_HOSTNAME",HOSTNAME,null},
+			{"AFT_LATITUDE",null,Y},
+			{"AFT_LONGITUDE",null,Y},
+			{"AFT_ENVIRONMENT",null,Y},
+			{"SCLD_PLATFORM",null,Y},
+			{"DME2_EP_REGISTRY_CLASS",null,Y},// for Developer local access
+			{"AFT_DME2_EP_REGISTRY_FS_DIR",null,Y},
+			{"DME2.DEBUG",null,null},
+			{"AFT_DME2_HTTP_EXCHANGE_TRACE_ON",null,null},
+			{"AFT_DME2_SSL_ENABLE",null,null},
+			{"AFT_DME2_SSL_WANT_CLIENT_AUTH",null,null},
+			{AFT_DME2_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},
+			{"AFT_DME2_SSL_VALIDATE_CERTS",null,null},
+			{AFT_DME2_CLIENT_IGNORE_SSL_CONFIG,null,null},
+			{"https.protocols",CADI_PROTOCOLS,Y},
+			};
+
+
+
+	public static Properties getDME2Props(PropAccess access) {
+		Properties dprops = new Properties();
+		String value = null;
+		boolean reqClientConfig = false;
+		for(String[] row : CONVERTER_STRINGS) {
+			value = access.getProperty(row[0],null);
+			if(value==null) {
+				value = System.getProperty(row[0]);
+				if(value==null && row[1]!=null) {
+					value = access.getProperty(row[1],null);
+					if(value == null) {
+						value = System.getProperty(row[1]);
+					}
+				}
+			}
+			if(value!=null) {
+				if(row[0].contains("_SSL_")) {
+					reqClientConfig = true;
+				}
+				if(row[0].startsWith("AFT") || row[0].startsWith("SCLD") || row[0].contains("DME2")) {
+					if(value.startsWith("enc:")) {
+						try {
+							value = access.decrypt(value, true);
+						} catch (IOException e) {
+							access.log(Level.ERROR, e);
+						}
+						System.setProperty(row[0], value);
+					} else if(Y.equals(row[2])) {
+						System.setProperty(row[0], value);
+						dprops.setProperty(row[0], value);
+					} else if(row[0].contains("PASSWORD") || row[0].contains("STORE")) {
+						System.setProperty(row[0], value);
+					} else {
+						dprops.setProperty(row[0], value);
+					}
+				}
+				
+			}
+			
+		}
+		
+		Properties sprops = System.getProperties();
+		if(reqClientConfig && sprops.getProperty(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) {
+			sprops.put(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG, "false");
+			replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE,AFT_DME2_TRUSTSTORE);
+			replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE_PASSWORD,AFT_DME2_TRUSTSTORE_PASSWORD);
+			replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE,AFT_DME2_CLIENT_TRUSTSTORE);
+			replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE_PASSWORD,AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD);
+		}
+		
+		if(sprops.getProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS)==null) {
+			sprops.setProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
+		}
+
+		if(sprops.getProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS)==null) {
+			sprops.setProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
+		}
+		
+		if(access.willLog(Level.DEBUG)) {
+			if(access instanceof PropAccess) {
+				access.log(Level.DEBUG,"Access Properties");
+				for(Entry<Object, Object> es : ((PropAccess)access).getProperties().entrySet()) {
+					access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),es.getValue().toString());
+				}
+			}
+			access.log(Level.DEBUG,"DME2 Properties()");
+			for(Entry<Object, Object> es : dprops.entrySet()) {
+				value = es.getValue().toString();
+				if(es.getKey().toString().contains("PASS")) {
+					if(value==null || !value.contains("enc:")) {
+						value = HIDE_PASS;
+					}
+				}
+				access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);
+			}
+			
+			access.log(Level.DEBUG,"System (AFT) Properties");
+			for(Entry<Object, Object> es : System.getProperties().entrySet()) {
+				if(es.getKey().toString().startsWith("AFT")) {
+					value = es.getValue().toString();
+					if(es.getKey().toString().contains("PASS")) {
+						if(value==null || !value.contains("enc:")) {
+							value = HIDE_PASS;
+						}
+					}
+					access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);
+				}
+			}
+		}
+		// Cover any not specific AFT props
+		String key;
+		for(Entry<Object, Object> es : access.getProperties().entrySet()) {
+			if((key=es.getKey().toString()).startsWith("AFT_") && 
+					!key.contains("PASSWORD") &&
+					dprops.get(key)==null) {
+				dprops.put(key, es.getValue());
+			}
+		}
+		return dprops;
+	}
+	
+	private static void replaceKeyWithTrust(Properties props, String ks, String ts) {
+		String value;
+		if(props.get(ks)==null && (value=props.getProperty(ts))!=null) {
+			props.put(ks,value);
+			props.remove(ts);
+		}
+	}
+	// Set by CSP, or is hostname.
+	public static String getDefaultRealm() {
+		return defaultRealm;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/config/Get.java b/core/src/main/java/com/att/cadi/config/Get.java
new file mode 100644
index 0000000..d6bb35b
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/Get.java
@@ -0,0 +1,98 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+import java.lang.reflect.Method;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+
+public interface Get {
+	public String get(String name, String def, boolean print);
+	
+	
+	/**
+	 * A class for Getting info out of "JavaBean" format
+	 *
+	 */
+	public static class Bean implements Get {
+		private Object bean;
+		private Class<?> bc;
+		private Class<?>[] params;
+		private Object[] args;
+		
+		public Bean(Object bean) {
+			this.bean = bean;
+			bc = bean.getClass();
+			params = new Class<?>[0]; // note, this will allow to go out of scope after config
+			args = new Object[0];
+		}
+		
+		public String get(String name, String def, boolean print) {
+			String str = null;
+			String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1);
+			try {
+				Method meth = bc.getMethod(gname, params);
+				Object obj = meth.invoke(bean, args);
+				str = obj==null?null:obj.toString(); // easy string convert... 
+			} catch (Exception e) {
+			}
+			
+			// Take def if nothing else
+			if(str==null) {
+				str = def;
+				// don't log defaults
+			} else {
+				str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
+			}
+			// Note: Can't log during configuration
+			return str;
+		}
+	}
+
+	public static Get NULL = new Get() {
+		public String get(String name, String def, boolean print) {
+			return def;
+		}
+	};
+
+	public static class AccessGet implements Get {
+		private Access access;
+		public AccessGet(Access access) {
+			this.access = access;
+		}
+		public String get(String name, String def, boolean print) {
+			String gotten = access.getProperty(name, def);
+			if(print) {
+				if(gotten == null) {
+					access.log(Level.INIT,name, "is not set");
+				} else {
+					access.log(Level.INIT,name, "is set to", gotten);
+				}
+			}
+			return gotten;
+		}
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/config/GetAccess.java b/core/src/main/java/com/att/cadi/config/GetAccess.java
new file mode 100644
index 0000000..bdd6afd
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/GetAccess.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+import com.att.cadi.PropAccess;
+
+public class GetAccess extends PropAccess {
+	private final Get getter;
+	
+	public GetAccess(Get getter) {
+		super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)});
+		this.getter = getter;
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#getProperty(java.lang.String, java.lang.String)
+	 */
+	@Override
+	public String getProperty(String tag, String def) {
+		String rv;
+		rv = super.getProperty(tag, null);
+		if(rv==null && getter!=null) {
+			rv = getter.get(tag, null, true);
+		}
+		return rv==null?def:rv;
+	}
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#getProperty(java.lang.String)
+	 */
+	@Override
+	public String getProperty(String tag) {
+		String rv;
+		rv = super.getProperty(tag, null);
+		if(rv==null && getter!=null) {
+			rv = getter.get(tag, null, true);
+		}
+		return rv;
+	}
+
+	public Get get() {
+		return getter;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/config/MultiGet.java b/core/src/main/java/com/att/cadi/config/MultiGet.java
new file mode 100644
index 0000000..a304319
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/MultiGet.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+public class MultiGet implements Get {
+    private Get[] getters;
+
+    public MultiGet(Get ... getters) {
+        this.getters = getters;
+    }
+
+    @Override
+    public String get(String name, String def, boolean print) {
+        String str;
+        for(Get getter : getters) {
+            str = getter.get(name, null, print);
+            if(str!=null) 
+                return str;
+        }
+        return def;
+    }
+
+}
diff --git a/core/src/main/java/com/att/cadi/config/SecurityInfo.java b/core/src/main/java/com/att/cadi/config/SecurityInfo.java
new file mode 100644
index 0000000..a1ef35b
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/SecurityInfo.java
@@ -0,0 +1,244 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.rmi.AccessException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.util.MaskFormatException;
+import com.att.cadi.util.NetMask;
+
+public class SecurityInfo {
+	private static final String SECURITY_ALGO = "RSA";
+	private static final String HTTPS_PROTOCOLS = "https.protocols";
+	private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
+
+	public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
+	public static final String REGEX_COMMA = "\\s*,\\s*";
+	public static final String SslKeyManagerFactoryAlgorithm;
+	
+	private SSLSocketFactory scf;
+	private X509KeyManager[] km;
+	private X509TrustManager[] tm;
+	public final String default_alias;
+	private NetMask[] trustMasks;
+	private SSLContext ctx;
+	private HostnameVerifier maskHV;
+
+	// Change Key Algorithms for IBM's VM.  Could put in others, if needed.
+	static {
+		if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) {
+			SslKeyManagerFactoryAlgorithm = "IbmX509";
+		} else {
+			SslKeyManagerFactoryAlgorithm = "SunX509";
+		}
+	}
+	
+
+	public SecurityInfo(final Access access) throws GeneralSecurityException, IOException {
+		// reuse DME2 Properties for convenience if specific Properties don't exist
+		String keyStore = access.getProperty(Config.CADI_KEYSTORE,
+				access.getProperty(Config.AFT_DME2_KEYSTORE,null));
+		String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD,
+				access.getProperty(Config.AFT_DME2_KEYSTORE_PASSWORD, null));
+		keyStorePasswd = keyStorePasswd==null?null:access.decrypt(keyStorePasswd,false);
+		String trustStore = access.getProperty(Config.CADI_TRUSTSTORE,
+				access.getProperty(Config.AFT_DME2_TRUSTSTORE, null));
+		String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD,
+				access.getProperty(Config.AFT_DME2_TRUSTSTORE_PASSWORD,null));
+		trustStorePasswd = trustStorePasswd==null?null:access.decrypt(trustStorePasswd,false);
+		default_alias = access.getProperty(Config.CADI_ALIAS, 
+				access.getProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS,null));
+		
+		String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD,null);
+		keyPasswd = keyPasswd==null?keyStorePasswd:access.decrypt(keyPasswd,false);
+		String tips=access.getProperty(Config.CADI_TRUST_MASKS, null);
+		if(tips!=null) {
+			access.log(Level.INIT,"Explicitly accepting valid X509s from",tips);
+			String[] ipsplit = tips.split(REGEX_COMMA);
+			trustMasks = new NetMask[ipsplit.length];
+			for(int i=0;i<ipsplit.length;++i) {
+				try {
+					trustMasks[i]=new NetMask(ipsplit[i]);
+				} catch (MaskFormatException e) {
+					throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS,e);
+				}
+			}
+		}
+		String https_protocols = Config.logProp(access,Config.CADI_PROTOCOLS, 
+				access.getProperty(Config.AFT_DME2_SSL_INCLUDE_PROTOCOLS, 
+					access.getProperty(HTTPS_PROTOCOLS,HTTPS_PROTOCOLS_DEFAULT)
+					));
+		System.setProperty(HTTPS_PROTOCOLS,https_protocols);
+		System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, https_protocols);
+		
+		KeyManagerFactory kmf = KeyManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
+		File file;
+
+
+		if(keyStore==null || keyStorePasswd == null) { 
+			km = new X509KeyManager[0];
+		} else {
+			ArrayList<X509KeyManager> kmal = new ArrayList<X509KeyManager>();
+			for(String ksname : keyStore.split(REGEX_COMMA)) {
+				file = new File(ksname);
+				String keystoreFormat;
+				if(ksname.endsWith("pkcs12")) {
+					keystoreFormat = "PKCS12";
+				} else {
+					keystoreFormat = "JKS";
+				}
+				if(file.exists()) {
+					FileInputStream fis = new FileInputStream(file);
+					try {
+						KeyStore ks = KeyStore.getInstance(keystoreFormat);
+						ks.load(fis, keyStorePasswd.toCharArray());
+						kmf.init(ks, keyPasswd.toCharArray());
+					} finally {
+						fis.close();
+					}
+				}
+			}
+			for(KeyManager km : kmf.getKeyManagers()) {
+				if(km instanceof X509KeyManager) {
+					kmal.add((X509KeyManager)km);
+				}
+			}
+			km = new X509KeyManager[kmal.size()];
+			kmal.toArray(km);
+		}
+
+		TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
+		if(trustStore!=null) {
+			for(String tsname : trustStore.split(REGEX_COMMA)) {
+				file = new File(tsname);
+				if(file.exists()) {
+					FileInputStream fis = new FileInputStream(file);
+					try {
+						KeyStore ts = KeyStore.getInstance("JKS");
+						ts.load(fis, trustStorePasswd.toCharArray());
+						tmf.init(ts); 
+					} finally {
+						fis.close();
+					}
+				}
+			}
+			TrustManager tms[] = tmf.getTrustManagers();
+			tm = new X509TrustManager[tms==null?0:tms.length];
+			for(int i=0;i<tms.length;++i) {
+				try {
+					tm[i]=(X509TrustManager)tms[i];
+				} catch (ClassCastException e) {
+					access.log(Level.WARN, "Non X509 TrustManager", tm[i].getClass().getName(),"skipped in SecurityInfo");
+				}
+			}
+		}
+		
+		if(trustMasks!=null) {
+			final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
+			HttpsURLConnection.setDefaultHostnameVerifier(maskHV = new HostnameVerifier() {
+				@Override
+				public boolean verify(final String urlHostName, final SSLSession session) {
+					try {
+						// This will pick up /etc/host entries as well as DNS
+						InetAddress ia = InetAddress.getByName(session.getPeerHost());
+						for(NetMask tmask : trustMasks) {
+							if(tmask.isInNet(ia.getHostAddress())) {
+								return true;
+							}
+						}
+					} catch (UnknownHostException e) {
+						// It's ok. do normal Verify
+					}
+					return origHV.verify(urlHostName,session);
+				};
+			});
+		}
+		ctx = SSLContext.getInstance("TLS");
+		ctx.init(km, tm, null);
+		SSLContext.setDefault(ctx);
+		scf = ctx.getSocketFactory();
+	}
+
+	/**
+	 * @return the scf
+	 */
+	public SSLSocketFactory getSSLSocketFactory() {
+		return scf;
+	}
+
+	public SSLContext getSSLContext() {
+		return ctx;
+	}
+
+	/**
+	 * @return the km
+	 */
+	public X509KeyManager[] getKeyManagers() {
+		return km;
+	}
+
+	public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
+		for(X509TrustManager xtm : tm) {
+			xtm.checkClientTrusted(certarr, SECURITY_ALGO);
+		}
+	}
+
+	public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
+		for(X509TrustManager xtm : tm) {
+			xtm.checkServerTrusted(certarr, SECURITY_ALGO);
+		}
+	}
+
+	public void setSocketFactoryOn(HttpsURLConnection hsuc) {
+		hsuc.setSSLSocketFactory(scf);
+		if(maskHV!=null && !maskHV.equals(hsuc.getHostnameVerifier())) {
+			hsuc.setHostnameVerifier(maskHV);
+		}
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/config/SecurityInfoC.java b/core/src/main/java/com/att/cadi/config/SecurityInfoC.java
new file mode 100644
index 0000000..5e2fd54
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/SecurityInfoC.java
@@ -0,0 +1,45 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import com.att.cadi.Access;
+import com.att.cadi.SecuritySetter;
+
+
+public class SecurityInfoC<CLIENT> extends SecurityInfo {
+	public SecuritySetter<CLIENT> defSS;
+
+	public SecurityInfoC(Access access) throws GeneralSecurityException, IOException {
+		super(access);
+	}
+
+	public SecurityInfoC<CLIENT> set(SecuritySetter<CLIENT> defSS) {
+		this.defSS = defSS;
+		return this;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/config/UsersDump.java b/core/src/main/java/com/att/cadi/config/UsersDump.java
new file mode 100644
index 0000000..7d47b7e
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/config/UsersDump.java
@@ -0,0 +1,159 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.config;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.Date;
+import java.util.HashSet;
+
+import com.att.cadi.AbsUserCache;
+import com.att.cadi.lur.LocalLur;
+
+public class UsersDump {
+
+	/**
+	 * @param args
+	 */
+	public static boolean write(OutputStream os, AbsUserCache<?> lur) {
+		PrintStream ps;
+		if(os instanceof PrintStream) {
+			ps = (PrintStream)os;
+		} else {
+			ps = new PrintStream(os);
+		}
+		try {
+			ps.println("<?xml version='1.0' encoding='utf-8'?>");
+			ps.println("<!--");
+			ps.print(  "     Code Generated Tomcat Users and Roles from AT&T LUR on ");
+			ps.println(new Date());
+			ps.println(  "-->");
+			ps.println("<tomcat-users>");
+
+			// We loop through Users, but want to write Groups first... therefore, save off print
+			StringBuilder sb = new StringBuilder();
+			
+			// Obtain all unique role names
+			HashSet<String> groups = new HashSet<String>();
+			for(AbsUserCache<?>.DumpInfo di : lur.dumpInfo()) {
+				sb.append("\n  <user username=\"");
+				sb.append(di.user);
+				sb.append("\" roles=\"");
+				boolean first = true;
+				for(String role : di.perms) {
+					groups.add(role);
+					if(first)first = false;
+					else sb.append(',');
+					sb.append(role);
+				}
+				sb.append("\"/>");
+
+			}
+
+			// Print roles
+			for(String group : groups) {
+				ps.print("  <role rolename=\"");
+				ps.print(group);
+				ps.println("\"/>");
+			}
+	
+			ps.println(sb);
+
+			ps.println("</tomcat-users>");
+			ps.flush();
+		} catch (Throwable t) {
+			t.printStackTrace(ps);
+			return false;
+		}
+		return true;
+	}
+	
+	/**
+	 * 
+	 * Note: This method returns a String if there's an error, or null if ok.
+	 * This unusual style is necessitated by the fact that any Exceptions thrown are likely to 
+	 * be unlogged and hidden from view, making debugging almost impossible.
+	 * 
+	 * @param writeto
+	 * @param up
+	 * @return
+	 */
+	public static String updateUsers(String writeto, LocalLur up) {
+		// Dump a Tomcat-user.xml lookalike (anywhere)
+		if(writeto!=null) {
+			// First read content
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			if(UsersDump.write(baos, up)) {
+				byte[] postulate = baos.toByteArray();
+				// now get contents of file
+				File file = new File(writeto);
+				boolean writeIt;
+				if(file.exists()) {
+					try {
+						FileInputStream fis = new FileInputStream(file);
+						byte[] orig = new byte[(int)file.length()];
+						try {
+							fis.read(orig);
+						} finally {
+							fis.close();
+						}
+						// Starting at third "<" (<tomcat-users> line)
+						int startA=0, startB=0;
+						for(int i=0;startA<orig.length && i<3;++startA) if(orig[startA]=='<')++i;
+						for(int i=0;startB<orig.length && i<3;++startB) if(postulate[startB]=='<')++i;
+						
+						writeIt=orig.length-startA!=postulate.length-startB; // first, check if remaining length is the same
+						while(!writeIt && startA<orig.length && startB<postulate.length) {
+							if(orig[startA++]!=postulate[startB++])writeIt = true;
+						}
+					} catch (Exception e) {
+						writeIt = true;
+					}
+				} else {
+					writeIt = true;
+				}
+				
+				if(writeIt) {
+					try {
+						FileOutputStream fos = new FileOutputStream(file);
+						try {
+							fos.write(postulate);
+						} finally {
+							fos.close();
+						}
+					} catch (IOException e) {
+						return e.getMessage();
+					}
+				}
+			}
+		}
+		return null; // no message means ok.
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/AUTHZ.java b/core/src/main/java/com/att/cadi/filter/AUTHZ.java
new file mode 100644
index 0000000..8f33105
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/AUTHZ.java
@@ -0,0 +1,38 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.servlet.Servlet;
+
+@Target({TYPE})
+@Retention(RUNTIME)
+public @interface AUTHZ {
+	Class<? extends Servlet> value();
+}
diff --git a/core/src/main/java/com/att/cadi/filter/AUTHZServlet.java b/core/src/main/java/com/att/cadi/filter/AUTHZServlet.java
new file mode 100644
index 0000000..dab6b47
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/AUTHZServlet.java
@@ -0,0 +1,101 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import java.io.IOException;
+
+import javax.servlet.Servlet;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * 
+ *
+ */
+public class AUTHZServlet<S extends Servlet> implements Servlet {
+	private String[] roles;
+	private Servlet delegate;
+
+	protected AUTHZServlet(Class<S> cls) {
+		try {
+			delegate = cls.newInstance();
+		} catch (Exception e) {
+			delegate = null;
+		}
+		RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class);
+		if(rolesAllowed == null) {
+			roles = null;
+		} else {
+			roles = rolesAllowed.value();
+		}
+	}
+	
+	public void init(ServletConfig sc) throws ServletException {
+		if(delegate == null) throw new ServletException("Invalid Servlet Delegate");
+		delegate.init(sc);
+	}
+	
+	public ServletConfig getServletConfig() {
+		return delegate.getServletConfig();
+	}
+
+	public String getServletInfo() {
+		return delegate.getServletInfo();
+	}
+
+	public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
+		if(roles==null) {
+			delegate.service(req,resp);
+		} else { // Validate
+			try {
+				HttpServletRequest hreq = (HttpServletRequest)req;
+				boolean proceed = false;
+				for(String role : roles) {
+					if(hreq.isUserInRole(role)) {
+						proceed = true;
+						break;
+					}
+				}
+				if(proceed) {
+					delegate.service(req,resp);
+				} else {
+					//baseRequest.getServletContext().log(hreq.getUserPrincipal().getName()+" Refused " + roles);
+					((HttpServletResponse)resp).sendError(403); // forbidden
+				}
+			} catch(ClassCastException e) {
+				throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse");
+			}
+		}
+	}
+
+	public void destroy() {
+		delegate.destroy();
+	}
+
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/AccessGetter.java b/core/src/main/java/com/att/cadi/filter/AccessGetter.java
new file mode 100644
index 0000000..a36b7c7
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/AccessGetter.java
@@ -0,0 +1,38 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import com.att.cadi.Access;
+import com.att.cadi.config.Get;
+
+public class AccessGetter implements Get {
+	private final Access access;
+	public AccessGetter(Access access) {
+		this.access = access;
+	}
+	public String get(String name, String def, boolean print) {
+		return access.getProperty(name, def);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/CadiAccess.java b/core/src/main/java/com/att/cadi/filter/CadiAccess.java
new file mode 100644
index 0000000..c7a9250
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/CadiAccess.java
@@ -0,0 +1,244 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+
+import com.att.cadi.Access;
+import com.att.cadi.Symm;
+import com.att.cadi.config.Config;
+import com.att.cadi.config.Get;
+
+public class CadiAccess implements Access {
+	// constants for a couple of very commonly used strings.
+	protected static final String FROM = "from";
+	protected static final String FOR = "for";
+
+	// Properties derived from <pass> sources (could be property files, Valve Configurations, Filter
+	// configs, etc. 
+	protected Properties props;
+
+	// Will we write Logs?
+	protected Level willWrite = Level.INFO;
+	
+	protected ServletContext context;
+	protected Get getter = Get.NULL; // replace with Derived Class getter
+	private Symm symm;
+
+	public CadiAccess(Map<String, Object> map) {
+		if(map!=null && !map.isEmpty()) {
+			props = new Properties();
+			for(Entry<String, Object> es : map.entrySet()) {
+				Object v = es.getValue();
+				if(v!=null) {
+					props.put(es.getKey(), v.toString());
+				}
+			}
+			Object keyfile = props.get(Config.CADI_KEYFILE);
+			if(keyfile!=null) {
+				try {
+					FileInputStream fis = new FileInputStream(keyfile.toString());
+					symm = Symm.obtain(fis);
+				} catch (Exception e) {
+				}
+			}
+
+		}
+	}
+	
+	public Level willWrite() {
+		return willWrite;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level)
+	 */
+	@Override
+	public boolean willLog(Level level) {
+		return willWrite.compareTo(level)<=0;
+	}
+
+	/**
+	 * Add the "Level" to the Buildline for Logging types that don't specify, or straight Streams, etc.  Then buildline
+	 * 
+	 * Build a line of code onto a StringBuilder based on Objects.  Analyze whether 
+	 * spaces need including.
+	 *
+	 * @param level
+	 * @param sb
+	 * @param elements
+	 * @return
+	 */
+	public final static StringBuilder buildLine(Level level, StringBuilder sb, Object[] elements) {
+		sb.append(level.name());
+		return buildLine(sb,elements);
+	}
+	
+	/*
+	 * Build a line of code onto a StringBuilder based on Objects.  Analyze whether 
+	 * spaces need including.
+	 * 
+	 * @param sb
+	 * @param elements
+	 * @return
+	 */
+	public final static StringBuilder buildLine(StringBuilder sb, Object[] elements) {
+		sb.append(' ');
+		String str;
+		boolean notFirst = false;
+		for(Object o : elements) {
+			if(o!=null) {
+				str = o.toString();
+				
+				if(str.length()>0) {
+					if(notFirst && shouldAddSpace(str,true) && shouldAddSpace(sb,false)) {
+						sb.append(' ');
+					} else {
+						notFirst=true;
+					}
+					sb.append(str);
+				}
+			}
+		}
+		return sb;
+	}
+	
+	private static boolean shouldAddSpace(CharSequence c,boolean start) {
+		if(c.length()>0)
+			switch(c.charAt(start?0:c.length()-1)) {
+				case ' ':
+				case '\t':
+				case '\n':
+				case '\'':
+				case '"':
+				case '|':
+					return false;
+			}
+		return true;
+	}
+
+	/**
+	 * Standard mechanism for logging, given being within a Servlet Context
+	 * 
+	 * Here, we treat
+	 * 
+	 * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup 
+	 * scenarios)
+	 *
+	 */
+	public void log(Level level, Object... elements) {
+		if(willWrite.compareTo(level)<=0) {
+			StringBuilder sb = buildLine(level, new StringBuilder(),elements);
+			if(context==null) {
+				System.out.println(sb.toString());
+			} else {
+				context.log(sb.toString());
+			}
+		}
+	}
+
+	/**
+	 * Standard mechanism for logging an Exception, given being within a Servlet Context, etc
+	 * 
+	 * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup 
+	 * scenarios)
+	 *
+	 */
+	public void log(Exception e, Object... elements) {
+		if(willWrite.compareTo(Level.ERROR)<=0) {
+			StringBuilder sb = buildLine(Level.ERROR, new StringBuilder(),elements);
+		
+			if(context==null) {
+				sb.append(e.toString());
+				System.out.println(sb.toString());
+			} else {
+				context.log(sb.toString(),e);
+			}
+		}
+	}
+	
+	public void setLogLevel(Level level) {
+		willWrite = level;
+	}
+	
+	/**
+	 * Pass back the classloader of the Servlet Context, if it exists. Otherwise, get the classloader
+	 * of this object.
+	 */
+	public ClassLoader classLoader() { // Use the Classloader that Context was created with
+		return (context==null?this:context).getClass().getClassLoader();
+	}
+
+	/**
+	 * Get the Property from Context
+	 */
+	public String getProperty(String string, String def) {
+		String rv = null;
+
+        if ( props != null )
+            rv = props.getProperty( string, def );
+        
+		if(rv==null) {
+            rv = context.getInitParameter(string);
+		}
+		return rv==null?def:rv;
+
+	}
+
+	public void load(InputStream is) throws IOException {
+		if(this.props==null) {
+			this.props = new Properties();
+		}
+		this.props.load(is);
+		symm = Symm.obtain(this);
+	}
+
+	public String decrypt(String encrypted, boolean anytext) throws IOException {
+		if(symm==null) {
+			String keyfile = getter.get(Config.CADI_KEYFILE, null, true);
+			if(keyfile!=null) {
+				FileInputStream fis = new FileInputStream(keyfile);
+				symm=Symm.obtain(fis);
+				fis.close();
+			}
+		}
+		return (symm!=null && encrypted!=null && (anytext || encrypted.startsWith(Symm.ENC)))
+			? symm.depass(encrypted)
+			: encrypted;
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object[] elements) {
+		// TODO Auto-generated method stub
+		
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/CadiFilter.java b/core/src/main/java/com/att/cadi/filter/CadiFilter.java
new file mode 100644
index 0000000..578cbba
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/CadiFilter.java
@@ -0,0 +1,306 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CadiException;
+import com.att.cadi.CadiWrap;
+import com.att.cadi.Lur;
+import com.att.cadi.PropAccess;
+import com.att.cadi.ServletContextAccess;
+import com.att.cadi.TrustChecker;
+import com.att.cadi.config.Config;
+import com.att.cadi.config.Get;
+import com.att.cadi.taf.TafResp;
+import com.att.cadi.taf.TafResp.RESP;
+
+/**
+ * CadiFilter
+ * 
+ * This class implements Servlet Filter, and ties together CADI implementations
+ * 
+ * This class can be used in a standard J2EE Servlet manner.  Optimal usage is for POJO operations, where
+ * one can enforce this Filter being first and primary.  Depending on the Container, it 
+ * may be more effective, in some cases, to utilize features that allow earlier determination of 
+ * AUTHN (Authorization).  An example would be "Tomcat Valve".  These implementations, however, should
+ * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.
+ * 
+ * 
+ *
+ */
+public class CadiFilter implements Filter {
+	private static CadiHTTPManip httpChecker;
+	private static String[] pathExceptions;
+	private static List<Pair> mapPairs;
+	private Access access;
+	private Object[] additionalTafLurs;
+	private static int count=0;
+	
+	public Lur getLur() {
+		return httpChecker.getLur();
+	}
+	
+	/**
+	 * Construct a viable Filter
+	 * 
+	 * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on 
+	 * them at a later time.  Therefore, this object creates with an object that denies all access
+	 * until appropriate Init happens, just in case the container lets something slip by in the meantime.
+	 * 
+	 */
+	public CadiFilter() {
+		additionalTafLurs = CadiHTTPManip.noAdditional;
+	}
+
+	/**
+	 * This constructor to be used when directly constructing and placing in HTTP Engine
+	 * 
+	 * @param access
+	 * @param moreTafLurs
+	 * @throws ServletException 
+	 */
+	public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException {
+		additionalTafLurs = moreTafLurs;
+		init(new AccessGetter(this.access = access));
+	}
+
+
+	/**
+	 * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it
+	 * @param init
+	 * @param access
+	 * @param moreTafLurs
+	 * @throws ServletException
+	 */
+	public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException {
+		this.access = access;
+		if(init) {
+			init(new AccessGetter(access));
+		}
+		additionalTafLurs = moreTafLurs;
+	}
+
+	/**
+	 * Init
+	 * 
+	 * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a
+	 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
+	 * mechanism already.
+	 */
+	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions
+	public void init(FilterConfig filterConfig) throws ServletException {
+		// need the Context for Logging, instantiating ClassLoader, etc
+		ServletContextAccess sca=new ServletContextAccess(filterConfig); 
+		if(access==null) {
+			access = sca;
+		}
+		
+		// Set Protected getter with base Access, for internal class instantiations
+		init(new FCGet(access, sca.context(), filterConfig));
+	}
+	
+
+   private void init(Get getter) throws ServletException {
+        // Start with the assumption of "Don't trust anyone".
+	   TrustChecker tc = TrustChecker.NOTRUST; // default position
+	   try {
+		   @SuppressWarnings("unchecked")
+		   Class<TrustChecker> ctc = (Class<TrustChecker>) Class.forName("com.att.cadi.aaf.v2_0.AAFTrustChecker");
+		   if(ctc!=null) {
+			   Constructor<TrustChecker> contc = ctc.getConstructor(Access.class);
+			   if(contc!=null) {
+				   tc = contc.newInstance(access);
+			   }
+		   }
+	   } catch (Exception e) {
+		   access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
+	   }
+       
+        
+        // Synchronize, because some instantiations call init several times on the same object
+        // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.
+		synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {
+			++count;
+			if(httpChecker == null) {
+				if(access==null) {
+					access = new PropAccess();
+				}
+				try {
+					httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs);
+				} catch (CadiException e1) {
+					throw new ServletException(e1);
+				}
+			} else if(access==null) {
+				access= httpChecker.getAccess();
+			}
+
+			/*
+			 * Setup Authn Path Exceptions
+			 */
+			if(pathExceptions==null) {
+				String str = getter.get(Config.CADI_NOAUTHN, null, true);
+				if(str!=null) {
+					pathExceptions = str.split("\\s*:\\s*");
+				}
+			}
+	
+			/* 
+			 * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions
+			 */
+			if(mapPairs==null) {
+				String str = getter.get(Config.AAF_PERM_MAP, null, true);
+				if(str!=null) {
+					String mstr = getter.get(Config.AAF_PERM_MAP, null, true);
+					if(mstr!=null) {
+						String map[] = mstr.split("\\s*:\\s*");
+						if(map.length>0) {
+							MapPermConverter mpc=null;
+							int idx;
+							mapPairs = new ArrayList<Pair>();
+							for(String entry : map) {
+								if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
+									access.log(Level.INIT,"Loading Perm Conversions for:",entry);
+									mapPairs.add(new Pair(entry,mpc=new MapPermConverter()));
+								} else {
+									if(mpc!=null) {
+										mpc.map().put(entry.substring(0,idx),entry.substring(idx+1));
+									} else {
+										access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped");
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+
+		// Remove Getter
+        getter = Get.NULL;
+	}
+
+	/**
+	 * Containers call "destroy" when time to cleanup 
+	 */
+	public void destroy() {
+		// Synchronize, in case multiCadiFilters are used.
+		synchronized(CadiHTTPManip.noAdditional) {
+			if(--count<=0 && httpChecker!=null) {
+				httpChecker.destroy();
+				httpChecker=null;
+				access=null;
+				pathExceptions=null;
+			}
+		}
+	}
+
+	/**
+	 * doFilter
+	 * 
+	 * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and
+	 * only call the next item in the filterChain if request is suitably Authenticated.
+	 */
+	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		try {
+			HttpServletRequest hreq = (HttpServletRequest)request;
+			if(noAuthn(hreq)) {
+				chain.doFilter(request, response);
+			} else {
+				HttpServletResponse hresp = (HttpServletResponse)response;
+				TafResp tresp = httpChecker.validate(hreq, hresp);
+				if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
+						CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
+						if(httpChecker.notCadi(cw, hresp)) {
+							chain.doFilter(cw,response);
+						}
+				}						
+			}
+		} catch (ClassCastException e) {
+			throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);
+		}
+	}
+
+
+	/** 
+	 * If PathExceptions exist, report if these should not have Authn applied.
+	 * @param hreq
+	 * @return
+	 */
+	private boolean noAuthn(HttpServletRequest hreq) {
+		if(pathExceptions!=null) {
+			String pi = hreq.getPathInfo();
+			if(pi==null) return false; // JBoss sometimes leaves null
+			for(String pe : pathExceptions) {
+				if(pi.startsWith(pe))return true;
+			}
+		}
+		return false;
+	}
+	
+	/**
+	 * Get Converter by Path
+	 */
+	private PermConverter getConverter(HttpServletRequest hreq) {
+		if(mapPairs!=null) {
+			String pi = hreq.getPathInfo();
+			if(pi!=null) {
+			for(Pair p: mapPairs) {
+				if(pi.startsWith(p.name))return p.pc;
+			}
+			}
+		}
+		return NullPermConverter.singleton();
+	}
+	
+	/**
+	 * store PermConverters by Path prefix
+	 *
+	 */
+	private class Pair {
+		public Pair(String key, PermConverter pc) {
+			name = key;
+			this.pc = pc;
+		}
+		public String name;
+		public PermConverter pc;
+	}
+
+}
+
diff --git a/core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java b/core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java
new file mode 100644
index 0000000..821dae9
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java
@@ -0,0 +1,228 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CadiException;
+import com.att.cadi.CadiWrap;
+import com.att.cadi.Connector;
+import com.att.cadi.CredVal;
+import com.att.cadi.Lur;
+import com.att.cadi.Taf;
+import com.att.cadi.TrustChecker;
+import com.att.cadi.config.Config;
+import com.att.cadi.lur.EpiLur;
+import com.att.cadi.taf.HttpTaf;
+import com.att.cadi.taf.TafResp;
+import com.att.cadi.util.UserChainManip;
+
+/**
+ * Encapsulate common HTTP Manipulation Behavior.  It will appropriately set
+ * HTTPServletResponse for Redirect or Forbidden, as needed.
+ * 
+ * Further, this is useful, because it avoids multiple creates of Connections, where some Filters
+ * are created and destroyed regularly.
+ * 
+ *
+ *
+ */
+public class CadiHTTPManip {
+	private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
+	private static final String METH = "OPTIONS";
+	private static final String CADI = "/cadi/";
+	private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
+	private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
+	private static final String CADI_LOG_SET = "/cadi/log/set/";
+	private Access access;
+	private HttpTaf taf;
+	private CredVal up;
+	private Lur lur;
+	private String thisPerm,companyPerm,aaf_id;
+	
+	public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
+
+
+	public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+		synchronized(CADI) {
+			this.access = access;
+//			Get getter = new AccessGetter(access);
+			Config.setDefaultRealm(access);
+	
+			aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID, null));
+			if(aaf_id==null) {
+				access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_MECHID,Config.CADI_ALIAS);
+			} else {
+				access.printf(Level.INIT, "%s is set to %s",Config.AAF_MECHID,aaf_id);
+			}
+			String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
+			if(ns!=null) {
+				thisPerm = ns+ACCESS_CADI_CONTROL;
+				int dot = ns.indexOf('.');
+				if(dot>=0) {
+					int dot2=ns.indexOf('.',dot+1);
+					if(dot2<0) {
+						dot2=dot;
+					}
+					companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
+				} else {
+					companyPerm = "com"+ACCESS_CADI_CONTROL;
+				}
+			} else {
+				thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
+			}
+			
+			if(con!=null) { // try to reutilize connector
+				List<Lur> ll = null;
+				for(Object tl : additionalTafLurs) {
+					if(tl instanceof Lur) {
+						if(ll==null) {
+							ll = new ArrayList<Lur>();
+							ll.add(con.newLur());
+						}
+						ll.add((Lur)tl);
+					}
+				}
+				if(ll==null) {
+					lur = con.newLur();
+				} else {
+					lur = new EpiLur((Lur[])ll.toArray());
+				}
+			} else {
+				lur = Config.configLur(access, additionalTafLurs);
+			}
+			tc.setLur(lur);
+			if(lur instanceof EpiLur) {
+				up = ((EpiLur)lur).getUserPassImpl();
+			} else if(lur instanceof CredVal) {
+				up = (CredVal)lur;
+			} else {
+				up = null;
+			}
+			taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs);
+		}
+	}
+
+	public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException {
+		TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
+		switch(tresp.isAuthenticated()) {
+			case IS_AUTHENTICATED:
+				access.printf(Level.INFO,"Authenticated: %s from %s:%d"
+						, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+				break;
+			case TRY_AUTHENTICATING:
+				switch (tresp.authenticate()) {
+					case IS_AUTHENTICATED:
+						access.printf(Level.INFO,"Authenticated: %s from %s:%d"
+								, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+						break;
+					case HTTP_REDIRECT_INVOKED:
+						access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());
+						break;
+					case NO_FURTHER_PROCESSING:
+						access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"
+								, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+						hresp.sendError(403, tresp.desc()); // Forbidden
+						break;
+
+					default:
+						access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
+								, hreq.getRemoteAddr(), hreq.getRemotePort());
+						hresp.sendError(403, tresp.desc()); // Forbidden
+				}
+				break;
+			case NO_FURTHER_PROCESSING:
+				access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", 
+						tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+				hresp.sendError(403, "Access Denied"); // FORBIDDEN
+				break;
+			default:
+				access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
+						, hreq.getRemoteAddr(), hreq.getRemotePort());
+				hresp.sendError(403, "Access Denied"); // FORBIDDEN
+		}
+		return tresp;
+	}
+	
+	public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
+		
+		String pathInfo = req.getPathInfo();
+		if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {
+			if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {
+				try {
+					if(pathInfo.contains(CADI_CACHE_PRINT)) {
+						resp.getOutputStream().println(lur.toString());
+						resp.setStatus(200);
+						return false;
+					} else if(pathInfo.contains(CADI_CACHE_CLEAR)) {
+						StringBuilder report = new StringBuilder();
+						lur.clear(req.getUserPrincipal(), report);
+						resp.getOutputStream().println(report.toString());
+						resp.setStatus(200);
+						return false;
+					} else if(pathInfo.contains(CADI_LOG_SET))  {
+						Level l;
+						int slash = pathInfo.lastIndexOf('/');
+						String level = pathInfo.substring(slash+1);
+						try {
+							l = Level.valueOf(level);
+							access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());
+							access.setLogLevel(l);
+						} catch (IllegalArgumentException e) {
+							access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);
+						}
+						return false;
+					}
+				} catch (IOException e) {
+					access.log(e);
+				}
+			}
+		}
+		return true;
+	}
+
+	public Lur getLur() {
+		return lur;
+	}
+	
+	public void destroy() {
+		access.log(Level.INFO,"CadiHttpChecker destroyed.");
+		if(lur!=null) {
+			lur.destroy();
+			lur=null;
+		}
+	}
+
+	public Access getAccess() {
+		return access;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/FCGet.java b/core/src/main/java/com/att/cadi/filter/FCGet.java
new file mode 100644
index 0000000..97840d4
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/FCGet.java
@@ -0,0 +1,78 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.config.Get;
+
+/*
+ * A private method to query the Filter config and if not exists, return the default.  This
+ * cleans up the initialization code.
+ */
+class FCGet implements Get {
+	/**
+	 * 
+	 */
+	private final Access access;
+	private FilterConfig filterConfig;
+	private ServletContext context;
+
+	public FCGet(Access access, ServletContext context, FilterConfig filterConfig) {
+		this.access = access;
+		this.context = context;
+		this.filterConfig = filterConfig;
+	}
+
+	public String get(String name, String def, boolean print) {
+		String str = null;
+		// Try Server Context First
+		if(context!=null) {
+			str = context.getInitParameter(name);
+		}
+		
+		// Try Filter Context next
+		if(str==null && filterConfig != null) {
+			str = filterConfig.getInitParameter(name);
+		}
+		
+		if(str==null) {
+			str = access.getProperty(name, def);
+		}
+		// Take def if nothing else
+		if(str==null) {
+			str = def;
+			// don't log defaults
+		} else {
+			str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
+			if(print) {
+				access.log(Level.INFO,"Setting", name, "to", str);
+			}
+		}
+		return str;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/filter/MapPermConverter.java b/core/src/main/java/com/att/cadi/filter/MapPermConverter.java
new file mode 100644
index 0000000..19aeb18
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/MapPermConverter.java
@@ -0,0 +1,56 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class MapPermConverter implements PermConverter {
+	private HashMap<String,String> map;
+
+	/**
+	 * Create with colon separated name value pairs
+	 *  i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=...
+	 *  
+	 * @param value
+	 */
+	public MapPermConverter() {
+		map = new HashMap<String,String>();
+	}
+
+	/**
+	 * use to instantiate entries 
+	 * 
+	 * @return
+	 */
+	public Map<String,String> map() {
+		return map;
+	}
+
+	public String convert(String minimal) {
+		String rv = map.get(minimal);
+		return rv==null?minimal:rv;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/NullPermConverter.java b/core/src/main/java/com/att/cadi/filter/NullPermConverter.java
new file mode 100644
index 0000000..07c565d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/NullPermConverter.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+
+/**
+ * A NullPermConverter 
+ * 
+ * Obey the PermConverter Interface, but passed in "minimal" String is not converted.
+ * 
+ *
+ */
+public class NullPermConverter implements PermConverter {
+
+	private NullPermConverter() {}
+	private static final NullPermConverter singleton = new NullPermConverter();
+	public static NullPermConverter singleton() {return singleton;}
+
+	public String convert(String minimal) {
+		return minimal;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/filter/PathFilter.java b/core/src/main/java/com/att/cadi/filter/PathFilter.java
new file mode 100644
index 0000000..3ea6536
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/PathFilter.java
@@ -0,0 +1,184 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.config.Config;
+
+/**
+ * PathFilter
+ * 
+ * This class implements Servlet Filter, and uses AAF to validate access to a Path.
+ * 
+ * This class can be used in a standard J2EE Servlet manner.
+ *  
+ *
+ */
+public class PathFilter implements Filter {
+	private ServletContext context;
+	private String aaf_type;
+	private String not_authorized_msg;
+	private final Log log;
+
+	/**
+	 * Construct a viable Filter for installing in Container WEB.XML, etc.
+	 * 
+	 */
+	public PathFilter() {
+		log = new Log() {
+			public void info(String ... msg) {
+				context.log(build("INFO:",msg));
+			}
+			public void audit(String ... msg) {
+				context.log(build("AUDIT:",msg));
+			}
+			private String build(String type, String []msg) {
+				StringBuilder sb = new StringBuilder(type);
+				for(String s : msg) {
+					sb.append(' ');
+					sb.append(s);
+				}
+				return sb.toString();
+			}
+		
+		};
+	}
+	
+	/**
+	 * Filter that can be constructed within Java
+	 * @param access
+	 */
+	public PathFilter(final Access access) {
+		log = new Log() {
+			public void info(String ... msg) {
+				access.log(Level.INFO, (Object[])msg);
+			}
+			public void audit(String ... msg) {
+				access.log(Level.AUDIT, (Object[])msg);
+			}
+		};
+	}
+	
+	/**
+	 * Init
+	 * 
+	 * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a
+	 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
+	 * mechanism already.
+	 */
+	public void init(FilterConfig filterConfig) throws ServletException {
+		// need the Context for Logging, instantiating ClassLoader, etc
+		context = filterConfig.getServletContext();
+		StringBuilder sb = new StringBuilder();
+		StringBuilder err = new StringBuilder(); 
+		Object attr = context.getAttribute(Config.PATHFILTER_NS);
+		if(attr==null) {
+			err.append("PathFilter - pathfilter_ns is not set");
+		} else {
+			sb.append(attr.toString()); 
+		}
+
+		attr = context.getAttribute(Config.PATHFILTER_STACK);
+		if(attr==null) {
+			log.info("PathFilter - No pathfilter_stack set, ignoring");
+		} else {
+			sb.append('.');
+			sb.append(attr.toString());
+		}
+
+		attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);
+		if(attr==null) {
+			log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");
+			sb.append(".urlpattern");
+		} else {
+			sb.append('.');
+			sb.append(attr.toString());
+		}
+
+		log.info("PathFilter - AAF Permission Type is",sb.toString());
+		
+		sb.append('|');
+		
+		aaf_type = sb.toString();
+
+		attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);
+		if(attr==null) {
+			not_authorized_msg = "Forbidden - Not Authorized to access this Path";
+		} else {
+			not_authorized_msg = attr.toString();
+		}
+
+		if(err.length()>0) {
+			throw new ServletException(err.toString());
+		}
+	}
+
+	private interface Log {
+		public void info(String ... msg);
+		public void audit(String ... msg);
+	}
+
+	/**
+	 * doFilter
+	 * 
+	 * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and
+	 * only call the next item in the filterChain if request is suitably Authenticated.
+	 */
+	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		HttpServletRequest hreq = (HttpServletRequest)request;
+		HttpServletResponse hresp = (HttpServletResponse)response;
+		String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod();
+		if(hreq.isUserInRole(perm)) {
+			chain.doFilter(request, response);
+		} else {
+			log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm);
+			hresp.sendError(403,not_authorized_msg);
+		}
+	}
+
+	/**
+	 * Containers call "destroy" when time to cleanup 
+	 */
+	public void destroy() {
+		log.info("PathFilter destroyed.");
+	}
+
+
+
+}
+
diff --git a/core/src/main/java/com/att/cadi/filter/PermConverter.java b/core/src/main/java/com/att/cadi/filter/PermConverter.java
new file mode 100644
index 0000000..e5bfcb7
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/PermConverter.java
@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.filter;
+
+/**
+ * Convert a simplistic, single string Permission into an Enterprise Scoped Perm
+ * 
+ *
+ */
+public interface PermConverter {
+	public String convert(String minimal);
+}
diff --git a/core/src/main/java/com/att/cadi/filter/RolesAllowed.java b/core/src/main/java/com/att/cadi/filter/RolesAllowed.java
new file mode 100644
index 0000000..ec350fd
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/RolesAllowed.java
@@ -0,0 +1,56 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+/**
+ * RolesAllowed 
+ * 
+ * 
+ * Similar to Java EE's Spec from Annotations 1.1, 2.8
+ * 
+ * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined
+ * sense of permissions hierarchy.  The same mechanism, however, can easily be achieved on single Servlet/Handlers in
+ * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation
+ * 
+ */
+package com.att.cadi.filter;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+/**
+ * JASPI Style Annotation of RolesAllowed when the coding style is desired but actually including all 
+ * JEE jars is not. If using actual JASPI, use official @interface classes, not this one...
+ * 
+ */
+@Target({TYPE})
+@Retention(RUNTIME)
+public @interface RolesAllowed {
+	/**
+	 * Security role of the implementation, which doesn't have to be an EJB or CORBA like object.  Can be just a
+	 * Handler
+	 * @return
+	 */
+	String[] value();
+}
diff --git a/core/src/main/java/com/att/cadi/filter/ServletImpl.java b/core/src/main/java/com/att/cadi/filter/ServletImpl.java
new file mode 100644
index 0000000..3db6d4e
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/filter/ServletImpl.java
@@ -0,0 +1,56 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+/**
+ * RolesAllowed 
+ * 
+ * 
+ * Similar to Java EE's Spec from Annotations 1.1, 2.8
+ * 
+ * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined
+ * sense of permissions hierarchy.  The same mechanism, however, can easily be achieved on single Servlet/Handlers in
+ * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation
+ * 
+ */
+package com.att.cadi.filter;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.servlet.Servlet;
+
+/**
+ * 
+ */
+@Target({TYPE})
+@Retention(RUNTIME)
+public @interface ServletImpl {
+	/**
+	 * Security role of the implementation, which doesn't have to be an EJB or CORBA like object.  Can be just a
+	 * Handler
+	 * @return
+	 */
+	Class<? extends Servlet> value();
+}
diff --git a/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
new file mode 100644
index 0000000..03a7961
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.GetCred;
+import com.att.cadi.Symm;
+
+public class ConfigPrincipal implements Principal, GetCred {
+	private String name;
+	private byte[] cred;
+	private String content;
+
+	public ConfigPrincipal(String name, String passwd) {
+		this.name = name;
+		this.cred = passwd.getBytes();
+		content = null;
+	}
+
+	public ConfigPrincipal(String name, byte[] cred) {
+		this.name = name;
+		this.cred = cred;
+		content = null;
+	}
+
+	public String getName() {
+		return name;
+	}
+	
+	public byte[] getCred() {
+		return cred;
+	}
+
+	public String toString() {
+		return name;
+	}
+	
+	public String getAsBasicAuthHeader() throws IOException {
+		if(content ==null) {
+			String s = name + ':' + new String(cred);
+			content = "Basic " + Symm.base64.encode(s);  
+		} else if(!content.startsWith("Basic ")) { // content is the saved password from construction
+			String s = name + ':' + content;
+			content = "Basic " + Symm.base64.encode(s);  
+		}
+		return content;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/lur/EpiLur.java b/core/src/main/java/com/att/cadi/lur/EpiLur.java
new file mode 100644
index 0000000..de6c057
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/EpiLur.java
@@ -0,0 +1,168 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.security.Principal;
+import java.util.List;
+
+import com.att.cadi.CachingLur;
+import com.att.cadi.CadiException;
+import com.att.cadi.CredVal;
+import com.att.cadi.Lur;
+import com.att.cadi.Permission;
+
+/**
+ * EpiLUR
+ * 
+ * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed.
+ * 
+ * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of 
+ * LURs that will be accomplished.
+ * 
+ * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have
+ * different Caching requirements.  For instance, the Local User Repo (with stand alone names), never expire, but might be
+ * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals 
+ * 
+ *
+ */
+public final class EpiLur implements Lur {
+	private final Lur[] lurs;
+	
+	/**
+	 * EpiLur constructor
+	 * 
+	 * Construct the EpiLur from variable TAF parameters
+	 * @param lurs
+	 * @throws CadiException
+	 */
+	public EpiLur(Lur ... lurs) throws CadiException{
+		this.lurs = lurs;
+		if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor");
+	}
+
+	public boolean fish(Principal bait, Permission pond) {
+		if(pond==null) {
+			return false;
+		}
+		boolean rv = false;
+		Lur lur;
+		for(int i=0;!rv && i<lurs.length;++i) {
+			rv = (lur = lurs[i]).fish(bait, pond);
+			if(!rv && lur.handlesExclusively(pond)) break;
+		}
+		return rv;
+	}
+
+	public void fishAll(Principal bait, List<Permission> permissions) {
+		for(Lur lur : lurs) {
+			lur.fishAll(bait, permissions);
+		}
+	}
+
+	public void destroy() {
+		for(Lur lur : lurs) {
+			lur.destroy();
+		}
+	}
+
+	/**
+	 * Return the first Lur (if any) which also implements UserPass 
+	 * @return
+	 */
+	public CredVal getUserPassImpl() {
+		for(Lur lur : lurs) {
+			if(lur instanceof CredVal) {
+				return (CredVal)lur;
+			}
+		}
+		return null;
+	}
+
+	// Never needed... Only EpiLur uses...
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+	
+	/**
+	 * Get Lur for index.  Returns null if out of range
+	 * @param idx
+	 * @return
+	 */
+	public Lur get(int idx) {
+		if(idx>=0 && idx<lurs.length) {
+			return lurs[idx];
+		}
+		return null;
+	}
+
+	public boolean supports(String userName) {
+		for(Lur l : lurs) {
+			if(l.supports(userName))return true;
+		}
+		return false;
+	}
+
+	public void remove(String id) {
+		for(Lur l : lurs) {
+			if(l instanceof CachingLur) {
+				((CachingLur<?>)l).remove(id);
+			}
+		}
+	}
+	
+	public Lur subLur(Class<? extends Lur> cls ) {
+		for(Lur l : lurs) {
+			if(l.getClass().isAssignableFrom(cls)) {
+				return l;
+			}
+		}
+		return null;
+	}
+
+	@Override
+	public Permission createPerm(String p) {
+		return new LocalPermission(p);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+	 */
+	@Override
+	public void clear(Principal p, StringBuilder report) {
+		for(Lur lur : lurs) {
+			lur.clear(p, report);
+		}
+	}
+	
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		for(Lur lur : lurs) {
+			sb.append(lur.getClass().getSimpleName());
+			sb.append(": Report\n");
+			sb.append(lur.toString());
+			sb.append('\n');
+		}
+		return sb.toString();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/lur/LocalLur.java b/core/src/main/java/com/att/cadi/lur/LocalLur.java
new file mode 100644
index 0000000..80b302a
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/LocalLur.java
@@ -0,0 +1,202 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+
+import com.att.cadi.AbsUserCache;
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CredVal;
+import com.att.cadi.Hash;
+import com.att.cadi.Permission;
+import com.att.cadi.StrLur;
+import com.att.cadi.User;
+import com.att.cadi.config.Config;
+
+
+/**
+ * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.
+ * 
+ *
+ */
+public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
+	public static final String SEMI = "\\s*;\\s*";
+	public static final String COLON = "\\s*:\\s*";
+	public static final String COMMA = "\\s*,\\s*";
+	public static final String PERCENT = "\\s*%\\s*";
+	
+	// Use to quickly determine whether any given group is supported by this LUR
+	private final Set<String> supportingGroups;
+	private String supportedRealm; 
+	
+	/**
+	 * Construct by building structure, see "build"
+	 * 
+	 * Reconstruct with "build"
+	 * 
+	 * @param userProperty
+	 * @param groupProperty
+	 * @param decryptor
+	 * @throws IOException
+	 */
+	public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
+		super(access, 0, 0, Integer.MAX_VALUE);  // data doesn't expire
+		supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
+		supportingGroups = new TreeSet<String>();
+		
+		if(userProperty!=null) {
+			// For each User name...
+			for(String user : userProperty.trim().split(SEMI)) {
+				String[] us = user.split(COLON,2);
+				String[] userpass = us[0].split(PERCENT,2);
+				String u;
+				User<LocalPermission> usr;
+				if(userpass.length>1) {
+					if(userpass.length>0 && userpass[0].indexOf('@')<0) {
+						userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
+					}
+
+					u = userpass[0];
+					byte[] pass = access.decrypt(userpass[1], true).getBytes();
+					usr = new User<LocalPermission>(new ConfigPrincipal(u, pass));
+				} else {
+					u = us[0];
+					usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null));
+				}
+				addUser(usr);
+				access.log(Level.INIT, "Local User:",usr.principal);
+				
+				if(us.length>1) {
+					Map<String, Permission> newMap = usr.newMap();
+					for(String group : us[1].split(COMMA)) {
+						supportingGroups.add(group);
+						usr.add(newMap,new LocalPermission(group));
+					}
+					usr.setMap(newMap);
+				}
+			}
+		}
+		if(groupProperty!=null) {
+			// For each Group name...
+			for(String group : groupProperty.trim().split(SEMI)) {
+				String[] gs = group.split(COLON,2);
+				if(gs.length>1) {
+					supportingGroups.add(gs[0]);
+					LocalPermission p = new LocalPermission(gs[0]);
+					// Add all users (known by comma separators)	
+					
+					for(String grpMem : gs[1].split(COMMA)) {
+						// look for password, if so, put in passMap
+						String[] userpass = grpMem.split(PERCENT,2);
+						if(userpass.length>0 && userpass[0].indexOf('@')<0) {
+							userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
+						}
+						User<LocalPermission> usr = getUser(userpass[0]);
+						if(userpass.length>1) {
+							byte[] pass = access.decrypt(userpass[1], true).getBytes();
+							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass)));
+							else usr.principal=new ConfigPrincipal(userpass[0],pass);
+						} else {
+							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null)));
+						}
+						usr.add(p);
+						access.log(Level.INIT, "Local User:",usr.principal);
+					}
+				}
+			}
+		}
+	}
+	
+	public boolean validate(String user, CredVal.Type type, byte[] cred) {
+		User<LocalPermission> usr = getUser(user);
+		switch(type) {
+			case PASSWORD:
+				// covers null as well as bad pass
+				if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) {
+					return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred());
+				}
+				break;
+		}
+		return false;
+	}
+
+	//	@Override
+	public boolean fish(Principal bait, Permission pond) {
+		if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
+				User<LocalPermission> user = getUser(bait);
+				return user==null?false:user.contains((LocalPermission)pond);
+			}
+		return false;
+	}
+
+	public boolean fish(String bait, Permission pond) {
+		if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
+			User<LocalPermission> user = getUser(bait);
+			return user==null?false:user.contains((LocalPermission)pond);
+		}
+		return false;
+	}
+
+	// We do not want to expose the actual Group, so make a copy.
+	public void fishAll(Principal bait, List<Permission> perms) {
+		if(supports(bait.getName())) {
+			User<LocalPermission> user = getUser(bait);
+			if(user!=null) {
+				user.copyPermsTo(perms);
+			}
+		}
+	}
+
+	public void fishAll(String bait, List<Permission> perms) {
+		if(supports(bait)) {
+			User<LocalPermission> user = getUser(bait);
+			if(user!=null) {
+				user.copyPermsTo(perms);
+			}
+		}
+	}
+
+	public boolean supports(String userName) {
+		return userName!=null && userName.endsWith(supportedRealm);
+	}
+
+	public boolean handlesExclusively(Permission pond) {
+		return supportingGroups.contains(pond.getKey());
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
+	 */
+	@Override
+	public Permission createPerm(String p) {
+		return new LocalPermission(p);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/lur/LocalPermission.java b/core/src/main/java/com/att/cadi/lur/LocalPermission.java
new file mode 100644
index 0000000..8fdaec2
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/LocalPermission.java
@@ -0,0 +1,52 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import com.att.cadi.Permission;
+
+public class LocalPermission implements Permission {
+	private String key;
+	
+	public LocalPermission(String role) {
+		this.key = role;
+	}
+	
+	public String getKey() {
+		return key;
+	}
+
+	public String toString() {
+		return key;
+	}
+
+	public boolean match(Permission p) {
+		return key.equals(p.getKey());
+	}
+
+	public String permType() {
+		return "LOCAL";
+	}
+	
+	
+}
diff --git a/core/src/main/java/com/att/cadi/lur/NullLur.java b/core/src/main/java/com/att/cadi/lur/NullLur.java
new file mode 100644
index 0000000..91fb7bb
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/lur/NullLur.java
@@ -0,0 +1,89 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur;
+
+import java.security.Principal;
+import java.util.List;
+
+import com.att.cadi.Lur;
+import com.att.cadi.Permission;
+
+public class NullLur implements Lur {
+	private static final Permission NULL = new Permission() {
+		@Override
+		public String permType() {
+			return "";
+		}
+
+		@Override
+		public String getKey() {
+			return "";
+		}
+
+		@Override
+		public boolean match(Permission p) {
+			return false;
+		}};
+
+	public boolean fish(Principal bait, Permission pond) {
+		// Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
+//		System.err.println("CADI's LUR has not been configured, but is still being called.  Access is being denied");
+		return false;
+	}
+
+	public void fishAll(Principal bait,	List<Permission> permissions) {
+	}
+
+	public void destroy() {
+	}
+
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+
+	public boolean supports(String userName) {
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
+	 */
+	@Override
+	public Permission createPerm(String p) {
+		return NULL;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+	 */
+	@Override
+	public void clear(Principal p, StringBuilder report) {
+		report.append(NullLur.class.getSimpleName());
+		report.append('\n');
+	}
+	
+	public String toString() {
+		return NullLur.class.getSimpleName() + '\n';
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/principal/BasicPrincipal.java b/core/src/main/java/com/att/cadi/principal/BasicPrincipal.java
new file mode 100644
index 0000000..58f7d71
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/BasicPrincipal.java
@@ -0,0 +1,118 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Date;
+
+import com.att.cadi.BasicCred;
+import com.att.cadi.GetCred;
+import com.att.cadi.Symm;
+
+public class BasicPrincipal extends BearerPrincipal implements GetCred {
+	private static byte[] basic = "Basic ".getBytes();
+
+	private String name = null;
+	private String shortName = null;
+	private byte[] cred = null;
+	
+	private long created;
+
+	public BasicPrincipal(String content,String domain) throws IOException {
+		created = System.currentTimeMillis();
+		ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
+		// Read past "Basic ", ensuring it starts with it.
+		for(int i=0;i<basic.length;++i) {
+			if(bis.read()!=basic[i]) {
+				name=content;
+				cred = null;
+				return;
+			}
+		}
+		BasicOS bos = new BasicOS(content.length());
+		Symm.base64.decode(bis,bos); // note: writes directly to name until ':'
+		if(name==null) throw new IOException("Invalid Coding");
+		else cred = bos.toCred();
+		int at;
+		if((at=name.indexOf('@'))>0) {
+			domain=name.substring(at+1);
+			shortName=name.substring(0, at);
+		} else {
+			shortName = name;
+			name = name + '@' + domain;
+		}
+	}
+	
+	public BasicPrincipal(BasicCred bc, String domain) {
+		name = bc.getUser();
+		cred = bc.getCred();
+	}
+
+	private class BasicOS extends OutputStream {
+		private boolean first = true;
+		private ByteArrayOutputStream baos;
+		
+		public BasicOS(int size) {
+			baos = new ByteArrayOutputStream(size);
+		}
+
+		@Override
+		public void write(int b) throws IOException {
+			if(b==':' && first) {
+				first = false;
+				name = new String(baos.toByteArray());
+				baos.reset(); // 
+			} else {
+				baos.write(b);
+			}
+		}
+		
+		private byte[] toCred() {
+			return baos.toByteArray();
+		}
+	}
+	
+	public String getName() {
+		return name;
+	}
+	
+	public String getShortName() {
+		return shortName;
+	}
+	
+	public byte[] getCred() {
+		return cred;
+	}
+	
+	public long created() {
+		return created;
+	}
+
+	public String toString() {
+		return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/principal/BearerPrincipal.java b/core/src/main/java/com/att/cadi/principal/BearerPrincipal.java
new file mode 100644
index 0000000..11bc22a
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/BearerPrincipal.java
@@ -0,0 +1,37 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.security.Principal;
+
+public abstract class BearerPrincipal implements Principal {
+	private String bearer = null;
+	public BearerPrincipal setBearer(String bearer) {
+		this.bearer = bearer;
+		return this;
+	}
+	public String getBearer() {
+		return bearer;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java b/core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java
new file mode 100644
index 0000000..36c75b8
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.security.Principal;
+
+/**
+ * Indicate a CSP Principal that is trusted as a CSPPrincipal.  
+ *
+ */
+public interface CSPPrincipal_T extends Principal {
+
+}
diff --git a/core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java b/core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java
new file mode 100644
index 0000000..37c6a83
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java
@@ -0,0 +1,66 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.io.IOException;
+
+import com.att.cadi.BasicCred;
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.taf.HttpTaf;
+
+/**
+ * Cached Principals need to be able to revalidate in the Background
+ * 
+ *
+ */
+public class CachedBasicPrincipal extends BasicPrincipal implements CachedPrincipal {
+	private final HttpTaf creator;
+	private long timeToLive;
+	private long expires;
+
+	public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) {
+		super(bc, domain);
+		this.creator = creator;
+		this.timeToLive = timeToLive;
+		expires = System.currentTimeMillis()+timeToLive;
+	}
+	
+	public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException {
+		super(content, domain);
+		this.creator = creator;
+		this.timeToLive = timeToLive;
+		expires = System.currentTimeMillis()+timeToLive;
+	}
+
+	public CachedPrincipal.Resp revalidate() {
+		Resp resp = creator.revalidate(this);
+		if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive;
+		return resp;
+	}
+
+	public long expires() {
+		return expires;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java b/core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java
new file mode 100644
index 0000000..aa610d3
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java
@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+public class TGuardPrincipal extends BearerPrincipal {
+
+	private String name, tresp;
+
+	public TGuardPrincipal(String tresp) {
+		this.tresp=tresp;
+	}
+
+	/**
+	 * TODO Need to figure out what Organizations TGuard entities should be part of.  
+	 * 
+	 */
+	public String getName() {
+		if(name==null) {
+			String temp = get("iv-user");
+			if(temp==null)return null;
+			StringBuilder sb = new StringBuilder();
+			int at = temp.indexOf('@');
+			if(at<0) {
+				sb.append(temp);
+			} else {
+				sb.append(temp.substring(0, at));
+			}
+			if(temp.endsWith("@uverse.com"))sb.append("@uverse.tguard.att.com");
+			else if(temp.endsWith("@att.com"))sb.append("@com.tguard.att.com");
+			else if(temp.endsWith("@att.net"))sb.append("@net.tguard.att.com");
+			else sb.append("@tguard.att.com");
+			name = sb.toString();
+		}
+		return name;
+	}
+
+	/**
+	 * Get a value from a named TGuard Property
+	 * 
+	 * TGuard response info is very dynamic.  They can add new properties at any time, so we dare not code field names for these values.
+	 * @param key
+	 * @return
+	 */
+	public String get(String key) {
+		if(key==null)return null;
+		int idx=0,equal=0,amp=0;
+		while(idx>=0 && (equal = tresp.indexOf('=',idx))>=0) {
+			amp = tresp.indexOf('&',equal);
+			if(key.regionMatches(0, tresp, idx, equal-idx)) {
+				return amp>=0?tresp.substring(equal+1, amp):tresp.substring(equal+1); 
+			}
+			idx=amp+(amp>0?1:0);
+		}
+		return null;
+	}
+
+	public String info() {
+		return tresp;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java b/core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java
new file mode 100644
index 0000000..97907ac
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.security.Principal;
+
+/**
+ * Indicate a TGuard Principal that is trusted as a TGuardPrincipal.  
+ *
+ */
+public interface TGuardPrincipal_T extends Principal {
+
+}
diff --git a/core/src/main/java/com/att/cadi/principal/TrustPrincipal.java b/core/src/main/java/com/att/cadi/principal/TrustPrincipal.java
new file mode 100644
index 0000000..67b76c6
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/TrustPrincipal.java
@@ -0,0 +1,68 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.security.Principal;
+
+import com.att.cadi.UserChain;
+
+public class TrustPrincipal extends BearerPrincipal implements UserChain {
+	private final String name;
+	private final Principal original;
+	private String userChain;
+	
+	public TrustPrincipal(final Principal actual, final String asName) {
+		this.original = actual;
+		name = asName.trim();
+		if(actual instanceof UserChain) {
+			UserChain uc = (UserChain)actual;
+			userChain = uc.userChain();
+		} else if(actual instanceof X509Principal) {
+			userChain="x509";
+		} else if(actual instanceof BasicPrincipal) {
+			userChain="BAth";
+		} else {
+			userChain = actual.getClass().getSimpleName();
+		}
+	}
+	
+	@Override
+	public String getName() {
+		return name;
+	}
+	
+	public String getOrigName() {
+		return original.getName() + '[' + userChain + ']';
+	}
+
+	@Override
+	public String userChain() {
+		return userChain;
+	}
+	
+	public Principal original() {
+		return original;
+	}
+	
+}
diff --git a/core/src/main/java/com/att/cadi/principal/X509Principal.java b/core/src/main/java/com/att/cadi/principal/X509Principal.java
new file mode 100644
index 0000000..8e17033
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/principal/X509Principal.java
@@ -0,0 +1,93 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.principal;
+
+import java.io.IOException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.regex.Pattern;
+
+import com.att.cadi.GetCred;
+
+public class X509Principal extends BearerPrincipal implements GetCred {
+	private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
+	private byte[] content;  
+	private X509Certificate cert;
+	private String name;
+
+	public X509Principal(String identity, X509Certificate cert, byte[] content) {
+		name = identity;
+		this.content = content;
+		this.cert = cert;
+	}
+	
+	public X509Principal(X509Certificate cert, byte[] content) throws IOException {
+		this.content=content;
+		this.cert = cert;
+		String subj = cert.getSubjectDN().getName();
+		int cn = subj.indexOf("OU=");
+		if(cn>=0) {
+			cn+=3;
+			int space = subj.indexOf(',',cn);
+			if(space>=0) {
+				String id = subj.substring(cn, space);
+				if(pattern.matcher(id).matches()) {
+					name = id;
+				}
+			}
+		}
+		if(name==null)
+			throw new IOException("X509 does not have Identity as CN");
+		
+	}
+	
+	
+	public String getAsHeader() throws IOException {
+		try {
+			if(content==null) 
+				content=cert.getEncoded();
+		} catch (CertificateEncodingException e) {
+			throw new IOException(e);
+		}
+		return "X509 " + content;
+	}
+	
+	public String toString() {
+		return "X509 Authentication for " + name;
+	}
+
+
+	public byte[] getCred() {
+		try {
+			return content==null?(content=cert.getEncoded()):content;
+		} catch (CertificateEncodingException e) {
+			return null;
+		}
+	}
+
+
+	public String getName() {
+		return name;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/AbsTafResp.java b/core/src/main/java/com/att/cadi/taf/AbsTafResp.java
new file mode 100644
index 0000000..94d2e5d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/AbsTafResp.java
@@ -0,0 +1,117 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.security.Principal;
+
+import com.att.cadi.Access;
+
+/**
+ * AbsTafResp
+ * 
+ * Base class for TafResp (TAF Response Objects)
+ *
+ */
+public abstract class AbsTafResp implements TafResp {
+
+	protected final String desc;
+	protected final Principal principal;
+	protected final Access access;
+
+	/**
+	 * AbsTafResp
+	 * 
+	 * Set and hold
+	 * Description (for logging)
+	 * Principal (as created by derived class)
+	 * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
+	 *  
+	 * @param access
+	 * @param principal
+	 * @param description
+	 */
+	public AbsTafResp(Access access, Principal principal, String description) {
+		this.access = access;
+		this.principal = principal;
+		this.desc = description;
+	}
+
+	/**
+	 * isValid()
+	 * 
+	 * Respond in the affirmative if the TAF was able to Authenticate
+	 */
+	public boolean isValid() {
+		return principal!=null;
+	}
+
+	/**
+	 * desc()
+	 * 
+	 * Respond with description of response as given by the TAF  
+	 */
+	public String desc() {
+		return desc;
+	}
+
+	/**
+	 * isAuthenticated()
+	 * 
+	 * Respond with the TAF's code of whether Authenticated, or suggested next steps
+	 * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF.  The TAF can overload
+	 * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
+	 * is some sort of security breach (i.e. Denial of Service)  
+	 */
+	public RESP isAuthenticated() {
+		return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
+	}
+
+	/**
+	 * getPrincipal()
+	 * 
+	 * Return the principal created by the TAF based on Authentication. 
+	 * 
+	 * Returns "null" if Authentication failed (no principal)
+	 */
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+	/**
+	 * getAccess()
+	 * 
+	 * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
+	 */
+	public Access getAccess() {
+		return access;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.taf.TafResp#isFailedAttempt()
+	 */
+	public boolean isFailedAttempt() {
+		return false;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/taf/EpiTaf.java b/core/src/main/java/com/att/cadi/taf/EpiTaf.java
new file mode 100644
index 0000000..d3f5493
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/EpiTaf.java
@@ -0,0 +1,85 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import com.att.cadi.CadiException;
+import com.att.cadi.Taf;
+
+/**
+ * EpiTAF
+ * 
+ * Short for "Epic TAF". Be able to run through a series of TAFs to obtain the validation needed.
+ * 
+ * OK, the name could probably be better as "Tafs", like it was originally, but the pun was too
+ * irresistible for this author to pass up.
+ * 
+ *
+ */
+public class EpiTaf implements Taf {
+	private Taf[] tafs;
+	
+	/**
+	 * EpiTaf constructor
+	 * 
+	 * Construct the EpiTaf from variable TAF parameters
+	 * @param tafs
+	 * @throws CadiException
+	 */
+	public EpiTaf(Taf ... tafs) throws CadiException{
+		this.tafs = tafs;
+		if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
+	}
+
+	/**
+	 * validate
+	 * 
+	 * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it 
+	 * a human behind an interface, or a server behind a protocol).
+	 * 
+	 * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
+	 * establish an Authentication conversation (TRY_AUTHENTICATING).
+	 * 
+	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
+	 */
+	public TafResp validate(LifeForm reading, String... info) {
+		TafResp tresp,firstTryAuth=null;
+		for(Taf taf : tafs) {
+			tresp = taf.validate(reading, info);
+			switch(tresp.isAuthenticated()) {
+				case TRY_ANOTHER_TAF:
+					break;
+				case TRY_AUTHENTICATING:
+					if(firstTryAuth==null)firstTryAuth=tresp;
+					break;
+				default:
+					return tresp;
+			}
+		}
+
+		// No TAFs configured, at this point.  It is safer at this point to be "not validated", 
+		// rather than "let it go"
+		return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java b/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
new file mode 100644
index 0000000..7f6d9af
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
@@ -0,0 +1,186 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.CachedPrincipal.Resp;
+import com.att.cadi.CadiException;
+import com.att.cadi.Locator;
+import com.att.cadi.Taf.LifeForm;
+import com.att.cadi.TrustChecker;
+
+/**
+ * HttpEpiTaf
+ * 
+ * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials
+ * 
+ *
+ */
+public class HttpEpiTaf implements HttpTaf {
+	private HttpTaf[] tafs;
+	private Access access;
+	private Locator<URI> locator;
+	private TrustChecker trustChecker;
+	
+	/**
+	 * HttpEpiTaf constructor
+	 * 
+	 * Construct the HttpEpiTaf from variable Http specific TAF parameters
+
+	 * @param tafs
+	 * @throws CadiException
+	 */
+	public HttpEpiTaf(Access access, Locator<URI> locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
+		this.tafs = tafs;
+		this.access = access;
+		this.locator = locator;
+		this.trustChecker = tc;
+		// Establish what Header Property to look for UserChain/Trust Props 
+//		trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);
+
+		if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");
+	}
+
+	/**
+	 * validate
+	 * 
+	 * Respond with the first Http specific TAF to authenticate user based on variable info 
+	 * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
+	 * 
+	 * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
+	 * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
+	 * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm 
+	 * submission
+	 * 
+	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
+	 */
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		// Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
+		if(reading==LifeForm.LFN) {
+			reading = tricorderScan(req);
+		}
+		TafResp tresp=null, firstTry = null;
+		List<Redirectable> redirectables = null;
+		
+		for(HttpTaf taf : tafs) {
+			tresp = taf.validate(reading, req, resp);
+			switch(tresp.isAuthenticated()) {
+				case TRY_ANOTHER_TAF:
+					break; // and loop
+				case TRY_AUTHENTICATING:
+					if(tresp instanceof Redirectable) {
+						if(redirectables==null) {
+							redirectables = new ArrayList<Redirectable>();
+						}
+						redirectables.add((Redirectable)tresp);
+					} else if(firstTry==null) {
+						firstTry = tresp;
+					}
+					break; 
+				case IS_AUTHENTICATED:
+					tresp = trustChecker.mayTrust(tresp, req);
+					return tresp;
+				default:
+					return tresp;
+			}
+		}
+		
+		// If No TAFs configured, at this point.  It is safer at this point to be "not validated", 
+		// rather than "let it go"
+		// Note: if exists, there will always be more than 0 entries, according to above code
+		if(redirectables==null) {
+			return firstTry!=null?firstTry:NullTafResp.singleton();
+		}
+		
+		// If there is one Tryable entry then return it
+		if(redirectables.size()>1) {
+			return LoginPageTafResp.create(access,locator,resp,redirectables);
+		} else {
+			return redirectables.get(0);
+		}
+	}
+	
+	public boolean revalidate(Principal prin) throws Exception {
+		return false;
+	}
+
+	/*
+	 * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
+	 * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical 
+	 * id (SiliconBasedLifeForm)?  This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
+	 */
+	private LifeForm tricorderScan(HttpServletRequest req) {
+		// For simplicity's sake, we'll say Humans use FQDNs, not IPs.
+		
+		String auth = req.getParameter("Authentication");
+		if(auth!=null) {
+			if("BasicAuth".equals(auth)) {
+				return LifeForm.SBLF;
+			}
+		}
+		// Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
+		// If mechanical frameworks are found that populate this, then more advanced analysis may be required
+		//  1/22/2013
+		String agent = req.getHeader("User-Agent");
+		if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
+			return LifeForm.CBLF;                      
+		return LifeForm.SBLF;							// notably skips "curl","wget", (which is desired behavior.  We don't want to try CSP, etc on these)
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		Resp resp;
+		for(HttpTaf taf : tafs) {
+			resp = taf.revalidate(prin);
+			switch(resp) {
+				case NOT_MINE:
+					break;
+				default:
+					return resp;
+			}
+		}
+		return Resp.NOT_MINE;
+	}
+
+	/**
+	 * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
+	 * like Eclipse.
+	 */
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		for(HttpTaf ht : tafs) {
+			sb.append(ht.toString());
+			sb.append(". ");
+		}
+		return sb.toString();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/HttpTaf.java b/core/src/main/java/com/att/cadi/taf/HttpTaf.java
new file mode 100644
index 0000000..4270a81
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/HttpTaf.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.Taf.LifeForm;
+
+/**
+ * A TAF which is in a specific HTTP environment in which the engine implements 
+ * javax Servlet.
+ * 
+ * Using the Http Request and Response interfaces takes the effort out of implementing in almost any kind of
+ * HTTP Container or Engine.
+ *  
+ *
+ */
+public interface HttpTaf {
+	/**
+	 * validate
+	 * 
+	 * Validate the Request, and respond with created TafResp object.
+	 * 
+	 * @param reading
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
+	
+	/**
+	 * Re-Validate Credential
+	 * 
+	 * @param prin
+	 * @return
+	 */
+	public CachedPrincipal.Resp revalidate(CachedPrincipal prin);
+}
diff --git a/core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java b/core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java
new file mode 100644
index 0000000..d9da3fa
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java
@@ -0,0 +1,88 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.Locator;
+import com.att.cadi.Locator.Item;
+
+public class LoginPageTafResp extends AbsTafResp {
+	private final HttpServletResponse httpResp;
+	private final String loginPageURL;
+
+	private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
+		super(access, null, "Multiple Possible HTTP Logins available.  Redirecting to Login Choice Page");
+		httpResp = resp;
+		this.loginPageURL = loginPageURL;
+	}
+
+	@Override
+	public RESP authenticate() throws IOException {
+		httpResp.sendRedirect(loginPageURL);
+		return RESP.HTTP_REDIRECT_INVOKED;
+	}
+	
+	@Override
+	public RESP isAuthenticated() {
+		return RESP.TRY_AUTHENTICATING;
+	}
+	
+	public static TafResp create(Access access, Locator<URI> locator, final HttpServletResponse resp, List<Redirectable> redir) {
+		if(locator!=null) {
+			try {
+				Item item = locator.best();
+				URI uri = locator.get(item);
+				if(uri!=null) {
+					StringBuilder sb = new StringBuilder(uri.toString());
+					String query = uri.getQuery();
+					boolean first = query==null || query.length()==0;
+					int count=0;
+					for(Redirectable t : redir) {
+						if(first) {
+							sb.append('?');
+							first=false;
+						}
+						else sb.append('&');
+						sb.append(t.get());
+						++count;
+					}
+					if(count>0)return new LoginPageTafResp(access, resp, sb.toString());
+				}
+			} catch (Exception e) {
+				access.log(e, "Error deriving Login Page location");
+			}
+		} else if(!redir.isEmpty()) { 
+			access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
+			return redir.get(0);
+		}
+		return NullTafResp.singleton();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/NullTaf.java b/core/src/main/java/com/att/cadi/taf/NullTaf.java
new file mode 100644
index 0000000..ec4a15b
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/NullTaf.java
@@ -0,0 +1,65 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.CachedPrincipal.Resp;
+import com.att.cadi.Taf;
+
+
+/**
+ * This TAF is set at the very beginning of Filters and Valves so that if any configuration issues hit while
+ * starting, the default behavior is to shut down traffic rather than leaving an open hole
+ * 
+ *
+ */
+public class NullTaf implements Taf, HttpTaf {
+	// Singleton Pattern
+	public NullTaf() {}
+
+	/**
+	 * validate 
+	 * 
+	 * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
+	 */
+	public TafResp validate(LifeForm reading, String... info) {
+		return NullTafResp.singleton();
+	}
+
+	/**
+	 * validate 
+	 * 
+	 * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
+	 */
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		return NullTafResp.singleton();
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		return Resp.NOT_MINE;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/NullTafResp.java b/core/src/main/java/com/att/cadi/taf/NullTafResp.java
new file mode 100644
index 0000000..c95b195
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/NullTafResp.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.Access;
+
+/**
+ * A Null Pattern for setting responses to "Deny" before configuration is setup.
+ *
+ */
+class NullTafResp implements TafResp {
+	private NullTafResp(){}
+	
+	private static TafResp singleton = new NullTafResp();
+	
+	public static TafResp singleton() {
+		return singleton;
+	}
+	
+	public boolean isValid() {
+		return false;
+	}
+	
+	public RESP isAuthenticated() {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+	
+	public String desc() {
+		return "All Authentication denied";
+	}
+	
+	public RESP authenticate() throws IOException {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+
+	public Principal getPrincipal() {
+		return null;
+	}
+
+	public Access getAccess() {
+		return Access.NULL;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.taf.TafResp#isFailedAttempt()
+	 */
+	public boolean isFailedAttempt() {
+		return true;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/PuntTafResp.java b/core/src/main/java/com/att/cadi/taf/PuntTafResp.java
new file mode 100644
index 0000000..d9f9b67
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/PuntTafResp.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.Access;
+
+/**
+ * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of
+ * request.  It is always the same object, so there is no cost for memory, etc.
+ *
+ */
+public class PuntTafResp implements TafResp {
+	private PuntTafResp(){}
+	
+	private static TafResp singleton = new PuntTafResp();
+	
+	public static TafResp singleton() {
+		return singleton;
+	}
+	
+	public boolean isValid() {
+		return false;
+	}
+	
+	public RESP isAuthenticated() {
+		return RESP.TRY_ANOTHER_TAF;
+	}
+	
+	public String desc() {
+		return "This Taf can or will not handle this authentication";
+	}
+	
+	public RESP authenticate() throws IOException {
+		return RESP.TRY_ANOTHER_TAF;
+	}
+
+	public Principal getPrincipal() {
+		return null;
+	}
+
+	public Access getAccess() {
+		return NullTafResp.singleton().getAccess();
+	}
+
+	public boolean isFailedAttempt() {
+		return false;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/Redirectable.java b/core/src/main/java/com/att/cadi/taf/Redirectable.java
new file mode 100644
index 0000000..e83e7ce
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/Redirectable.java
@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+public interface Redirectable extends TafResp {
+	/**
+	 * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
+	 * example:
+	 * "Global Login=https://xxxx....."
+	 */
+	public String get();
+}
diff --git a/core/src/main/java/com/att/cadi/taf/TafResp.java b/core/src/main/java/com/att/cadi/taf/TafResp.java
new file mode 100644
index 0000000..3a1a6f4
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/TafResp.java
@@ -0,0 +1,95 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.Access;
+import com.att.cadi.CadiException;
+
+/**
+ * Response from Taf objects, which inform users what has happened and/or what should be done
+ * 
+ *
+ */
+public interface TafResp {
+	public static enum RESP {
+		IS_AUTHENTICATED, 
+		NO_FURTHER_PROCESSING, 
+		TRY_AUTHENTICATING, 
+		TRY_ANOTHER_TAF,
+		FAIL, 
+		// A note was made to avoid the response REDIRECT.  However, I have deemed that it is 
+		// unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP
+		// Service code to exit without modifying the Response any further.
+		// Therefore, I have changed this to indicate what HAS happened, with should accommodate 
+		// both positions.  JG 10/18/2012
+//		public static final int HTTP_REDIRECT_INVOKED = 11;
+		HTTP_REDIRECT_INVOKED,
+		HAS_PROCESSED};
+	
+	/**
+	 * Basic success check
+	 * @return
+	 */
+	public boolean isValid();
+	
+	/**
+	 *  String description of what has occurred (for logging/exceptions)
+	 * @return
+	 */
+	public String desc();
+	
+	/**
+	 * Check Response
+	 * @return
+	 */
+	public RESP isAuthenticated();
+
+	/**
+	 * Authenticate, returning FAIL or Other Valid indication
+	 * 
+	 * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately.
+	 * @return
+	 * @throws CadiException 
+	 */
+	public RESP authenticate() throws IOException;
+
+	/**
+	 * Once authenticated, this object should hold a Principal created from the authorization
+	 * @return
+	 */
+	public Principal getPrincipal();
+
+	/**
+	 * get the Access object which created this object, allowing the responder to appropriate Log, etc
+	 */
+	public Access getAccess();
+	
+	/**
+	 * Be able to check if part of a Failed attempt
+	 */
+	public boolean isFailedAttempt();
+}
diff --git a/core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java b/core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java
new file mode 100644
index 0000000..127450c
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java
@@ -0,0 +1,78 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.Access;
+
+public class TrustNotTafResp implements TafResp {
+	private final TafResp delegate;
+	private final String desc;
+	
+	public TrustNotTafResp(final TafResp delegate, final String desc) {
+		this.delegate = delegate;
+		this.desc = desc;
+	}
+	
+	@Override
+	public boolean isValid() {
+		return false;
+	}
+
+	@Override
+	public String desc() {
+		return desc;
+	}
+
+	@Override
+	public RESP isAuthenticated() {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+
+	@Override
+	public RESP authenticate() throws IOException {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+
+	@Override
+	public Principal getPrincipal() {
+		return delegate.getPrincipal();
+	}
+
+	@Override
+	public Access getAccess() {
+		return delegate.getAccess();
+	}
+
+	@Override
+	public boolean isFailedAttempt() {
+		return true;
+	}
+	
+	public String toString() {
+		return desc();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/TrustTafResp.java b/core/src/main/java/com/att/cadi/taf/TrustTafResp.java
new file mode 100644
index 0000000..27c6034
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/TrustTafResp.java
@@ -0,0 +1,80 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.Access;
+
+public class TrustTafResp implements TafResp {
+	private final TafResp delegate;
+	private final Principal principal;
+	private final String desc;
+	
+	public TrustTafResp(final TafResp delegate, final Principal principal, final String desc) {
+		this.delegate = delegate;
+		this.principal = principal;
+		this.desc = desc + ' ' + delegate.desc();
+	}
+	
+	@Override
+	public boolean isValid() {
+		return delegate.isValid();
+	}
+
+	@Override
+	public String desc() {
+		return desc;
+	}
+
+	@Override
+	public RESP isAuthenticated() {
+		return delegate.isAuthenticated();
+	}
+
+	@Override
+	public RESP authenticate() throws IOException {
+		return delegate.authenticate();
+	}
+
+	@Override
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+	@Override
+	public Access getAccess() {
+		return delegate.getAccess();
+	}
+
+	@Override
+	public boolean isFailedAttempt() {
+		return delegate.isFailedAttempt();
+	}
+	
+	public String toString() {
+		return principal.getName() + " by trust of " + desc();
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java b/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java
new file mode 100644
index 0000000..672c463
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java
@@ -0,0 +1,160 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.basic;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.BasicCred;
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.CachedPrincipal.Resp;
+import com.att.cadi.CredVal;
+import com.att.cadi.CredVal.Type;
+import com.att.cadi.Taf;
+import com.att.cadi.principal.BasicPrincipal;
+import com.att.cadi.principal.CachedBasicPrincipal;
+import com.att.cadi.taf.HttpTaf;
+import com.att.cadi.taf.TafResp;
+import com.att.cadi.taf.TafResp.RESP;
+import com.att.cadi.taf.dos.DenialOfServiceTaf;
+
+/**
+ * BasicHttpTaf
+ * 
+ * This TAF implements the "Basic Auth" protocol.  
+ * 
+ * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.  
+ * This is because the expectation, when designed years ago, was that it would only be used in 
+ * conjunction with SSL (https).  It is common, however, for users to ignore this on the assumption that
+ * their internal network is secure, or just ignorance.  Therefore, a WARNING will be printed
+ * when the HTTP Channel is not encrypted (unless explicitly turned off).
+ * 
+ *
+ */
+public class BasicHttpTaf implements HttpTaf {
+	private Access access;
+	private String realm;
+	private CredVal rbac;
+	private boolean warn;
+	private long timeToLive;
+	
+	public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {
+		this.access = access;
+		this.realm = realm;
+		this.rbac = rbac;
+		this.warn = turnOnWarning;
+		this.timeToLive = timeToLive;
+	}
+
+	/**
+	 * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.  
+	 * @see Taf
+	 */
+	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		// See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately
+		if(req instanceof BasicCred) {
+			BasicCred bc = (BasicCred)req;
+			if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null
+				if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {
+					return DenialOfServiceTaf.respDenyID(access,bc.getUser());
+				}
+				CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
+				// ONLY FOR Last Ditch DEBUGGING... 
+				// access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
+				if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred())) {
+					return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
+				} else {
+					//TODO may need timed retries in a given time period
+					return new BasicHttpTafResp(access,null,buildMsg(bp,req,"User/Pass combo invalid for ",bc.getUser()), 
+							RESP.TRY_AUTHENTICATING,resp,realm,true);
+				}
+			}
+		}
+		// Get User/Password from Authorization Header value
+		String authz = req.getHeader("Authorization");
+		if(authz != null && authz.startsWith("Basic ")) {
+			if(warn&&!req.isSecure()) {
+				access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
+			}
+			try {
+				CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
+				if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
+					return DenialOfServiceTaf.respDenyID(access,ba.getName());
+				}
+
+				// ONLY FOR Last Ditch DEBUGGING... 
+				// access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
+				if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())) {
+					return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
+				} else {
+					//TODO may need timed retries in a given time period
+					return new BasicHttpTafResp(access,null,buildMsg(ba,req,"User/Pass combo invalid"), 
+							RESP.TRY_AUTHENTICATING,resp,realm,true);
+				}
+			} catch (IOException e) {
+				String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
+				access.log(Level.INFO,msg);
+				return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
+			}
+		}
+		return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
+	}
+	
+	protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
+		StringBuilder sb = new StringBuilder();
+		for(Object s : msg) {
+			sb.append(s.toString());
+		}
+		if(pr!=null) {
+			sb.append(" for ");
+			sb.append(pr.getName());
+		}
+		sb.append(" from ");
+		sb.append(req.getRemoteAddr());
+		sb.append(':');
+		sb.append(req.getRemotePort());
+		return sb.toString();
+	}
+
+	@Override
+	public Resp revalidate(CachedPrincipal prin) {
+		if(prin instanceof BasicPrincipal) {
+			BasicPrincipal ba = (BasicPrincipal)prin;
+			if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
+				return Resp.UNVALIDATED;
+			}
+			return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())?Resp.REVALIDATED:Resp.UNVALIDATED;
+		}
+		return Resp.NOT_MINE;
+	}
+	
+	public String toString() {
+		return "Basic Auth enabled on realm: " + realm;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java b/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java
new file mode 100644
index 0000000..c768587
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.basic;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.taf.AbsTafResp;
+import com.att.cadi.taf.TafResp;
+
+public class BasicHttpTafResp extends AbsTafResp implements TafResp {
+	private HttpServletResponse httpResp;
+	private String realm;
+	private RESP status;
+	private final boolean wasFailed;
+	
+	public BasicHttpTafResp(Access access, Principal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
+		super(access,principal, description);
+		httpResp = resp;
+		this.realm = realm;
+		this.status = status;
+		this.wasFailed = wasFailed;
+	}
+
+	public RESP authenticate() throws IOException {
+		httpResp.setStatus(401); // Unauthorized	
+		httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"');
+		return RESP.HTTP_REDIRECT_INVOKED;
+	}
+
+	public RESP isAuthenticated() {
+		return status;
+	}
+
+	public boolean isFailedAttempt() {
+		return wasFailed;
+	}
+
+
+}
diff --git a/core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java b/core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java
new file mode 100644
index 0000000..6e46481
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.cert;
+
+import java.security.Principal;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface CertIdentity {
+	/**
+	 * identity from X509Certificate Object and/or certBytes
+	 * 
+	 * If you have both, include them.  If you only have one, leave the other null, and it will be generated if needed
+	 * 
+	 * The Request is there to obtain Header or Attribute info of ultimate user
+	 * 
+	 * @param req
+	 * @param cert
+	 * @param certBytes
+	 * @return
+	 * @throws CertificateException 
+	 */
+	public Principal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException;
+}
diff --git a/core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java b/core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java
new file mode 100644
index 0000000..3435d52
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java
@@ -0,0 +1,53 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.cert;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import com.att.cadi.Access;
+import com.att.cadi.taf.AbsTafResp;
+import com.att.cadi.taf.TafResp;
+
+public class X509HttpTafResp extends AbsTafResp implements TafResp {
+	private RESP status;
+	
+	public X509HttpTafResp(Access access, Principal principal, String description, RESP status) {
+		super(access, principal, description);
+ 		this.status = status;
+	}
+
+	public RESP authenticate() throws IOException {
+		return RESP.TRY_ANOTHER_TAF;
+	}
+
+	public RESP isAuthenticated() {
+		return status;
+	}
+
+	public String toString() {
+		return status.name();
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/taf/cert/X509Taf.java b/core/src/main/java/com/att/cadi/taf/cert/X509Taf.java
new file mode 100644
index 0000000..cb93046
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/cert/X509Taf.java
@@ -0,0 +1,258 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.Signature;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+
+import javax.net.ssl.TrustManagerFactory;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.CachedPrincipal.Resp;
+import com.att.cadi.CadiException;
+import com.att.cadi.Lur;
+import com.att.cadi.Symm;
+import com.att.cadi.Taf.LifeForm;
+import com.att.cadi.config.Config;
+import com.att.cadi.config.SecurityInfoC;
+import com.att.cadi.config.SecurityInfo;
+import com.att.cadi.lur.LocalPermission;
+import com.att.cadi.principal.TGuardPrincipal;
+import com.att.cadi.principal.X509Principal;
+import com.att.cadi.taf.HttpTaf;
+import com.att.cadi.taf.TafResp;
+import com.att.cadi.taf.TafResp.RESP;
+import com.att.cadi.util.Split;
+
+public class X509Taf implements HttpTaf {
+	
+	public static final CertificateFactory certFactory;
+	public static final MessageDigest messageDigest;
+	public static final TrustManagerFactory tmf;
+	private Access access;
+	private CertIdentity[] certIdents;
+	private Lur lur;
+	private ArrayList<String> cadiIssuers;
+	private String env;
+	private SecurityInfo si;
+
+	static {
+		try {
+			certFactory = CertificateFactory.getInstance("X.509");
+			messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
+			tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
+		} catch (Exception e) {
+			throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
+		}
+	}
+	
+	public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException {
+		this.access = access;
+		env = access.getProperty(Config.AAF_ENV,null);
+		if(env==null) {
+			throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
+		}
+		this.lur = lur;
+		this.cadiIssuers = new ArrayList<String>();
+		for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "CN=ATT CADI Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT CADI Issuing CA 02, OU=CSO, O=ATT, C=US").split(":")) {
+			cadiIssuers.add(ci);
+		}
+		try {
+			Class<?> dci = access.classLoader().loadClass("com.att.authz.cadi.DirectCertIdentity");
+			CertIdentity temp[] = new CertIdentity[cis.length+1];
+			System.arraycopy(cis, 0, temp, 1, cis.length);
+			temp[0] = (CertIdentity) dci.newInstance();
+			certIdents=temp;
+		} catch (Exception e) {
+			certIdents = cis;
+		}
+		
+		try {
+			si = new SecurityInfo(access);
+		} catch (GeneralSecurityException | IOException e1) {
+			throw new CadiException(e1);
+		}
+	}
+
+	public static final X509Certificate getCert(byte[] certBytes) throws CertificateException {
+		ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
+		return (X509Certificate)certFactory.generateCertificate(bais);
+	}
+
+	public static final byte[] getFingerPrint(byte[] ba) {
+		MessageDigest md;
+		try {
+			md = (MessageDigest)messageDigest.clone();
+		} catch (CloneNotSupportedException e) {
+			// should never get here
+			return new byte[0];
+		}
+		md.update(ba);
+		return md.digest();
+	}
+
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		// Check for Mutual SSL
+		try {
+			X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
+			if(certarr!=null && certarr.length>0) {
+				si.checkClientTrusted(certarr);
+				// Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
+				if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) {
+					String x500 = certarr[0].getSubjectDN().getName();
+					int ou=x500.indexOf("OU=");
+					if(ou>0) {
+						ou+=3;
+						int comma = x500.indexOf(',',ou);
+						if(comma>0) {
+							String id= x500.substring(ou,comma);
+							String idenv[] = id.split(":");
+							if(idenv.length==1 || (idenv.length>1 && env.equals(idenv[1]))) {
+								return new X509HttpTafResp(access, 
+									new X509Principal(idenv[0], certarr[0],null), 
+										id + " validated by CADI x509", RESP.IS_AUTHENTICATED);
+							}
+						}
+					}
+				}
+			}
+
+			byte[] array = null;
+			byte[] certBytes = null;
+			X509Certificate cert=null;
+			String responseText=null;
+			String authHeader = req.getHeader("Authorization");
+
+			if(certarr!=null) {  // If cert !=null, Cert is Tested by Mutual Protocol.
+				if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity
+					return new X509HttpTafResp(access, null, "Certificate verified, but another Identity is presented", RESP.TRY_ANOTHER_TAF);
+				}
+				cert = certarr[0];
+				responseText = ", validated by Mutual SSL Protocol";
+			} else {		 // If cert == null, Get Declared Cert (in header), but validate by having them sign something
+				if(authHeader != null && authHeader.startsWith("x509 ")) {
+					ByteArrayOutputStream baos = new ByteArrayOutputStream(authHeader.length());
+					try {
+						array = authHeader.getBytes();
+						ByteArrayInputStream bais = new ByteArrayInputStream(array);
+						Symm.base64noSplit.decode(bais, baos, 5);
+						certBytes = baos.toByteArray();
+						cert = getCert(certBytes);
+						
+						/** 
+						 * Identity from CERT if well know CA and specific encoded information
+						 */
+						// If found Identity doesn't work, try SignedStuff Protocol
+//									cert.checkValidity();
+//									cert.--- GET FINGERPRINT?
+						String stuff = req.getHeader("Signature");
+						if(stuff==null) 
+							return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF);
+						String data = req.getHeader("Data"); 
+//									if(data==null) 
+//										return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF);
+
+						// Note: Data Pos shows is "<signatureType> <data>"
+//									int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm
+						// Get Signature 
+						bais = new ByteArrayInputStream(stuff.getBytes());
+						baos = new ByteArrayOutputStream(stuff.length());
+						Symm.base64noSplit.decode(bais, baos);
+						array = baos.toByteArray();
+//									Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature
+						
+						Signature sig = Signature.getInstance(cert.getSigAlgName()); 
+						sig.initVerify(cert.getPublicKey());
+						sig.update(data.getBytes());
+						if(!sig.verify(array)) {
+							access.log(Level.ERROR, "Signature doesn't Match");
+							return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
+						}
+						responseText = ", validated by Signed Data";
+					} catch (Exception e) {
+						access.log(e, "Exception while validating Cert");
+						return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
+					}
+					
+				} else {
+					return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF);
+				}
+			}
+
+			// A cert has been found, match Identify
+			Principal prin=null;
+			
+			for(int i=0;prin==null && i<certIdents.length;++i) {
+				if((prin=certIdents[i].identity(req, cert, certBytes))!=null) {
+					responseText = prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText;
+//					xresp = new X509HttpTafResp(
+//								access,
+//								prin,
+//								prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText,
+//								RESP.IS_AUTHENTICATED);
+					
+				}
+			}
+
+			// if Principal is found, check for "AS_USER" and whether this entity is trusted to declare
+			if(prin!=null) {
+				String as_user=req.getHeader(Config.CADI_USER_CHAIN);
+				if(as_user!=null) {
+					if(as_user.startsWith("TGUARD ") && lur.fish(prin, new LocalPermission("com.att.aaf.trust|"+prin.getName()+"|tguard"))) {
+						prin = new TGuardPrincipal(as_user.substring(7));
+						responseText=prin.getName() + " set via trust of " + responseText;
+					}
+				}
+				return new X509HttpTafResp(
+					access,
+					prin,
+					responseText,
+					RESP.IS_AUTHENTICATED);
+			}
+		} catch(Exception e) {
+			return new X509HttpTafResp(access, null, e.getMessage(), RESP.TRY_ANOTHER_TAF);	
+		}
+	
+		return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		return null;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java b/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java
new file mode 100644
index 0000000..88a6721
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java
@@ -0,0 +1,371 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.dos;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.CachedPrincipal.Resp;
+import com.att.cadi.CadiException;
+import com.att.cadi.Taf.LifeForm;
+import com.att.cadi.taf.HttpTaf;
+import com.att.cadi.taf.PuntTafResp;
+import com.att.cadi.taf.TafResp;
+import com.att.cadi.taf.TafResp.RESP;
+
+public class DenialOfServiceTaf implements HttpTaf {
+	private static Map<String, Counter> deniedIP=null, deniedID=null;
+	private Access access;
+	private static File dosIP, dosID;
+	
+	/**
+	 * 
+	 * @param hostname
+	 * @param prod
+	 * @throws CadiException
+	 */
+	public DenialOfServiceTaf(Access access) throws CadiException {
+		this.access = access;
+		if(dosIP==null || dosID == null) {
+			String dirStr;
+			if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {
+				dosIP = new File(dirStr+"/dosIP");
+				readIP();
+				dosID = new File(dirStr+"/dosID");
+				readID();
+			}
+		}
+	}
+
+	public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
+		// Performance, when not needed
+		if(deniedIP != null) {
+			String ip;
+			Counter c = deniedIP.get(ip=req.getRemoteAddr());
+			if(c!=null) {
+				c.inc();
+				return respDenyIP(access,ip);
+			}
+		}
+		
+		// Note:  Can't process Principal, because this is the first TAF, and no Principal is created.
+		// Other TAFs use "isDenied()" on this Object to validate.
+		return PuntTafResp.singleton();
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		// We always return NOT MINE, because DOS Taf does not ever validate
+		return Resp.NOT_MINE;
+	}
+
+	/*
+	 *  for use in Other TAFs, before they attempt backend validation of 
+	 */
+	public static Counter isDeniedID(String identity) {
+		if(deniedID!=null) {
+			return deniedID.get(identity);
+		}
+		return null;
+	}
+	
+	/**
+	 *  
+	 */
+	public static Counter isDeniedIP(String ipvX) {
+		if(deniedID!=null) {
+			return deniedID.get(ipvX);
+		}
+		return null;
+	}
+
+	/**
+	 * Return of "True" means IP has been added.
+	 * Return of "False" means IP already added.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean denyIP(String ip) {
+		boolean rv = false;
+		if(deniedIP==null) {
+			deniedIP = new HashMap<String,Counter>();
+			deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
+			rv= true;
+		} else if(deniedIP.get(ip)==null) {
+			deniedIP.put(ip, new Counter(ip));
+			rv = true;
+		}
+		if(rv) {
+			writeIP();
+		}
+		return rv;
+	}
+	
+	private static void writeIP() {
+		if(dosIP!=null && deniedIP!=null) {
+			if(deniedIP.isEmpty()) {
+				if(dosIP.exists()) {
+					dosIP.delete();
+				}
+			} else {
+				PrintStream fos;
+				try {
+					fos = new PrintStream(new FileOutputStream(dosIP,false));
+					try {
+						for(String ip: deniedIP.keySet()) {
+							fos.println(ip);
+						}
+					} finally {
+						fos.close();
+					}
+				} catch (IOException e) {
+					e.printStackTrace(System.err);
+				}
+			}
+		}
+	}
+	
+	private static void readIP() {
+		if(dosIP!=null && dosIP.exists()) {
+			BufferedReader br;
+			try {
+				br = new BufferedReader(new FileReader(dosIP));
+				if(deniedIP==null) {
+					deniedIP=new HashMap<String,Counter>();
+				}
+
+				try {
+					String line;
+					while((line=br.readLine())!=null) {
+						deniedIP.put(line, new Counter(line));
+					}
+				} finally {
+					br.close();
+				}
+			} catch (IOException e) {
+				e.printStackTrace(System.err);
+			}
+		}
+	}
+
+
+	/**
+	 * Return of "True" means IP has was removed.
+	 * Return of "False" means IP wasn't being denied.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean removeDenyIP(String ip) {
+		if(deniedIP!=null && deniedIP.remove(ip)!=null) {
+			writeIP();
+			if(deniedIP.isEmpty()) {
+				deniedIP=null;
+			}
+			return true;
+		}
+		return false;
+	}
+
+	/**
+	 * Return of "True" means ID has been added.
+	 * Return of "False" means ID already added.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean denyID(String id) {
+		boolean rv = false;
+		if(deniedID==null) {
+			deniedID = new HashMap<String,Counter>();
+			deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
+			rv = true;
+		} else if(deniedID.get(id)==null) {
+			deniedID.put(id, new Counter(id));
+			rv = true;
+		}
+		if(rv) {
+			writeID();
+		}
+		return rv;
+
+	}
+
+	private static void writeID() {
+		if(dosID!=null && deniedID!=null) {
+			if(deniedID.isEmpty()) {
+				if(dosID.exists()) {
+					dosID.delete();
+				}
+			} else {
+				PrintStream fos;
+				try {
+					fos = new PrintStream(new FileOutputStream(dosID,false));
+					try {
+						for(String ip: deniedID.keySet()) {
+							fos.println(ip);
+						}
+					} finally {
+						fos.close();
+					}
+				} catch (IOException e) {
+					e.printStackTrace(System.err);
+				}
+			}
+		}
+	}
+
+	private static void readID() {
+		if(dosID!=null && dosID.exists()) {
+			BufferedReader br;
+			try {
+				br = new BufferedReader(new FileReader(dosID));
+				if(deniedID==null) {
+					deniedID=new HashMap<String,Counter>();
+				}
+				try {
+					String line;
+					while((line=br.readLine())!=null) {
+						deniedID.put(line, new Counter(line));
+					}
+				} finally {
+					br.close();
+				}
+			} catch (IOException e) {
+				e.printStackTrace(System.err);
+			}
+		}
+	}
+
+	/**
+	 * Return of "True" means ID has was removed.
+	 * Return of "False" means ID wasn't being denied.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean removeDenyID(String id) {
+		if(deniedID!=null && deniedID.remove(id)!=null) { 
+			writeID();
+			if(deniedID.isEmpty()) {
+				deniedID=null;
+			}
+
+			return true;
+		}
+		return false;
+	}
+	
+	public List<String> report() {
+		int initSize = 0;
+		if(deniedIP!=null)initSize+=deniedIP.size();
+		if(deniedID!=null)initSize+=deniedID.size();
+		ArrayList<String> al = new ArrayList<String>(initSize);
+		if(deniedID!=null) {
+			for(Counter c : deniedID.values()) {
+				al.add(c.toString());
+			}
+		}
+		if(deniedIP!=null) {
+			for(Counter c : deniedIP.values()) {
+				al.add(c.toString());
+			}
+		}
+		return al;
+	}
+	
+	public static class Counter {
+		private final String name; 
+		private int count = 0;
+		private Date first;
+		private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
+		
+		public Counter(String name) {
+			this.name = name;
+			first = null;
+			last = 0L;
+			count = 0;
+		}
+		
+		public String getName() {
+			return name;
+		}
+		
+		public int getCount() {
+			return count;
+		}
+
+		public long getLast() {
+			return last;
+		}
+		
+		/*
+		 * Only allow Denial of ServiceTaf to increment
+		 */
+		private synchronized void inc() {
+			++count;
+			last = System.currentTimeMillis();
+			if(first==null) {
+				first = new Date(last);
+			}
+		}
+		
+		public String toString() {
+			if(count==0) 
+				return name + " is on the denied list, but has not attempted Access"; 
+			else 
+				return 
+					name +
+					" has been denied " +
+					count +
+					" times since " +
+					first +
+					".  Last denial was " +
+					new Date(last);
+		}
+	}
+
+	public static TafResp respDenyID(Access access, String identity) {
+		return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
+	}
+	
+	public static TafResp respDenyIP(Access access, String ip) {
+		return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java b/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java
new file mode 100644
index 0000000..7cbbf73
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.dos;
+
+import java.io.IOException;
+
+import com.att.cadi.Access;
+import com.att.cadi.taf.AbsTafResp;
+
+public class DenialOfServiceTafResp extends AbsTafResp  {
+	private RESP ect;  // Homage to Arethra Franklin
+
+	public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
+		super(access, null, description);
+		ect = resp;
+	}
+
+	// Override base behavior of checking Principal and trying another TAF
+	@Override
+	public RESP isAuthenticated() {
+		return ect;
+	}
+	
+
+	public RESP authenticate() throws IOException {
+		return ect;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
new file mode 100644
index 0000000..89500a6
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
@@ -0,0 +1,131 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.localhost;
+
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.net.SocketException;
+import java.net.UnknownHostException;
+import java.util.Enumeration;
+import java.util.TreeSet;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import com.att.cadi.Access;
+import com.att.cadi.Access.Level;
+import com.att.cadi.CachedPrincipal;
+import com.att.cadi.CachedPrincipal.Resp;
+import com.att.cadi.Taf;
+import com.att.cadi.taf.HttpTaf;
+import com.att.cadi.taf.TafResp;
+import com.att.cadi.taf.TafResp.RESP;
+
+/**
+ * Implement the ability to utilize LocalHost as a TAF.
+ * 
+ * Configure with two properties, 
+ * 	localhost.deny
+ *  localhost.accept
+ *  
+ * 1) If localhost.deny==true, then no localhost requests are allowed
+ * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
+ *   chain, but don't treat localhost as an acceptable credential)
+ * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed, 
+ * to run, are treated as validated.  This is primarily for Developer purposes.
+ *   
+ * 
+ *
+ */
+public class LocalhostTaf implements HttpTaf {
+	private TafResp isLocalHost,isNotLocalHost;
+	private static final TreeSet<String> addrSet;
+	
+	static {
+		addrSet = new TreeSet<String>();
+		try {
+			for(Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
+				NetworkInterface ni = en.nextElement();
+				for(Enumeration<InetAddress> eia = ni.getInetAddresses();eia.hasMoreElements();) {
+					InetAddress ia = eia.nextElement();
+					addrSet.add(ia.getHostAddress());
+				}
+			}
+		} catch (SocketException e) {
+		}
+		
+	}
+
+	public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
+		String hostname = access.getProperty("hostname",null);
+		if(hostname !=null) {
+			try {
+				addrSet.add(InetAddress.getByName(hostname).getHostAddress());
+			} catch (UnknownHostException e) {
+				access.log(e,"Unknown Host");
+			}
+		}
+		
+		if(isDenied) {
+			access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
+		} else {
+			access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ",
+					(accept?"and will treat them as authenticated":"but will require other authentication"));
+		}
+		// Set the appropriate behavior for when ID coming in is from localhost
+		isLocalHost = isDenied?	
+			new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"):
+			accept?
+				new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"):
+				new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed");
+		isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
+	}
+
+//	@Override
+	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		String remote = req.getRemoteAddr();
+		return addrSet.contains(remote)
+			?isLocalHost
+			:isNotLocalHost;
+	}
+
+	/** 
+	 * This function used for other TAFs (i.e. CSP, which can't work on localhost address)
+	 * 
+	 * @param address
+	 * @return
+	 */
+	public static boolean isLocalAddress(String address) {
+		return addrSet.contains(address);
+	}
+	
+	public String toString() {
+		return "Localhost TAF activated: " + isLocalHost.desc();
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		// shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid...
+		return Resp.REVALIDATED;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java
new file mode 100644
index 0000000..29ddf92
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java
@@ -0,0 +1,82 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.taf.localhost;
+
+import java.security.Principal;
+
+import com.att.cadi.Access;
+import com.att.cadi.taf.TafResp;
+
+public class LocalhostTafResp implements TafResp {
+	private RESP action;
+	private String description;
+	private final static Principal principal = new Principal() {
+		private String name = System.getProperty("user.name")+"@localhost";
+//		@Override
+		public String getName() {
+			return name;
+		}
+	};
+
+	private Access access;
+	
+	public LocalhostTafResp(Access access, RESP state, String desc) {
+		action = state;
+		description = desc;
+		this.access = access;
+	}
+	
+//	@Override
+	public boolean isValid() {
+		return action == RESP.IS_AUTHENTICATED;
+	}
+
+//	@Override
+	public String desc() {
+		return description;
+	}
+
+//	@Override
+	public RESP authenticate() {
+		return action;
+	}
+	
+	public RESP isAuthenticated() {
+		return action;
+	}
+
+//	@Override
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+	public Access getAccess() {
+		return access;
+	}
+
+	public boolean isFailedAttempt() {
+		return false;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/util/Chmod.java b/core/src/main/java/com/att/cadi/util/Chmod.java
new file mode 100644
index 0000000..9991616
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/Chmod.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+import java.io.File;
+import java.io.IOException;
+
+public interface Chmod {
+	public void chmod(File f) throws IOException;
+	
+	public static final Chmod to755 = new Chmod() {
+		public void chmod(File f) throws IOException {
+			f.setExecutable(true, false);
+			f.setExecutable(true, true);
+			f.setReadable(true, false);
+			f.setReadable(true, true);
+			f.setWritable(false, false);
+			f.setWritable(true, true);
+		}
+	};
+
+	public static final Chmod to644 = new Chmod() {
+		public void chmod(File f) throws IOException {
+			f.setExecutable(false, false);
+			f.setExecutable(false, true);
+			f.setReadable(true, false);
+			f.setReadable(true, true);
+			f.setWritable(false, false);
+			f.setWritable(true, true);
+		}
+	};
+
+	public static final Chmod to400 = new Chmod() {
+		public void chmod(File f) throws IOException {
+			f.setExecutable(false, false);
+			f.setExecutable(false, true);
+			f.setReadable(false, false);
+			f.setReadable(true, true);
+			f.setWritable(false, false);
+			f.setWritable(false, true);
+		}
+	};
+}
diff --git a/core/src/main/java/com/att/cadi/util/JsonOutputStream.java b/core/src/main/java/com/att/cadi/util/JsonOutputStream.java
new file mode 100644
index 0000000..f85efa4
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/JsonOutputStream.java
@@ -0,0 +1,91 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class JsonOutputStream extends OutputStream {
+	private static final byte[] TWO_SPACE = "  ".getBytes();
+	private OutputStream os;
+	private boolean closeable;
+	private int indent = 0;
+	private int prev,ret=0;
+
+	public JsonOutputStream(OutputStream os) {
+		// Don't close these, or dire consequences.
+		closeable = !os.equals(System.out) && !os.equals(System.err);
+		this.os = os;
+	}
+
+	@Override
+	public void write(int b) throws IOException {
+		if(ret=='\n') {
+			ret = 0;
+			if(prev!=',' || (b!='{' && b!='[')) {
+				os.write('\n');
+				for(int i=0;i<indent;++i) {
+					os.write(TWO_SPACE);
+				}
+			}
+		}
+		switch(b) {
+			case '{':
+			case '[':	
+					ret = '\n';
+					++indent;
+					break;
+			case '}':
+			case ']': 
+					--indent;
+					os.write('\n');
+					for(int i=0;i<indent;++i) {
+						os.write(TWO_SPACE);
+					}
+					break;
+			case ',':
+					ret = '\n';
+					break;
+					
+		}
+		os.write(b);
+		prev = b;
+	}
+	public void resetIndent() {
+		indent = 1;
+	}
+
+	@Override
+	public void flush() throws IOException {
+		os.flush();
+	}
+
+	@Override
+	public void close() throws IOException {
+		if(closeable) {
+			os.close();
+		}
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/util/MaskFormatException.java b/core/src/main/java/com/att/cadi/util/MaskFormatException.java
new file mode 100644
index 0000000..7a8c773
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/MaskFormatException.java
@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+@SuppressWarnings("serial")
+public class MaskFormatException extends Exception {
+
+	public MaskFormatException(String string) {
+			super(string);
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/util/MyConsole.java b/core/src/main/java/com/att/cadi/util/MyConsole.java
new file mode 100644
index 0000000..eb148ee
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/MyConsole.java
@@ -0,0 +1,30 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+public interface MyConsole {
+	public String readLine(String fmt, Object ... args);
+	public char[] readPassword(String fmt, Object ... args);
+	public void printf(String fmt, Object ...args);
+}
diff --git a/core/src/main/java/com/att/cadi/util/NetMask.java b/core/src/main/java/com/att/cadi/util/NetMask.java
new file mode 100644
index 0000000..befed88
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/NetMask.java
@@ -0,0 +1,101 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+/* 
+ * NetMask - a class to quickly validate whether a given IP is part of a mask, as defined by bytes or standard String format.
+ * 
+ * Needs the IPV6 Mask Builder. 
+ */
+public class NetMask {
+	private long mask;
+
+	public NetMask(byte[] inBytes) {
+		mask = derive(inBytes);
+	}
+	
+	public NetMask(String string) throws MaskFormatException {
+		mask = derive(string,true);
+	}
+	
+	public boolean isInNet(byte[] inBytes) {
+		long addr = derive(inBytes);
+		return (mask & addr) == addr;
+	}
+	
+	public boolean isInNet(String str) {
+		long addr;
+		try {
+			addr = derive(str,false);
+			return (mask & addr) == addr;
+		} catch (MaskFormatException e) {
+			// will not hit this code;
+			return false;
+		}
+	}
+
+	public static long derive(byte[] inBytes) {
+		long addr = 0L;
+		int offset = inBytes.length*8;
+		for(int i=0;i<inBytes.length;++i) {
+			addr&=(inBytes[i]<<offset);
+			offset-=8;
+		}
+		return addr;
+	}
+
+	public static long derive(String str, boolean check) throws MaskFormatException {
+		long rv=0L;
+		int idx=str.indexOf(':');
+		int slash = str.indexOf('/');
+
+		if(idx<0) { // Not IPV6, so it's IPV4... Is there a mask of 123/254?
+			idx=str.indexOf('.');
+			int offset = 24;
+			int end = slash>=0?slash:str.length();
+			int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32;
+			if(check && bits>32) {
+				throw new MaskFormatException("Invalid Mask Offset in IPV4 Address");
+			}
+			int prev = 0;
+			long lbyte;
+			while(prev<end) {
+				if(idx<0) {
+					idx = end;
+				}
+				lbyte = Long.parseLong(str.substring(prev, idx));
+				if(check && (lbyte>255 || lbyte<0)) {
+					throw new MaskFormatException("Invalid Byte in IPV4 Address");
+				}
+				rv|=lbyte<<offset;
+				prev = ++idx;
+				idx=str.indexOf('.',prev);
+				offset-=8;
+			}
+			rv|=0x00000000FFFFFFFFL>>bits;
+		}
+		return rv;
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/util/Split.java b/core/src/main/java/com/att/cadi/util/Split.java
new file mode 100644
index 0000000..4a695fb
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/Split.java
@@ -0,0 +1,92 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+/**
+ * Split by Char, optional Trim
+ *
+ * Note: Copied from Inno to avoid linking issues.
+ * Note: I read the String split and Pattern split code, and we can do this more efficiently for a single Character
+ * 
+ * 8/20/2015
+ */
+
+public class Split {
+	  public static String[] split(char c, String value) {
+		  // Count items to preallocate Array (memory alloc is more expensive than counting twice)
+		  int count,idx;
+		  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);
+		  String[] rv = new String[count];
+		  if(count==1) {
+			  rv[0]=value;
+		  } else {
+			  int last=0;
+			  count=-1;
+			  for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) {
+				  rv[++count]=value.substring(last,idx);
+				  last = ++idx;
+			  }
+			  rv[++count]=value.substring(last);
+		  }
+		  return rv;
+	  }
+
+	  public static String[] splitTrim(char c, String value) {
+		  // Count items to preallocate Array (memory alloc is more expensive than counting twice)
+		  int count,idx;
+		  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);
+		  String[] rv = new String[count];
+		  if(count==1) {
+			  rv[0]=value.trim();
+		  } else {
+			  int last=0;
+			  count=-1;
+			  for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) {
+				  rv[++count]=value.substring(last,idx).trim();
+				  last = ++idx;
+			  }
+			  rv[++count]=value.substring(last).trim();
+		  }
+		  return rv;
+	  }
+
+	  public static String[] splitTrim(char c, String value, int size) {
+		  int idx;
+		  String[] rv = new String[size];
+		  if(size==1) {
+			  rv[0]=value.trim();
+		  } else {
+			  int last=0;
+			  int count=-1;
+			  size-=2;
+			  for(idx=value.indexOf(c);idx>=0 && count<size;idx=value.indexOf(c,idx)) {
+				  rv[++count]=value.substring(last,idx).trim();
+				  last = ++idx;
+			  }
+			  rv[++count]=value.substring(last).trim();
+		  }
+		  return rv;
+	  }
+
+}
diff --git a/core/src/main/java/com/att/cadi/util/SubStandardConsole.java b/core/src/main/java/com/att/cadi/util/SubStandardConsole.java
new file mode 100644
index 0000000..3d57332
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/SubStandardConsole.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+// Substandard, because System.in doesn't do Passwords..
+public class SubStandardConsole implements MyConsole {
+	BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
+	@Override
+	public String readLine(String fmt, Object... args) {
+		String rv;
+		try {
+			System.out.printf(fmt,args);
+			rv = br.readLine();
+			if(args.length==1 && rv.length()==0) {
+				rv = args[0].toString();
+			}
+		} catch (IOException e) {
+			System.err.println("uh oh...");
+			rv = "";
+		}
+		return rv;
+	}
+
+	@Override
+	public char[] readPassword(String fmt, Object... args) {
+		try {
+			System.out.printf(fmt,args);
+			return br.readLine().toCharArray();
+		} catch (IOException e) {
+			System.err.println("uh oh...");
+			return new char[0];
+		}
+	}
+
+	@Override
+	public void printf(String fmt, Object... args) {
+		System.out.printf(fmt, args);
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/util/TheConsole.java b/core/src/main/java/com/att/cadi/util/TheConsole.java
new file mode 100644
index 0000000..60f3f79
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/TheConsole.java
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+public class TheConsole implements MyConsole {
+	@Override
+	public String readLine(String fmt, Object... args) {
+		String rv = System.console().readLine(fmt, args);
+		if(args.length>0 && args[0]!=null && rv.length()==0) {
+			rv = args[0].toString();
+		}
+		return rv;
+	}
+
+	@Override
+	public char[] readPassword(String fmt, Object... args) {
+		return System.console().readPassword(fmt, args);
+	}
+	
+	public static boolean implemented() {
+		return System.console()!=null;
+	}
+
+	@Override
+	public void printf(String fmt, Object... args) {
+		System.console().printf(fmt, args);
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/util/UserChainManip.java b/core/src/main/java/com/att/cadi/util/UserChainManip.java
new file mode 100644
index 0000000..89851aa
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/UserChainManip.java
@@ -0,0 +1,79 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+import com.att.cadi.UserChain;
+
+public class UserChainManip {
+	/** 
+	    Build an element in the correct format for UserChain.
+		Format:<APP>:<ID>:<protocol>[:AS][,<APP>:<ID>:<protocol>]*
+		@see UserChain
+	*/ 
+	public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) {
+		boolean mayAs;
+		if(!(mayAs=sb.length()==0)) {
+			sb.append(',');
+		}
+		sb.append(app);
+		sb.append(':');
+		sb.append(id);
+		sb.append(':');
+		sb.append(proto.name());
+		if(as && mayAs) {
+			sb.append(":AS");
+		}
+		return sb;
+	}
+	
+	public static String idToNS(String id) {
+		if(id==null) {
+			return "";
+		} else {
+			StringBuilder sb = new StringBuilder();
+			char c;
+			int end;
+			boolean first = true;
+			for(int idx = end = id.length()-1;idx>=0;--idx) {
+				if((c = id.charAt(idx))=='@' || c=='.')  {
+					if(idx<end) {
+						if(first) {
+							first = false;
+						} else {
+							sb.append('.');
+						}
+						for(int i=idx+1;i<=end;++i) {
+							sb.append(id.charAt(i));
+						}
+					}
+					end=idx-1;
+					if(c=='@') {
+						break;
+					}
+				}
+			}
+			return sb.toString();
+		}
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/util/Vars.java b/core/src/main/java/com/att/cadi/util/Vars.java
new file mode 100644
index 0000000..b712e31
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/util/Vars.java
@@ -0,0 +1,122 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.util;
+
+import java.util.List;
+
+public class Vars {
+	/**
+	 * Simplified Conversion based on typical use of getting AT&T style RESTful Error Messages
+	 * @param text
+	 * @param vars
+	 * @return
+	 */
+	public static String convert(final String text, final List<String> vars) {
+		String[] array = new String[vars.size()];
+		StringBuilder sb = new StringBuilder();
+		convert(sb,text,vars.toArray(array));
+		return sb.toString();
+	}
+	/**
+	 * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format
+	 * If "holder" is passed in, it is built with full Message extracted (typically for Logging)
+	 * @param holder
+	 * @param text
+	 * @param vars
+	 * @return
+	 */
+	public static String convert(final StringBuilder holder, final String text, final String ... vars) {
+		StringBuilder sb = null;
+		int idx,index=0,prev = 0;
+		
+		if(text.contains("%s")) {
+			sb = new StringBuilder();
+		}
+		
+		StringBuilder[] sbs = new StringBuilder[] {sb,holder};
+		boolean replace, clearIndex = false;
+		int c;
+		while((idx=text.indexOf('%',prev))>=0) {
+			replace = false;
+			if(clearIndex) {
+				index=0;
+			}
+			if(sb!=null) {
+				sb.append(text,prev,idx);
+			}
+			if(holder!=null) {
+				holder.append(text,prev,idx);
+			}
+			
+			boolean go = true;
+			while(go) {
+				if(text.length()>++idx) {
+					switch(c=text.charAt(idx)) {
+						case '0': case '1': case '2': case '3': case '4': 
+						case '5': case '6': case '7': case '8': case '9':
+							index *=10;
+							index +=(c-'0');
+							clearIndex=replace=true;
+							continue;
+						case 's':
+							++index;
+							replace = true;
+							continue;
+						default:
+							break;
+					}
+				}
+				prev = idx;
+				go=false;
+				if(replace) {
+					if(sb!=null) {
+						sb.append('%');
+						sb.append(index);
+					}
+					if(index<=vars.length) {
+						if(holder!=null) {
+							holder.append(vars[index-1]);
+						}
+					}
+				} else {
+					for(StringBuilder s : sbs) {
+						if(s!=null) {
+							s.append("%");
+						}
+					}
+				}
+			}
+		}
+		
+		if(sb!=null) {
+			sb.append(text,prev,text.length());
+		}
+		if(holder!=null) {
+			holder.append(text,prev,text.length());
+		}
+
+		return sb==null?text:sb.toString();
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/wsse/Action.java b/core/src/main/java/com/att/cadi/wsse/Action.java
new file mode 100644
index 0000000..a9b171c
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/wsse/Action.java
@@ -0,0 +1,38 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse;
+
+/**
+ * Interface to specify an action deep within a parsing tree on a local object
+ * 
+ * We use a Generic so as to be flexible on create what that object actually is.  This is passed in at the
+ * root "parse" call of Match.  Similar to a "Visitor" Pattern, this object is passed upon reaching the right
+ * point in a parse tree.
+ * 
+ *
+ * @param <OUTPUT>
+ */
+interface Action<OUTPUT> {
+	public boolean content(OUTPUT output, String text);
+}
diff --git a/core/src/main/java/com/att/cadi/wsse/Match.java b/core/src/main/java/com/att/cadi/wsse/Match.java
new file mode 100644
index 0000000..657976a
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/wsse/Match.java
@@ -0,0 +1,131 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Match Class allows you to build an automatic Tree of StAX (or StAX like) 
+ * Objects for frequent use.
+ * 
+ * OBJECT is a type which you which to do some end Actions on, similar to a Visitor pattern, see Action
+ * 
+ * Note: We have implemented with XReader and XEvent, rather than StAX for performance reasons.
+ * 
+ * @see Action
+ * @see Match
+ * @see XEvent
+ * @see XReader
+ * 
+ *
+ * @param <OUTPUT>
+ */
+//@SuppressWarnings("restriction")
+public class Match<OUTPUT> {
+	private QName qname;
+	private Match<OUTPUT>[] next;
+	private Match<OUTPUT> prev;
+	private Action<OUTPUT> action = null;
+	private boolean stopAfter;
+	private boolean exclusive;
+	
+
+	@SafeVarargs
+	public Match(String ns, String name, Match<OUTPUT> ... next) {
+		this.qname = new QName(ns,name);
+		this.next = next;
+		stopAfter = exclusive = false;
+		for(Match<OUTPUT> m : next) { // add the possible tags to look for
+			if(!m.stopAfter)m.prev = this;
+		}
+	}
+	
+	public Match<OUTPUT> onMatch(OUTPUT output, XReader reader) throws XMLStreamException {
+		while(reader.hasNext()) {
+			XEvent event = reader.nextEvent();
+			switch(event.getEventType()) {
+				case XMLEvent.START_ELEMENT:
+					QName e_qname = event.asStartElement().getName();
+					//System.out.println("Start - " + e_qname);
+					boolean match = false;
+					for(Match<OUTPUT> m : next) {
+						if(e_qname.equals(m.qname)) {
+							match=true;
+							if(m.onMatch(output, reader)==null) {
+								return null; // short circuit Parsing
+							}
+							break;
+						}
+					}
+					if(exclusive && !match) // When Tag MUST be present, i.e. the Root Tag, versus info we're not interested in
+						return null;
+					break;
+				case XMLEvent.CHARACTERS:
+					//System.out.println("Data - " +event.asCharacters().getData());
+					if(action!=null) {
+						if(!action.content(output,event.asCharacters().getData())) {
+							return null;
+						}
+					}
+					break;
+				case XMLEvent.END_ELEMENT:
+					//System.out.println("End - " + event.asEndElement().getName());
+					if(event.asEndElement().getName().equals(qname)) {
+						return prev;
+					}
+					break;
+				case XMLEvent.END_DOCUMENT:
+					return null; // Exit Chain
+			}
+		}
+		return this;
+	}
+
+	/**
+	 * When this Matched Tag has completed, Stop parsing and end
+	 * @return
+	 */
+	public Match<OUTPUT> stopAfter() {
+		stopAfter = true;
+		return this;
+	}
+	
+	/**
+	 * Mark that this Object MUST be matched at this level or stop parsing and end
+	 * 
+	 * @param action
+	 * @return
+	 */
+	public Match<OUTPUT> exclusive() {
+		exclusive = true;
+		return this;
+	}
+
+	public Match<OUTPUT> set(Action<OUTPUT> action) {
+		this.action = action;
+		return this;
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/wsse/WSSEParser.java b/core/src/main/java/com/att/cadi/wsse/WSSEParser.java
new file mode 100644
index 0000000..dd8af4d
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/wsse/WSSEParser.java
@@ -0,0 +1,87 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.xml.stream.XMLStreamException;
+
+import com.att.cadi.BasicCred;
+
+
+/**
+ * WSSE Parser
+ * 
+ * Read the User and Password from WSSE Formatted SOAP Messages 
+ * 
+ * This class uses StAX so that processing is stopped as soon as the Security User/Password are read into BasicCred, or the Header Ends
+ * 
+ * This class is intended to be created once (or very few times) and reused as much as possible.
+ * 
+ * It is as thread safe as StAX parsing is.
+ * 
+ */
+public class WSSEParser {
+	private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
+	private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+	private Match<BasicCred> parseTree;
+	//private XMLInputFactory inputFactory;
+
+	public WSSEParser() {
+		// soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username]
+		parseTree = new Match<BasicCred>(SOAP_NS,"root", // need a root level to start from... Doesn't matter what the tag is
+			new Match<BasicCred>(SOAP_NS,"Envelope",
+				new Match<BasicCred>(SOAP_NS,"Header",
+					new Match<BasicCred>(WSSE_NS,"Security",
+						new Match<BasicCred>(WSSE_NS,"UsernameToken",
+							new Match<BasicCred>(WSSE_NS,"Password").set(new Action<BasicCred>() {
+								public boolean content(BasicCred bc,String text) {
+									bc.setCred(text.getBytes());
+									return true;
+								}
+							}),
+							new Match<BasicCred>(WSSE_NS,"Username").set(new Action<BasicCred>() {
+								public boolean content(BasicCred bc,String text) {
+									bc.setUser(text);
+									return true;
+								}
+							})
+						).stopAfter() // if found, end when UsernameToken ends (no further processing needed)
+					)
+				).stopAfter() // Stop Processing when Header Ends
+			).exclusive()// Envelope must match Header, and no other.  FYI, Body comes after Header short circuits (see above), so it's ok
+		).exclusive(); // root must be Envelope
+		//inputFactory = XMLInputFactory.newInstance();
+	}
+	
+	public XMLStreamException parse(BasicCred bc, InputStream is) throws IOException {
+		try {
+			parseTree.onMatch(bc, new XReader(is));
+			return null;
+		} catch (XMLStreamException e) {
+			return e;
+		}
+	}
+}
diff --git a/core/src/main/java/com/att/cadi/wsse/XEvent.java b/core/src/main/java/com/att/cadi/wsse/XEvent.java
new file mode 100644
index 0000000..d023519
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/wsse/XEvent.java
@@ -0,0 +1,136 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * XEvent
+ * 
+ * This mechanism mimics a minimal portion of StAX "XMLEvent", enough to work with minimal XReader.
+ * 
+ * We implement the same interface, as much as minimally necessary, as XMLEvent for these small usages so as to
+ * be interchangeable in the future, if so desired
+ * 
+ *
+ */
+// @SuppressWarnings("restriction")
+public abstract class XEvent {
+
+	public abstract int getEventType();
+
+	public StartElement asStartElement() {
+		return (StartElement)this;
+	}
+
+	public Characters asCharacters() {
+		return (Characters)this;
+	}
+
+	public EndElement asEndElement() {
+		return (EndElement)this;
+	}
+
+    public static abstract class NamedXEvent extends XEvent {
+    	private QName qname;
+
+    	public NamedXEvent(QName qname) {
+    		this.qname = qname;
+    	}
+    	
+		public QName getName() {
+    		return qname;
+    	}
+    }
+	public static class StartElement extends NamedXEvent {
+
+		public StartElement(String ns, String tag) {
+			super(new QName(ns,tag));
+		}
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.START_ELEMENT;
+		}
+	}
+
+	public static class EndElement extends NamedXEvent {
+		public EndElement(String ns, String tag) {
+			super(new QName(ns,tag));
+		}
+		
+		@Override
+		public int getEventType() {
+			return XMLEvent.END_ELEMENT;
+		}
+	}
+
+	public static class Characters extends XEvent {
+		private String data;
+
+		public Characters(String data) {
+			this.data = data;
+		}
+		@Override
+		public int getEventType() {
+			return XMLEvent.CHARACTERS;
+		}
+
+		public String getData() {
+			return data;
+		}
+	}
+	
+	public static class StartDocument extends XEvent {
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.START_DOCUMENT;
+		}
+		
+	}
+
+	public static class EndDocument extends XEvent {
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.END_DOCUMENT;
+		}
+		
+	}
+	public static class Comment extends XEvent {
+		public final String value;
+		public Comment(String value) {
+			this.value = value;
+		}
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.COMMENT;
+		}
+	
+	}
+
+}
diff --git a/core/src/main/java/com/att/cadi/wsse/XReader.java b/core/src/main/java/com/att/cadi/wsse/XReader.java
new file mode 100644
index 0000000..135b28c
--- /dev/null
+++ b/core/src/main/java/com/att/cadi/wsse/XReader.java
@@ -0,0 +1,417 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Stack;
+
+import javax.xml.stream.XMLStreamException;
+
+/**
+ * XReader
+ * This class works similarly as StAX, except StAX has more behavior than is needed.  That would be ok, but 
+ * StAX also was Buffering in their code in such as way as to read most if not all the incoming stream into memory,
+ * defeating the purpose of pre-reading only the Header
+ * 
+ * This Reader does no back-tracking, but is able to create events based on syntax and given state only, leaving the
+ * Read-ahead mode of the InputStream up to the other classes.
+ * 
+ * At this time, we only implement the important events, though if this is good enough, it could be expanded, perhaps to 
+ * replace the original XMLReader from StAX.
+ * 
+ *
+ */
+// @SuppressWarnings("restriction")
+public class XReader {
+	private XEvent curr,another;
+	private InputStream is;
+	private ByteArrayOutputStream baos;
+	private int state, count, last;
+	
+	private Stack<Map<String,String>> nsses;
+	
+	public XReader(InputStream is) {
+		this.is = is;
+		curr = another = null;
+		baos = new ByteArrayOutputStream();
+		state = BEGIN_DOC; 
+		count = 0;
+		nsses = new Stack<Map<String,String>>();
+	}
+	
+	public boolean hasNext() throws XMLStreamException {
+		if(curr==null) {
+			curr = parse();
+		}
+		return curr!=null;
+	}
+
+	public XEvent nextEvent() {
+		XEvent xe = curr;
+		curr = null;
+		return xe;
+	}
+
+	// 
+	// State Flags
+	//
+	// Note: The State of parsing XML can be complicated.  There are too many to cleanly keep in "booleans".  Additionally,
+	// there are certain checks that can be better made with Bitwise operations within switches
+	// Keeping track of state this way also helps us to accomplish logic without storing any back characters except one
+	private final static int BEGIN_DOC=  0x000001;
+	private final static int DOC_TYPE=   0x000002;
+	private final static int QUESTION_F= 0x000004;
+	private final static int QUESTION =  0x000008;
+	private final static int START_TAG = 0x000010;
+	private final static int END_TAG = 	 0x000020;
+	private final static int VALUE=		 0x000040;
+	private final static int COMMENT =   0x001000;
+	private final static int COMMENT_E = 0x002000;
+	private final static int COMMENT_D1 =0x010000;
+	private final static int COMMENT_D2 =0x020000;
+	private final static int COMMENT_D3 =0x040000;
+	private final static int COMMENT_D4 =0x080000;
+	// useful combined Comment states
+	private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2;
+	private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4;
+	
+	
+	private XEvent parse() throws XMLStreamException {
+		Map<String,String> nss = nsses.isEmpty()?null:nsses.peek();
+
+		XEvent rv;
+		if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not 
+								 // immediately returned.  Save for next parse.  If necessary, this could be turned into
+								 // a FIFO storage, but a single reference is enough for now.
+			another = null;      // "rv" is now set for the Event, and will be returned.  Set to Null.
+		} else {
+			boolean go = true;
+			int c=0;
+			
+			try {
+				while(go && (c=is.read())>=0) {
+					++count;
+					switch(c) {
+						case '<': // Tag is opening
+							state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc
+							XEvent cxe = null;
+							if(baos.size()>0) { // If there are any characters between tags, we send as Character Event
+								String chars = baos.toString().trim();  // Trim out WhiteSpace before and after
+								if(chars.length()>0) { // don't send if Characters were only whitespace
+									cxe = new XEvent.Characters(chars);
+									baos.reset();
+									go = false;
+								}
+							}
+							last = c;  // make sure "last" character is set for use in "ParseTag"
+							Tag t = parseTag(); // call subroutine to process the tag as a unit
+							String ns;
+							switch(t.state&(START_TAG|END_TAG)) {
+								case START_TAG:
+										nss = getNss(nss,t); 			// Only Start Tags might have NS Attributes   
+																		// Get any NameSpace elements from tag.  If there are, nss will become 
+																		// a new Map with all the previous NSs plus the new.  This provides 
+																		// scoping behavior when used with the Stack
+									// drop through on purpose
+								case END_TAG:
+									ns = t.prefix==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists)
+									break;
+								default:
+									ns = "";
+							}
+							if(ns==null)
+								throw new XMLStreamException("Invalid Namespace Prefix at " + count);
+							go = false;
+							switch(t.state) { // based on 
+							  case DOC_TYPE: 
+								  rv = new XEvent.StartDocument();
+								  break;
+							  case COMMENT:
+								  rv = new XEvent.Comment(t.value);
+								  break;
+							  case START_TAG:
+								  rv = new XEvent.StartElement(ns,t.name);
+								  nsses.push(nss);				// Change potential scope for Namespace
+								  break;
+							  case END_TAG:
+								  rv = new XEvent.EndElement(ns,t.name);
+								  nss = nsses.pop();			// End potential scope for Namespace
+								  break;
+							  case START_TAG|END_TAG:			// This tag is both start/end  aka <myTag/>
+								  rv = new XEvent.StartElement(ns,t.name);
+								  if(last=='/')another = new XEvent.EndElement(ns,t.name);
+							}
+							if(cxe!=null) {     // if there is a Character Event, it actually should go first.  ow.
+								another = rv;   // Make current Event the "another" or next event, and 
+								rv = cxe;		// send Character Event now
+							}
+							break;
+						case ' ':
+						case '\t':
+						case '\n':
+							if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore 
+								break;
+							}
+							// fallthrough on purpose
+						default:
+							if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML
+								throw new XMLStreamException("Parse Error: This is not an XML Doc");
+							}
+							baos.write(c); // save off Characters
+					}
+					last = c; // Some processing needs to know what the last character was, aka Escaped characters... ex \"
+				}
+			} catch (IOException e) {
+				throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX)
+			}
+			if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { 			   // Normally, end of stream is ok, however, we need to know if the 
+				throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it 
+			}														   // hasn't yet been determined to be an XML Doc
+		}
+		return rv;
+	}
+	
+	/**
+	 * parseTag
+	 * 
+	 * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the 
+	 * higher level Parsing effort
+	 * @return
+	 * @throws IOException
+	 * @throws XMLStreamException
+	 */
+	private Tag parseTag() throws IOException, XMLStreamException {
+		Tag tag = null;
+		boolean go = true;
+		state = 0;
+		int c, quote=0; // If "quote" is 0, then we're not in a quote.  We set ' (in pretag) or " in attribs accordingly to denote quoted
+		String prefix=null,name=null,value=null;
+		baos.reset();
+		
+		while(go && (c=is.read())>=0) {
+			++count;
+			if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \
+				if(c==quote && last!='\\') {
+					quote=0;
+				} else {
+					baos.write(c);
+				}
+			} else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment
+				switch(c) {
+					case '-':
+						switch(state) { // XML has a complicated Quote set... <!-- --> ... we keep track if each has been met with flags. 
+							case COMMENT|COMMENT_E:
+								state|=COMMENT_D1;
+								break;
+							case COMMENT|COMMENT_E|COMMENT_D1:
+								state|=COMMENT_D2;
+								baos.reset();				// clear out "!--", it's a Comment
+								break;
+							case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2:
+								state|=COMMENT_D3;
+								baos.write(c);
+								break;
+							case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3:
+								state|=COMMENT_D4;
+								baos.write(c);
+								break;
+						}
+						break;
+					case '>': // Tag indicator has been found, do we have all the comment characters in line?
+						if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) {
+							byte ba[] = baos.toByteArray();
+							tag = new Tag(null,null, new String(ba,0,ba.length-2));
+							baos.reset();
+							go = false;
+							break;
+						}
+						// fall through on purpose
+					default:
+						state&=~(COMMENT_D3|COMMENT_D4);
+						if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment
+						baos.write(c);
+				}
+			} else { // Normal Tag Processing loop
+				switch(c) {
+					case '?': 
+						switch(state & (QUESTION_F|QUESTION)) {  // Validate the state of Doc tag... <?xml ... ?>
+							case QUESTION_F:
+								state |= DOC_TYPE;
+								state &= ~QUESTION_F;
+								break;
+							case 0:
+								state |=QUESTION_F;
+								break;
+							default:
+								throw new IOException("Bad character [?] at " + count);
+						}
+						break;
+					case '!':
+						if(last=='<') { 
+							state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop
+						}
+						baos.write(c);
+						break;
+					case '/':
+						state|=(last=='<'?END_TAG:(END_TAG|START_TAG));  // end tag indicator </xxx>, ,or both <xxx/>
+						break;
+					case ':':
+						prefix=baos.toString(); // prefix indicator
+						baos.reset();
+						break;
+					case '=':					// used in Attributes
+						name=baos.toString();
+						baos.reset();
+						state|=VALUE;
+						break;
+					case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data
+						go = false;
+						// passthrough on purpose
+					case ' ':
+					case '\t':
+					case '\n': // white space indicates change in internal tag state, ex between name and between attributes
+						if((state&VALUE)==VALUE) {
+							value = baos.toString();	// we're in VALUE state, add characters to Value
+						} else if(name==null) {
+							name = baos.toString();		// we're in Name state (default) add characters to Name
+						}
+						baos.reset();					// we've assigned chars, reset buffer
+						if(name!=null) {				// Name is not null, there's a tag in the offing here...
+							Tag t = new Tag(prefix,name,value);
+							if(tag==null) {				// Set as the tag to return, if not exists
+								tag = t;
+							} else {					// if we already have a Tag, then we'll treat this one as an attribute
+								tag.add(t);
+							}
+						}
+						prefix=name=value=null;			// reset these values in case we loop for attributes.
+						break;
+					case '\'':							// is the character one of two kinds of quote?
+					case '"':
+						if(last!='\\') {
+							quote=c;
+							break;
+						}
+						// Fallthrough ok
+					default:
+						baos.write(c);					// write any unprocessed bytes into buffer
+						
+				}
+			}
+			last = c;
+		}
+		int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag
+		if(type==0) {
+			type=START_TAG;
+		}
+		tag.state|=type;	// add the appropriate Tag States
+		return tag;
+	}
+
+	/**
+	 * getNSS
+	 * 
+	 * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add
+	 * This provides Scoping behavior
+	 * 
+	 * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps.
+	 * 
+	 * @param nss
+	 * @param t
+	 * @return
+	 */
+	private Map<String, String> getNss(Map<String, String> nss, Tag t) {
+		Map<String,String> newnss = null;
+		if(t.attribs!=null) {
+			for(Tag tag : t.attribs) {
+				if("xmlns".equals(tag.prefix)) {
+					if(newnss==null) {
+						newnss = new HashMap<String,String>();
+						if(nss!=null)newnss.putAll(nss);
+					}
+					newnss.put(tag.name, tag.value);
+				}
+			}
+		}
+		return newnss==null?(nss==null?new HashMap<String,String>():nss):newnss;
+	}
+
+	/**
+	 * The result of the parseTag method
+	 * 
+	 * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM
+	 * as Attributes.  
+	 * 
+	 *
+	 */
+	public class Tag {
+		public int state;
+		public String prefix,name,value;
+		public List<Tag> attribs;
+
+		public Tag(String prefix, String name, String value) {
+			this.prefix = prefix;
+			this.name = name;
+			this.value = value;
+			attribs = null;  
+		}
+
+		/**
+		 * add an attribute
+		 * Not all tags need attributes... lazy instantiate to save time and memory
+		 * @param tag
+		 */
+		public void add(Tag attrib) {
+			if(attribs == null) {
+				attribs = new ArrayList<Tag>();
+			}
+			attribs.add(attrib);
+		}
+		
+		public String toString() {
+			StringBuffer sb = new StringBuffer();
+			if(prefix!=null) {
+				sb.append(prefix);
+				sb.append(':');
+			}
+			sb.append(name==null?"!!ERROR!!":name);
+
+			char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"';
+			if(value!=null) {
+				sb.append('=');
+				sb.append(quote);
+				sb.append(value);
+				sb.append(quote);
+			}
+			return sb.toString();
+		}
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/JU_AES.java b/core/src/test/java/com/att/cadi/JU_AES.java
new file mode 100644
index 0000000..2143e5b
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/JU_AES.java
@@ -0,0 +1,87 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+import org.junit.Test;
+
+import junit.framework.Assert;
+
+public class JU_AES {
+
+	@Test
+	public void test() throws Exception {
+		AES aes = new AES();
+		String orig = "I'm a password, really";
+		byte[] passin = orig.getBytes();
+		byte[] encrypted = aes.encrypt(passin);
+		byte[] b64enc = Symm.base64.encode(encrypted);
+		System.out.println(new String(b64enc));
+		
+		encrypted = Symm.base64.decode(b64enc);
+		passin = aes.decrypt(encrypted);
+		Assert.assertEquals(orig, new String(passin));
+	}
+
+	@Test
+	public void testInputStream() throws Exception {
+		AES aes = new AES();
+		String orig = "I'm a password, really";
+		ByteArrayInputStream bais = new ByteArrayInputStream(orig.getBytes());
+		CipherInputStream cis = aes.inputStream(bais, true);
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		Symm.base64.encode(cis, baos);
+		cis.close();
+
+		byte[] b64encrypted;
+		System.out.println(new String(b64encrypted=baos.toByteArray()));
+		
+		
+		baos.reset();
+		CipherOutputStream cos = aes.outputStream(baos, false);
+		Symm.base64.decode(new ByteArrayInputStream(b64encrypted),cos);
+		cos.close();
+		Assert.assertEquals(orig, new String(baos.toByteArray()));
+	}
+
+	@Test
+	public void testObtain() throws Exception {
+		byte[] keygen = Symm.baseCrypt().keygen();
+		
+		Symm symm = Symm.obtain(new ByteArrayInputStream(keygen));
+		
+		String orig ="Another Password, please";
+		String encrypted = symm.enpass(orig);
+		System.out.println(encrypted);
+		String decrypted = symm.depass(encrypted);
+		System.out.println(decrypted);
+		Assert.assertEquals(orig, decrypted);
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java b/core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java
new file mode 100644
index 0000000..a4ada86
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java
@@ -0,0 +1,102 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.junit.Test;
+
+import com.att.cadi.CredVal.Type;
+import com.att.cadi.Lur;
+import com.att.cadi.Permission;
+import com.att.cadi.PropAccess;
+import com.att.cadi.Symm;
+import com.att.cadi.config.UsersDump;
+import com.att.cadi.lur.LocalLur;
+import com.att.cadi.lur.LocalPermission;
+
+public class JU_LocalLur {
+
+	@Test
+	public void test() throws IOException {
+		Symm symmetric = Symm.baseCrypt().obtain();
+		LocalLur up;
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		baos.write(Symm.ENC.getBytes());
+		symmetric.enpass("<pass>", baos);
+		PropAccess ta = new PropAccess();
+		Lur ml = up = new LocalLur(ta,"myname:groupA,groupB","admin:myname,yourname;suser:hisname,hername,m1234%"+baos.toString());
+		
+		Permission admin = new LocalPermission("admin");
+		Permission suser = new LocalPermission("suser");
+		
+		// Check User fish
+		assertTrue(ml.fish(new JUPrincipal("myname"),admin));
+		assertTrue(ml.fish(new JUPrincipal("hisname"),admin));
+		assertFalse(ml.fish(new JUPrincipal("noname"),admin));
+		assertTrue(ml.fish(new JUPrincipal("itsname"),suser));
+		assertTrue(ml.fish(new JUPrincipal("hername"),suser));
+		assertFalse(ml.fish(new JUPrincipal("myname"),suser));
+		
+		
+		// Check validate password
+		assertTrue(up.validate("m1234",Type.PASSWORD, "<pass>".getBytes()));
+		assertFalse(up.validate("m1234",Type.PASSWORD, "badPass".getBytes()));
+		
+		// Check fishAll
+		Set<String> set = new TreeSet<String>();
+		List<Permission> perms = new ArrayList<Permission>();
+		ml.fishAll(new JUPrincipal("myname"), perms);
+		for(Permission p : perms) {
+			set.add(p.getKey());
+		}
+		assertEquals("[admin, groupA, groupB]",set.toString());
+		UsersDump.write(System.out, up);
+		System.out.flush();
+		
+	}
+	
+	// Simplistic Principal for testing purposes
+	private static class JUPrincipal implements Principal {
+		private String name;
+		public JUPrincipal(String name) {
+			this.name = name;
+		}
+//		@Override
+		public String getName() {
+			return name;
+		}
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/lur/test/TestAccess.java b/core/src/test/java/com/att/cadi/lur/test/TestAccess.java
new file mode 100644
index 0000000..f8e911c
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/lur/test/TestAccess.java
@@ -0,0 +1,92 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.lur.test;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import com.att.cadi.Access;
+import com.att.cadi.Symm;
+
+public class TestAccess implements Access {
+	private Symm symm;
+
+	public TestAccess() {
+		symm = Symm.obtain(this);
+	}
+	
+	public TestAccess(Symm symmetric) {
+		symm = symmetric;
+	}
+
+	public void log(Level level, Object... elements) {
+		boolean first = true;
+		for(int i=0;i<elements.length;++i) {
+			if(first)first = false;
+			else System.out.print(' ');
+			System.out.print(elements[i].toString());
+		}
+		System.out.println();
+	}
+
+	public void log(Exception e, Object... elements) {
+		e.printStackTrace();
+		log(Level.ERROR,elements);
+	}
+
+	public void setLogLevel(Level level) {
+		
+	}
+
+	public ClassLoader classLoader() {
+		return ClassLoader.getSystemClassLoader();
+	}
+
+	public String getProperty(String string, String def) {
+		String rv = System.getProperty(string);
+		return rv==null?def:rv;
+	}
+
+	public void load(InputStream is) throws IOException {
+		
+	}
+
+	public String decrypt(String encrypted, boolean anytext) throws IOException {
+		return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC)))
+			? symm.depass(encrypted)
+			: encrypted;
+	}
+
+	@Override
+	public boolean willLog(Level level) {
+		return true;
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object[] elements) {
+		// TODO Auto-generated method stub
+		
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Base64.java b/core/src/test/java/com/att/cadi/test/JU_Base64.java
new file mode 100644
index 0000000..fdafb84
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_Base64.java
@@ -0,0 +1,158 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.SecureRandom;
+import org.junit.Test;
+
+import com.att.cadi.Symm;
+import com.att.cadi.config.Config;
+
+
+public class JU_Base64 {
+	private static final String encoding = "Man is distinguished, not only by his reason, but by this singular " +
+			"passion from other animals, which is a lust of the mind, that by a " + 
+			"perseverance of delight in the continued and indefatigable generation of " + 
+			"knowledge, exceeds the short vehemence of any carnal pleasure.";
+		 
+	private static final String expected = 
+			"TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz\n" + 
+			"IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg\n" + 
+			"dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu\n" +
+			"dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo\n" +
+			"ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=";
+
+
+	@Test
+	public void test() throws Exception {
+		// Test with different Padding
+		encode("leas",    "bGVhcw==");
+		encode("leasu",   "bGVhc3U=");
+		encode("leasur",  "bGVhc3Vy");
+		encode("leasure", "bGVhc3VyZQ==");
+		encode("leasure.","bGVhc3VyZS4=");
+
+		// Test with line ends
+		encode(encoding, expected);
+		
+		int ITER = 2000;
+		System.out.println("Priming by Encoding Base64 " + ITER + " times");
+		long start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.encode(encoding);
+		}
+		Float ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+		
+		System.out.println("Priming by Decoding Base64 " + ITER + " times");
+		start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.decode(expected);
+		}
+		ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+
+		
+		ITER=30000;
+		System.out.println("Encoding Base64 " + ITER + " times");
+		start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.encode(encoding);
+		}
+		ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+		
+		System.out.println("Decoding Base64 " + ITER + " times");
+		start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.decode(expected);
+		}
+		ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+	}
+	
+	@Test
+	public void symmetric() throws IOException {
+		System.out.println("Validating Generated Key mechanisms works");
+		String symmetric = new String(Symm.base64.keygen());
+		System.out.println(symmetric);
+		Symm bsym = Symm.obtain(symmetric);
+		String result = bsym.encode(encoding);
+		System.out.println("\nResult:");
+		System.out.println(result);
+		assertEquals(encoding, bsym.decode(result));
+		
+		int ITER = 20000;
+		System.out.println("Generating keys " + ITER + " times");
+		long start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.keygen();
+		}
+		Float ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+
+		char[] manipulate = symmetric.toCharArray();
+		int spot = new SecureRandom().nextInt(manipulate.length);
+		manipulate[spot]|=0xFF;
+		String newsymmetric = new String(manipulate);
+		assertNotSame(newsymmetric, symmetric);
+		try {
+			bsym = Symm.obtain(newsymmetric);
+			result = bsym.decode(result);
+			assertEquals(encoding, result);
+		} catch (IOException e) {
+			// this is what we want to see if key wrong
+			System.out.println(e.getMessage() + " (as expected)");
+		}
+	}
+
+	private void encode(String toEncode, String expected) throws IOException {
+		System.out.println("-------------------------------------------------");
+		System.out.println(toEncode);
+		System.out.println();
+		System.out.println(expected);
+		System.out.println();
+		String result = Symm.base64.encode(toEncode);
+		System.out.println(result);
+		assertEquals(expected,result);
+		
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		Symm.base64.decode(new ByteArrayInputStream(result.getBytes()), baos);
+		result = baos.toString(Config.UTF_8);
+		System.out.println(result);
+		assertEquals(toEncode,result);
+		
+	}
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java b/core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java
new file mode 100644
index 0000000..c30d944
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java
@@ -0,0 +1,192 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.io.ByteArrayInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import org.junit.Test;
+
+import com.att.cadi.BufferedServletInputStream;
+
+public class JU_BufferedServletInputStream {
+
+	@Test
+	public void testByteRead() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+			try {
+			bsis.mark(0);
+			int c;
+			byte aa[] = new byte[260];
+			for(int i=0;i<aa.length;++i) {
+				c = bsis.read();
+				if(c>=0) {
+					aa[i]=(byte)c;
+				}
+			}
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[400];
+			for(int i=0;i<bb.length;++i) {
+				c = bsis.read();
+				if(c>=0) {
+					bb[i]=(byte)c;
+				}
+			}
+			System.out.println(new String(bb));
+
+		} finally {
+			bsis.close();
+			fis.close();
+		}
+	}
+	
+	@Test
+	public void testByteArray() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+		try {
+			bsis.mark(0);
+			byte aa[] = new byte[260];
+			bsis.read(aa);
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[400];
+			bsis.read(bb);
+			System.out.println(new String(bb));
+
+		} finally {
+			bsis.close();
+			fis.close();
+		}
+	}
+
+	@Test
+	public void testDoubleRead() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+		try {
+			bsis.mark(0);
+			byte aa[] = new byte[260];
+			bsis.read(aa);
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[400];
+			bsis.read(bb);
+			System.out.println(new String(bb));
+
+		} finally {
+			bsis.close();
+			fis.close();
+		}
+	}
+
+	@Test
+	public void testByteArray2() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		try {
+			BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+			byte[] content = null;
+			byte aa[] = new byte[500];
+			for(int i=0;i<2000;++i) {
+				bsis.mark(0);
+				bsis.read(aa,0,260);
+				if(i==0)System.out.println(new String(aa));
+				
+				bsis.reset();
+	
+				bsis.read(aa,0,aa.length);
+				if(i==0) {
+					System.out.println(new String(aa));
+					content = aa;
+					aa = new byte[400];
+				}
+				bsis = new BufferedServletInputStream(new ByteArrayInputStream(content));
+				
+			}
+			
+			System.out.println(new String(aa));
+
+		} finally {
+			fis.close();
+		}
+	}
+
+	// "Bug" 4/22/2013 
+	// Some XML code expects Buffered InputStream can never return 0...  This isn't actually true, but we'll accommodate as far
+	// as we can. 
+	// Here, we make sure we set and read the Buffered data, making sure the buffer is empty on the last test...
+	@Test
+	public void issue04_22_2013() throws IOException {
+		String testString = "We want to read in and get out with a Buffered Stream seamlessly.";
+		ByteArrayInputStream bais = new ByteArrayInputStream(testString.getBytes());
+		BufferedServletInputStream bsis = new BufferedServletInputStream(bais);
+			try {
+			bsis.mark(0);
+			byte aa[] = new byte[testString.length()];  // 65 count... important for our test (divisible by 5);
+
+			int read;
+			for(int i=0;i<aa.length;i+=5) {
+				read = bsis.read(aa, i, 5);
+				assertEquals(5,read);
+			}
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[aa.length];
+			read = 0;
+			for(int i=0;read>=0;i+=read) {
+				read = bsis.read(bb,i,5);
+				switch(i) {
+					case 65:
+						assertEquals(read,-1);
+						break;
+					default:
+						assertEquals(read,5);
+				}
+			}
+			System.out.println(new String(bb));
+			assertEquals(testString,new String(aa));
+			assertEquals(testString,new String(bb));
+
+		} finally {
+			bsis.close();
+			bais.close();
+		}
+		
+	}
+	
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Capacitor.java b/core/src/test/java/com/att/cadi/test/JU_Capacitor.java
new file mode 100644
index 0000000..c3f6d77
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_Capacitor.java
@@ -0,0 +1,145 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import static junit.framework.Assert.assertEquals;
+
+import org.junit.Test;
+
+import com.att.cadi.Capacitor;
+
+public class JU_Capacitor {
+	@Test
+	public void testA() {
+		Capacitor cap = new Capacitor();
+		
+		for(int iter=0;iter<200;++iter) {
+			for(int i=0;i<20;++i) {
+				cap.put((byte)('a'+i));
+			}
+			cap.setForRead();
+			byte[] array = new byte[20];
+			for(int i=0;i<20;++i) {
+				array[i]=(byte)cap.read();
+			}
+			assertEquals("abcdefghijklmnopqrst",new String(array));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	public final static String TEST_DATA = 
+			"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
+			"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" +
+			"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc" +
+			"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd" +
+			"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" +
+			"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";
+	@Test
+	public void testB() {
+		Capacitor cap = new Capacitor();
+		byte[] arrayA = TEST_DATA.getBytes();
+		System.out.println(arrayA.length);
+		for(int iter=0;iter<200;++iter) {
+			for(int i=0;i<arrayA.length;++i) {
+				cap.put(arrayA[i]);
+			}
+			cap.setForRead();
+			assertEquals(TEST_DATA.length(),cap.available());
+			byte[] arrayB = new byte[arrayA.length];
+			for(int i=0;i<arrayB.length;++i) {
+				arrayB[i]=(byte)cap.read();
+			}
+			assertEquals(TEST_DATA,new String(arrayB));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	@Test
+	public void testC() {
+		Capacitor cap = new Capacitor();
+		byte[] arrayA = TEST_DATA.getBytes();
+		System.out.println(arrayA.length);
+		for(int iter=0;iter<200;++iter) {
+			cap.put(arrayA,0,arrayA.length);
+			cap.setForRead();
+			assertEquals(TEST_DATA.length(),cap.available());
+			byte[] arrayB = new byte[arrayA.length];
+			assertEquals(arrayA.length,cap.read(arrayB,0,arrayB.length));
+			assertEquals(TEST_DATA,new String(arrayB));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	
+	@Test
+	public void testD() {
+		StringBuffer sb = new StringBuffer();
+		for(int i=0;i<300;++i) {
+			sb.append(TEST_DATA);
+			sb.append("###FILLER##");
+		}
+		String td = sb.toString();
+		Capacitor cap = new Capacitor();
+		byte[] arrayA = td.getBytes();
+		System.out.println(arrayA.length);
+		for(int iter=0;iter<200;++iter) {
+			cap.put(arrayA,0,arrayA.length);
+			cap.setForRead();
+			assertEquals(td.length(),cap.available());
+			byte[] arrayB = new byte[arrayA.length];
+			assertEquals(arrayA.length,cap.read(arrayB,0,arrayB.length));
+			assertEquals(td,new String(arrayB));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	@Test
+	public void testE() {
+		Capacitor cap = new Capacitor();
+		
+		String b = "This is some content that we want to read";
+		byte[] a = b.getBytes();
+		byte[] c = new byte[b.length()]; // we want to use this to test reading offsets, etc
+
+		for(int i=0;i<a.length;i+=11) {
+			cap.put(a, i, Math.min(11,a.length-i));
+		}
+		cap.reset();
+		int read;
+		for(int i=0;i<c.length;i+=read) {
+			read = cap.read(c, i, Math.min(3,c.length-i));
+			if(read<0) break;
+		}
+		
+		assertEquals(b, new String(c));
+		
+		
+	}
+	
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Hash.java b/core/src/test/java/com/att/cadi/test/JU_Hash.java
new file mode 100644
index 0000000..85e4209
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_Hash.java
@@ -0,0 +1,62 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import org.junit.Test;
+
+import com.att.cadi.CadiException;
+import com.att.cadi.Hash;
+
+import junit.framework.Assert;
+
+public class JU_Hash {
+
+	@Test
+	public void test() throws CadiException {
+		String init = "m82347@csp.att.com:kumquat8rie@#Tomatos3";
+		String hashed = Hash.toHex(init.getBytes());
+		System.out.println(hashed);
+		byte[] ba = Hash.fromHex(hashed);
+		String recon = new String(ba);
+		System.out.println(recon);
+		Assert.assertEquals(init, recon);
+		
+		init =hashed.substring(1);
+		try {
+			hashed = Hash.fromHex(init).toString();
+			Assert.fail("Should have thrown Exception");
+		} catch (CadiException e) {
+			
+		}
+		
+		init = hashed.replace('1', '~');
+		try {
+			hashed = Hash.fromHex(init).toString();
+			Assert.fail("Should have thrown Exception");
+		} catch (CadiException e) {
+			
+		}
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Passcode.java b/core/src/test/java/com/att/cadi/test/JU_Passcode.java
new file mode 100644
index 0000000..68c7dc8
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_Passcode.java
@@ -0,0 +1,91 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+
+import org.junit.Test;
+
+import com.att.cadi.CmdLine;
+import com.att.cadi.Symm;
+
+import junit.framework.Assert;
+
+public class JU_Passcode {
+	@Test
+	public void test() throws Exception {
+		int iterations = 0;
+		long start = System.nanoTime();
+		int gens= 800, en_de=2000;
+		for(int j=0;j<gens;++j) {
+			CmdLine.main(new String[] {"keygen","tempkey"});
+			
+			Symm symm;
+			File fi = new File("tempkey");
+			Assert.assertEquals(2074, fi.length());
+			FileInputStream fis = new FileInputStream(fi);
+			
+			try {
+				symm = Symm.obtain(fis);
+			} finally {
+				fis.close();
+			}
+			String samples[] = {"activevos","ThisIsATestPassword","I have spaces","I have 's, /s and &s and _s"};
+			ByteArrayOutputStream baos;
+			for(int i=0;i<en_de;++i) {
+				String password = samples[i%samples.length];
+				baos = new ByteArrayOutputStream();
+				symm.enpass(password, baos);
+				String pass = baos.toString();
+				byte[] array = baos.toByteArray();
+				for(int k=0;k<array.length;++k) {
+					byte ch = array[k];
+//				for(int k=0;k<pass.length();++k) {
+//					char ch = pass.charAt(k);
+					if(!(Character.isLetter(ch) || Character.isDigit(ch) || ch=='-' || ch=='_' || ch=='=')) {
+						throw new Exception("Yikes, have a bad character..." + ch + '(' + (int)ch + ')');
+					}
+				}
+				baos = new ByteArrayOutputStream();
+				symm.depass(pass, baos);
+				Assert.assertEquals(password,baos.toString());
+				Assert.assertEquals(password,symm.depass(pass));
+				++iterations;
+			}
+			symm.enpass("activevos", System.out);
+			System.out.println();
+		}
+		float ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Ran " + iterations + " Encrypt/Decrypt cycles + " + gens + " keygens");
+
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/iterations + "ms");
+		System.out.println("Avg Gen + " + en_de + " Encrypt/Decrypt cycles:  " + ms/gens + "ms");
+
+
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_UserChainManip.java b/core/src/test/java/com/att/cadi/test/JU_UserChainManip.java
new file mode 100644
index 0000000..40b9266
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_UserChainManip.java
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+
+import com.att.cadi.util.UserChainManip;
+
+public class JU_UserChainManip {
+
+	@Test
+	public void test() {
+		assertEquals("",UserChainManip.idToNS(null));
+		assertEquals("",UserChainManip.idToNS(""));
+		assertEquals("",UserChainManip.idToNS("something"));
+		assertEquals("",UserChainManip.idToNS("something@@"));
+		assertEquals("",UserChainManip.idToNS("something@@."));
+		assertEquals("com",UserChainManip.idToNS("something@com"));
+		assertEquals("com.random",UserChainManip.idToNS("something@random.com"));
+		assertEquals("com.random",UserChainManip.idToNS("@random.com"));
+		assertEquals("com.random",UserChainManip.idToNS("something@random.com."));
+		assertEquals("com.random",UserChainManip.idToNS("something@..random...com..."));
+		assertEquals("com.random.this",UserChainManip.idToNS("something@this.random.com"));
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Vars.java b/core/src/test/java/com/att/cadi/test/JU_Vars.java
new file mode 100644
index 0000000..daf2c0f
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/JU_Vars.java
@@ -0,0 +1,127 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.AfterClass;
+import org.junit.Test;
+
+import com.att.cadi.util.Vars;
+
+public class JU_Vars {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void test() {
+		StringBuilder holder = new StringBuilder();
+		String str,bstr;
+		assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "a","b"));
+		assertEquals("set a to b",holder.toString());
+		assertEquals(str,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "a","b"));
+		assertEquals("set a to b",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "a","b"));
+		
+		holder.setLength(0);
+		assertEquals(str = "%1=%2",Vars.convert(holder,str, "a","b"));
+		assertEquals("a=b",holder.toString());
+		assertEquals(str,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="%s=%s", "a","b"));
+		assertEquals("a=b",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "a","b"));
+		
+		holder.setLength(0);
+		assertEquals(str = "%1%2",Vars.convert(holder,str, "a","b"));
+		assertEquals("ab",holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="%s%s", "a","b"));
+		assertEquals("ab",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
+
+
+		holder.setLength(0);
+		assertEquals(str = " %1=%2 ",Vars.convert(holder,str, "a","b"));
+		assertEquals(" a=b ",holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr = " %s=%s ", "a","b"));
+		assertEquals(" a=b ",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
+
+		holder.setLength(0);
+		assertEquals(str = " %1%2%10 ",Vars.convert(holder,str, "a","b","c","d","e","f","g","h","i","j"));
+		assertEquals(" abj ",holder.toString());
+		assertEquals(str,Vars.convert(null,str, "a","b","c","d","e","f","g","h","i","j"));
+		holder.setLength(0);
+		assertEquals(str=" %1%2%3 ",Vars.convert(holder,bstr = " %s%s%s ", "a","b","c","d","e","f","g","h","i","j"));
+		assertEquals(" abc ",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "a","b","c","d","e","f","g","h","i","j"));
+		
+
+		holder.setLength(0);
+		assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "Something much","larger"));
+		assertEquals("set Something much to larger",holder.toString());
+		assertEquals(str,Vars.convert(null,str,"Something much","larger"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "Something much","larger"));
+		assertEquals("set Something much to larger",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "Something much","larger"));
+
+		holder.setLength(0);
+		assertEquals(str = "Text without Vars",Vars.convert(holder,str));
+		assertEquals(str,holder.toString());
+		assertEquals(str = "Text without Vars",Vars.convert(null,str));
+	
+		
+		holder.setLength(0);
+		assertEquals(str = "Not %1 Enough %2 Vars %3",Vars.convert(holder,str, "a","b"));
+		assertEquals("Not a Enough b Vars ",holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="Not %s Enough %s Vars %s", "a","b"));
+		assertEquals("Not a Enough b Vars ",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
+
+		holder.setLength(0);
+		assertEquals(str = "!@#$%^*()-+?/,:;.",Vars.convert(holder,str, "a","b"));
+		assertEquals(str,holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+
+		holder.setLength(0);
+		bstr = "%s !@#$%^*()-+?/,:;.";
+		str = "%1 !@#$%^*()-+?/,:;.";
+		assertEquals(str,Vars.convert(holder,bstr, "Not Acceptable"));
+		assertEquals("Not Acceptable !@#$%^*()-+?/,:;.",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "Not Acceptable"));
+
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/test/Test.java b/core/src/test/java/com/att/cadi/test/Test.java
new file mode 100644
index 0000000..53729b4
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/test/Test.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.test;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+/**
+ * A Class to run on command line to determine suitability of environment for certain TAFs.
+ * 
+ * For instance, CSP supports services only in certain domains, and while dynamic host
+ * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and
+ * invalid) for CSP because of multiple NetworkInterfaces, etc
+ * 
+ *
+ */
+public class Test {
+
+	/**
+	 * @param args
+	 */
+	public static void main(String[] args) {
+		try {
+			System.out.println("CADI/TAF test");
+			
+			String hostName = InetAddress.getLocalHost().getCanonicalHostName();
+			
+			System.out.println("  Your automatic hostname is reported as \"" + hostName + "\"\n");
+			String[] two;
+
+			for(String str : args) {
+				two = str.split("=");
+				if(two.length==2) {
+					if("hostname".equals(two[0])) {
+						hostName = two[1];
+						System.out.println("  You have overlaid the automatic hostname with \"" + hostName + "\"\n");
+					}
+				}
+			}
+			if(hostName.endsWith("vpn.cingular.net"))
+				System.out.println("  This service appears to be an AT&T VPN address. These VPNs are typically\n" +
+						"    (and appropriately) firewalled against incoming traffic, and likely cannot be accessed.\n" +
+						"    For best results, choose a machine that is not firewalled on the ports you choose.\n");
+			
+		} catch (UnknownHostException e) {
+			e.printStackTrace();
+		}
+
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java b/core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java
new file mode 100644
index 0000000..a262780
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java
@@ -0,0 +1,192 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNotNull;
+import static junit.framework.Assert.assertNull;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+
+import javax.xml.stream.XMLStreamException;
+
+import org.junit.Test;
+
+import com.att.cadi.BasicCred;
+import com.att.cadi.BufferedServletInputStream;
+import com.att.cadi.wsse.WSSEParser;
+
+public class JU_WSSE_Read {
+
+	@Test
+	public void test() {
+		try {
+			final BasicCred bc = new BasicCred() {
+
+				private String user;
+				private byte[] password;
+
+				public void setUser(String user) {
+					this.user = user;
+				}
+
+				public void setCred(byte[] passwd) {
+					this.password = passwd;
+				}
+
+				public String getUser() {
+					return user;
+				}
+
+				public byte[] getCred() {
+					return password;
+				}
+			};
+
+			WSSEParser wp = new WSSEParser();
+
+			FileInputStream fis;
+			fis = new FileInputStream("test/example.xml");
+			BufferedServletInputStream is = new BufferedServletInputStream(fis);
+			try {
+				is.mark(1536);
+				try {
+					assertNull(wp.parse(bc, is));
+				} finally {
+					is.reset();
+					assertEquals(814,is.buffered());
+				}
+				String password = new String(bc.getCred());
+				System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password);
+				assertEquals("some_user", bc.getUser());
+				assertEquals("some_password", password);
+				
+			} finally {
+				fis.close();
+			}
+
+			// CBUS (larger)
+			fis = new FileInputStream("test/CBUSevent.xml");
+			is = new BufferedServletInputStream(fis);
+			try {
+				is.mark(1536);
+				try {
+					assertNull(wp.parse(bc, is));
+				} finally {
+					is.reset();
+					assertEquals(667,is.buffered());
+				}
+				String password = new String(bc.getCred());
+				System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password);
+				assertEquals("none", bc.getUser());
+				assertEquals("none", password);
+				
+			} finally {
+				fis.close();
+			}
+
+			// Closed Stream
+			fis = new FileInputStream("test/example.xml");
+			fis.close();
+			bc.setCred(null);
+			bc.setUser(null);
+			XMLStreamException ex = wp.parse(bc, fis);
+			assertNotNull(ex);
+			assertNull(bc.getUser());
+			assertNull(bc.getCred());
+
+
+			fis = new FileInputStream("test/exampleNoSecurity.xml");
+			try {
+				bc.setCred(null);
+				bc.setUser(null);
+				assertNull(wp.parse(bc, fis));
+				assertNull(bc.getUser());
+				assertNull(bc.getCred());
+			} finally {
+				fis.close();
+			}
+
+			fis = new FileInputStream("test/exampleBad1.xml");
+			try {
+				bc.setCred(null);
+				bc.setUser(null);
+				assertNull(wp.parse(bc, fis));
+				assertNull(bc.getUser());
+				assertNull(bc.getCred());
+			} finally {
+				fis.close();
+			}
+
+			XMLStreamException e = wp.parse(bc, new ByteArrayInputStream("Not XML".getBytes())); // empty
+			assertNotNull(e);
+
+			e = wp.parse(bc, new ByteArrayInputStream("".getBytes())); // empty
+			assertNotNull(e);
+			
+			
+			long start, count = 0L;
+			int iter = 30000;
+			File f = new File("test/CBUSevent.xml");
+			fis = new FileInputStream(f);
+			is = new BufferedServletInputStream(fis);
+			is.mark(0);
+			try {
+				while(is.read()>=0);
+			} finally {
+				fis.close();
+			}
+
+			for(int i=0;i<iter;++i) {
+				start = System.nanoTime();
+				is.reset();
+				try {
+					assertNull(wp.parse(bc, is));
+				} finally {
+					count += System.nanoTime()-start;
+				}
+			}
+			float ms = count/1000000f;
+			System.out.println("Executed " + iter + " WSSE reads from Memory Stream in " + ms + "ms.  " + ms/iter + "ms per trans");
+			
+			// SPECIFIC ISSUES
+			
+			fis = new FileInputStream("test/error2013_04_23.xml");
+			try {
+				bc.setCred(null);
+				bc.setUser(null);
+				assertNull(wp.parse(bc, fis));
+				assertNull(bc.getUser());
+				assertNull(bc.getCred());
+			} finally {
+				fis.close();
+			}
+		} catch(Exception e) {
+			e.printStackTrace(System.err);
+		}
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java b/core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java
new file mode 100644
index 0000000..7f38d94
--- /dev/null
+++ b/core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java
@@ -0,0 +1,67 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aai
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * Copyright © 2017 Amdocs
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package com.att.cadi.wsse.test;
+
+import java.io.FileInputStream;
+
+import javax.xml.stream.events.XMLEvent;
+
+import org.junit.Test;
+
+import com.att.cadi.wsse.XEvent;
+import com.att.cadi.wsse.XReader;
+
+public class JU_XReader {
+	@Test
+	public void test() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		try {
+			XReader xr = new XReader(fis);
+			while(xr.hasNext()) {
+				XEvent xe = xr.nextEvent();
+				switch(xe.getEventType()) {
+					case XMLEvent.START_DOCUMENT:
+						System.out.println("Start Document");
+						break;
+					case XMLEvent.START_ELEMENT:
+						System.out.println("Start Event: " + xe.asStartElement().getName());
+						break;
+					case XMLEvent.END_ELEMENT:
+						System.out.println("End Event: " + xe.asEndElement().getName());
+						break;
+					case XMLEvent.CHARACTERS:
+						System.out.println("Characters: " + xe.asCharacters().getData());
+						break;
+					case XMLEvent.COMMENT:
+						System.out.println("Comment: " + ((XEvent.Comment)xe).value);
+						break;
+				}
+			}
+		} finally {
+			fis.close();
+		}
+		
+	}
+
+}
-- 
cgit 1.2.3-korg