From 62c4eb45e157d502463d797c1353802ca8e1e307 Mon Sep 17 00:00:00 2001
From: sg481n <sg481n@att.com>
Date: Fri, 25 Aug 2017 01:57:24 -0400
Subject: Update project structure for aaf/cadi

Update project structure from com.att to org.onap
and add distribution management and staging plugin.

Issue-id: AAF-22
Change-Id: Idf2b591139e38921ad28782a51486714a05dee92
Signed-off-by: sg481n <sg481n@att.com>
---
 core/pom.xml                                       |  80 +-
 core/src/main/java/com/att/cadi/AES.java           | 127 ----
 .../main/java/com/att/cadi/AbsCachedPrincipal.java |  33 -
 core/src/main/java/com/att/cadi/AbsUserCache.java  | 408 -----------
 core/src/main/java/com/att/cadi/Access.java        | 172 -----
 core/src/main/java/com/att/cadi/BasicCred.java     |  36 -
 .../main/java/com/att/cadi/BufferedCadiWrap.java   |  80 --
 .../com/att/cadi/BufferedServletInputStream.java   | 214 ------
 .../main/java/com/att/cadi/CachedPrincipal.java    |  47 --
 core/src/main/java/com/att/cadi/CachingLur.java    |  35 -
 core/src/main/java/com/att/cadi/CadiException.java |  50 --
 core/src/main/java/com/att/cadi/CadiWrap.java      | 193 -----
 core/src/main/java/com/att/cadi/Capacitor.java     | 240 ------
 core/src/main/java/com/att/cadi/CmdLine.java       | 356 ---------
 core/src/main/java/com/att/cadi/Connector.java     |  27 -
 core/src/main/java/com/att/cadi/CredVal.java       |  42 --
 core/src/main/java/com/att/cadi/GetCred.java       |  27 -
 core/src/main/java/com/att/cadi/Hash.java          | 202 -----
 core/src/main/java/com/att/cadi/Locator.java       |  36 -
 .../main/java/com/att/cadi/LocatorException.java   |  47 --
 core/src/main/java/com/att/cadi/Lur.java           |  94 ---
 core/src/main/java/com/att/cadi/Permission.java    |  29 -
 core/src/main/java/com/att/cadi/PropAccess.java    | 320 --------
 core/src/main/java/com/att/cadi/Revalidator.java   |  35 -
 core/src/main/java/com/att/cadi/SLF4JAccess.java   | 100 ---
 .../src/main/java/com/att/cadi/SecuritySetter.java |  44 --
 .../java/com/att/cadi/ServletContextAccess.java    |  69 --
 core/src/main/java/com/att/cadi/StrLur.java        |  56 --
 core/src/main/java/com/att/cadi/Symm.java          | 811 --------------------
 core/src/main/java/com/att/cadi/Taf.java           |  57 --
 core/src/main/java/com/att/cadi/Transmutate.java   |  45 --
 core/src/main/java/com/att/cadi/TrustChecker.java  |  53 --
 core/src/main/java/com/att/cadi/User.java          | 144 ----
 core/src/main/java/com/att/cadi/UserChain.java     |  43 --
 core/src/main/java/com/att/cadi/config/Config.java | 814 --------------------
 core/src/main/java/com/att/cadi/config/Get.java    |  97 ---
 .../main/java/com/att/cadi/config/GetAccess.java   |  63 --
 .../main/java/com/att/cadi/config/MultiGet.java    |  43 --
 .../java/com/att/cadi/config/SecurityInfo.java     | 243 ------
 .../java/com/att/cadi/config/SecurityInfoC.java    |  44 --
 .../main/java/com/att/cadi/config/UsersDump.java   | 158 ----
 core/src/main/java/com/att/cadi/filter/AUTHZ.java  |  37 -
 .../java/com/att/cadi/filter/AUTHZServlet.java     | 100 ---
 .../java/com/att/cadi/filter/AccessGetter.java     |  37 -
 .../main/java/com/att/cadi/filter/CadiAccess.java  | 243 ------
 .../main/java/com/att/cadi/filter/CadiFilter.java  | 305 --------
 .../java/com/att/cadi/filter/CadiHTTPManip.java    | 227 ------
 core/src/main/java/com/att/cadi/filter/FCGet.java  |  77 --
 .../java/com/att/cadi/filter/MapPermConverter.java |  55 --
 .../com/att/cadi/filter/NullPermConverter.java     |  43 --
 .../main/java/com/att/cadi/filter/PathFilter.java  | 183 -----
 .../java/com/att/cadi/filter/PermConverter.java    |  32 -
 .../java/com/att/cadi/filter/RolesAllowed.java     |  55 --
 .../main/java/com/att/cadi/filter/ServletImpl.java |  55 --
 .../java/com/att/cadi/lur/ConfigPrincipal.java     |  70 --
 core/src/main/java/com/att/cadi/lur/EpiLur.java    | 167 -----
 core/src/main/java/com/att/cadi/lur/LocalLur.java  | 201 -----
 .../java/com/att/cadi/lur/LocalPermission.java     |  51 --
 core/src/main/java/com/att/cadi/lur/NullLur.java   |  88 ---
 .../com/att/cadi/principal/BasicPrincipal.java     | 117 ---
 .../com/att/cadi/principal/BearerPrincipal.java    |  36 -
 .../com/att/cadi/principal/CSPPrincipal_T.java     |  33 -
 .../att/cadi/principal/CachedBasicPrincipal.java   |  65 --
 .../com/att/cadi/principal/TGuardPrincipal.java    |  80 --
 .../com/att/cadi/principal/TGuardPrincipal_T.java  |  33 -
 .../com/att/cadi/principal/TrustPrincipal.java     |  67 --
 .../java/com/att/cadi/principal/X509Principal.java |  92 ---
 .../src/main/java/com/att/cadi/taf/AbsTafResp.java | 116 ---
 core/src/main/java/com/att/cadi/taf/EpiTaf.java    |  84 ---
 .../src/main/java/com/att/cadi/taf/HttpEpiTaf.java | 185 -----
 core/src/main/java/com/att/cadi/taf/HttpTaf.java   |  60 --
 .../java/com/att/cadi/taf/LoginPageTafResp.java    |  87 ---
 core/src/main/java/com/att/cadi/taf/NullTaf.java   |  64 --
 .../main/java/com/att/cadi/taf/NullTafResp.java    |  73 --
 .../main/java/com/att/cadi/taf/PuntTafResp.java    |  71 --
 .../main/java/com/att/cadi/taf/Redirectable.java   |  32 -
 core/src/main/java/com/att/cadi/taf/TafResp.java   |  94 ---
 .../java/com/att/cadi/taf/TrustNotTafResp.java     |  77 --
 .../main/java/com/att/cadi/taf/TrustTafResp.java   |  79 --
 .../java/com/att/cadi/taf/basic/BasicHttpTaf.java  | 159 ----
 .../com/att/cadi/taf/basic/BasicHttpTafResp.java   |  63 --
 .../java/com/att/cadi/taf/cert/CertIdentity.java   |  46 --
 .../com/att/cadi/taf/cert/X509HttpTafResp.java     |  52 --
 .../main/java/com/att/cadi/taf/cert/X509Taf.java   | 257 -------
 .../com/att/cadi/taf/dos/DenialOfServiceTaf.java   | 370 ----------
 .../att/cadi/taf/dos/DenialOfServiceTafResp.java   |  48 --
 .../com/att/cadi/taf/localhost/LocalhostTaf.java   | 130 ----
 .../att/cadi/taf/localhost/LocalhostTafResp.java   |  81 --
 core/src/main/java/com/att/cadi/util/Chmod.java    |  63 --
 .../java/com/att/cadi/util/JsonOutputStream.java   |  90 ---
 .../com/att/cadi/util/MaskFormatException.java     |  32 -
 .../src/main/java/com/att/cadi/util/MyConsole.java |  29 -
 core/src/main/java/com/att/cadi/util/NetMask.java  | 100 ---
 core/src/main/java/com/att/cadi/util/Split.java    |  91 ---
 .../java/com/att/cadi/util/SubStandardConsole.java |  63 --
 .../main/java/com/att/cadi/util/TheConsole.java    |  48 --
 .../java/com/att/cadi/util/UserChainManip.java     |  78 --
 core/src/main/java/com/att/cadi/util/Vars.java     | 121 ---
 core/src/main/java/com/att/cadi/wsse/Action.java   |  37 -
 core/src/main/java/com/att/cadi/wsse/Match.java    | 130 ----
 .../main/java/com/att/cadi/wsse/WSSEParser.java    |  86 ---
 core/src/main/java/com/att/cadi/wsse/XEvent.java   | 135 ----
 core/src/main/java/com/att/cadi/wsse/XReader.java  | 416 -----------
 core/src/main/java/org/onap/aaf/cadi/AES.java      | 127 ++++
 .../java/org/onap/aaf/cadi/AbsCachedPrincipal.java |  33 +
 .../main/java/org/onap/aaf/cadi/AbsUserCache.java  | 408 +++++++++++
 core/src/main/java/org/onap/aaf/cadi/Access.java   | 172 +++++
 .../src/main/java/org/onap/aaf/cadi/BasicCred.java |  36 +
 .../java/org/onap/aaf/cadi/BufferedCadiWrap.java   |  80 ++
 .../onap/aaf/cadi/BufferedServletInputStream.java  | 214 ++++++
 .../java/org/onap/aaf/cadi/CachedPrincipal.java    |  47 ++
 .../main/java/org/onap/aaf/cadi/CachingLur.java    |  35 +
 .../main/java/org/onap/aaf/cadi/CadiException.java |  50 ++
 core/src/main/java/org/onap/aaf/cadi/CadiWrap.java | 193 +++++
 .../src/main/java/org/onap/aaf/cadi/Capacitor.java | 240 ++++++
 core/src/main/java/org/onap/aaf/cadi/CmdLine.java  | 356 +++++++++
 .../src/main/java/org/onap/aaf/cadi/Connector.java |  27 +
 core/src/main/java/org/onap/aaf/cadi/CredVal.java  |  42 ++
 core/src/main/java/org/onap/aaf/cadi/GetCred.java  |  27 +
 core/src/main/java/org/onap/aaf/cadi/Hash.java     | 202 +++++
 core/src/main/java/org/onap/aaf/cadi/Locator.java  |  36 +
 .../java/org/onap/aaf/cadi/LocatorException.java   |  47 ++
 core/src/main/java/org/onap/aaf/cadi/Lur.java      |  94 +++
 .../main/java/org/onap/aaf/cadi/Permission.java    |  29 +
 .../main/java/org/onap/aaf/cadi/PropAccess.java    | 321 ++++++++
 .../main/java/org/onap/aaf/cadi/Revalidator.java   |  35 +
 .../main/java/org/onap/aaf/cadi/SLF4JAccess.java   | 100 +++
 .../java/org/onap/aaf/cadi/SecuritySetter.java     |  44 ++
 .../org/onap/aaf/cadi/ServletContextAccess.java    |  69 ++
 core/src/main/java/org/onap/aaf/cadi/StrLur.java   |  56 ++
 core/src/main/java/org/onap/aaf/cadi/Symm.java     | 811 ++++++++++++++++++++
 core/src/main/java/org/onap/aaf/cadi/Taf.java      |  57 ++
 .../main/java/org/onap/aaf/cadi/Transmutate.java   |  45 ++
 .../main/java/org/onap/aaf/cadi/TrustChecker.java  |  53 ++
 core/src/main/java/org/onap/aaf/cadi/User.java     | 144 ++++
 .../src/main/java/org/onap/aaf/cadi/UserChain.java |  43 ++
 .../main/java/org/onap/aaf/cadi/config/Config.java | 815 +++++++++++++++++++++
 .../main/java/org/onap/aaf/cadi/config/Get.java    |  97 +++
 .../java/org/onap/aaf/cadi/config/GetAccess.java   |  63 ++
 .../java/org/onap/aaf/cadi/config/MultiGet.java    |  43 ++
 .../org/onap/aaf/cadi/config/SecurityInfo.java     | 243 ++++++
 .../org/onap/aaf/cadi/config/SecurityInfoC.java    |  44 ++
 .../java/org/onap/aaf/cadi/config/UsersDump.java   | 158 ++++
 .../main/java/org/onap/aaf/cadi/filter/AUTHZ.java  |  37 +
 .../org/onap/aaf/cadi/filter/AUTHZServlet.java     | 100 +++
 .../org/onap/aaf/cadi/filter/AccessGetter.java     |  37 +
 .../java/org/onap/aaf/cadi/filter/CadiAccess.java  | 243 ++++++
 .../java/org/onap/aaf/cadi/filter/CadiFilter.java  | 305 ++++++++
 .../org/onap/aaf/cadi/filter/CadiHTTPManip.java    | 227 ++++++
 .../main/java/org/onap/aaf/cadi/filter/FCGet.java  |  77 ++
 .../org/onap/aaf/cadi/filter/MapPermConverter.java |  55 ++
 .../onap/aaf/cadi/filter/NullPermConverter.java    |  43 ++
 .../java/org/onap/aaf/cadi/filter/PathFilter.java  | 183 +++++
 .../org/onap/aaf/cadi/filter/PermConverter.java    |  32 +
 .../org/onap/aaf/cadi/filter/RolesAllowed.java     |  55 ++
 .../java/org/onap/aaf/cadi/filter/ServletImpl.java |  55 ++
 .../org/onap/aaf/cadi/lur/ConfigPrincipal.java     |  70 ++
 .../main/java/org/onap/aaf/cadi/lur/EpiLur.java    | 167 +++++
 .../main/java/org/onap/aaf/cadi/lur/LocalLur.java  | 201 +++++
 .../org/onap/aaf/cadi/lur/LocalPermission.java     |  51 ++
 .../main/java/org/onap/aaf/cadi/lur/NullLur.java   |  88 +++
 .../onap/aaf/cadi/principal/BasicPrincipal.java    | 117 +++
 .../onap/aaf/cadi/principal/BearerPrincipal.java   |  36 +
 .../onap/aaf/cadi/principal/CSPPrincipal_T.java    |  33 +
 .../aaf/cadi/principal/CachedBasicPrincipal.java   |  65 ++
 .../onap/aaf/cadi/principal/TGuardPrincipal.java   |  80 ++
 .../onap/aaf/cadi/principal/TGuardPrincipal_T.java |  33 +
 .../onap/aaf/cadi/principal/TrustPrincipal.java    |  67 ++
 .../org/onap/aaf/cadi/principal/X509Principal.java |  92 +++
 .../java/org/onap/aaf/cadi/taf/AbsTafResp.java     | 116 +++
 .../main/java/org/onap/aaf/cadi/taf/EpiTaf.java    |  84 +++
 .../java/org/onap/aaf/cadi/taf/HttpEpiTaf.java     | 185 +++++
 .../main/java/org/onap/aaf/cadi/taf/HttpTaf.java   |  60 ++
 .../org/onap/aaf/cadi/taf/LoginPageTafResp.java    |  87 +++
 .../main/java/org/onap/aaf/cadi/taf/NullTaf.java   |  64 ++
 .../java/org/onap/aaf/cadi/taf/NullTafResp.java    |  73 ++
 .../java/org/onap/aaf/cadi/taf/PuntTafResp.java    |  71 ++
 .../java/org/onap/aaf/cadi/taf/Redirectable.java   |  32 +
 .../main/java/org/onap/aaf/cadi/taf/TafResp.java   |  94 +++
 .../org/onap/aaf/cadi/taf/TrustNotTafResp.java     |  77 ++
 .../java/org/onap/aaf/cadi/taf/TrustTafResp.java   |  79 ++
 .../org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java  | 159 ++++
 .../onap/aaf/cadi/taf/basic/BasicHttpTafResp.java  |  63 ++
 .../org/onap/aaf/cadi/taf/cert/CertIdentity.java   |  46 ++
 .../onap/aaf/cadi/taf/cert/X509HttpTafResp.java    |  52 ++
 .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java   | 257 +++++++
 .../onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java  | 370 ++++++++++
 .../aaf/cadi/taf/dos/DenialOfServiceTafResp.java   |  48 ++
 .../onap/aaf/cadi/taf/localhost/LocalhostTaf.java  | 130 ++++
 .../aaf/cadi/taf/localhost/LocalhostTafResp.java   |  81 ++
 .../main/java/org/onap/aaf/cadi/util/Chmod.java    |  63 ++
 .../org/onap/aaf/cadi/util/JsonOutputStream.java   |  90 +++
 .../onap/aaf/cadi/util/MaskFormatException.java    |  32 +
 .../java/org/onap/aaf/cadi/util/MyConsole.java     |  29 +
 .../main/java/org/onap/aaf/cadi/util/NetMask.java  | 100 +++
 .../main/java/org/onap/aaf/cadi/util/Split.java    |  91 +++
 .../org/onap/aaf/cadi/util/SubStandardConsole.java |  63 ++
 .../java/org/onap/aaf/cadi/util/TheConsole.java    |  48 ++
 .../org/onap/aaf/cadi/util/UserChainManip.java     |  78 ++
 .../src/main/java/org/onap/aaf/cadi/util/Vars.java | 121 +++
 .../main/java/org/onap/aaf/cadi/wsse/Action.java   |  37 +
 .../main/java/org/onap/aaf/cadi/wsse/Match.java    | 130 ++++
 .../java/org/onap/aaf/cadi/wsse/WSSEParser.java    |  86 +++
 .../main/java/org/onap/aaf/cadi/wsse/XEvent.java   | 135 ++++
 .../main/java/org/onap/aaf/cadi/wsse/XReader.java  | 416 +++++++++++
 core/src/test/java/com/att/cadi/JU_AES.java        |  86 ---
 .../java/com/att/cadi/lur/test/JU_LocalLur.java    | 101 ---
 .../java/com/att/cadi/lur/test/TestAccess.java     |  91 ---
 .../src/test/java/com/att/cadi/test/JU_Base64.java | 157 ----
 .../cadi/test/JU_BufferedServletInputStream.java   | 191 -----
 .../test/java/com/att/cadi/test/JU_Capacitor.java  | 144 ----
 core/src/test/java/com/att/cadi/test/JU_Hash.java  |  61 --
 .../test/java/com/att/cadi/test/JU_Passcode.java   |  90 ---
 .../java/com/att/cadi/test/JU_UserChainManip.java  |  48 --
 core/src/test/java/com/att/cadi/test/JU_Vars.java  | 126 ----
 core/src/test/java/com/att/cadi/test/Test.java     |  70 --
 .../java/com/att/cadi/wsse/test/JU_WSSE_Read.java  | 191 -----
 .../java/com/att/cadi/wsse/test/JU_XReader.java    |  66 --
 core/src/test/java/org/onap/aaf/cadi/JU_AES.java   |  88 +++
 .../org/onap/aaf/cadi/lur/test/JU_LocalLur.java    | 100 +++
 .../org/onap/aaf/cadi/lur/test/TestAccess.java     |  91 +++
 .../java/org/onap/aaf/cadi/test/JU_Base64.java     | 156 ++++
 .../cadi/test/JU_BufferedServletInputStream.java   | 190 +++++
 .../java/org/onap/aaf/cadi/test/JU_Capacitor.java  | 143 ++++
 .../test/java/org/onap/aaf/cadi/test/JU_Hash.java  |  60 ++
 .../java/org/onap/aaf/cadi/test/JU_Passcode.java   |  89 +++
 .../org/onap/aaf/cadi/test/JU_UserChainManip.java  |  47 ++
 .../test/java/org/onap/aaf/cadi/test/JU_Vars.java  | 125 ++++
 .../src/test/java/org/onap/aaf/cadi/test/Test.java |  70 ++
 .../org/onap/aaf/cadi/wsse/test/JU_WSSE_Read.java  | 190 +++++
 .../org/onap/aaf/cadi/wsse/test/JU_XReader.java    |  65 ++
 231 files changed, 13511 insertions(+), 13467 deletions(-)
 delete mode 100644 core/src/main/java/com/att/cadi/AES.java
 delete mode 100644 core/src/main/java/com/att/cadi/AbsCachedPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/AbsUserCache.java
 delete mode 100644 core/src/main/java/com/att/cadi/Access.java
 delete mode 100644 core/src/main/java/com/att/cadi/BasicCred.java
 delete mode 100644 core/src/main/java/com/att/cadi/BufferedCadiWrap.java
 delete mode 100644 core/src/main/java/com/att/cadi/BufferedServletInputStream.java
 delete mode 100644 core/src/main/java/com/att/cadi/CachedPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/CachingLur.java
 delete mode 100644 core/src/main/java/com/att/cadi/CadiException.java
 delete mode 100644 core/src/main/java/com/att/cadi/CadiWrap.java
 delete mode 100644 core/src/main/java/com/att/cadi/Capacitor.java
 delete mode 100644 core/src/main/java/com/att/cadi/CmdLine.java
 delete mode 100644 core/src/main/java/com/att/cadi/Connector.java
 delete mode 100644 core/src/main/java/com/att/cadi/CredVal.java
 delete mode 100644 core/src/main/java/com/att/cadi/GetCred.java
 delete mode 100644 core/src/main/java/com/att/cadi/Hash.java
 delete mode 100644 core/src/main/java/com/att/cadi/Locator.java
 delete mode 100644 core/src/main/java/com/att/cadi/LocatorException.java
 delete mode 100644 core/src/main/java/com/att/cadi/Lur.java
 delete mode 100644 core/src/main/java/com/att/cadi/Permission.java
 delete mode 100644 core/src/main/java/com/att/cadi/PropAccess.java
 delete mode 100644 core/src/main/java/com/att/cadi/Revalidator.java
 delete mode 100644 core/src/main/java/com/att/cadi/SLF4JAccess.java
 delete mode 100644 core/src/main/java/com/att/cadi/SecuritySetter.java
 delete mode 100644 core/src/main/java/com/att/cadi/ServletContextAccess.java
 delete mode 100644 core/src/main/java/com/att/cadi/StrLur.java
 delete mode 100644 core/src/main/java/com/att/cadi/Symm.java
 delete mode 100644 core/src/main/java/com/att/cadi/Taf.java
 delete mode 100644 core/src/main/java/com/att/cadi/Transmutate.java
 delete mode 100644 core/src/main/java/com/att/cadi/TrustChecker.java
 delete mode 100644 core/src/main/java/com/att/cadi/User.java
 delete mode 100644 core/src/main/java/com/att/cadi/UserChain.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/Config.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/Get.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/GetAccess.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/MultiGet.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/SecurityInfo.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/SecurityInfoC.java
 delete mode 100644 core/src/main/java/com/att/cadi/config/UsersDump.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/AUTHZ.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/AUTHZServlet.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/AccessGetter.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/CadiAccess.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/CadiFilter.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/FCGet.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/MapPermConverter.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/NullPermConverter.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/PathFilter.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/PermConverter.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/RolesAllowed.java
 delete mode 100644 core/src/main/java/com/att/cadi/filter/ServletImpl.java
 delete mode 100644 core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/lur/EpiLur.java
 delete mode 100644 core/src/main/java/com/att/cadi/lur/LocalLur.java
 delete mode 100644 core/src/main/java/com/att/cadi/lur/LocalPermission.java
 delete mode 100644 core/src/main/java/com/att/cadi/lur/NullLur.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/BasicPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/BearerPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/TrustPrincipal.java
 delete mode 100644 core/src/main/java/com/att/cadi/principal/X509Principal.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/AbsTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/EpiTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/HttpTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/NullTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/NullTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/PuntTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/Redirectable.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/TafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/TrustTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/cert/X509Taf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
 delete mode 100644 core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/Chmod.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/JsonOutputStream.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/MaskFormatException.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/MyConsole.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/NetMask.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/Split.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/SubStandardConsole.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/TheConsole.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/UserChainManip.java
 delete mode 100644 core/src/main/java/com/att/cadi/util/Vars.java
 delete mode 100644 core/src/main/java/com/att/cadi/wsse/Action.java
 delete mode 100644 core/src/main/java/com/att/cadi/wsse/Match.java
 delete mode 100644 core/src/main/java/com/att/cadi/wsse/WSSEParser.java
 delete mode 100644 core/src/main/java/com/att/cadi/wsse/XEvent.java
 delete mode 100644 core/src/main/java/com/att/cadi/wsse/XReader.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/AES.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Access.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/BasicCred.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/BufferedCadiWrap.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/CachedPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/CachingLur.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/CadiException.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Capacitor.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/CmdLine.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Connector.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/CredVal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/GetCred.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Hash.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Locator.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/LocatorException.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Lur.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Permission.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/PropAccess.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Revalidator.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/StrLur.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Symm.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Taf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/Transmutate.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/TrustChecker.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/User.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/UserChain.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/Config.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/Get.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/AUTHZ.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/MaskFormatException.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/MyConsole.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/NetMask.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/Split.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/util/Vars.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/Action.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/Match.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java
 create mode 100644 core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
 delete mode 100644 core/src/test/java/com/att/cadi/JU_AES.java
 delete mode 100644 core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java
 delete mode 100644 core/src/test/java/com/att/cadi/lur/test/TestAccess.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_Base64.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_Capacitor.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_Hash.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_Passcode.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_UserChainManip.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/JU_Vars.java
 delete mode 100644 core/src/test/java/com/att/cadi/test/Test.java
 delete mode 100644 core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java
 delete mode 100644 core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/JU_AES.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/lur/test/TestAccess.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_Passcode.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_UserChainManip.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/JU_Vars.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/test/Test.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_WSSE_Read.java
 create mode 100644 core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_XReader.java

(limited to 'core')

diff --git a/core/pom.xml b/core/pom.xml
index 3cfdeb1..80fb699 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -22,7 +22,7 @@
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<parent>
-		<groupId>com.att.cadi</groupId>
+		<groupId>org.onap.aaf.cadi</groupId>
 		<artifactId>parent</artifactId>
 		<relativePath>..</relativePath>
 		<version>1.0.0-SNAPSHOT</version>
@@ -34,7 +34,15 @@
 	<packaging>jar</packaging>
 	<url>https://github.com/att/AAF</url>
 	<description>CADI</description>
-	
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.cadiVersion>1.0.0-SNAPSHOT</project.cadiVersion>
+        <nexusproxy>https://nexus.onap.org</nexusproxy>
+		<snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath>
+		<releaseNexusPath>/content/repositories/releases/</releaseNexusPath>
+		<stagingNexusPath>/content/repositories/staging/</stagingNexusPath>
+		<sitePath>/content/sites/site/${project.groupId}/${project.artifactId}/${project.version}</sitePath>
+	</properties>
 	<dependencies>
 
 		<dependency>
@@ -112,19 +120,61 @@
 			</execution>
 		      </executions>
 		    </plugin>
-	
-		<plugin>
-			<groupId>org.sonatype.plugins</groupId>
-			<artifactId>nexus-staging-maven-plugin</artifactId>
-			<version>1.6.7</version>
-			<extensions>true</extensions>
-			<configuration>
-			<serverId>ossrhdme</serverId>
-			<nexusUrl>https://oss.sonatype.org/</nexusUrl>
-			<autoReleaseAfterClose>true</autoReleaseAfterClose>
-			</configuration>
-		</plugin>
+  <plugin>
+				<groupId>org.sonatype.plugins</groupId>
+				<artifactId>nexus-staging-maven-plugin</artifactId>
+				<version>1.6.7</version>
+				<extensions>true</extensions>
+				<configuration>
+					<nexusUrl>${nexusproxy}</nexusUrl>
+					<stagingProfileId>176c31dfe190a</stagingProfileId>
+					<serverId>ecomp-staging</serverId>
+				</configuration>
+			</plugin> 
 		</plugins>
 	</build>
-
+	<distributionManagement>
+		<repository>
+			<id>ecomp-releases</id>
+			<name>AAF Release Repository</name>
+			<url>${nexusproxy}${releaseNexusPath}</url>
+		</repository>
+		<snapshotRepository>
+			<id>ecomp-snapshots</id>
+			<name>AAF Snapshot Repository</name>
+			<url>${nexusproxy}${snapshotNexusPath}</url>
+		</snapshotRepository>
+		<site>
+			<id>ecomp-site</id>
+			<url>dav:${nexusproxy}${sitePath}</url>
+		</site>
+	</distributionManagement>
+<pluginRepositories>
+        <pluginRepository>
+            <id>onap-plugin-snapshots</id>
+            <url>https://nexus.onap.org/content/repositories/snapshots/</url>
+        </pluginRepository>
+    </pluginRepositories>
+	
+	<repositories>
+		<repository>
+			<id>central</id>
+			<name>Maven 2 repository 2</name>
+			<url>http://repo2.maven.org/maven2/</url>
+		</repository>
+		<repository>
+            <id>onap-jar-snapshots</id>
+            <url>https://nexus.onap.org/content/repositories/snapshots</url>
+        </repository>
+		<repository>
+			<id>spring-repo</id>
+			<name>Spring repo</name>
+			<url>https://artifacts.alfresco.com/nexus/content/repositories/public/</url>
+		</repository>
+		<repository>
+			<id>repository.jboss.org-public</id>
+			<name>JBoss.org Maven repository</name>
+			<url>https://repository.jboss.org/nexus/content/groups/public</url>
+		</repository>
+	</repositories>
 </project>
diff --git a/core/src/main/java/com/att/cadi/AES.java b/core/src/main/java/com/att/cadi/AES.java
deleted file mode 100644
index 7304932..0000000
--- a/core/src/main/java/com/att/cadi/AES.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.CipherInputStream;
-import javax.crypto.CipherOutputStream;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.KeyGenerator;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
-import com.att.cadi.util.Chmod;
-
-public class AES {
-	public static final String AES = AES.class.getSimpleName();
-	public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs.
-	
-	private Cipher aesCipher;
-	private SecretKeySpec aeskeySpec;
-
-	public AES() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
-		aesCipher = Cipher.getInstance(AES);
-	    aeskeySpec = new SecretKeySpec(newKey().getEncoded(), AES);
-	}
-	
-	public static SecretKey newKey() throws NoSuchAlgorithmException {
-		KeyGenerator kgen = KeyGenerator.getInstance(AES);
-	    kgen.init(AES_KEY_SIZE);
-	    return kgen.generateKey();
-	}
-
-	public AES(File keyfile) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
-		aesCipher = Cipher.getInstance(AES);
-		byte[] aesKey = new byte[AES_KEY_SIZE/8];
-		FileInputStream fis = new FileInputStream(keyfile);
-		try {
-			fis.read(aesKey);
-		} finally {
-			fis.close();
-		}
-		aeskeySpec = new SecretKeySpec(aesKey,AES);
-	}
-
-	public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
-		aesCipher = Cipher.getInstance(AES);
-		aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES);
-	}
-	
-	public byte[] encrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
-		aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
-		return aesCipher.doFinal(in);
-	}
-	
-	public byte[] decrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
-		aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec); 
-		return aesCipher.doFinal(in);
-	}
-	
-	public void save(File keyfile) throws IOException {
-		FileOutputStream fis = new FileOutputStream(keyfile);
-		try {
-			fis.write(aeskeySpec.getEncoded());
-		} finally {
-			fis.close();
-		}
-		Chmod.to400.chmod(keyfile);
-	}
-
-	public CipherOutputStream outputStream(OutputStream os, boolean encrypt) {
-		try {
-			if(encrypt) {
-				aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
-			} else {
-				aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
-			}
-		} catch (InvalidKeyException e) {
-			// KeySpec created earlier... no chance being wrong.
-		} 
-		return new CipherOutputStream(os,aesCipher);
-	}
-	
-	public CipherInputStream inputStream(InputStream is, boolean encrypt) {
-		try {
-			if(encrypt) {
-				aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
-			} else {
-				aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
-			}
-		} catch (InvalidKeyException e) {
-			// KeySpec created earlier... no chance being wrong.
-		} 
-		
-		return new CipherInputStream(is,aesCipher);
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/AbsCachedPrincipal.java b/core/src/main/java/com/att/cadi/AbsCachedPrincipal.java
deleted file mode 100644
index f244d09..0000000
--- a/core/src/main/java/com/att/cadi/AbsCachedPrincipal.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-
-public abstract class AbsCachedPrincipal<TAF> implements CachedPrincipal {
-	protected TAF taf;
-
-	protected AbsCachedPrincipal(TAF taf) {
-		this.taf = taf;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/AbsUserCache.java b/core/src/main/java/com/att/cadi/AbsUserCache.java
deleted file mode 100644
index d374faa..0000000
--- a/core/src/main/java/com/att/cadi/AbsUserCache.java
+++ /dev/null
@@ -1,408 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Timer;
-import java.util.TimerTask;
-import java.util.TreeMap;
-import java.util.concurrent.ConcurrentHashMap;
-
-import com.att.cadi.Access.Level;
-import com.att.cadi.CachedPrincipal.Resp;
-
-/**
- * Implement Fast lookup and Cache for Local User Info
- * 
- * Include ability to add and remove Users
- * 
- * Also includes a Timer Thread (when necessary) to invoke cleanup on expiring Credentials
- * 
- *
- */
-public abstract class AbsUserCache<PERM extends Permission> {
-	static final int MIN_INTERVAL = 15000;
-	static final int MAX_INTERVAL = 1000*60*5; // 5 mins
-	private static Timer timer;
-	// Map of userName to User
-	private final Map<String, User<PERM>> userMap;
-	private final Map<String, Miss> missMap;
-	private Clean clean;
-	protected Access access;
-//	private final static Permission teaser = new LocalPermission("***NoPERM****");
-	
-	protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) {
-		this.access = access;
-		userMap = new ConcurrentHashMap<String, User<PERM>>();
-		missMap = new TreeMap<String,Miss>();
-		if(cleanInterval>0) {
-			cleanInterval = Math.max(MIN_INTERVAL, cleanInterval);
-			synchronized(AbsUserCache.class) { // Lazy instantiate.. in case there is no cleanup needed
-				if(timer==null) {
-					timer = new Timer("CADI Cleanup Timer",true);
-				}
-				
-				timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval);
-				access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount);
-			}
-		}
-	}
-	
-	@SuppressWarnings("unchecked")
-	public AbsUserCache(AbsUserCache<PERM> cache) {
-		this.access = cache.access;
-		userMap = cache.userMap;
-		missMap = cache.missMap;
-		synchronized(AbsUserCache.class) {
-			if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) {
-				cache.clean.lur=(CachingLur<PERM>)this;
-			}
-		}
-	}
-
-	protected void setLur(CachingLur<PERM> lur) {
-		if(clean!=null)clean.lur = lur;
-		
-	}
-	
-	protected void addUser(User<PERM> user) {
-		userMap.put(user.principal.getName(), user);
-	}
-
-	// Useful for looking up by WebToken, etc.
-	protected void addUser(String key, User<PERM> user) {
-		userMap.put(key, user);
-	}
-	
-	/**
-	 * Add miss to missMap.  If Miss exists, or too many tries, returns false.
-	 * 
-	 * otherwise, returns true to allow another attempt.
-	 * 
-	 * @param key
-	 * @param bs
-	 * @return
-	 */
-	protected boolean addMiss(String key, byte[] bs) {
-		Miss miss = missMap.get(key);
-		if(miss==null) {
-			synchronized(missMap) {
-				missMap.put(key, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval));
-			}
-			return true;
-		}
-		return miss.add(bs); 
-	}
-
-	protected Miss missed(String key) {
-		return missMap.get(key);
-	}
-
-	protected User<PERM> getUser(String userName) {
-		User<PERM> u = userMap.get(userName);
-		if(u!=null) {
-			u.incCount();
-		}
-		return u;
-	}
-	
-	protected User<PERM> getUser(Principal principal) {
-		return getUser(principal.getName()); 
-	}
-	
-	/**
-	 * Removes User from the Cache
-	 * @param user
-	 */
-	protected void remove(User<PERM> user) {
-		userMap.remove(user.principal.getName());
-	}
-	
-	/**
-	 * Removes user from the Cache
-	 * 
-	 * @param user
-	 */
-	public void remove(String user) {
-		Object o = userMap.remove(user);
-		if(o!=null) {
-			access.log(Level.INFO, user,"removed from Client Cache by Request");
-		}
-	}
-	
-	/**
-	 * Clear all users from the Client Cache
-	 */
-	public void clearAll() {
-		userMap.clear();
-	}
-	
-	public final List<DumpInfo> dumpInfo() {
-		List<DumpInfo> rv = new ArrayList<DumpInfo>();
-		for(User<PERM> user : userMap.values()) {
-			rv.add(new DumpInfo(user));
-		}
-		return rv;
-	}
-
-	/**
-	 * The default behavior of a LUR is to not handle something exclusively.
-	 */
-	public boolean handlesExclusively(Permission pond) {
-		return false;
-	}
-	
-	/**
-	 * Container calls when cleaning up... 
-	 * 
-	 * If overloading in Derived class, be sure to call "super.destroy()"
-	 */
-	public void destroy() {
-		if(timer!=null) {
-			timer.purge();
-			timer.cancel();
-		}
-	}
-	
-	
-
-	// Simple map of Group name to a set of User Names
-	//	private Map<String, Set<String>> groupMap = new HashMap<String, Set<String>>();
-
-	/**
-	 * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects
-	 */
-	public final class DumpInfo {
-		public String user;
-		public List<String> perms;
-		
-		public DumpInfo(User<PERM> user) {
-			this.user = user.principal.getName();
-			perms = new ArrayList<String>(user.perms.keySet());
-		}
-	}
-	
-	/**
-	 * Clean will examine resources, and remove those that have expired.
-	 * 
-	 * If "highs" have been exceeded, then we'll expire 10% more the next time.  This will adjust after each run
-	 * without checking contents more than once, making a good average "high" in the minimum speed.
-	 * 
-	 *
-	 */
-	private final class Clean extends TimerTask {
-		private final Access access;
-		private CachingLur<PERM> lur;
-		
-		// The idea here is to not be too restrictive on a high, but to Expire more items by 
-		// shortening the time to expire.  This is done by judiciously incrementing "advance"
-		// when the "highs" are exceeded.  This effectively reduces numbers of cached items quickly.
-		private final int high;
-		private long advance;
-		private final long timeInterval;
-		private final int usageTriggerCount;
-		
-		public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) {
-			this.access = access;
-			lur = null;
-			high = highCount;
-			timeInterval = cleanInterval;
-			advance = 0;
-			this.usageTriggerCount=usageTriggerCount;
-		}
-		public void run() {
-			int renewed = 0;
-			int count = 0;
-			int total = 0;
-			try {
-				// look at now.  If we need to expire more by increasing "now" by "advance"
-				ArrayList<User<PERM>> al = new ArrayList<User<PERM>>(userMap.values().size());
-				al.addAll(0, userMap.values());
-				long now = System.currentTimeMillis() + advance;
-				for(User<PERM> user : al) {
-					++total;
-						if(user.count>usageTriggerCount) {
-	//						access.log(Level.AUDIT, "Checking Thread", new Date(now));
-							boolean touched = false, removed=false;
-							if(user.principal instanceof CachedPrincipal) {
-								CachedPrincipal cp = (CachedPrincipal)user.principal;
-								if(cp.expires() < now) {
-									switch(cp.revalidate()) {
-										case INACCESSIBLE:
-											access.log(Level.AUDIT, "AAF Inaccessible.  Keeping credentials");
-											break;
-										case REVALIDATED:
-											user.resetCount();
-			//								access.log(Level.AUDIT, "CACHE revalidated credentials");
-											touched = true;
-											break;
-										default:
-											user.resetCount();
-											remove(user);
-											++count;
-											removed = true;
-											break;
-									}
-								}
-							}
-						
-	//						access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires));
-							if(!removed && lur!=null && user.permExpires<= now ) {
-	//							access.log(Level.AUDIT, "Reloading");
-								if(lur.reload(user).equals(Resp.REVALIDATED)) {
-									user.renewPerm();
-									access.log(Level.DEBUG, "Reloaded Perms for",user);
-									touched = true;
-								}
-							}
-							user.resetCount();
-							if(touched) {
-								++renewed;
-							}
-	
-						} else {
-							if(user.permExpired()) {
-								remove(user);
-								++count;
-							}
-						}
-				}
-				
-				// Clean out Misses
-				int missTotal = missMap.keySet().size();
-				int miss = 0;
-				if(missTotal>0) {
-					ArrayList<String> keys = new ArrayList<String>(missTotal);
-					keys.addAll(missMap.keySet());
-					for(String key : keys) {
-						Miss m = missMap.get(key);
-						if(m!=null && m.timestamp<System.currentTimeMillis()) {
-							synchronized(missMap) {
-								missMap.remove(key);
-							}
-							access.log(Level.INFO, key, "has been removed from Missed Credential Map (" + m.tries + " invalid tries)");
-							++miss;
-						}
-					}
-				}
-				
-				if(count+renewed+miss>0) {
-					access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count,
-						"and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal);
-				}
-	
-				// If High (total) is reached during this period, increase the number of expired services removed for next time.
-				// There's no point doing it again here, as there should have been cleaned items.
-				if(total>high) {
-					// advance cleanup by 10%, without getting greater than timeInterval.
-					advance = Math.min(timeInterval, advance+(timeInterval/10));
-				} else {
-					// reduce advance by 10%, without getting lower than 0.
-					advance = Math.max(0, advance-(timeInterval/10));
-				}
-			} catch (Exception e) {
-				access.log(Level.ERROR,e.getMessage());
-			}
-		}
-	}
-	
-	public static class Miss {
-		private static final int MAX_TRIES = 3;
-
-		long timestamp;
-		byte[][] array;
-
-		private long timetolive;
-
-		private int tries;
-		
-		public Miss(byte[] first, long timeInterval) {
-			array = new byte[MAX_TRIES][];
-			array[0]=first;
-			timestamp = System.currentTimeMillis() + timeInterval;
-			this.timetolive = timeInterval;
-			tries = 1;
-		}
-		
-		public boolean mayContinue(byte[] bs) {
-			if(++tries > MAX_TRIES) return false;
-			for(byte[] a : array) {
-				if(a==null)return true;
-				if(equals(a,bs)) {
-					return false;
-				}
-			}
-			return true;
-		}
-
-		public synchronized boolean add(byte[] bc) {
-			if(++tries>MAX_TRIES)return false;
-			timestamp = System.currentTimeMillis()+timetolive;
-			for(int i=0;i<MAX_TRIES;++i) {
-				if(array[i]==null) {
-					array[i]=bc;
-					return true; // add to array, and allow more tries
-				} else if(equals(array[i],bc)) {
-					return false;
-				}
-			}
-			return false; // no more tries until cache cleared.
-		}
-		
-		private boolean equals(byte[] src, byte[] target) {
-			if(target.length==src.length) {
-				for(int j=0;j<src.length;++j) {
-					if(src[j]!=target[j]) return false;
-				}
-				return true; // same length and same chars
-			}
-			return false;
-		}
-	}
-	
-	/**
-	 * Report on state
-	 */
-	public String toString() {
-		return getClass().getSimpleName() + 
-				" Cache:\n  Users Cached: " +
-				userMap.size() +
-				"\n  Misses Saved: " +
-				missMap.size() +
-				'\n';
-				
-	}
-
-	public void clear(Principal p, StringBuilder sb) {
-		sb.append(toString());
-		userMap.clear();
-		missMap.clear();
-		access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName());
-		sb.append("Now cleared\n");
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/Access.java b/core/src/main/java/com/att/cadi/Access.java
deleted file mode 100644
index 4c238ee..0000000
--- a/core/src/main/java/com/att/cadi/Access.java
+++ /dev/null
@@ -1,172 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-/**
- * Various Environments require different logging mechanisms, or at least allow
- * for different ones. We need the Framework to be able to hook into any particular instance of logging
- * mechanism, whether it be a Logging Object within a Servlet Context, or a direct library like log4j.
- * This interface, therefore, allows maximum pluggability in a variety of different app styles.  
- *  
- *
- */
-public interface Access {
-	// levels to use
-	public enum Level {
-		DEBUG(0x1), INFO(0x10), AUDIT(0x100), WARN(0x2000), ERROR(0x4000), INIT(0x8000),NONE(0XFFFF);
-		private final int bit;
-		
-		Level(int ord) {
-			bit = ord;
-		}
-		
-		public boolean inMask(int mask) {
-			return (mask & bit) == bit;
-		}
-		
-		public int addToMask(int mask) {
-			return mask | bit;
-		}
-
-		public int delFromMask(int mask) {
-			return mask & ~bit;
-		}
-
-		public int toggle(int mask) {
-			if(inMask(mask)) {
-				return delFromMask(mask);
-			} else {
-				return addToMask(mask);
-			}
-		}
-
-
-		public int maskOf() {
-			int mask=0;
-			for(Level l : values()) {
-				if(ordinal()<l.ordinal()) {
-					mask|=l.bit;
-				}
-			}
-			return mask;
-		}
-	}
-
-	/**
-	 * Write a variable list of Object's text via the toString() method with appropriate space, etc.
-	 * @param elements
-	 */
-	public void log(Level level, Object ... elements);
-
-	/**
-	 * Printf mechanism for Access
-	 * @param level
-	 * @param fmt
-	 * @param elements
-	 */
-	public void printf(Level level, String fmt, Object ... elements);
-	
-	/** 
-	 * Check if message will log before constructing
-	 * @param level
-	 * @return
-	 */
-	public boolean willLog(Level level);
-
-	/**
-	 * Write the contents of an exception, followed by a variable list of Object's text via the 
-	 * toString() method with appropriate space, etc.
-	 * 
-	 * The Loglevel is always "ERROR"
-	 * 
-	 * @param elements
-	 */
-	public void log(Exception e, Object ... elements);
-	
-	/**
-	 * Set the Level to compare logging too
-	 */
-	public void setLogLevel(Level level);
-		
-	/**
-	 * It is important in some cases to create a class from within the same Classloader that created
-	 * Security Objects.  Specifically, it's pretty typical for Web Containers to separate classloaders
-	 * so as to allow Apps with different dependencies. 
-	 * @return
-	 */
-	public ClassLoader classLoader();
-
-	public String getProperty(String string, String def);
-	
-	public void load(InputStream is) throws IOException;
-
-	/**
-	 * if "anytext" is true, then decryption will always be attempted.  Otherwise, only if starts with 
-	 * Symm.ENC
-	 * @param encrypted
-	 * @param anytext
-	 * @return
-	 * @throws IOException
-	 */
-	public String decrypt(String encrypted, boolean anytext) throws IOException;
-
-	public static final Access NULL = new Access() {
-		public void log(Level level, Object... elements) {
-		}
-
-		@Override
-		public void printf(Level level, String fmt, Object... elements) {
-		}
-
-		public void log(Exception e, Object... elements) {
-		}
-
-		public ClassLoader classLoader() {
-			return this.classLoader();
-		}
-
-		public String getProperty(String string, String def) {
-			return null;
-		}
-
-		public void load(InputStream is) throws IOException {
-		}
-
-		public void setLogLevel(Level level) {
-		}
-
-		public String decrypt(String encrypted, boolean anytext) throws IOException {
-			return encrypted;
-		}
-
-		@Override
-		public boolean willLog(Level level) {
-			return false;
-		}
-	};
-
-
-}
diff --git a/core/src/main/java/com/att/cadi/BasicCred.java b/core/src/main/java/com/att/cadi/BasicCred.java
deleted file mode 100644
index 6f0aff5..0000000
--- a/core/src/main/java/com/att/cadi/BasicCred.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-/**
- * An Interface for testing on Requests to see if we can get a User and Password
- * It works for CadiWrap, but also, Container Specific Wraps (aka Tomcat) should also
- * implement.
- * 
- *
- */
-public interface BasicCred extends GetCred {
-	public void setUser(String user);
-	public void setCred(byte[] passwd);
-	public String getUser();
-}
diff --git a/core/src/main/java/com/att/cadi/BufferedCadiWrap.java b/core/src/main/java/com/att/cadi/BufferedCadiWrap.java
deleted file mode 100644
index 74dd126..0000000
--- a/core/src/main/java/com/att/cadi/BufferedCadiWrap.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-
-import javax.servlet.http.HttpServletRequest;
-
-/**
- * BufferedCadiWrap exists to additionally wrap the InputStream with a BufferedInputStream to engage the
- * "mark()/release()" API of InputStream.
- * 
- * This is a requirement for Re-Reading Content for brain-dead Middleware such as SOAP WS-Security.
- * 
- * Framework needs to set the TafResp and Lur (typically) later in the 
- * 
- *
- */
-public class BufferedCadiWrap extends CadiWrap {
-	private BufferedServletInputStream sis;
-	
-	public BufferedCadiWrap(HttpServletRequest request) {
-		super(request, null, null); // will need to set TafResp and Lur separately
-		sis = null;
-	}
-
-
-	// @Override
-	public BufferedServletInputStream getInputStream() throws IOException {
-//		System.out.println("getInputStream() from Buffered CadiWrap... sis = " + sis);
-//		try {
-//			throw new Exception("OK, here's where we are...");
-//		} catch (Exception e) {
-//			e.printStackTrace();
-//		}
-		if(sis==null) {
-			sis = new BufferedServletInputStream(super.getInputStream());
-//		} else {
-//			try {
-//			System.out.println("sis has " + sis.buffered() + " buffered bytes, and reports " + sis.available() + " available");
-//			} catch (Exception e) {
-//				e.printStackTrace();
-//			}
-		}
-		return sis;
-	}
-
-	// @Override
-	public BufferedReader getReader() throws IOException {
-//		System.out.println("getReader() from Buffered CadiWrap... sis = " + sis);
-//		try {
-//			throw new Exception("OK, here's where we are...");
-//		} catch (Exception e) {
-//			e.printStackTrace();
-//		}
-		return new BufferedReader(new InputStreamReader(getInputStream()));
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/BufferedServletInputStream.java b/core/src/main/java/com/att/cadi/BufferedServletInputStream.java
deleted file mode 100644
index 10e7b1f..0000000
--- a/core/src/main/java/com/att/cadi/BufferedServletInputStream.java
+++ /dev/null
@@ -1,214 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import javax.servlet.ServletInputStream;
-
-/**
- * BufferedServletInputStream
- * 
- * There are cases in brain-dead middleware (SOAP) where they store routing information in the content.
- * 
- * In HTTP, this requires reading the content from the InputStream which, of course, cannot be re-read.
- * 
- * BufferedInputStream exists to implement the "Mark" protocols for Streaming, which will enable being 
- * re-read.  Unfortunately, J2EE chose to require a "ServletInputStream" as an abstract class, rather than
- * an interface, which requires we create a delegating pattern, rather than the preferred inheriting pattern. 
- * 
- * Unfortunately, the standard "BufferedInputStream" cannot be used, because it simply creates a byte array
- * in the "mark(int)" method of that size.  This is not appropriate for this application, because the Header 
- * can be potentially huge, and if a buffer was allocated to accommodate all possibilities, the cost of memory 
- * allocation would be too large for high performance transactions.
- *
- * 
- *
- */
-public class BufferedServletInputStream extends ServletInputStream {
-	private static final int NONE = 0;
-	private static final int STORE = 1;
-	private static final int READ = 2;
-	
-	private InputStream is;
-	private int state = NONE;
-	private Capacitor capacitor;
-
-	public BufferedServletInputStream(InputStream is) {
-		this.is = is;
-		capacitor = null;
-	}
-
-
-	// @Override
-	public int read() throws IOException {
-		int value=-1;
-		if(capacitor==null) {
-			value=is.read();
-		} else {
-			switch(state) {
-				case STORE:
-					value = is.read();
-					if(value>=0) {
-						capacitor.put((byte)value);
-					}
-					break;
-				case READ:
-					value = capacitor.read();
-					if(value<0) {
-						capacitor.done();
-						capacitor=null; // all done with buffer
-						value = is.read();
-					}
-			}
-		} 
-		return value;
-	}
-
-	// @Override
-	public int read(byte[] b) throws IOException {
-		return read(b,0,b.length);
-	}
-
-
-	// @Override
-	public int read(byte[] b, int off, int len) throws IOException {
-		int count = -1;
-		if(capacitor==null) {
-			count = is.read(b,off,len);
-		} else {
-			switch(state) {
-				case STORE:
-					count = is.read(b, off, len);
-					if(count>0) {
-						capacitor.put(b, off, count);
-					}
-					break;
-				case READ:
-					count = capacitor.read(b, off, len);
-//					System.out.println("Capacitor read " + count);
-					if(count<=0) {
-						capacitor.done();
-						capacitor=null; // all done with buffer
-					}
-					if(count<len) {
-						int temp = is.read(b, count, len-count);
-//						System.out.println("Capacitor done, stream read " + temp);
-						if(temp>0) { // watch for -1
-							count+=temp;
-						} else {
-							if(count<=0)count = temp; // must account for Stream coming back -1  
-						}
-					}
-					break;
-			}
-		}
-//		System.out.println("read reports " + count);
-		return count;
-	}
-
-	// @Override
-	public long skip(long n) throws IOException {
-		long skipped = capacitor.skip(n);
-		if(skipped<n) {
-			skipped += is.skip(n-skipped);
-		}
-		return skipped;
-	}
-
-
-	// @Override
-	public int available() throws IOException {
-		int count = is.available();
-		if(capacitor!=null)count+=capacitor.available();
-		return count;		
-	}
-	
-	/**
-	 * Return just amount buffered (for debugging purposes, mostly)
-	 * @return
-	 */
-	public int buffered() {
-		return capacitor.available();
-	}
-
-
-	// @Override
-	public void close() throws IOException {
-		if(capacitor!=null) {
-			capacitor.done();
-			capacitor=null;
-		}
-		is.close();
-	}
-
-
-	/**
-	 * Note: Readlimit is ignored in this implementation, because the need was for unknown buffer size which wouldn't 
-	 * require allocating and dumping huge chunks of memory every use, or risk overflow.
-	 */
-	// @Override
-	public synchronized void mark(int readlimit) {
-		switch(state) {
-			case NONE:
-				capacitor = new Capacitor();
-				break;
-			case READ:
-				capacitor.done();
-				break;
-			// ignore case STORE:
-		}
-		state = STORE;
-	}
-
-
-	/**
-	 * Reset Stream
-	 * 
-	 * Calling this twice is not supported in typical Stream situations, but it is allowed in this service.  The caveat is that it can only reset
-	 * the data read in since Mark has been called.  The data integrity is only valid if you have not continued to read past what is stored.
-	 *  
-	 */
-	// @Override
-	public synchronized void reset() throws IOException {
-		switch(state) {
-			case STORE:
-				capacitor.setForRead();
-				state = READ;
-				break;
-			case READ:
-				capacitor.reset();
-				break;
-//				throw new IOException("InputStream is already in READ state");
-			case NONE: 
-				throw new IOException("InputStream has not been marked");
-		}
-	}
-
-
-	// @Override
-	public boolean markSupported() {
-		return true;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/CachedPrincipal.java b/core/src/main/java/com/att/cadi/CachedPrincipal.java
deleted file mode 100644
index 3968f1b..0000000
--- a/core/src/main/java/com/att/cadi/CachedPrincipal.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.security.Principal;
-
-/**
- * Cached Principals need to be able to revalidate in the background.
- * 
- *
- */
-public interface CachedPrincipal extends Principal {
-	public enum Resp {NOT_MINE,UNVALIDATED,REVALIDATED,INACCESSIBLE,DENIED};
-	
-	/**
-	 * Re-validate with Creator
-	 * 
-	 * @return
-	 */
-	public abstract Resp revalidate();
-	
-	/**
-	 * Store when last updated.
-	 * @return
-	 */
-	public abstract long expires();
-}
diff --git a/core/src/main/java/com/att/cadi/CachingLur.java b/core/src/main/java/com/att/cadi/CachingLur.java
deleted file mode 100644
index ee87431..0000000
--- a/core/src/main/java/com/att/cadi/CachingLur.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.security.Principal;
-
-import com.att.cadi.CachedPrincipal.Resp;
-
-
-public interface CachingLur<PERM extends Permission> extends Lur {
-	public abstract void remove(String user);
-	public abstract Resp reload(User<PERM> user);
-	public abstract void setDebug(String commaDelimIDsOrNull);
-	public abstract void clear(Principal p, StringBuilder sb);
-}
diff --git a/core/src/main/java/com/att/cadi/CadiException.java b/core/src/main/java/com/att/cadi/CadiException.java
deleted file mode 100644
index 66b7b5b..0000000
--- a/core/src/main/java/com/att/cadi/CadiException.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-/**
- * CADI Specific Exception
- */
-public class CadiException extends Exception {
-	/**
-	 *  Generated ID 
-	 */
-	private static final long serialVersionUID = -4180145363107742619L;
-
-	public CadiException() {
-		super();
-	}
-
-	public CadiException(String message) {
-		super(message);
-	}
-
-	public CadiException(Throwable cause) {
-		super(cause);
-	}
-
-	public CadiException(String message, Throwable cause) {
-		super(message, cause);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/CadiWrap.java b/core/src/main/java/com/att/cadi/CadiWrap.java
deleted file mode 100644
index 64c565f..0000000
--- a/core/src/main/java/com/att/cadi/CadiWrap.java
+++ /dev/null
@@ -1,193 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-
-import com.att.cadi.Access.Level;
-import com.att.cadi.filter.NullPermConverter;
-import com.att.cadi.filter.PermConverter;
-import com.att.cadi.lur.EpiLur;
-import com.att.cadi.taf.TafResp;
-
-
-
-/**
- * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but
- * overload the key security mechanisms with CADI mechanisms
- * 
- * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
- * 
- * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may
- * need something similar.  See AppServer specific code (i.e. tomcat) for these.
- * 
- *
- */
-public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
-	private Principal principal;
-	private Lur lur;
-	private String user; // used to set user/pass from brain-dead protocols like WSSE 
-	private byte[] password;
-	private PermConverter pconv;
-	private Access access; 
-	
-	/**
-	 * Standard Wrapper constructor for Delegate pattern
-	 * @param request
-	 */
-	public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
-		super(request);
-		principal = tafResp.getPrincipal();
-		access = tafResp.getAccess();
-		this.lur = lur;
-		pconv = NullPermConverter.singleton();
-	}
-
-	/**
-	 * Standard Wrapper constructor for Delegate pattern, with PermConverter
-	 * @param request
-	 */
-	public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
-		super(request);
-		principal = tafResp.getPrincipal();
-		access = tafResp.getAccess();
-		this.lur = lur;
-		pconv = pc;
-	}
-
-
-	/**
-	 * Part of the HTTP Security API.  Declare the User associated with this HTTP Transaction.
-	 * CADI does this by reporting the name associated with the Principal obtained, if any.
-	 */
-// @Override
-	public String getRemoteUser() {
-		return principal==null?null:principal.getName();
-	}
-
-	/**
-	 * Part of the HTTP Security API.  Return the User Principal associated with this HTTP 
-	 * Transaction.
-	 */
-// @Override
-	public Principal getUserPrincipal() {
-		return principal;
-	}
-	
-	/**
-	 * This is the key API call for AUTHZ in J2EE.  Given a Role (String passed in), is the user
-	 * associated with this HTTP Transaction allowed to function in this Role?
-	 * 
-	 * For CADI, we pass the responsibility for determining this to the "LUR", which may be
-	 * determined by the Enterprise.
-	 * 
-	 * Note: Role check is also done in "CadiRealm" in certain cases...
-	 * 
-	 *
-	 */
-// @Override
-	public boolean isUserInRole(String perm) {
-		return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);
-	}
-	
-	public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
-		if(principal== null) {
-			access.log(Level.AUDIT,caller, "No Principal in Transaction");
-			return false;
-		} else { 
-			perm = pconv.convert(perm);
-			if(lur.fish(principal,lur.createPerm(perm))) {
-				access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
-				return true;
-			} else {
-				access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
-				return false;
-			}
-		}
-
-	}
-
-	/** 
-	 * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc
-	 *  as implemented with lur.fishAll
-	 *  
-	 *  To utilize, the Request must be a "CadiWrap" object, then call.
-	 */
-	public List<Permission> getPermissions(Principal p) {
-		List<Permission> perms = new ArrayList<Permission>();
-		lur.fishAll(p, perms);
-		return perms;
-	}
-	/**
-	 * Allow setting of tafResp and lur after construction
-	 * 
-	 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
-	 */
-	public void set(TafResp tafResp, Lur lur) {
-		principal = tafResp.getPrincipal();
-		access = tafResp.getAccess();
-		this.lur = lur;
-	}
-
-	public String getUser() {
-		if(user==null && principal!=null) {
-			user = principal.getName();
-		}
-		return user;
-	}
-
-	public byte[] getCred() {
-		return password;
-	}
-
-	public void setUser(String user) {
-		this.user = user;
-	}
-
-	public void setCred(byte[] passwd) {
-		password = passwd;
-	}
-	
-	public CadiWrap setPermConverter(PermConverter pc) {
-		pconv = pc;
-		return this;
-	}
-	
-	// Add a feature
-	public void invalidate(String id) {
-		if(lur instanceof EpiLur) {
-			((EpiLur)lur).remove(id);
-		} else if(lur instanceof CachingLur) {
-			((CachingLur<?>)lur).remove(id);
-		}
-	}
-	
-	public Lur getLur() {
-		return lur;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/Capacitor.java b/core/src/main/java/com/att/cadi/Capacitor.java
deleted file mode 100644
index 73fd83c..0000000
--- a/core/src/main/java/com/att/cadi/Capacitor.java
+++ /dev/null
@@ -1,240 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.nio.ByteBuffer;
-import java.util.ArrayList;
-
-/**
- * Capacitor
- * 
- * Storage mechanism for read data, specifically designed for InputStreams.
- * 
- * The Standard BufferedInputStream requires a limit to be set for buffered reading, which is 
- * impractical for reading SOAP headers, which can be quite large.
- *
- */
-public class Capacitor {
-	private static final int DEFAULT_CHUNK = 256;
-	private ArrayList<ByteBuffer> bbs = new ArrayList<ByteBuffer>();
-	private ByteBuffer curr = null;
-	private int idx;
-	
-	// Maintain a private RingBuffer for Memory, for efficiency
-	private static ByteBuffer[] ring = new ByteBuffer[16];
-	private static int start, end;
-	
-	
-	public void put(byte b) {
-		if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data
-			curr = ringGet();
-			bbs.add(curr);
-		}
-		curr.put(b); 
-	}
-
-	public int read() {
-		if(curr!=null) { 
-			if(curr.remaining()>0) { // have a buffer, use it!
-				return curr.get();
-			} else if(idx<bbs.size()){ // Buffer not enough, get next one from array
-				if(idx<bbs.size()) {
-					curr=bbs.get(idx++);
-					return curr.get();
-				}
-			}
-		} // if no curr buffer, treat as end of stream
-		return -1;
-	}
-	
-	/**
-	 * read into an array like Streams
-	 * 
-	 * @param array
-	 * @param offset
-	 * @param length
-	 * @return
-	 */
-	public int read(byte[] array, int offset, int length) {
-		if(curr==null)return -1;
-		int len;
-		int count=0;
-		while(length>0) { // loop through while there's data needed
-			if((len=curr.remaining())>length) { //  if enough data in curr buffer, use this code
-				curr.get(array,offset,length);
-				count+=length;
-				length=0;
-			} else {  // get data from curr, mark how much is needed to fulfil, and loop for next curr.
-				curr.get(array,offset,len);
-				count+=len;
-				offset+=len;
-				length-=len;
-				if(idx<bbs.size()) {
-					curr=bbs.get(idx++);
-				} else {
-					length=0; // stop, and return the count of how many we were able to load
-				}
-			}
-		}
-		return count;
-	}
-
-	/**
-	 * Put an array of data into Capacitor
-	 * 
-	 * @param array
-	 * @param offset
-	 * @param length
-	 */
-	public void put(byte[] array, int offset, int length) {
-		if(curr == null || curr.remaining()==0) {
-			curr = ringGet();
-			bbs.add(curr);
-		}
-		
-		int len;
-		while(length>0) {
-			if((len=curr.remaining())>length) {
-				curr.put(array,offset,length);
-				length=0;
-			} else {
-//				System.out.println(new String(array));
-				curr.put(array,offset,len);
-				length-=len;
-				offset+=len;
-				curr = ringGet();
-				bbs.add(curr);
-			}
-		}
-	}
-	 
-	/**
-	 * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc
-	 */
-	public void setForRead() {
-		for(ByteBuffer bb : bbs) {
-			bb.flip();
-		}
-		if(bbs.isEmpty()) {
-			curr = null;
-			idx = 0;
-		} else {
-			curr=bbs.get(0);
-			idx=1;
-		}
-	}
-	
-	/**
-	 * reuse all the buffers
-	 */
-	public void done() {
-		for(ByteBuffer bb : bbs) {
-			ringPut(bb);
-		}
-		bbs.clear();
-		curr = null;
-	}
-	
-	/**
-	 * Declare amount of data available to be read at once.
-	 * 
-	 * @return
-	 */
-	public int available() {
-		int count = 0;
-		for(ByteBuffer bb : bbs) {
-			count+=bb.remaining();
-		}
-		return count;
-	}
-	
-	/**
-	 * Returns how many are left that were not skipped
-	 * @param n
-	 * @return
-	 */
-	public long skip(long n) {
-		long skipped=0L;
-		int skip;
-		while(n>0) {
-			if(n<(skip=curr.remaining())) {
-				curr.position(curr.position()+(int)n);
-				skipped+=skip;
-				n=0;
-			} else {
-				curr.position(curr.limit());
-				
-				skipped-=skip;
-				if(idx<bbs.size()) {
-					curr=bbs.get(idx++);
-					n-=skip;
-				} else {
-					n=0;
-				}
-			}
-		}
-		return skipped;
-	}
-	/**
-	 * Be able to re-read data that is stored that has already been re-read.  This is not a standard Stream behavior, but can be useful
-	 * in a standalone mode.
-	 */
-	public void reset() {
-		for(ByteBuffer bb : bbs) {
-			bb.position(0);
-		}
-		if(bbs.isEmpty()) {
-			curr = null;
-			idx = 0;
-		} else {
-			curr=bbs.get(0);
-			idx=1;
-		}
-	}
-
-	/*
-	 * Ring Functions.  Reuse allocated memory 
-	 */
-	private ByteBuffer ringGet() {
-		ByteBuffer bb = null;
-		synchronized(ring) {
-			bb=ring[start];
-			ring[start]=null;
-			if(bb!=null && ++start>15)start=0;
-		}
-		if(bb==null) {
-			bb=ByteBuffer.allocate(DEFAULT_CHUNK);
-		} else {
-			bb.clear();// refresh reused buffer
-		}
-		return bb;
-	}
-	
-	private void ringPut(ByteBuffer bb) {
-		synchronized(ring) {
-			ring[end]=bb; // if null or not, BB will just be Garbage collected
-			if(++end>15)end=0;
-		}
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/CmdLine.java b/core/src/main/java/com/att/cadi/CmdLine.java
deleted file mode 100644
index 89685e2..0000000
--- a/core/src/main/java/com/att/cadi/CmdLine.java
+++ /dev/null
@@ -1,356 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.FileReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.NoSuchAlgorithmException;
-
-import com.att.cadi.util.Chmod;
-import com.att.cadi.util.JsonOutputStream;
-
-
-
-/**
- * A Class to run on command line to determine suitability of environment for certain TAFs.
- * 
- * For instance, CSP supports services only in certain domains, and while dynamic host
- * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and
- * invalid) for CSP because of multiple NetworkInterfaces, etc
- * 
- *
- */
-public class CmdLine {
-
-	/**
-	 * @param args
-	 */
-	public static void main(String[] args) {
-		if(args.length>0) {
-			if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) {
-				String keyfile;
-				String password;
-				if(args.length>2) {
-					password = args[1];
-					keyfile = args[2];
-				} else {
-					keyfile = args[1];
-					password = new String(System.console().readPassword("Type here (keystrokes hidden): "));
-				}
-
-				try {
-					Symm symm;
-					FileInputStream fis = new FileInputStream(keyfile);
-					try {
-						symm = Symm.obtain(fis);
-					} finally {
-						fis.close();
-					}
-					symm.enpass(password, System.out);
-					System.out.println();
-					System.out.flush();
-					return;
-					/*  testing code... don't want it exposed
-					System.out.println(" ******** Testing *********");
-					for(int i=0;i<100000;++i) {
-						System.out.println(args[1]);
-						ByteArrayOutputStream baos = new ByteArrayOutputStream();
-						b64.enpass(args[1], baos);
-						String pass; 
-						System.out.println(pass=new String(baos.toByteArray()));
-						ByteArrayOutputStream reconstituted = new ByteArrayOutputStream();
-						b64.depass(pass, reconstituted);
-						String r = reconstituted.toString();
-						System.out.println(r);
-						if(!r.equals(args[1])) {
-							System.err.println("!!!!! STOP - ERROR !!!!!");
-							return;
-						}
-						System.out.println();
-					}
-					System.out.flush();
-					*/
-					 
-				} catch (IOException e) {
-					System.err.println("Cannot digest password");
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-// .  Oh, well, Deployment services need this behavior.  I will put this code in, but leave it undocumented. 
-// One still needs access to the keyfile to read.
-// July 2016 - thought of a tool "CMPass" to reguritate from properties, but only if allowed.
-			} else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) {
-				try {
-					Symm symm;
-					FileInputStream fis = new FileInputStream(args[2]);
-					try {
-						symm = Symm.obtain(fis);
-					} finally {
-						fis.close();
-					}
-					boolean isFile = false;
-					if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) {
-						BufferedReader br;
-						if(isFile) {
-							if(args.length<4) {
-								System.err.println("Filename in 4th position");
-								return;
-							}
-							br = new BufferedReader(new FileReader(args[3]));
-						} else {
-							br = new BufferedReader(new InputStreamReader(System.in));
-						}
-						try {
-							String line;
-							boolean cont = false;
-							StringBuffer sb = new StringBuffer();
-							JsonOutputStream jw = new JsonOutputStream(System.out);
-							while((line=br.readLine())!=null) {
-								if(cont) {
-									int end;
-									if((end=line.indexOf('"'))>=0) {
-										sb.append(line,0,end);
-										cont=false;
-									} else {
-										sb.append(line);
-									}
-								} else {
-									int idx;
-									if((idx = line.indexOf(' '))>=0 
-											&& (idx = line.indexOf(' ',++idx))>0
-											&& (idx = line.indexOf('=',++idx))>0
-											&& (idx = line.indexOf('=',++idx))>0
-											) {
-										System.out.println(line.substring(0, idx-5));
-										int start = idx+2;
-										int end;
-										if((end=line.indexOf('"',start))<0) {
-											end = line.length();
-											cont = true;
-										}
-										sb.append(line,start,end);
-									}
-								}
-								if(sb.length()>0) {
-									symm.depass(sb.toString(),jw);
-									if(!cont) {
-										System.out.println();
-									}
-								}
-								System.out.flush();
-								sb.setLength(0);
-								if(!cont) {
-									jw.resetIndent();
-								}
-							}
-						} finally {
-							if(isFile) {
-								br.close();
-							}
-						}
-					} else {
-						symm.depass(args[1], System.out);
-					}
-					System.out.println();
-					System.out.flush();
-					return;
-				} catch (IOException e) {
-					System.err.println("Cannot regurgitate password");
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-			} else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) {
-				try {
-					Symm.base64.encode(args[1], System.out);
-					System.out.println();
-					System.out.flush();
-					return;
-				} catch (IOException e) {
-					System.err.println("Cannot encode Base64 with " + args[1]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-			} else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) {
-				try {
-					Symm.base64.decode(args[1], System.out);
-					System.out.println();
-					System.out.flush();
-					return;
-				} catch (IOException e) {
-					System.err.println("Cannot decode Base64 text from " + args[1]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-			} else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) {
-				try {
-					Symm.base64url.encode(args[1], System.out);
-					System.out.println();
-					System.out.flush();
-					return;
-				} catch (IOException e) {
-					System.err.println("Cannot encode Base64url with " + args[1]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-			} else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) {
-				try {
-					Symm.base64url.decode(args[1], System.out);
-					System.out.println();
-					System.out.flush();
-					return;
-				} catch (IOException e) {
-					System.err.println("Cannot decode Base64url text from " + args[1]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-			} else if("md5".equalsIgnoreCase(args[0]) && args.length>1) {
-				try {
-					System.out.println(Hash.encryptMD5asStringHex(args[1]));
-					System.out.flush();
-				} catch (NoSuchAlgorithmException e) {
-					System.err.println("Cannot hash MD5 from " + args[1]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-				return;
-			} else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) {
-				try {
-					if(args.length>2) {
-						int salt = Integer.parseInt(args[2]);
-						System.out.println(Hash.hashSHA256asStringHex(args[1],salt));
-					} else { 
-						System.out.println(Hash.hashSHA256asStringHex(args[1]));
-					}
-				} catch (NoSuchAlgorithmException e) {
-					System.err.println("Cannot hash SHA256 text from " + args[1]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-				System.out.flush();
-				return;
-			} else if("keygen".equalsIgnoreCase(args[0])) {
-				try {
-					if(args.length>1) {
-						File f = new File(args[1]);
-						FileOutputStream fos = new FileOutputStream(f);
-						try {
-							fos.write(Symm.baseCrypt().keygen());
-							fos.flush();
-						} finally {
-							fos.close();
-							Chmod.to400.chmod(f);
-						}
-					} else {
-						// create a Symmetric Key out of same characters found in base64
-						System.out.write(Symm.baseCrypt().keygen());
-						System.out.flush();
-					}
-					return;
-				} catch (IOException e) {
-					System.err.println("Cannot create a key " + args[0]);
-					System.err.println("   \""+ e.getMessage() + '"');
-				}
-			
-			} else if("passgen".equalsIgnoreCase(args[0])) {
-				int numDigits;
-				if(args.length <= 1) {
-					numDigits = 24;
-				} else {
-					numDigits = Integer.parseInt(args[1]); 
-					if(numDigits<8)numDigits = 8;
-				}
-				String pass;
-				boolean noLower,noUpper,noDigits,noSpecial,repeats;
-				do {
-					pass = Symm.randomGen(numDigits);
-					noLower=noUpper=noDigits=noSpecial=true;
-					repeats=false;
-					int c=-1,last;
-					for(int i=0;i<numDigits;++i) {
-						last = c;
-						c = pass.charAt(i);
-						if(c==last) {
-							repeats=true;
-							break;
-						}
-						
-						if(noLower) {
-							noLower=!(c>=0x61 && c<=0x7A);
-							continue;
-						} 
-						if(noUpper) {
-							noUpper=!(c>=0x41 && c<=0x5A);
-							continue;
-						} 
-						if(noDigits) {
-							noDigits=!(c>=0x30 && c<=0x39);
-							continue;
-						} 
-						if(noSpecial) {
-							noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0;
-							continue;
-						} 
-						
-						break;
-					}
-				} while(noLower || noUpper || noDigits || noSpecial || repeats);
-				System.out.println(pass.substring(0,numDigits));
-			} else if("urlgen".equalsIgnoreCase(args[0])) {
-				int numDigits;
-				if(args.length < 1) {
-					numDigits = 24;
-				} else {
-					numDigits = Integer.parseInt(args[1]); 
-				}
-				System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits));
-			
-			} else if("csptest".equalsIgnoreCase(args[0])) {
-				try {
-					System.out.println("CSP Compatibility test");
-					
-					String hostName = InetAddress.getLocalHost().getCanonicalHostName();
-					
-					System.out.println("  Your automatic hostname is reported as \"" + hostName + "\"\n");
-					System.out.flush();
-					return;
-				} catch (UnknownHostException e) {
-					e.printStackTrace(System.err);
-				}
-			}
-		} else {
-			System.out.println("Usage: java -jar <this jar> ...");
-			System.out.println("  keygen [<keyfile>]                     (Generates Key on file, or Std Out)");
-			System.out.println("  digest <keyfile>                       (Encrypts to Key with \"keyfile\")");
-			System.out.println("  passgen <digits>                       (Generate Password of given size)");
-			System.out.println("  urlgen <digits>                        (Generate URL field of given size)");
-			System.out.println("  csptest                                (Tests for CSP compatibility)");
-			System.out.println("  encode64 <your text>                   (Encodes to Base64)");
-			System.out.println("  decode64 <base64 encoded text>         (Decodes from Base64)");
-			System.out.println("  encode64url <your text>                (Encodes to Base64 URL charset)");
-			System.out.println("  decode64url <base64url encoded text>   (Decodes from Base64 URL charset)");
-			System.out.println("  sha256 <text>                          (Digest String into SHA256 Hash)");
-			System.out.println("  md5 <text>                             (Digest String into MD5 Hash)");
-		}
-		System.exit(1);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/Connector.java b/core/src/main/java/com/att/cadi/Connector.java
deleted file mode 100644
index ab96010..0000000
--- a/core/src/main/java/com/att/cadi/Connector.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-public interface Connector {
-	public Lur newLur() throws CadiException;
-}
diff --git a/core/src/main/java/com/att/cadi/CredVal.java b/core/src/main/java/com/att/cadi/CredVal.java
deleted file mode 100644
index 4fe0a28..0000000
--- a/core/src/main/java/com/att/cadi/CredVal.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-
-/**
- * UserPass
- * 
- * The essential interface required by BasicAuth to determine if a given User/Password combination is 
- * valid.  This is done as an interface.
- * 
- */
-public interface CredVal {
-	public enum Type{PASSWORD};
-	/**
-	 *  Validate if the User/Password combination matches records 
-	 * @param user
-	 * @param pass
-	 * @return
-	 */
-	public boolean validate(String user, Type type, byte[] cred);
-}
diff --git a/core/src/main/java/com/att/cadi/GetCred.java b/core/src/main/java/com/att/cadi/GetCred.java
deleted file mode 100644
index d2c99f2..0000000
--- a/core/src/main/java/com/att/cadi/GetCred.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-public interface GetCred {
-	byte[] getCred();
-}
diff --git a/core/src/main/java/com/att/cadi/Hash.java b/core/src/main/java/com/att/cadi/Hash.java
deleted file mode 100644
index b4e114f..0000000
--- a/core/src/main/java/com/att/cadi/Hash.java
+++ /dev/null
@@ -1,202 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.nio.ByteBuffer;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-
-public class Hash {
-	private static char hexDigit[] = "0123456789abcdef".toCharArray();
-	
-/////////////////////////////////
-// MD5
-/////////////////////////////////
-	/**
-	 * Encrypt MD5 from Byte Array to Byte Array
-	 * @param input
-	 * @return
-	 * @throws NoSuchAlgorithmException
-	 */
-	public static byte[] encryptMD5 (byte[] input) throws NoSuchAlgorithmException {
-		MessageDigest md = MessageDigest.getInstance("MD5");
-		md.update(input); 
-		return md.digest();
-	}
-
-	/**
-	 * Encrypt MD5 from Byte Array to Byte Array
-	 * @param input
-	 * @return
-	 * @throws NoSuchAlgorithmException
-	 */
-	public static byte[] encryptMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException {
-		MessageDigest md = MessageDigest.getInstance("MD5");
-		md.update(input,offset,length); 
-		return md.digest();
-	}
-
-
-
-	/**
-	 * Convenience Function: Encrypt MD5 from String to String Hex representation 
-	 * 
-	 * @param input
-	 * @return
-	 * @throws NoSuchAlgorithmException
-	 */
-	public static String encryptMD5asStringHex(String input) throws NoSuchAlgorithmException {
-		byte[] output = encryptMD5(input.getBytes());
-		StringBuilder sb = new StringBuilder("0x");
-		 for (byte b : output) {
-		    sb.append(hexDigit[(b >> 4) & 0x0f]);
-		    sb.append(hexDigit[b & 0x0f]);
-		 }
-		 return sb.toString();
-	}
-
-/////////////////////////////////
-// SHA256
-/////////////////////////////////
-	/**
-	 * SHA256 Hashing
-	 */
-	public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException {
-		MessageDigest md = MessageDigest.getInstance("SHA-256");
-		md.update(input); 
-		return md.digest();
-	}
-
-	/**
-	 * SHA256 Hashing
-	 */
-	public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException {
-		MessageDigest md = MessageDigest.getInstance("SHA-256");
-		md.update(input,offset,length); 
-		return md.digest();
-	}
-	
-	/**
-	 * Convenience Function: Hash from String to String Hex representation
-	 * 
-	 * @param input
-	 * @return
-	 * @throws NoSuchAlgorithmException
-	 */
-	public static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException {
-		byte[] output = hashSHA256(input.getBytes());
-		StringBuilder sb = new StringBuilder("0x");
-		 for (byte b : output) {
-		    sb.append(hexDigit[(b >> 4) & 0x0f]);
-		    sb.append(hexDigit[b & 0x0f]);
-		 }
-		 return sb.toString();
-	}
-
-	/**
-	 * Convenience Function: Hash from String to String Hex representation
-	 * 
-	 * @param input
-	 * @return
-	 * @throws NoSuchAlgorithmException
-	 */
-	public static String hashSHA256asStringHex(String input, int salt) throws NoSuchAlgorithmException {
-		byte[] in = input.getBytes();
-		ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + in.length);
-		bb.putInt(salt);
-		bb.put(input.getBytes());
-		byte[] output = Hash.hashSHA256(bb.array());
-		StringBuilder sb = new StringBuilder("0x");
-		 for (byte b : output) {
-		    sb.append(hexDigit[(b >> 4) & 0x0f]);
-		    sb.append(hexDigit[b & 0x0f]);
-		 }
-		 return sb.toString();
-	}
-	
-	/**
-	 * Compare two byte arrays for equivalency
-	 * @param ba1
-	 * @param ba2
-	 * @return
-	 */
-	public static boolean isEqual(byte ba1[], byte ba2[]) {
-		if(ba1.length!=ba2.length)return false;
-		for(int i = 0;i<ba1.length; ++i) {
-			if(ba1[i]!=ba2[i])return false;
-		}
-		return true;
-	}
-
-	public static int compareTo(byte[] a, byte[] b) {
-		int end = Math.min(a.length, b.length);
-		int compare = 0;
-		for(int i=0;compare == 0 && i<end;++i) {
-			compare = a[i]-b[i];
-		}
-		if(compare==0)compare=a.length-b.length;
-		return compare;
-	}
-	
-	public static String toHex(byte[] ba) {
-		StringBuilder sb = new StringBuilder("0x");
-		 for (byte b : ba) {
-		    sb.append(hexDigit[(b >> 4) & 0x0f]);
-		    sb.append(hexDigit[b & 0x0f]);
-		 }
-		 return sb.toString();
-	}
-	
-	public static byte[] fromHex(String s)  throws CadiException{
-		if(!s.startsWith("0x")) {
-			throw new CadiException("HexString must start with \"0x\"");
-		}
-		boolean high = true;
-		int c;
-		byte b;
-		byte[] ba = new byte[(s.length()-2)/2];
-		int idx;
-		for(int i=2;i<s.length();++i) {
-			c = s.charAt(i);
-			if(c>=0x30 && c<=0x39) {
-				b=(byte)(c-0x30);
-			} else if(c>=0x61 && c<=0x66) {
-				b=(byte)(c-0x57);  // account for "A"
-			} else if(c>=0x41 && c<=0x46) {
-				b=(byte)(c-0x37);
-			} else {
-				throw new CadiException("Invalid char '" + c + "' in HexString");
-			}
-			idx = (i-2)/2;
-			if(high) {
-				ba[idx]=(byte)(b<<4);
-				high = false;
-			} else {
-				ba[idx]|=b;
-				high = true;
-			}
-		}
-		return ba;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/Locator.java b/core/src/main/java/com/att/cadi/Locator.java
deleted file mode 100644
index ab1a7f9..0000000
--- a/core/src/main/java/com/att/cadi/Locator.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-public interface Locator<T> {
-	public T get(Locator.Item item) throws LocatorException;
-	public boolean hasItems();
-	public void invalidate(Locator.Item item) throws LocatorException;
-	public Locator.Item best() throws LocatorException;
-	public Item first() throws LocatorException;
-	public Item next(Item item) throws LocatorException;
-	public boolean refresh();
-	public void destroy();
-	
-	public interface Item {}
-}
diff --git a/core/src/main/java/com/att/cadi/LocatorException.java b/core/src/main/java/com/att/cadi/LocatorException.java
deleted file mode 100644
index 9c3b804..0000000
--- a/core/src/main/java/com/att/cadi/LocatorException.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-public class LocatorException extends Exception {
-	/**
-	 * 
-	 */
-	private static final long serialVersionUID = -4267929804321134469L;
-
-	public LocatorException(String arg0) {
-		super(arg0);
-	}
-
-	public LocatorException(Throwable arg0) {
-		super(arg0);
-	}
-
-	public LocatorException(String arg0, Throwable arg1) {
-		super(arg0, arg1);
-	}
-
-	public LocatorException(CharSequence cs) {
-		super(cs.toString());
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/Lur.java b/core/src/main/java/com/att/cadi/Lur.java
deleted file mode 100644
index d8ae6a3..0000000
--- a/core/src/main/java/com/att/cadi/Lur.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.security.Principal;
-import java.util.List;
-
-
-
-/**
- * LUR: Local User Registry
- *
- * Concept by Robert Garskof, Implementation by Jonathan Gathman
- * 
- * Where we can keep local copies of users and roles for faster Authorization when asked.
- * 
- * Note: Author cannot resist the mental image of using a Fishing Lure to this LUR pattern 
- * 
- *
- */
-public interface Lur {
-	/**
-	 * Allow the Lur, which has correct Permission access, to create and hand back. 
-	 */
-	public Permission createPerm(String p);
-	
-	/** 
-	 * Fish for Principals in a Pond
-	 * 
-	 *   or more boringly, is the User identified within a named collection representing permission.
-	 * 
-	 * @param principalName
-	 * @return
-	 */
-	public boolean fish(Principal bait, Permission pond);
-
-	/** 
-	 * Fish all the Principals out a Pond
-	 * 
-	 *   For additional humor, pronounce the following with a Southern Drawl, "FishOil"
-	 * 
-	 *   or more boringly, load the List with Permissions found for Principal
-	 * 
-	 * @param principalName
-	 * @return
-	 */
-	public void fishAll(Principal bait, List<Permission> permissions);
-
-	/**
-	 * Allow implementations to disconnect, or cleanup resources if unneeded
-	 */
-	public void destroy();
-
-	/**
-	 * Does this LUR handle this pond exclusively?  Important for EpiLUR to determine whether 
-	 * to try another (more expensive) LUR 
-	 * @param pond
-	 * @return
-	 */
-	public boolean handlesExclusively(Permission pond);  
-	
-	/**
-	 * What domain of User does this LUR support?  (used to avoid asking when not possible)
-	 * 
-	 * @param bait
-	 * @return
-	 */
-	public boolean supports(String userName);
-	
-	/**
-	 * Clear: Clear any Caching, if exists
-	 */
-	public void clear(Principal p, StringBuilder report);
-}
diff --git a/core/src/main/java/com/att/cadi/Permission.java b/core/src/main/java/com/att/cadi/Permission.java
deleted file mode 100644
index adb80a1..0000000
--- a/core/src/main/java/com/att/cadi/Permission.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-public interface Permission {
-	public String permType();
-	public String getKey();
-	public boolean match(Permission p);
-}
diff --git a/core/src/main/java/com/att/cadi/PropAccess.java b/core/src/main/java/com/att/cadi/PropAccess.java
deleted file mode 100644
index d7c9d99..0000000
--- a/core/src/main/java/com/att/cadi/PropAccess.java
+++ /dev/null
@@ -1,320 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.PrintStream;
-import java.text.SimpleDateFormat;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.Map.Entry;
-import java.util.Properties;
-
-import com.att.cadi.config.Config;
-import com.att.cadi.config.SecurityInfo;
-
-public class PropAccess implements Access {
-	private static final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
-
-	public static Level DEFAULT = Level.AUDIT;
-	
-	private Symm symm;
-	private int level;
-	private Properties props;
-	private List<String> recursionProtection = null;
-	private PrintStream out;
-	
-	private String name;
-
-	public PropAccess() {
-		out=System.out;
-		init(null);
-	}
-	
-	/**
-	 * This Constructor soley exists to instantiate Servlet Context Based Logging that will call "init" later.
-	 * @param sc
-	 */
-	protected PropAccess(Object o) {
-		out=System.out;
-		props = new Properties();
-	}
-	
-	public PropAccess(String ... args) {
-		this(System.out,args);
-	}
-	
-	public PropAccess(PrintStream ps, String[] args) {
-		out=ps==null?System.out:ps;
-		Properties nprops=new Properties();
-		int eq;
-		for(String arg : args) {
-			if((eq=arg.indexOf('='))>0) {
-				nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1));
-			}
-		}
-		init(nprops);
-	}
-
-	public PropAccess(Properties p) {
-		this(System.out,p);
-	}
-	
-	public PropAccess(PrintStream ps, Properties p) {
-		out=ps==null?System.out:ps;
-		init(p);
-	}
-	
-	protected void init(Properties p) {
-		// Make sure these two are set before any changes in Logging
-		name = "cadi";
-		level=DEFAULT.maskOf();
-		
-		props = new Properties();
-		// First, load related System Properties
-		for(Entry<Object,Object> es : System.getProperties().entrySet()) {
-			String key = es.getKey().toString();
-			for(String start : new String[] {"cadi_","aaf_","cm_","csp_"}) {
-				if(key.startsWith(start)) {
-					props.put(key, es.getValue());
-				}
-			}			
-		}
-		// Second, overlay or fill in with Passed in Props
-		if(p!=null) {
-			props.putAll(p);
-		}
-		
-		// Third, load any Chained Property Files
-		load(props.getProperty(Config.CADI_PROP_FILES));
-		
-		String sLevel = props.getProperty(Config.CADI_LOGLEVEL); 
-		if(sLevel!=null) {
-			level=Level.valueOf(sLevel).maskOf(); 
-		}
-		// Setup local Symmetrical key encryption
-		if(symm==null) {
-			symm = Symm.obtain(this);
-		}
-		
-		name = props.getProperty(Config.CADI_LOGNAME, name);
-		
-		// Critical - if no Security Protocols set, then set it.  We'll just get messed up if not
-		if(props.get(Config.CADI_PROTOCOLS)==null) {
-			props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT);
-		}
-	}
-
-	private void load(String cadi_prop_files) {
-		String prevKeyFile = props.getProperty(Config.CADI_KEYFILE);
-
-		if(cadi_prop_files!=null) {
-			int prev = 0, end = cadi_prop_files.length();
-			int idx;
-			String filename;
-			while(prev<end) {
-				idx = cadi_prop_files.indexOf(File.pathSeparatorChar,prev);
-				if(idx<0) {
-					idx = end;
-				}
-				File file = new File(filename=cadi_prop_files.substring(prev,idx));
-				if(file.exists()) {
-					printf(Level.INIT,"Loading CADI Properties from %s",file.getAbsolutePath());
-					try {
-						FileInputStream fis = new FileInputStream(file);
-						try {
-							props.load(fis);
-							// Recursively Load
-							String chainProp = props.getProperty(Config.CADI_PROP_FILES);
-							if(chainProp!=null) {
-								if(recursionProtection==null) {
-									recursionProtection = new ArrayList<String>();
-									recursionProtection.add(cadi_prop_files);
-								}
-								if(!recursionProtection.contains(chainProp)) {
-									recursionProtection.add(chainProp);
-									load(chainProp); // recurse
-								}
-							}
-						} finally {
-							fis.close();
-						}
-					} catch (Exception e) {
-						log(e,filename,"cannot be opened");
-					}
-				} else {
-					printf(Level.WARN,"Warning: recursive CADI Property %s does not exist",file.getAbsolutePath());
-				}
-				prev = idx+1;
-			}
-		}
-		// Reset Symm if Keyfile Changes:
-		String newKeyFile = props.getProperty(Config.CADI_KEYFILE);
-		if((prevKeyFile==null && newKeyFile!=null) || (newKeyFile!=null && !newKeyFile.equals(prevKeyFile))) {
-			symm = Symm.obtain(this);
-			prevKeyFile=newKeyFile;
-		}
-		
-		String loglevel = props.getProperty(Config.CADI_LOGLEVEL);
-		if(loglevel!=null) {
-			try {
-				level=Level.valueOf(loglevel).maskOf();
-			} catch (IllegalArgumentException e) {
-				printf(Level.ERROR,"%s=%s is an Invalid Log Level",Config.CADI_LOGLEVEL,loglevel);
-			}
-		}
-	}
-	
-	@Override
-	public void load(InputStream is) throws IOException {
-		props.load(is);
-		load(props.getProperty(Config.CADI_PROP_FILES));
-	}
-
-	@Override
-	public void log(Level level, Object ... elements) {
-		if(willLog(level)) {
-			StringBuilder sb = buildMsg(level, elements);
-			out.println(sb);
-			out.flush();
-		}
-	}
-	
-	protected StringBuilder buildMsg(Level level, Object[] elements) {
-		StringBuilder sb = new StringBuilder(iso8601.format(new Date()));
-		sb.append(' ');
-		sb.append(level.name());
-		sb.append(" [");
-		sb.append(name);
-		
-		int end = elements.length;
-		if(end<=0) {
-			sb.append("] ");
-		} else {
-			int idx = 0;
-			if(elements[idx] instanceof Integer) {
-				sb.append('-');
-				sb.append(elements[idx]);
-				++idx;
-			}
-			sb.append("] ");
-			String s;
-			boolean first = true;
-			for(Object o : elements) {
-				if(o!=null) {
-					s=o.toString();
-					if(first) {
-						first = false;
-					} else {
-						int l = s.length();
-						if(l>0)	{
-							switch(s.charAt(l-1)) {
-								case ' ':
-									break;
-								default:
-									sb.append(' ');
-							}
-						}
-					}
-					sb.append(s);
-				}
-			}
-		}
-		return sb;
-	}
-
-	@Override
-	public void log(Exception e, Object... elements) {
-		log(Level.ERROR,e.getMessage(),elements);
-		e.printStackTrace(System.err);
-	}
-
-	@Override
-	public void printf(Level level, String fmt, Object... elements) {
-		if(willLog(level)) {
-			log(level,String.format(fmt, elements));
-		}
-	}
-
-	@Override
-	public void setLogLevel(Level level) {
-		this.level = level.maskOf();
-	}
-
-	@Override
-	public boolean willLog(Level level) {
-		return level.inMask(this.level);
-	}
-
-	@Override
-	public ClassLoader classLoader() {
-		return ClassLoader.getSystemClassLoader();
-	}
-
-	@Override
-	public String getProperty(String tag, String def) {
-		return props.getProperty(tag,def);
-	}
-
-	@Override
-	public String decrypt(String encrypted, boolean anytext) throws IOException {
-		return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC)))
-			? symm.depass(encrypted)
-			: encrypted;
-	}
-	
-	public String encrypt(String unencrypted) throws IOException {
-		return Symm.ENC+symm.enpass(unencrypted);
-	}
-
-	//////////////////
-	// Additional
-	//////////////////
-	public String getProperty(String tag) {
-		return props.getProperty(tag);
-	}
-	
-
-	public Properties getProperties() {
-		return props;
-	}
-
-	public void setProperty(String tag, String value) {
-		if(value!=null) {
-			props.put(tag, value);
-			if(Config.CADI_KEYFILE.equals(tag)) {
-				// reset decryption too
-				symm = Symm.obtain(this);
-			}
-		}
-	}
-
-	public Properties getDME2Properties() {
-		return Config.getDME2Props(this);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/Revalidator.java b/core/src/main/java/com/att/cadi/Revalidator.java
deleted file mode 100644
index 5d492aa..0000000
--- a/core/src/main/java/com/att/cadi/Revalidator.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-
-public interface Revalidator<TRANS> {
-	/**
-	 * Re-Validate Credential
-	 * 
-	 * @param prin
-	 * @return
-	 */
-	public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin);
-
-}
diff --git a/core/src/main/java/com/att/cadi/SLF4JAccess.java b/core/src/main/java/com/att/cadi/SLF4JAccess.java
deleted file mode 100644
index b222e35..0000000
--- a/core/src/main/java/com/att/cadi/SLF4JAccess.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.util.Properties;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class SLF4JAccess extends PropAccess {
-	private static final Logger slf4j = LoggerFactory.getLogger("AAF");
-	
-	public SLF4JAccess(final Properties initial) throws CadiException {
-		super(initial);
-	}
-
-	public void log(Level level, Object... elements) {
-		switch(level) {
-			case AUDIT:
-				slf4j.info(msg(elements).toString());
-				break;
-			case DEBUG:
-				slf4j.debug(msg(elements).toString());
-				break;
-			case ERROR:
-				slf4j.error(msg(elements).toString());
-				break;
-			case INFO:
-				slf4j.info(msg(elements).toString());
-				break;
-			case INIT:
-				slf4j.info(msg(elements).toString());
-				break;
-			case WARN:
-				slf4j.warn(msg(elements).toString());
-				break;
-			default:
-				slf4j.info(msg(elements).toString());
-				break;
-		}
-	}
-	
-	/* (non-Javadoc)
-	 * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level)
-	 */
-	@Override
-	public boolean willLog(Level level) {
-		switch(level) {
-			case DEBUG:
-				return slf4j.isDebugEnabled();
-			case ERROR:
-				return slf4j.isErrorEnabled();
-			case WARN:
-				return slf4j.isWarnEnabled();
-//			case INFO:
-//			case INIT:
-//			case AUDIT:
-			default:
-				return slf4j.isInfoEnabled();
-		}
-	}
-
-	private StringBuilder msg(Object ... elements) {
-		StringBuilder sb = new StringBuilder();
-		boolean first = true;
-		for(Object o : elements) {
-			if(first) first = false;
-			else {
-				sb.append(' ');
-			}
-			sb.append(o.toString());
-		}
-		return sb;
-	}
-
-	public void log(Exception e, Object... elements) {
-		slf4j.error(msg(elements).toString(),e);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/SecuritySetter.java b/core/src/main/java/com/att/cadi/SecuritySetter.java
deleted file mode 100644
index 295148f..0000000
--- a/core/src/main/java/com/att/cadi/SecuritySetter.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-
-/**
- *  Apply any particular security mechanism
- *  
- *  This allows the definition of various mechanisms involved outside of DRcli jars 
- *  
- *
- */
-public interface SecuritySetter<CT> {
-	public String getID();
-	
-	public void setSecurity(CT client) throws CadiException;
-	
-	/**
-	 * Returns number of bad logins registered
-	 * @param respCode
-	 * @return
-	 */
-	public int setLastResponse(int respCode);
-}
diff --git a/core/src/main/java/com/att/cadi/ServletContextAccess.java b/core/src/main/java/com/att/cadi/ServletContextAccess.java
deleted file mode 100644
index 2d1cfa1..0000000
--- a/core/src/main/java/com/att/cadi/ServletContextAccess.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-import java.util.Enumeration;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-
-import com.att.cadi.config.Config;
-
-public class ServletContextAccess extends PropAccess {
-
-	private ServletContext context;
-
-	public ServletContextAccess(FilterConfig filterConfig) {
-		super(filterConfig); // protected contstructor... does not have "init" called.
-		context = filterConfig.getServletContext();
-
-		for(Enumeration<?> en = filterConfig.getInitParameterNames();en.hasMoreElements();) {
-			String name = (String)en.nextElement();
-			setProperty(name, filterConfig.getInitParameter(name));
-		}
-		init(getProperties());
-		Config.getDME2Props(this);
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.PropAccess#log(com.att.cadi.Access.Level, java.lang.Object[])
-	 */
-	@Override
-	public void log(Level level, Object... elements) {
-		if(willLog(level)) {
-			StringBuilder sb = buildMsg(level, elements);
-			context.log(sb.toString());
-		}
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[])
-	 */
-	@Override
-	public void log(Exception e, Object... elements) {
-		StringBuilder sb = buildMsg(Level.ERROR, elements);
-		context.log(sb.toString(),e);
-	}
-
-	public ServletContext context() {
-		return context;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/StrLur.java b/core/src/main/java/com/att/cadi/StrLur.java
deleted file mode 100644
index f191203..0000000
--- a/core/src/main/java/com/att/cadi/StrLur.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.util.List;
-
-
-
-/**
- * StrLUR: Implements fish with String, skipping the need to be a Principal where it doesn't make sense.
- *
- *
- */
-public interface StrLur extends Lur {
-	/** 
-	 * Fish for Principals in a Pond
-	 * 
-	 *   or more boringly, is the User identified within a named collection representing permission.
-	 * 
-	 * @param principalName
-	 * @return
-	 */
-	public boolean fish(String bait, Permission pond);
-
-	/** 
-	 * Fish all the Principals out a Pond
-	 * 
-	 *   For additional humor, pronounce the following with a Southern Drawl, "FishOil"
-	 * 
-	 *   or more boringly, load the List with Permissions found for Principal
-	 * 
-	 * @param principalName
-	 * @return
-	 */
-	public void fishAll(String bait, List<Permission> permissions);
-}
diff --git a/core/src/main/java/com/att/cadi/Symm.java b/core/src/main/java/com/att/cadi/Symm.java
deleted file mode 100644
index 1504c2d..0000000
--- a/core/src/main/java/com/att/cadi/Symm.java
+++ /dev/null
@@ -1,811 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.DataInputStream;
-import java.io.DataOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.SecureRandom;
-import java.util.ArrayList;
-import java.util.Random;
-
-import javax.crypto.CipherInputStream;
-import javax.crypto.CipherOutputStream;
-
-import com.att.cadi.Access.Level;
-import com.att.cadi.config.Config;
-
-/**
- * Key Conversion, primarily "Base64"
- * 
- * Base64 is required for "Basic Authorization", which is an important part of the overall CADI Package.
- * 
- * Note: This author found that there is not a "standard" library for Base64 conversion within Java.  
- * The source code implementations available elsewhere were surprisingly inefficient, requiring, for 
- * instance, multiple string creation, on a transaction pass.  Integrating other packages that might be
- * efficient enough would put undue Jar File Dependencies given this Framework should have none-but-Java 
- * dependencies.
- * 
- * The essential algorithm is good for a symmetrical key system, as Base64 is really just
- * a symmetrical key that everyone knows the values.  
- * 
- * This code is quite fast, taking about .016 ms for encrypting, decrypting and even .08 for key 
- * generation. The speed quality, especially of key generation makes this a candidate for a short term token 
- * used for identity.
- * 
- * It may be used to easily avoid placing Clear-Text passwords in configurations, etc. and contains 
- * supporting functions such as 2048 keyfile generation (see keygen).  This keyfile should, of course, 
- * be set to "400" (Unix) and protected as any other mechanism requires. 
- * 
- * However, this algorithm has not been tested against hackers.  Until such a time, utilize more tested
- * packages to protect Data, especially sensitive data at rest (long term). 
- *
- */
-public class Symm {
-	private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; 
-	public static final String ENC = "enc:";
-	private static final SecureRandom random = new SecureRandom();
-	
-	public final char[] codeset;
-	private final int splitLinesAt;
-	private final String encoding;
-	private final Convert convert;
-	private final boolean endEquals;
-	//Note: AES Encryption is not Thread Safe.  It is Synchronized
-	private static AES aes = null;  // only initialized from File, and only if needed for Passwords
-	
-	/**
-	 * This is the standard base64 Key Set.
-	 * RFC 2045
-	 */
-	public static final Symm base64 = new Symm(
-			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray()
-			,76, Config.UTF_8,true);
-
-	public static final Symm base64noSplit = new Symm(
-			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray()
-			,Integer.MAX_VALUE, Config.UTF_8,true);
-
-	/**
-	 * This is the standard base64 set suitable for URLs and Filenames
-	 * RFC 4648
-	 */
-	public static final Symm base64url = new Symm(
-			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray()
-			,76, Config.UTF_8,true);
-
-	/**
-	 * A Password set, using US-ASCII
-	 * RFC 4648
-	 */
-	public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false);
-
-	/**
-	 * A typical set of Password Chars
-	 * Note, this is too large to fit into the algorithm. Only use with PassGen
-	 */
-	private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray();
-			
-
-
-	/**
-	 * Use this to create special case Case Sets and/or Line breaks
-	 * 
-	 * If you don't know why you need this, use the Singleton Method
-	 * 
-	 * @param codeset
-	 * @param split
-	 */
-	public Symm(char[] codeset, int split, String charset, boolean useEndEquals) {
-		this.codeset = codeset;
-		splitLinesAt = split;
-		encoding = charset;
-		endEquals = useEndEquals;
-		char prev = 0, curr=0, first = 0;
-		int offset=Integer.SIZE; // something that's out of range for integer array
-		
-		// There can be time efficiencies gained when the underlying keyset consists mainly of ordered 
-		// data (i.e. abcde...).  Therefore, we'll quickly analyze the keyset.  If it proves to have
-		// too much entropy, the "Unordered" algorithm, which is faster in such cases is used.
-		ArrayList<int[]> la = new ArrayList<int[]>();
-		for(int i=0;i<codeset.length;++i) {
-			curr = codeset[i];
-			if(prev+1==curr) { // is next character in set
-				prev = curr;
-			} else {
-				if(offset!=Integer.SIZE) { // add previous range 
-					la.add(new int[]{first,prev,offset});
-				}
-				first = prev = curr;
-				offset = curr-i;
-			}
-		}
-		la.add(new int[]{first,curr,offset});
-		if(la.size()>codeset.length/3) {
-			convert = new Unordered(codeset);
-		} else { // too random to get speed enhancement from range algorithm
-			int[][] range = new int[la.size()][];
-			la.toArray(range);
-			convert = new Ordered(range);
-		}
-	}
-	
-	public Symm copy(int lines) {
-		return new Symm(codeset,lines,encoding,endEquals);
-	}
-	
-	// Only used by keygen, which is intentionally randomized. Therefore, always use unordered
-	private  Symm(char[] codeset, Symm parent) {
-		this.codeset = codeset;
-		splitLinesAt = parent.splitLinesAt;
-		endEquals = parent.endEquals;
-		encoding = parent.encoding;
-		convert = new Unordered(codeset);
-	}
-
-	/**
-	 * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc.
-	 * @return
-	 */
-	@Deprecated
-	public static final Symm base64() {
-		return base64;
-	}
-
-	/**
-	 * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc.  
-	 * No Line Splitting
-	 * @return
-	 */
-	@Deprecated
-	public static final Symm base64noSplit() {
-		return base64noSplit;
-	}
-
-	/**
-	 * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/")
-	 */
-	@Deprecated
-	public static final Symm base64url() {
-		return base64url;
-	}
-
-	/**
-	 * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. (no "/")
-	 */
-	public static final Symm baseCrypt() {
-		return encrypt;
-	}
-
-	/*
-	 *  Note: AES Encryption is NOT thread-safe.  Must surround entire use with synchronized
-	 */
-	private synchronized void exec(AESExec exec) throws IOException {
-		if(aes == null) {
-			try {
-				byte[] bytes = new byte[AES.AES_KEY_SIZE/8];
-				int offset = (Math.abs(codeset[0])+47)%(codeset.length-bytes.length);
-				for(int i=0;i<bytes.length;++i) {
-					bytes[i] = (byte)codeset[i+offset];
-				}
-				aes = new AES(bytes,0,bytes.length);
-			} catch (Exception e) {
-				throw new IOException(e);
-			}
-		}
-		exec.exec(aes);
-	}
-	
-	private static interface AESExec {
-		public void exec(AES aes) throws IOException;
-	}
-	
-    public byte[] encode(byte[] toEncrypt) throws IOException {
-		ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(toEncrypt.length*1.25));
-		encode(new ByteArrayInputStream(toEncrypt),baos);
-		return baos.toByteArray();
-	}
-
-    public byte[] decode(byte[] encrypted) throws IOException {
-		ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(encrypted.length*1.25));
-		decode(new ByteArrayInputStream(encrypted),baos);
-		return baos.toByteArray();
-	}
-
-	/**
-     *  Helper function for String API of "Encode"
-     *  use "getBytes" with appropriate char encoding, etc.
-     *  
-     * @param str
-     * @return
-     * @throws IOException
-     */
-    public String encode(String str) throws IOException {
-    	byte[] array;
-    	try { 
-    		array = str.getBytes(encoding);
-    	} catch (IOException e) {
-    		array = str.getBytes(); // take default
-    	}
-    	// Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code
-    	ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*1.363)); // account for 4 bytes for 3 and a byte or two more
-    	
-    	encode(new ByteArrayInputStream(array),baos);
-    	return baos.toString(encoding);
-    }
-    
-    /**
-     * Helper function for the String API of "Decode"
-     * use "getBytes" with appropriate char encoding, etc.
-     * @param str
-     * @return
-     * @throws IOException
-     */
-    public String decode(String str) throws IOException {
-    	byte[] array;
-    	try { 
-    		array = str.getBytes(encoding);
-    	} catch (IOException e) {
-    		array = str.getBytes(); // take default
-    	}
-    	// Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code
-    	ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*.76)); // Decoding is 3 bytes for 4.  Allocate slightly more than 3/4s
-    	decode(new ByteArrayInputStream(array), baos);
-    	return baos.toString(encoding);
-	}
-
-	/**
-     * Convenience Function
-     * 
-     * encode String into InputStream and call encode(InputStream, OutputStream)
-     * 
-     * @param string
-     * @param out
-     * @throws IOException
-     */
-  	public void encode(String string, OutputStream out) throws IOException {
-  		encode(new ByteArrayInputStream(string.getBytes()),out);
-	}
-
-	/**
-	 * Convenience Function
-	 * 
-	 * encode String into InputStream and call decode(InputStream, OutputStream)
-	 * 
-	 * @param string
-	 * @param out
-	 * @throws IOException
-	 */
-	public void decode(String string, OutputStream out) throws IOException {
-		decode(new ByteArrayInputStream(string.getBytes()),out);
-	}
-
-    public void encode(InputStream is, OutputStream os, byte[] prefix) throws IOException {
-    	os.write(prefix);
-    	encode(is,os);
-    }
-
-	/** 
-     * encode InputStream onto Output Stream
-     * 
-     * @param is
-     * @param estimate
-     * @return
-     * @throws IOException
-     */
-    public void encode(InputStream is, OutputStream os) throws IOException {
-    	// StringBuilder sb = new StringBuilder((int)(estimate*1.255)); // try to get the right size of StringBuilder from start.. slightly more than 1.25 times 
-    	int prev=0;
-    	int read, idx=0, line=0;
-    	boolean go;
-    	do {
-    		read = is.read();
-    		if(go = read>=0) {
-    			if(line>=splitLinesAt) {
-	    			os.write('\n');
-	    			line = 0;
-	    		}
-	    		switch(++idx) { // 1 based reading, slightly faster ++
-	    			case 1: // ptr is the first 6 bits of read
-	    				os.write(codeset[read>>2]);
-	    				prev = read;
-	    				break;
-	    			case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read
-	    				os.write(codeset[((prev & 0x03)<<4) | (read>>4)]);
-    					prev = read;
-	    				break;
-	    			default: //(3+) 
-	    					// Char 1 is last 4 bits of prev plus the first 2 bits of read
-	    				    // Char 2 is the last 6 bits of read
-	    				os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]);
-	    				if(line==splitLinesAt) { // deal with line splitting for two characters
-	    					os.write('\n');
-	    					line=0;
-	    				}
-	    				os.write(codeset[(read & 0x3F)]);
-	    				++line;
-	    				idx = 0;
-	    				prev = 0;
-	    		}
-	    		++line;
-    		} else { // deal with any remaining bits from Prev, then pad
-    			switch(idx) {
-    				case 1: // just the last 2 bits of prev
-	    				os.write(codeset[(prev & 0x03)<<4]);
-    					if(endEquals)os.write(DOUBLE_EQ);
-    					break;
-    				case 2: // just the last 4 bits of prev
-	    				os.write(codeset[(prev & 0xF)<<2]);
-	    				if(endEquals)os.write('=');
-	    				break;
-    			}
-    			idx = 0;
-    		}
-    		
-    	} while(go);
-    }
-
-    public void decode(InputStream is, OutputStream os, int skip) throws IOException {
-    	is.skip(skip);
-    	decode(is,os);
-    }
-
-    /**
-	 * Decode InputStream onto OutputStream
-	 * @param is
-	 * @param os
-	 * @throws IOException
-	 */
-    public void decode(InputStream is, OutputStream os) throws IOException {
-	   int read, idx=0;
-	   int prev=0, index;
-	   	while((read = is.read())>=0) {
-	   		index = convert.convert(read);
-	   		if(index>=0) {
-	    		switch(++idx) { // 1 based cases, slightly faster ++
-	    			case 1: // index goes into first 6 bits of prev
-	    				prev = index<<2; 
-	    				break;
-	    			case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev
-	    				os.write((byte)(prev|(index>>4)));
-	    				prev = index<<4;
-	    				break;
-	    			case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev
-	    				os.write((byte)(prev|(index>>2)));
-	    				prev = index<<6;
-	    				break;
-	    			default: // (3+) | prev and last six of index
-	    				os.write((byte)(prev|(index&0x3F)));
-	    				idx = prev = 0;
-	    		}
-	   		}
-	   	};
-	   	os.flush();
-   }
-   
-   /**
-    * Interface to allow this class to choose which algorithm to find index of character in Key
-    *
-    */
-   private interface Convert {
-	   public int convert(int read) throws IOException;
-   }
-
-   /**
-    * Ordered uses a range of orders to compare against, rather than requiring the investigation
-    * of every character needed.
-    *
-    */
-   private static final class Ordered implements Convert {
-	   private int[][] range;
-	   public Ordered(int[][] range) {
-		   this.range = range;
-	   }
-	   public int convert(int read) throws IOException {
-		   switch(read) {
-			   case -1: 
-			   case '=':
-			   case '\n': 
-				   return -1;
-		   }
-		   for(int i=0;i<range.length;++i) {
-			   if(read >= range[i][0] && read<=range[i][1]) {
-				   return read-range[i][2];
-			   }
-		   }
-		   throw new IOException("Unacceptable Character in Stream");
-	   }
-   }
-   
-   /**
-    * Unordered, i.e. the key is purposely randomized, simply has to investigate each character
-    * until we find a match.
-    *
-    */
-   private static final class Unordered implements Convert {
-	   private char[] codec;
-	   public Unordered(char[] codec) {
-		   this.codec = codec;
-	   }
-	   public int convert(int read) throws IOException {
-		   switch(read) {
-			   case -1: 
-			   case '=':
-			   case '\n': 
-				   return -1;
-		   }
-		   for(int i=0;i<codec.length;++i) {
-			   if(codec[i]==read)return i;
-		   }
-		  // don't give clue in Encryption mode
-		  throw new IOException("Unacceptable Character in Stream");
-	   }
-   }
-
-   /**
-    * Generate a 2048 based Key from which we extract our code base
-    * 
-    * @return
-    * @throws IOException
-    */
-   public byte[] keygen() throws IOException {
-		byte inkey[] = new byte[0x600];
-		new SecureRandom().nextBytes(inkey);
-		ByteArrayOutputStream baos = new ByteArrayOutputStream(0x800);
-		base64url.encode(new ByteArrayInputStream(inkey), baos);
-		return baos.toByteArray();
-   }
-   
-   // A class allowing us to be less predictable about significant digits (i.e. not picking them up from the
-   // beginning, and not picking them up in an ordered row.  Gives a nice 2048 with no visible patterns.
-   private class Obtain {
-	   private int last;
-	   private int skip;
-	   private int length;
-	   private byte[] key;
-  
-	   private Obtain(Symm b64, byte[] key) {
-		   skip = Math.abs(key[key.length-13]%key.length);
-		   if((key.length&0x1) == (skip&0x1)) { // if both are odd or both are even
-			   ++skip;
-		   }
-		   length = b64.codeset.length;
-		   last = 17+length%59; // never start at beginning
-		   this.key = key;
-	   }
-	   
-	   private int next() {
-  		   return Math.abs(key[(++last*skip)%key.length])%length;
-	   }
-   };
-  
-   /**
-    * Obtain a Symm from "keyfile" (Config.KEYFILE) property
-    * 
-    * @param acesss
-    * @return
-    */
-   public static Symm obtain(Access access) {
-		Symm symm = Symm.baseCrypt();
-
-		String keyfile = access.getProperty(Config.CADI_KEYFILE,null);
-		if(keyfile!=null) {
-			File file = new File(keyfile);
-			try {
-				access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getCanonicalPath());
-			} catch (IOException e1) {
-				access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getAbsolutePath());
-			}
-			if(file.exists()) {
-				try {
-					FileInputStream fis = new FileInputStream(file);
-					try {
-						symm = Symm.obtain(fis);
-					} finally {
-						try {
-						   fis.close();
-						} catch (IOException e) {
-						}
-					}
-				} catch (IOException e) {
-					access.log(e, "Cannot load keyfile");
-				}
-			}
-		}
-		return symm;
-   }
-  /**
-   *  Create a new random key 
-   */
-  public Symm obtain() throws IOException {
-		byte inkey[] = new byte[0x800];
-		new SecureRandom().nextBytes(inkey);
-		return obtain(inkey);
-  }
-  
-  /**
-   * Obtain a Symm from 2048 key from a String
-   * 
-   * @param key
-   * @return
-   * @throws IOException
-   */
-  public static Symm obtain(String key) throws IOException {
-	  return obtain(new ByteArrayInputStream(key.getBytes()));
-  }
-  
-  /**
-   * Obtain a Symm from 2048 key from a Stream
-   * 
-   * @param is
-   * @return
-   * @throws IOException
-   */
-  public static Symm obtain(InputStream is) throws IOException {
-	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
-	  try {
-		  base64url.decode(is, baos);
-	  } catch (IOException e) {
-		  // don't give clue
-		  throw new IOException("Invalid Key");
-	  }
-	  byte[] bkey = baos.toByteArray();
-	  if(bkey.length<0x88) { // 2048 bit key
-		  throw new IOException("Invalid key");
-	  }
-	  return baseCrypt().obtain(bkey);
-  }
-
-  /**
-   * Convenience for picking up Keyfile
-   * 
-   * @param f
-   * @return
-   * @throws IOException
-   */
-  public static Symm obtain(File f) throws IOException {
-	  FileInputStream fis = new FileInputStream(f);
-	  try {
-		  return obtain(fis);
-	  } finally {
-		  fis.close();
-	  }
-  }
-  /**
-   * Decrypt into a String
-   *
-   *  Convenience method
-   * 
-   * @param password
-   * @return
-   * @throws IOException
-   */
-  public String enpass(String password) throws IOException {
-	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
-	  enpass(password,baos);
-	  return new String(baos.toByteArray());
-  }
-
-  /**
-   * Create an encrypted password, making sure that even short passwords have a minimum length.
-   * 
-   * @param password
-   * @param os
-   * @throws IOException
-   */
-  public void enpass(final String password, final OutputStream os) throws IOException {
-		final ByteArrayOutputStream baos = new ByteArrayOutputStream();
-		DataOutputStream dos = new DataOutputStream(baos);
-		byte[] bytes = password.getBytes();
-		if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization
-			dos.write(bytes);
-		} else {
-			
-			Random r = new SecureRandom();
-			int start = 0;
-			byte b;
-			for(int i=0;i<3;++i) {
-				dos.writeByte(b=(byte)r.nextInt());
-				start+=Math.abs(b);
-			}
-			start%=0x7;
-			for(int i=0;i<start;++i) {
-				dos.writeByte(r.nextInt());
-			}
-			dos.writeInt((int)System.currentTimeMillis());
-			int minlength = Math.min(0x9,bytes.length);
-			dos.writeByte(minlength); // expect truncation
-			if(bytes.length<0x9) {
-				for(int i=0;i<bytes.length;++i) {
-					dos.writeByte(r.nextInt());
-					dos.writeByte(bytes[i]);
-				}
-				// make sure it's long enough
-				for(int i=bytes.length;i<0x9;++i) {
-					dos.writeByte(r.nextInt());
-				}
-			} else {
-				dos.write(bytes);
-			}
-		}
-		
-		// 7/21/2016 jg add AES Encryption to the mix
-		exec(new AESExec() {
-			@Override
-			public void exec(AES aes) throws IOException {
-				CipherInputStream cis = aes.inputStream(new ByteArrayInputStream(baos.toByteArray()), true);
-				try {
-					encode(cis,os);
-				} finally {
-					os.flush();
-					cis.close();
-				}
-			}
-		});
-		synchronized(ENC) {
-		}
-	}
-
-  /**
-   * Decrypt a password into a String
-   * 
-   * Convenience method
-   * 
-   * @param password
-   * @return
-   * @throws IOException
-   */
-  public String depass(String password) throws IOException {
-	  if(password==null)return null;
-	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
-	  depass(password,baos);
-	  return new String(baos.toByteArray());
-  }
-  
-  /**
-   * Decrypt a password
-   * 
-   * Skip Symm.ENC
-   * 
-   * @param password
-   * @param os
-   * @return
-   * @throws IOException
-   */
-  public long depass(final String password, final OutputStream os) throws IOException {
-	  int offset = password.startsWith(ENC)?4:0;
-	  final ByteArrayOutputStream baos = new ByteArrayOutputStream();
-	  final ByteArrayInputStream bais =  new ByteArrayInputStream(password.getBytes(),offset,password.length()-offset);
-	  exec(new AESExec() {
-		@Override
-		public void exec(AES aes) throws IOException {
-			  CipherOutputStream cos = aes.outputStream(baos, false);
-			  decode(bais,cos);
-			  cos.close(); // flush
-		}
-	  });
-	  byte[] bytes = baos.toByteArray();
-	  DataInputStream dis = new DataInputStream(new ByteArrayInputStream(bytes));
-	  long time;
-	  if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization
-		  os.write(bytes);
-		  time = 0L;
-	  } else {
-		  int start=0;
-		  for(int i=0;i<3;++i) {
-			  start+=Math.abs(dis.readByte());
-		  }
-		  start%=0x7;
-		  for(int i=0;i<start;++i) {
-			  dis.readByte();
-		  }
-		  time = (dis.readInt() & 0xFFFF)|(System.currentTimeMillis()&0xFFFF0000);
-		  int minlength = dis.readByte();
-		  if(minlength<0x9){
-			DataOutputStream dos = new DataOutputStream(os);
-			for(int i=0;i<minlength;++i) {
-				dis.readByte();
-				dos.writeByte(dis.readByte());
-			}
-		  } else {
-			  int pre =((Byte.SIZE*3+Integer.SIZE+Byte.SIZE)/Byte.SIZE)+start; 
-			  os.write(bytes, pre, bytes.length-pre);
-		  }
-	  }
-	  return time;
-  }
-
-  public static String randomGen(int numBytes) {
-	  return randomGen(passChars,numBytes);  
-  }
-  
-  public static String randomGen(char[] chars ,int numBytes) {
-	    int rint;
-	    StringBuilder sb = new StringBuilder(numBytes);
-	    for(int i=0;i<numBytes;++i) {
-	    	rint = random.nextInt(chars.length);
-	    	sb.append(chars[rint]);
-	    }
-	    return sb.toString();
-  }
-  // Internal mechanism for helping to randomize placement of characters within a Symm codeset
-  // Based on an incoming data stream (originally created randomly, but can be recreated within 
-  // 2048 key), go after a particular place in the new codeset.  If that codeset spot is used, then move
-  // right or left (depending on iteration) to find the next available slot.  In this way, key generation 
-  // is speeded up by only enacting N iterations, but adds a spreading effect of the random number stream, so that keyset is also
-  // shuffled for a good spread. It is, however, repeatable, given the same number set, allowing for 
-  // quick recreation when the official stream is actually obtained.
-  public Symm obtain(byte[] key) throws IOException {
-	  try {
-		byte[] bytes = new byte[AES.AES_KEY_SIZE/8];
-		int offset = (Math.abs(key[(47%key.length)])+137)%(key.length-bytes.length);
-		for(int i=0;i<bytes.length;++i) {
-			bytes[i] = key[i+offset];
-		}
-
-	  	aes = new AES(bytes,0,bytes.length);
-	  } catch (Exception e) {
-		  throw new IOException(e);
-	  }
-		int filled = codeset.length;
-		char[] seq = new char[filled];
-		int end = filled--;
-		
-		boolean right = true;
-		int index;
-		Obtain o = new Obtain(this,key);
-		
-		while(filled>=0) {
-			index = o.next();
-			if(index<0 || index>=codeset.length) {
-				System.out.println("uh, oh");
-			}
-			if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) 
-				for(int j=index;j<end;++j) {
-					if(seq[j]==0) {
-						seq[j]=codeset[filled];
-						--filled;
-						break;
-					}
-				}
-				right = false;
-			} else {
-				for(int j=index;j>=0;--j) {
-					if(seq[j]==0) {
-						seq[j]=codeset[filled];
-						--filled;
-						break;
-					}
-				}
-				right = true;
-			}
-		}
-		return new Symm(seq,this);
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/Taf.java b/core/src/main/java/com/att/cadi/Taf.java
deleted file mode 100644
index 4017866..0000000
--- a/core/src/main/java/com/att/cadi/Taf.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import com.att.cadi.taf.TafResp;
-
-
-/**
- * TAF - Transmutative Assertion Framework.  
- * 
- * This main Interface embodies the essential of the assertion, where a number of different TAFs might be used to authenticate
- * and that authentication to be recognized through other elements.
- * 
- * Concept by Robert Garskof.  Implemented by Jonathan Gathman
- *  
- *
- */
-public interface Taf {
-	enum LifeForm {CBLF, SBLF, LFN};
-	/**
-	 * The lifeForm param is a humorous way of describing whether the interaction is proceeding from direct Human Interaction via a browser 
-	 * or App which can directly query a memorized password, key sequence, bio-feedback, from that user, or a machine mechanism for which identity
-	 * can more easily be determined by Certificate, Mechanical ID/Password etc.  Popularized in modern culture and Science Fiction (especially 
-	 * Star Trek), we (starting with Robert Garskof) use the terms "Carbon Based Life Form" (CBLF) for mechanisms with people at the end of them, or 
-	 * "Silicon Based Life Forms" (SBLF) to indicate machine only interactions.  I have added "LFN" for (Life-Form Neutral) to aid identifying
-	 * processes for which it doesn't matter whether there is a human at the immediate end of the chain, or cannot be determined mechanically.  
-	 * 
-	 * The variable parameter is not necessarily ideal, but with too many unknown Tafs to be created, flexibility,
-	 * is unfortunately required at this point.  Future versions could lock this down more.  JG 10/18/2012
-	 * 
-	 * @param lifeForm
-	 * @param info
-	 * @return
-	 */
-	public TafResp validate(LifeForm reading, String ... info);
-	
-}
diff --git a/core/src/main/java/com/att/cadi/Transmutate.java b/core/src/main/java/com/att/cadi/Transmutate.java
deleted file mode 100644
index 1d6ff6f..0000000
--- a/core/src/main/java/com/att/cadi/Transmutate.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.security.Principal;
-
-/**
- * The unique element of TAF is that we establish the relationship/mechanism to mutate the Principal derived from
- * one Authentication mechanism into a trustable Principal of another.  The mechanism needs to be decided by system
- * trusting.  
- * 
- * The Generic "T" is used so that the code used will be very specific for the implementation, enforced by Compiler
- * 
- * This interface will allow differences of trusting Transmutation of Authentication 
- *
- */
-public interface Transmutate<T> {
-	/**
-	 * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct
-	 * 
-	 * @param p
-	 * @return
-	 */
-	public T mutate(Principal p);
-}
diff --git a/core/src/main/java/com/att/cadi/TrustChecker.java b/core/src/main/java/com/att/cadi/TrustChecker.java
deleted file mode 100644
index 60b9a17..0000000
--- a/core/src/main/java/com/att/cadi/TrustChecker.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-
-import javax.servlet.http.HttpServletRequest;
-
-import com.att.cadi.taf.TafResp;
-
-/**
- * Change to another Principal based on Trust of caller and User Chain (if desired)
- * 
- *
- */
-public interface TrustChecker {
-	public TafResp mayTrust(TafResp tresp, HttpServletRequest req);
-	
-	/**
-	 * A class that trusts no-one else, so just return same TResp
-	 */
-	public static TrustChecker NOTRUST = new TrustChecker() {
-		@Override
-		public TafResp mayTrust(TafResp tresp, HttpServletRequest req) {
-			return tresp;
-		}
-
-		@Override
-		public void setLur(Lur lur) {
-		}
-	};
-
-	public void setLur(Lur lur);
-}
diff --git a/core/src/main/java/com/att/cadi/User.java b/core/src/main/java/com/att/cadi/User.java
deleted file mode 100644
index bde3488..0000000
--- a/core/src/main/java/com/att/cadi/User.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.security.Principal;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.ConcurrentHashMap;
-
-import com.att.cadi.lur.LocalPermission;
-
-/**
- * Class to hold info from the User Perspective.
- * 
- *
- */
-public final class User<PERM extends Permission> {
-	private static Map<String,Permission> NULL_MAP = new HashMap<String,Permission>();
-	public Principal principal;
-	Map<String, Permission> perms ;
-	long permExpires;
-	private final long interval;
-	int count;
-	
-	// Note: This should only be used for Local RBAC (in memory)
-	public User(Principal principal) {
-		this.principal = principal;
-		perms = NULL_MAP;
-		permExpires = Long.MAX_VALUE; // Never.  Well, until 64 bits of millis since 1970 expires...
-		interval = 0L;
-		count = 0;
-	}
-
-	public User(Principal principal, long expireInterval) {
-		this.principal = principal;
-		perms = NULL_MAP;
-		expireInterval = Math.max(expireInterval, 0); // avoid < 1
-		interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL));
-		permExpires = 0;
-		count = 0;
-	}
-	
-	public void renewPerm() {
-		permExpires = System.currentTimeMillis()+interval;
-	}
-	
-	public long permExpires() {
-		return permExpires;
-	}
-	
-	public boolean permExpired() {
-		return System.currentTimeMillis() > permExpires;
-	}
-
-	public boolean noPerms() {
-		return perms==null || perms.values().size()==0; 
-	}
-	
-	public void setNoPerms() {
-		perms=NULL_MAP;
-		permExpires = System.currentTimeMillis() + interval;
-	}
-
-	public boolean permsUnloaded() {
-		return perms==null;
-	}
-
-	public synchronized void incCount() {
-		++count;
-	}
-	
-	public synchronized void resetCount() {
-		count=0;
-	}
-	
-	public Map<String,Permission> newMap() {
-		return new ConcurrentHashMap<String,Permission>();
-	}
-
-	public void add(LocalPermission permission) {
-		if(perms==NULL_MAP)perms=newMap();
-		perms.put(permission.getKey(),permission);
-	}
-
-	public void add(Map<String, Permission> newMap, PERM permission) {
-		newMap.put(permission.getKey(),permission);
-	}
-
-	public void setMap(Map<String, Permission> newMap) {
-		perms = newMap;
-	}
-
-	public boolean contains(Permission perm) {
-		for (Permission p : perms.values()) {
-			if (p.match(perm)) return true;
-		}
-		return false;
-	}
-	
-	public void copyPermsTo(List<Permission> sink) {
-		sink.addAll(perms.values());
-	}
-	
-	public String toString() {
-		StringBuilder sb = new StringBuilder();
-		sb.append(principal.getName());
-		sb.append('|');
-		boolean first = true;
-		synchronized(perms) {
-			for(Permission gp : perms.values()) {
-				if(first) {
-					first = false;
-					sb.append(':');
-				} else {
-					sb.append(',');
-				}
-				sb.append(gp.getKey());
-			}
-		}
-		return sb.toString();
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/UserChain.java b/core/src/main/java/com/att/cadi/UserChain.java
deleted file mode 100644
index df493c5..0000000
--- a/core/src/main/java/com/att/cadi/UserChain.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-/**
- * Interface to add a User Chain String to Principal
- * 
- * 
- * 
- *  Where
- *  APP is name suitable for Logging (i.e. official App Acronym) 
- *  ID is official User or MechID, best if includes Identity Source (i.e. ab1234@csp.att.com)
- *  Protocol is the Security protocol,
- *  
- *  Format:<ID>:<APP>:<protocol>[:AS][,<ID>:<APP>:<protocol>]*
- *  
- * 
- *
- */
-public interface UserChain  {
-	public enum Protocol {BasicAuth,Cookie,Cert,OAuth};
-	public String userChain();
-}
diff --git a/core/src/main/java/com/att/cadi/config/Config.java b/core/src/main/java/com/att/cadi/config/Config.java
deleted file mode 100644
index ada6117..0000000
--- a/core/src/main/java/com/att/cadi/config/Config.java
+++ /dev/null
@@ -1,814 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.net.InetAddress;
-import java.net.URI;
-import java.net.UnknownHostException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map.Entry;
-import java.util.Properties;
-import java.util.TimerTask;
-
-import com.att.cadi.AbsUserCache;
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.CachingLur;
-import com.att.cadi.CadiException;
-import com.att.cadi.CredVal;
-import com.att.cadi.Locator;
-import com.att.cadi.Lur;
-import com.att.cadi.PropAccess;
-import com.att.cadi.Symm;
-import com.att.cadi.TrustChecker;
-import com.att.cadi.lur.EpiLur;
-import com.att.cadi.lur.LocalLur;
-import com.att.cadi.lur.NullLur;
-import com.att.cadi.taf.HttpEpiTaf;
-import com.att.cadi.taf.HttpTaf;
-import com.att.cadi.taf.basic.BasicHttpTaf;
-import com.att.cadi.taf.cert.X509Taf;
-import com.att.cadi.taf.dos.DenialOfServiceTaf;
-
-/**
- * Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as
- * Properties vs JavaBeans vs FilterConfigs...
- * 
- *
- */
-public class Config {
-
-	private static final String HIDE_PASS = "***************";
-
-	public static final String UTF_8 = "UTF-8";
-
-	// Property Names associated with configurations.
-	// As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style
-	// configurations as well as property list style.
-	public static final String HOSTNAME = "hostname";
-	public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;)
-	public static final String CADI_LOGLEVEL = "cadi_loglevel";
-	public static final String CADI_LOGNAME = "cadi_logname";
-	public static final String CADI_KEYFILE = "cadi_keyfile";
-	public static final String CADI_KEYSTORE = "cadi_keystore";
-	public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password";
-	public static final String CADI_ALIAS = "cadi_alias";
-	public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url";
-
-	public static final String CADI_KEY_PASSWORD = "cadi_key_password";
-	public static final String CADI_TRUSTSTORE = "cadi_truststore";
-	public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password";
-	public static final String CADI_X509_ISSUERS = "cadi_x509_issuers";
-	public static final String CADI_TRUST_MASKS="cadi_trust_masks";
-	public static final String CADI_TRUST_PERM="cadi_trust_perm"; //  IDs with this perm can utilize the "AS " user concept
-	public static final String CADI_PROTOCOLS = "cadi_protocols";
-	public static final String CADI_NOAUTHN = "cadi_noauthn";
-	public static final String CADI_LOC_LIST = "cadi_loc_list";
-	
-	public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";
-	public static final String CADI_USER_CHAIN = "USER_CHAIN";
-
-	
-	
-	public static final String CSP_DOMAIN = "csp_domain";
-	public static final String CSP_HOSTNAME = "csp_hostname";
-	public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
-	public static final String CSP_USER_HEADER = "CSP_USER";
-	public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
-    public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
-
-
-	public static final String TGUARD_ENV="tguard_env";
-	public static final String TGUARD_DOMAIN = "tguard_domain";
-	public static final String TGUARD_TIMEOUT = "tguard_timeout";
-	public static final String TGUARD_TIMEOUT_DEF = "5000";
-	public static final String TGUARD_CERTS = "tguard_certs"; // comma delimited SHA-256 finger prints
-//	public static final String TGUARD_DEVL_LOCALHOST = "tguard_devl_localhost";
-//	public static final String TGUARD_USER_HEADER = "TGUARD_USER";
-
-	public static final String LOCALHOST_ALLOW = "localhost_allow";
-	public static final String LOCALHOST_DENY = "localhost_deny";
-	
-	public static final String BASIC_REALM = "basic_realm";  // what is sent to the client 
-	public static final String BASIC_WARN = "basic_warn";  // Warning of insecure channel 
-	public static final String USERS = "local_users";
-	public static final String GROUPS = "local_groups";
-	public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)
-	
-	public static final String AAF_ENV = "aaf_env";
-	public static final String AAF_ROOT_NS = "aaf_root_ns";
-	public static final String AAF_ROOT_COMPANY = "aaf_root_company";
-	public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
-	public static final String AAF_MECHID = "aaf_id";
-	public static final String AAF_MECHPASS = "aaf_password";
-	public static final String AAF_LUR_CLASS = "aaf_lur_class";
-	public static final String AAF_TAF_CLASS = "aaf_taf_class";
-	public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class";
-	public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";
-	public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout";
-	public static final String AAF_CONN_TIMEOUT_DEF = "3000";
-	public static final String AAF_READ_TIMEOUT = "aaf_timeout";
-	public static final String AAF_READ_TIMEOUT_DEF = "5000";
-	public static final String AAF_USER_EXPIRES = "aaf_user_expires";
-	public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins
-	public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval";
-	public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds
-	public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";
-	public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins
-	
-	public static final String AAF_HIGH_COUNT = "aaf_high_count";
-	public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries
-	public static final String AAF_PERM_MAP = "aaf_perm_map";
-	public static final String AAF_DEPLOYED_VERSION = "DEPLOYED_VERSION";
-	public static final String AAF_CERT_IDS = "aaf_cert_ids";
-	public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
-	
-	public static final String GW_URL = "gw_url";
-	public static final String CM_URL = "cm_url";
-	public static final String CM_TRUSTED_CAS = "cm_trusted_cas";
-
-	public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";
-	public static final String PATHFILTER_STACK = "pathfilter_stack";
-	public static final String PATHFILTER_NS = "pathfilter_ns";
-	public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg";
-
-	public static final String AFT_DME2_TRUSTSTORE_PASSWORD = "AFT_DME2_TRUSTSTORE_PASSWORD";
-	public static final String AFT_DME2_TRUSTSTORE = "AFT_DME2_TRUSTSTORE";
-	public static final String AFT_DME2_KEYSTORE_PASSWORD = "AFT_DME2_KEYSTORE_PASSWORD";
-	public static final String AFT_DME2_KEY_PASSWORD = "AFT_DME2_KEY_PASSWORD";
-	public static final String AFT_DME2_KEYSTORE = "AFT_DME2_KEYSTORE";
-	public static final String AFT_DME2_SSL_TRUST_ALL = "AFT_DME2_SSL_TRUST_ALL";
-	public static final String AFT_DME2_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_SSL_INCLUDE_PROTOCOLS";
-
-
-	// DME2 Client.  First property must be set to "false", and the others set in order to use SSL Client
-	public static final String AFT_DME2_CLIENT_IGNORE_SSL_CONFIG="AFT_DME2_CLIENT_IGNORE_SSL_CONFIG";
-	public static final String AFT_DME2_CLIENT_KEYSTORE = "AFT_DME2_CLIENT_KEYSTORE";
-	public static final String AFT_DME2_CLIENT_KEYSTORE_PASSWORD = "AFT_DME2_CLIENT_KEYSTORE_PASSWORD";
-	public static final String AFT_DME2_CLIENT_TRUSTSTORE = "AFT_DME2_CLIENT_TRUSTSTORE";
-	public static final String AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD = "AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD";
-	public static final String AFT_DME2_CLIENT_SSL_CERT_ALIAS = "AFT_DME2_CLIENT_SSL_CERT_ALIAS"; 
-	public static final String AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS";
-
-	
-	// This one should go unpublic
-	public static final String AAF_DEFAULT_REALM = "aaf_default_realm";
-	private static String defaultRealm="none";
-
-	public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support";
-	//public static final String AAF_DOMAIN_SUPPORT_DEF = ".com";
-	public static final String AAF_DOMAIN_SUPPORT_DEF = ".org";
-
-
-	public static void setDefaultRealm(Access access) throws CadiException {
-		try {
-			boolean hasCSP;
-			try {
-				Class.forName("com.att.cadi.taf.csp.CSPTaf");
-				hasCSP=true;
-			} catch(ClassNotFoundException e) {
-				hasCSP = logProp(access,Config.CSP_DOMAIN, null)!=null;
-			}
-			defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM,
-					hasCSP?"csp.att.com":
-					logProp(access,Config.BASIC_REALM,
-						logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName())
-						)
-					);
-		} catch (UnknownHostException e) {
-			//defaultRealm="none";
-		}
-	}
-	
-
-	public static HttpTaf configHttpTaf(Access access, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException {
-		/////////////////////////////////////////////////////
-		// Setup AAFCon for any following
-		/////////////////////////////////////////////////////
-		Object aafcon = null;
-		if(lur != null) {
-			Field f = null;
-			try {
-				f = lur.getClass().getField("aaf");
-				aafcon = f.get(lur);
-			} catch (Exception nsfe) {
-			}
-		}
-		// IMPORTANT!  Don't attempt to load AAF Connector if there is no AAF URL
-		String aafURL = access.getProperty(AAF_URL,null);
-		if(aafcon==null && aafURL!=null) {
-			aafcon = loadAAFConnector(access, aafURL);	
-		}
-		
-		HttpTaf taf;
-		// Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc)
-		String hostname = logProp(access, HOSTNAME,null);
-		if(hostname==null) {
-			try {
-				hostname = InetAddress.getLocalHost().getHostName();
-			} catch (UnknownHostException e1) {
-				throw new CadiException("Unable to determine Hostname",e1);
-			}
-		}
-		
-		access.log(Level.INIT, "Hostname set to",hostname);
-		// Get appropriate TAFs
-		ArrayList<HttpTaf> htlist = new ArrayList<HttpTaf>();
-
-		/////////////////////////////////////////////////////
-		// Add a Denial of Service TAF
-		// Note: how IPs and IDs are added are up to service type.
-		// They call "DenialOfServiceTaf.denyIP(String) or denyID(String)
-		/////////////////////////////////////////////////////
-		htlist.add(new DenialOfServiceTaf(access));
-
-		/////////////////////////////////////////////////////
-		// Configure LocalHost 
-		/////////////////////////////////////////////////////
-		
-		String truststore = logProp(access, CADI_TRUSTSTORE, access.getProperty("AFT_DME2_TRUSTSTORE", null));
-		if(truststore!=null) {
-			String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD, access.getProperty("AFT_DME2_TRUSTSTORE_PASSWORD",null));
-			if(truststore_pwd!=null) {
-				if(truststore_pwd.startsWith(Symm.ENC)) {
-					try {
-						truststore_pwd = access.decrypt(truststore_pwd,false);
-					} catch (IOException e) {
-						throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e);
-					}
-				}
-				try {
-					htlist.add(new X509Taf(access,lur));
-					access.log(Level.INIT,"Certificate Authorization enabled");
-				} catch (SecurityException e) {
-					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
-				} catch (IllegalArgumentException e) {
-					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
-				} catch (CertificateException e) {
-					access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e);
-				} catch (NoSuchAlgorithmException e) {
-					access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e);
-				}
-			}
-		} else {
-			access.log(Level.INIT,"Certificate Authorization not enabled");
-		}
-		
-		/////////////////////////////////////////////////////
-		// Configure Basic Auth (local content)
-		/////////////////////////////////////////////////////
-		String basic_realm = logProp(access, BASIC_REALM,null);
-		boolean basic_warn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE"));
-		if(basic_realm!=null && up!=null) {
-			access.log(Level.INIT,"Basic Authorization is enabled using realm",basic_realm);
-			// Allow warning about insecure channel to be turned off
-			if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
-					" There will be no additional warning if Basic Auth is used on an insecure channel"
-					);
-			String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins
-			long userExp = Long.parseLong(aafCleanup);
-
-			htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
-		} else {
-			access.log(Level.INIT,"Local Basic Authorization is disabled.  Enable by setting basic_realm=<appropriate realm, i.e. my.att.com>");
-		}
-		
-		/////////////////////////////////////////////////////
-		// Configure AAF Driven Basic Auth
-		/////////////////////////////////////////////////////
-		boolean getRemoteAAF = true;
-		if(additionalTafLurs!=null) {
-			for(Object o : additionalTafLurs) {
-				if(o.getClass().getSimpleName().equals("DirectAAFLur")) {
-					getRemoteAAF = false;
-					break;
-				}
-			}
-		}
-		HttpTaf aaftaf=null;
-		if(getRemoteAAF) {
-			if(aafcon==null) {
-				access.log(Level.INIT,"AAF Connection (AAFcon) is null.  Cannot create an AAF TAF");
-			} else if(aafURL==null) {
-				access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF");
-			} else {// There's an AAF_URL... try to configure an AAF 
-				String defName = aafURL.contains("version=2.0")?"com.att.cadi.aaf.v2_0.AAFTaf":"";
-				String aafTafClassName = logProp(access, AAF_TAF_CLASS,defName);
-				// Only 2.0 available at this time
-				if("com.att.cadi.aaf.v2_0.AAFTaf".equals(aafTafClassName)) { 
-					try {
-						Class<?> aafTafClass = loadClass(access,aafTafClassName);
-						Class<?> aafConClass = loadClass(access,"com.att.cadi.aaf.v2_0.AAFCon");
-	
-						Constructor<?> cstr = aafTafClass.getConstructor(aafConClass,boolean.class,AbsUserCache.class);
-						if(cstr!=null) {
-							aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn,lur);
-							if(aaftaf==null) {
-								access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");
-							} else {
-								access.log(Level.INIT,"AAF TAF Configured to ",aafURL);
-								// Note: will add later, after all others configured
-							}
-						}
-					} catch(Exception e) {
-						access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");
-					}
-				}
-			}
-		}
-		
-		
-		String alias = logProp(access, CADI_ALIAS,null);
-
-		/////////////////////////////////////////////////////
-		// Configure tGuard... (AT&T Client Repo)
-		/////////////////////////////////////////////////////
-		// TGUARD Environment, translated to any other remote Environment validation mechanism...
-		String tGuard_domain = logProp(access, TGUARD_DOMAIN,null);
-		String tGuard_env = logProp(access, TGUARD_ENV, null);
-
-		if(!("PROD".equals(tGuard_env) || "STAGE".equals(tGuard_env))) {
-			access.log(Level.INIT, "tGuard Authorization is disabled.  Enable by setting", TGUARD_ENV, "to \"PROD\" or \"STAGE\"");
-		} else if(tGuard_domain==null) {
-			access.log(Level.INIT,TGUARD_DOMAIN + " must be set:  tGuard Authorization is disabled.");
-		} else if(alias == null) {
-			access.log(Level.INIT,CADI_ALIAS + " must be set:  tGuard Authorization is disabled.");
-		} else {
-			try {
-				Class<?> tGuardClass = loadClass(access,"com.att.cadi.tguard.TGuardHttpTaf");
-				if(aaftaf!=null) {
-					Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, AbsUserCache.class});
-					htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {access,aaftaf}));
-					access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");
-				} else {
-					Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, int.class, int.class, int.class});
-					htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {
-							access,
-							Integer.parseInt(logProp(access, AAF_CLEAN_INTERVAL,AAF_CLEAN_INTERVAL_DEF)),
-							Integer.parseInt(logProp(access, AAF_HIGH_COUNT, AAF_HIGH_COUNT_DEF)),
-							Integer.parseInt(logProp(access, AAF_REFRESH_TRIGGER_COUNT, AAF_REFRESH_TRIGGER_COUNT_DEF))
-							}));
-					access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");
-				}
-			} catch(Exception e) {
-				access.log(e, Level.INIT,"tGuard Class cannot be loaded:  tGuard Authorization is disabled.");
-			}
-		}
-		
-		/////////////////////////////////////////////////////
-		// Adding BasicAuth (AAF) last, after other primary Cookie Based
-		// Needs to be before Cert... see below
-		/////////////////////////////////////////////////////
-		if(aaftaf!=null) {
-			htlist.add(aaftaf);
-		}
-
-
-		/////////////////////////////////////////////////////
-		// Any Additional Lurs passed in Constructor
-		/////////////////////////////////////////////////////
-		if(additionalTafLurs!=null) {
-			for(Object additional : additionalTafLurs) {
-				if(additional instanceof HttpTaf) {
-					htlist.add((HttpTaf)additional);
-					access.log(Level.INIT,additional);
-				}
-			}
-		}
-
-		/////////////////////////////////////////////////////
-		// Create EpiTaf from configured TAFs
-		/////////////////////////////////////////////////////
-		if(htlist.size()==1) {
-			// just return the one
-			taf = htlist.get(0);
-		} else {
-			HttpTaf[] htarray = new HttpTaf[htlist.size()];
-			htlist.toArray(htarray);
-			Locator<URI> locator = loadLocator(access, logProp(access, CADI_LOGINPAGE_URL, null));
-			
-			taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null
-			String level = logProp(access, CADI_LOGLEVEL, null);
-			if(level!=null) {
-				access.setLogLevel(Level.valueOf(level));
-			}
-		}
-		
-		return taf;
-	}
-	
-	public static String logProp(Access access,String tag, String def) {
-		String rv = access.getProperty(tag, def);
-		if(rv == null) {
-			access.log(Level.INIT,tag,"is not set");
-		} else {
-			access.log(Level.INIT,tag,"is set to",rv);
-		}
-		return rv;
-	}
-	
-	public static Lur configLur(Access access, Object ... additionalTafLurs) throws CadiException {
-		List<Lur> lurs = new ArrayList<Lur>();
-		
-		/////////////////////////////////////////////////////
-		// Configure a Local Property Based RBAC/LUR
-		/////////////////////////////////////////////////////
-		try {
-			String users = access.getProperty(USERS,null);
-			String groups = access.getProperty(GROUPS,null);
-
-			if(groups!=null || users!=null) {
-				LocalLur ll;
-				lurs.add(ll = new LocalLur(access, users, groups)); // note b64==null is ok.. just means no encryption.
-				
-				String writeto = access.getProperty(WRITE_TO,null);
-				if(writeto!=null) {
-					String msg = UsersDump.updateUsers(writeto, ll);
-					if(msg!=null) access.log(Level.INIT,"ERROR! Error Updating ",writeto,"with roles and users:",msg);
-				}
-			}
-		} catch (IOException e) {
-			throw new CadiException(e);
-		}
-		
-		/////////////////////////////////////////////////////
-		// Configure the AAF Lur (if any)
-		/////////////////////////////////////////////////////
-		String aafURL = logProp(access,AAF_URL,null); // Trigger Property
-		String aaf_env = access.getProperty(AAF_ENV,null);
-		if(aaf_env == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL
-			int ec = aafURL.indexOf("envContext=");
-			if(ec>0) {
-				ec += 11; // length of envContext=
-				int slash = aafURL.indexOf('/', ec);
-				if(slash>0) {
-					aaf_env = aafURL.substring(ec, slash);
-					((PropAccess)access).setProperty(AAF_ENV, aaf_env);
-					access.printf(Level.INIT, "Setting aaf_env to %s from aaf_url value",aaf_env);
-				}
-			}
-		}
-			
-		if(aafURL==null) {
-			access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded");
-		} else {// There's an AAF_URL... try to configure an AAF
-			String aafLurClassStr = logProp(access,AAF_LUR_CLASS,"com.att.cadi.aaf.v2_0.AAFLurPerm");
-			////////////AAF Lur 2.0 /////////////
-			if(aafLurClassStr.startsWith("com.att.cadi.aaf.v2_0")) { 
-				try {
-					Object aafcon = loadAAFConnector(access, aafURL);
-					if(aafcon==null) {
-						access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object.");
-					} else {
-						Class<?> aafAbsAAFCon = loadClass(access, "com.att.cadi.aaf.v2_0.AAFCon");
-						Method mNewLur = aafAbsAAFCon.getMethod("newLur");
-						Object aaflur = mNewLur.invoke(aafcon);
-	
-						if(aaflur==null) {
-							access.log(Level.INIT,"ERROR! AAF LUR Failed construction.  NOT Configured");
-						} else {
-							access.log(Level.INIT,"AAF LUR Configured to ",aafURL);
-							lurs.add((Lur)aaflur);
-							String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null);
-							if(debugIDs !=null && aaflur instanceof CachingLur) {
-								((CachingLur<?>)aaflur).setDebug(debugIDs);
-							}
-						}
-					}
-				} catch (Exception e) {
-					access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors.");
-				}
-			} 
-		} 
-
-		/////////////////////////////////////////////////////
-		// Any Additional passed in Constructor
-		/////////////////////////////////////////////////////
-		if(additionalTafLurs!=null) {
-			for(Object additional : additionalTafLurs) {
-				if(additional instanceof Lur) {
-					lurs.add((Lur)additional);
-					access.log(Level.INIT, additional);
-				}
-			}
-		}
-
-		/////////////////////////////////////////////////////
-		// Return a Lur based on how many there are... 
-		/////////////////////////////////////////////////////
-		switch(lurs.size()) {
-			case 0: 
-				access.log(Level.INIT,"WARNING! No CADI LURs configured");
-				// Return a NULL Lur that does nothing.
-				return new NullLur();
-			case 1:
-				return lurs.get(0); // Only one, just return it, save processing
-			default:
-				// Multiple Lurs, use EpiLUR to handle
-				Lur[] la = new Lur[lurs.size()];
-				lurs.toArray(la);
-				return new EpiLur(la);
-		}
-	}
-	
-	private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2 = "com.att.cadi.aaf.v2_0.AAFConDME2";
-	private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP = "com.att.cadi.aaf.v2_0.AAFConHttp";
-	public static Object loadAAFConnector(Access access, String aafURL) {
-		Object aafcon = null;
-		Class<?> aafConClass = null;
-
-		try {
-			if(aafURL!=null) {
-				String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);
-				if(COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2.equals(aafConnector) || aafURL.contains("/service=")) {
-					aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2);
-					if(aafConClass!=null) {
-						Constructor<?> cons = aafConClass.getConstructor(PropAccess.class);
-						aafcon = cons.newInstance(access);
-					} else {
-						access.log(Level.ERROR, "URL contains '/service=', which requires DME2");
-					}
-				} else if(COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) {
-					aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);
-					for(Constructor<?> c : aafConClass.getConstructors()) {
-						List<Object> lo = new ArrayList<Object>();
-						for(Class<?> pc : c.getParameterTypes()) {
-							if(pc.equals(PropAccess.class)) {
-								lo.add(access);
-							} else if(pc.equals(Locator.class)) {
-								lo.add(loadLocator(access, aafURL));
-							} else {
-								continue;
-							}
-						}
-						if(c.getParameterTypes().length!=lo.size()) {
-							continue; // back to another Constructor
-						} else {
-							aafcon = c.newInstance(lo.toArray());
-						}
-						break;
-					}
-				}
-				if(aafcon!=null) {
-					String mechid = logProp(access,Config.AAF_MECHID, null);
-					String pass = access.getProperty(Config.AAF_MECHPASS, null);
-					if(mechid!=null && pass!=null) {
-						try {
-							Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class);
-							basicAuth.invoke(aafcon, mechid,pass);
-						} catch (NoSuchMethodException nsme) {
-							// it's ok, don't use
-						}
-					}
-				}
-			}
-		} catch (Exception e) {
-			access.log(e,"AAF Connector could not be constructed with given Constructors.");
-		}
-		
-		return aafcon;
-	}
-
-	public static Class<?> loadClass(Access access, String className) {
-		Class<?> cls=null;
-		try {
-			cls = access.classLoader().loadClass(className);
-		} catch (ClassNotFoundException cnfe) {
-			try {
-				cls = access.getClass().getClassLoader().loadClass(className);
-			} catch (ClassNotFoundException cnfe2) {
-				// just return null
-			}
-		}
-		return cls;
-	}
-
-	@SuppressWarnings("unchecked")
-	public static Locator<URI> loadLocator(Access access, String url) {
-		Locator<URI> locator = null;
-		if(url==null) {
-			access.log(Level.INIT,"No URL for AAF Login Page. Disabled");
-		} else {
-			if(url.contains("DME2RESOLVE")) {
-				try {
-					Class<?> lcls = loadClass(access,"com.att.cadi.locator.DME2Locator");
-					Class<?> dmcls = loadClass(access,"com.att.aft.dme2.api.DME2Manager");
-					Constructor<?> cnst = lcls.getConstructor(new Class[] {Access.class,dmcls,String.class});
-					locator = (Locator<URI>)cnst.newInstance(new Object[] {access,null,url});
-					access.log(Level.INFO, "DME2Locator enabled with " + url);
-				} catch (Exception e) {
-					access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires DME2. It is now disabled",e);
-				}
-			} else {
-				try {
-					Class<?> cls = loadClass(access,"com.att.cadi.locator.PropertyLocator");
-					Constructor<?> cnst = cls.getConstructor(new Class[] {String.class});
-					locator = (Locator<URI>)cnst.newInstance(new Object[] {url});
-					access.log(Level.INFO, "PropertyLocator enabled with " + url);
-				} catch (Exception e) {
-					access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires PropertyLocator. It is now disabled",e);
-				}
-			}
-		}
-		return locator;
-	}
-
-	/*
-	 * DME2 can only read Passwords as clear text properties.  Leaving in "System Properties" un-encrypted exposes these passwords
-	 */
-	public static class PasswordRemoval extends TimerTask {
-		private Access access;
-		
-		private final List<String> pws;
-
-		public PasswordRemoval(Access access) {
-			this.access = access;
-			pws = new ArrayList<String>();
-		}
-		
-		@Override
-		public void run() {
-			for(String key:pws) {
-				access.log(Level.INIT, "Scrubbing " + key);
-				System.clearProperty(key);
-			}
-		}		
-		public void add(String key) {
-			pws.add(key);
-		}
-	}
-
-	private static final String Y = "Y";
-
-	private static String[][] CONVERTER_STRINGS=new String[][] {
-			{AFT_DME2_KEYSTORE,CADI_KEYSTORE,null},
-			{AFT_DME2_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},
-			{AFT_DME2_KEY_PASSWORD,CADI_KEY_PASSWORD,null},
-			{AFT_DME2_TRUSTSTORE,CADI_TRUSTSTORE,null},
-			{AFT_DME2_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},
-			{AFT_DME2_CLIENT_KEYSTORE,CADI_KEYSTORE,null},
-			{AFT_DME2_CLIENT_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},
-			{AFT_DME2_CLIENT_TRUSTSTORE,CADI_TRUSTSTORE,null},
-			{AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},
-			{AFT_DME2_CLIENT_SSL_CERT_ALIAS,CADI_ALIAS,null},
-			{AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},
-			{"AFT_DME2_HOSTNAME",HOSTNAME,null},
-			{"AFT_LATITUDE",null,Y},
-			{"AFT_LONGITUDE",null,Y},
-			{"AFT_ENVIRONMENT",null,Y},
-			{"SCLD_PLATFORM",null,Y},
-			{"DME2_EP_REGISTRY_CLASS",null,Y},// for Developer local access
-			{"AFT_DME2_EP_REGISTRY_FS_DIR",null,Y},
-			{"DME2.DEBUG",null,null},
-			{"AFT_DME2_HTTP_EXCHANGE_TRACE_ON",null,null},
-			{"AFT_DME2_SSL_ENABLE",null,null},
-			{"AFT_DME2_SSL_WANT_CLIENT_AUTH",null,null},
-			{AFT_DME2_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},
-			{"AFT_DME2_SSL_VALIDATE_CERTS",null,null},
-			{AFT_DME2_CLIENT_IGNORE_SSL_CONFIG,null,null},
-			{"https.protocols",CADI_PROTOCOLS,Y},
-			};
-
-
-
-	public static Properties getDME2Props(PropAccess access) {
-		Properties dprops = new Properties();
-		String value = null;
-		boolean reqClientConfig = false;
-		for(String[] row : CONVERTER_STRINGS) {
-			value = access.getProperty(row[0],null);
-			if(value==null) {
-				value = System.getProperty(row[0]);
-				if(value==null && row[1]!=null) {
-					value = access.getProperty(row[1],null);
-					if(value == null) {
-						value = System.getProperty(row[1]);
-					}
-				}
-			}
-			if(value!=null) {
-				if(row[0].contains("_SSL_")) {
-					reqClientConfig = true;
-				}
-				if(row[0].startsWith("AFT") || row[0].startsWith("SCLD") || row[0].contains("DME2")) {
-					if(value.startsWith("enc:")) {
-						try {
-							value = access.decrypt(value, true);
-						} catch (IOException e) {
-							access.log(Level.ERROR, e);
-						}
-						System.setProperty(row[0], value);
-					} else if(Y.equals(row[2])) {
-						System.setProperty(row[0], value);
-						dprops.setProperty(row[0], value);
-					} else if(row[0].contains("PASSWORD") || row[0].contains("STORE")) {
-						System.setProperty(row[0], value);
-					} else {
-						dprops.setProperty(row[0], value);
-					}
-				}
-				
-			}
-			
-		}
-		
-		Properties sprops = System.getProperties();
-		if(reqClientConfig && sprops.getProperty(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) {
-			sprops.put(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG, "false");
-			replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE,AFT_DME2_TRUSTSTORE);
-			replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE_PASSWORD,AFT_DME2_TRUSTSTORE_PASSWORD);
-			replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE,AFT_DME2_CLIENT_TRUSTSTORE);
-			replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE_PASSWORD,AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD);
-		}
-		
-		if(sprops.getProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS)==null) {
-			sprops.setProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
-		}
-
-		if(sprops.getProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS)==null) {
-			sprops.setProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
-		}
-		
-		if(access.willLog(Level.DEBUG)) {
-			if(access instanceof PropAccess) {
-				access.log(Level.DEBUG,"Access Properties");
-				for(Entry<Object, Object> es : ((PropAccess)access).getProperties().entrySet()) {
-					access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),es.getValue().toString());
-				}
-			}
-			access.log(Level.DEBUG,"DME2 Properties()");
-			for(Entry<Object, Object> es : dprops.entrySet()) {
-				value = es.getValue().toString();
-				if(es.getKey().toString().contains("PASS")) {
-					if(value==null || !value.contains("enc:")) {
-						value = HIDE_PASS;
-					}
-				}
-				access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);
-			}
-			
-			access.log(Level.DEBUG,"System (AFT) Properties");
-			for(Entry<Object, Object> es : System.getProperties().entrySet()) {
-				if(es.getKey().toString().startsWith("AFT")) {
-					value = es.getValue().toString();
-					if(es.getKey().toString().contains("PASS")) {
-						if(value==null || !value.contains("enc:")) {
-							value = HIDE_PASS;
-						}
-					}
-					access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);
-				}
-			}
-		}
-		// Cover any not specific AFT props
-		String key;
-		for(Entry<Object, Object> es : access.getProperties().entrySet()) {
-			if((key=es.getKey().toString()).startsWith("AFT_") && 
-					!key.contains("PASSWORD") &&
-					dprops.get(key)==null) {
-				dprops.put(key, es.getValue());
-			}
-		}
-		return dprops;
-	}
-	
-	private static void replaceKeyWithTrust(Properties props, String ks, String ts) {
-		String value;
-		if(props.get(ks)==null && (value=props.getProperty(ts))!=null) {
-			props.put(ks,value);
-			props.remove(ts);
-		}
-	}
-	// Set by CSP, or is hostname.
-	public static String getDefaultRealm() {
-		return defaultRealm;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/config/Get.java b/core/src/main/java/com/att/cadi/config/Get.java
deleted file mode 100644
index 7a2eab5..0000000
--- a/core/src/main/java/com/att/cadi/config/Get.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-import java.lang.reflect.Method;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-
-public interface Get {
-	public String get(String name, String def, boolean print);
-	
-	
-	/**
-	 * A class for Getting info out of "JavaBean" format
-	 *
-	 */
-	public static class Bean implements Get {
-		private Object bean;
-		private Class<?> bc;
-		private Class<?>[] params;
-		private Object[] args;
-		
-		public Bean(Object bean) {
-			this.bean = bean;
-			bc = bean.getClass();
-			params = new Class<?>[0]; // note, this will allow to go out of scope after config
-			args = new Object[0];
-		}
-		
-		public String get(String name, String def, boolean print) {
-			String str = null;
-			String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1);
-			try {
-				Method meth = bc.getMethod(gname, params);
-				Object obj = meth.invoke(bean, args);
-				str = obj==null?null:obj.toString(); // easy string convert... 
-			} catch (Exception e) {
-			}
-			
-			// Take def if nothing else
-			if(str==null) {
-				str = def;
-				// don't log defaults
-			} else {
-				str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
-			}
-			// Note: Can't log during configuration
-			return str;
-		}
-	}
-
-	public static Get NULL = new Get() {
-		public String get(String name, String def, boolean print) {
-			return def;
-		}
-	};
-
-	public static class AccessGet implements Get {
-		private Access access;
-		public AccessGet(Access access) {
-			this.access = access;
-		}
-		public String get(String name, String def, boolean print) {
-			String gotten = access.getProperty(name, def);
-			if(print) {
-				if(gotten == null) {
-					access.log(Level.INIT,name, "is not set");
-				} else {
-					access.log(Level.INIT,name, "is set to", gotten);
-				}
-			}
-			return gotten;
-		}
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/config/GetAccess.java b/core/src/main/java/com/att/cadi/config/GetAccess.java
deleted file mode 100644
index 1df9b0e..0000000
--- a/core/src/main/java/com/att/cadi/config/GetAccess.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-import com.att.cadi.PropAccess;
-
-public class GetAccess extends PropAccess {
-	private final Get getter;
-	
-	public GetAccess(Get getter) {
-		super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)});
-		this.getter = getter;
-	}
-	
-	/* (non-Javadoc)
-	 * @see com.att.cadi.PropAccess#getProperty(java.lang.String, java.lang.String)
-	 */
-	@Override
-	public String getProperty(String tag, String def) {
-		String rv;
-		rv = super.getProperty(tag, null);
-		if(rv==null && getter!=null) {
-			rv = getter.get(tag, null, true);
-		}
-		return rv==null?def:rv;
-	}
-	/* (non-Javadoc)
-	 * @see com.att.cadi.PropAccess#getProperty(java.lang.String)
-	 */
-	@Override
-	public String getProperty(String tag) {
-		String rv;
-		rv = super.getProperty(tag, null);
-		if(rv==null && getter!=null) {
-			rv = getter.get(tag, null, true);
-		}
-		return rv;
-	}
-
-	public Get get() {
-		return getter;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/config/MultiGet.java b/core/src/main/java/com/att/cadi/config/MultiGet.java
deleted file mode 100644
index 83cd21d..0000000
--- a/core/src/main/java/com/att/cadi/config/MultiGet.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-public class MultiGet implements Get {
-    private Get[] getters;
-
-    public MultiGet(Get ... getters) {
-        this.getters = getters;
-    }
-
-    @Override
-    public String get(String name, String def, boolean print) {
-        String str;
-        for(Get getter : getters) {
-            str = getter.get(name, null, print);
-            if(str!=null) 
-                return str;
-        }
-        return def;
-    }
-
-}
diff --git a/core/src/main/java/com/att/cadi/config/SecurityInfo.java b/core/src/main/java/com/att/cadi/config/SecurityInfo.java
deleted file mode 100644
index 6d0f3c2..0000000
--- a/core/src/main/java/com/att/cadi/config/SecurityInfo.java
+++ /dev/null
@@ -1,243 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.rmi.AccessException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSocketFactory;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509KeyManager;
-import javax.net.ssl.X509TrustManager;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.util.MaskFormatException;
-import com.att.cadi.util.NetMask;
-
-public class SecurityInfo {
-	private static final String SECURITY_ALGO = "RSA";
-	private static final String HTTPS_PROTOCOLS = "https.protocols";
-	private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
-
-	public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
-	public static final String REGEX_COMMA = "\\s*,\\s*";
-	public static final String SslKeyManagerFactoryAlgorithm;
-	
-	private SSLSocketFactory scf;
-	private X509KeyManager[] km;
-	private X509TrustManager[] tm;
-	public final String default_alias;
-	private NetMask[] trustMasks;
-	private SSLContext ctx;
-	private HostnameVerifier maskHV;
-
-	// Change Key Algorithms for IBM's VM.  Could put in others, if needed.
-	static {
-		if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) {
-			SslKeyManagerFactoryAlgorithm = "IbmX509";
-		} else {
-			SslKeyManagerFactoryAlgorithm = "SunX509";
-		}
-	}
-	
-
-	public SecurityInfo(final Access access) throws GeneralSecurityException, IOException {
-		// reuse DME2 Properties for convenience if specific Properties don't exist
-		String keyStore = access.getProperty(Config.CADI_KEYSTORE,
-				access.getProperty(Config.AFT_DME2_KEYSTORE,null));
-		String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD,
-				access.getProperty(Config.AFT_DME2_KEYSTORE_PASSWORD, null));
-		keyStorePasswd = keyStorePasswd==null?null:access.decrypt(keyStorePasswd,false);
-		String trustStore = access.getProperty(Config.CADI_TRUSTSTORE,
-				access.getProperty(Config.AFT_DME2_TRUSTSTORE, null));
-		String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD,
-				access.getProperty(Config.AFT_DME2_TRUSTSTORE_PASSWORD,null));
-		trustStorePasswd = trustStorePasswd==null?null:access.decrypt(trustStorePasswd,false);
-		default_alias = access.getProperty(Config.CADI_ALIAS, 
-				access.getProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS,null));
-		
-		String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD,null);
-		keyPasswd = keyPasswd==null?keyStorePasswd:access.decrypt(keyPasswd,false);
-		String tips=access.getProperty(Config.CADI_TRUST_MASKS, null);
-		if(tips!=null) {
-			access.log(Level.INIT,"Explicitly accepting valid X509s from",tips);
-			String[] ipsplit = tips.split(REGEX_COMMA);
-			trustMasks = new NetMask[ipsplit.length];
-			for(int i=0;i<ipsplit.length;++i) {
-				try {
-					trustMasks[i]=new NetMask(ipsplit[i]);
-				} catch (MaskFormatException e) {
-					throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS,e);
-				}
-			}
-		}
-		String https_protocols = Config.logProp(access,Config.CADI_PROTOCOLS, 
-				access.getProperty(Config.AFT_DME2_SSL_INCLUDE_PROTOCOLS, 
-					access.getProperty(HTTPS_PROTOCOLS,HTTPS_PROTOCOLS_DEFAULT)
-					));
-		System.setProperty(HTTPS_PROTOCOLS,https_protocols);
-		System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, https_protocols);
-		
-		KeyManagerFactory kmf = KeyManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
-		File file;
-
-
-		if(keyStore==null || keyStorePasswd == null) { 
-			km = new X509KeyManager[0];
-		} else {
-			ArrayList<X509KeyManager> kmal = new ArrayList<X509KeyManager>();
-			for(String ksname : keyStore.split(REGEX_COMMA)) {
-				file = new File(ksname);
-				String keystoreFormat;
-				if(ksname.endsWith("pkcs12")) {
-					keystoreFormat = "PKCS12";
-				} else {
-					keystoreFormat = "JKS";
-				}
-				if(file.exists()) {
-					FileInputStream fis = new FileInputStream(file);
-					try {
-						KeyStore ks = KeyStore.getInstance(keystoreFormat);
-						ks.load(fis, keyStorePasswd.toCharArray());
-						kmf.init(ks, keyPasswd.toCharArray());
-					} finally {
-						fis.close();
-					}
-				}
-			}
-			for(KeyManager km : kmf.getKeyManagers()) {
-				if(km instanceof X509KeyManager) {
-					kmal.add((X509KeyManager)km);
-				}
-			}
-			km = new X509KeyManager[kmal.size()];
-			kmal.toArray(km);
-		}
-
-		TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
-		if(trustStore!=null) {
-			for(String tsname : trustStore.split(REGEX_COMMA)) {
-				file = new File(tsname);
-				if(file.exists()) {
-					FileInputStream fis = new FileInputStream(file);
-					try {
-						KeyStore ts = KeyStore.getInstance("JKS");
-						ts.load(fis, trustStorePasswd.toCharArray());
-						tmf.init(ts); 
-					} finally {
-						fis.close();
-					}
-				}
-			}
-			TrustManager tms[] = tmf.getTrustManagers();
-			tm = new X509TrustManager[tms==null?0:tms.length];
-			for(int i=0;i<tms.length;++i) {
-				try {
-					tm[i]=(X509TrustManager)tms[i];
-				} catch (ClassCastException e) {
-					access.log(Level.WARN, "Non X509 TrustManager", tm[i].getClass().getName(),"skipped in SecurityInfo");
-				}
-			}
-		}
-		
-		if(trustMasks!=null) {
-			final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
-			HttpsURLConnection.setDefaultHostnameVerifier(maskHV = new HostnameVerifier() {
-				@Override
-				public boolean verify(final String urlHostName, final SSLSession session) {
-					try {
-						// This will pick up /etc/host entries as well as DNS
-						InetAddress ia = InetAddress.getByName(session.getPeerHost());
-						for(NetMask tmask : trustMasks) {
-							if(tmask.isInNet(ia.getHostAddress())) {
-								return true;
-							}
-						}
-					} catch (UnknownHostException e) {
-						// It's ok. do normal Verify
-					}
-					return origHV.verify(urlHostName,session);
-				};
-			});
-		}
-		ctx = SSLContext.getInstance("TLS");
-		ctx.init(km, tm, null);
-		SSLContext.setDefault(ctx);
-		scf = ctx.getSocketFactory();
-	}
-
-	/**
-	 * @return the scf
-	 */
-	public SSLSocketFactory getSSLSocketFactory() {
-		return scf;
-	}
-
-	public SSLContext getSSLContext() {
-		return ctx;
-	}
-
-	/**
-	 * @return the km
-	 */
-	public X509KeyManager[] getKeyManagers() {
-		return km;
-	}
-
-	public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
-		for(X509TrustManager xtm : tm) {
-			xtm.checkClientTrusted(certarr, SECURITY_ALGO);
-		}
-	}
-
-	public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
-		for(X509TrustManager xtm : tm) {
-			xtm.checkServerTrusted(certarr, SECURITY_ALGO);
-		}
-	}
-
-	public void setSocketFactoryOn(HttpsURLConnection hsuc) {
-		hsuc.setSSLSocketFactory(scf);
-		if(maskHV!=null && !maskHV.equals(hsuc.getHostnameVerifier())) {
-			hsuc.setHostnameVerifier(maskHV);
-		}
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/config/SecurityInfoC.java b/core/src/main/java/com/att/cadi/config/SecurityInfoC.java
deleted file mode 100644
index 2b0ec43..0000000
--- a/core/src/main/java/com/att/cadi/config/SecurityInfoC.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-
-import com.att.cadi.Access;
-import com.att.cadi.SecuritySetter;
-
-
-public class SecurityInfoC<CLIENT> extends SecurityInfo {
-	public SecuritySetter<CLIENT> defSS;
-
-	public SecurityInfoC(Access access) throws GeneralSecurityException, IOException {
-		super(access);
-	}
-
-	public SecurityInfoC<CLIENT> set(SecuritySetter<CLIENT> defSS) {
-		this.defSS = defSS;
-		return this;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/config/UsersDump.java b/core/src/main/java/com/att/cadi/config/UsersDump.java
deleted file mode 100644
index 992b365..0000000
--- a/core/src/main/java/com/att/cadi/config/UsersDump.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.config;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.io.PrintStream;
-import java.util.Date;
-import java.util.HashSet;
-
-import com.att.cadi.AbsUserCache;
-import com.att.cadi.lur.LocalLur;
-
-public class UsersDump {
-
-	/**
-	 * @param args
-	 */
-	public static boolean write(OutputStream os, AbsUserCache<?> lur) {
-		PrintStream ps;
-		if(os instanceof PrintStream) {
-			ps = (PrintStream)os;
-		} else {
-			ps = new PrintStream(os);
-		}
-		try {
-			ps.println("<?xml version='1.0' encoding='utf-8'?>");
-			ps.println("<!--");
-			ps.print(  "     Code Generated Tomcat Users and Roles from AT&T LUR on ");
-			ps.println(new Date());
-			ps.println(  "-->");
-			ps.println("<tomcat-users>");
-
-			// We loop through Users, but want to write Groups first... therefore, save off print
-			StringBuilder sb = new StringBuilder();
-			
-			// Obtain all unique role names
-			HashSet<String> groups = new HashSet<String>();
-			for(AbsUserCache<?>.DumpInfo di : lur.dumpInfo()) {
-				sb.append("\n  <user username=\"");
-				sb.append(di.user);
-				sb.append("\" roles=\"");
-				boolean first = true;
-				for(String role : di.perms) {
-					groups.add(role);
-					if(first)first = false;
-					else sb.append(',');
-					sb.append(role);
-				}
-				sb.append("\"/>");
-
-			}
-
-			// Print roles
-			for(String group : groups) {
-				ps.print("  <role rolename=\"");
-				ps.print(group);
-				ps.println("\"/>");
-			}
-	
-			ps.println(sb);
-
-			ps.println("</tomcat-users>");
-			ps.flush();
-		} catch (Throwable t) {
-			t.printStackTrace(ps);
-			return false;
-		}
-		return true;
-	}
-	
-	/**
-	 * 
-	 * Note: This method returns a String if there's an error, or null if ok.
-	 * This unusual style is necessitated by the fact that any Exceptions thrown are likely to 
-	 * be unlogged and hidden from view, making debugging almost impossible.
-	 * 
-	 * @param writeto
-	 * @param up
-	 * @return
-	 */
-	public static String updateUsers(String writeto, LocalLur up) {
-		// Dump a Tomcat-user.xml lookalike (anywhere)
-		if(writeto!=null) {
-			// First read content
-			ByteArrayOutputStream baos = new ByteArrayOutputStream();
-			if(UsersDump.write(baos, up)) {
-				byte[] postulate = baos.toByteArray();
-				// now get contents of file
-				File file = new File(writeto);
-				boolean writeIt;
-				if(file.exists()) {
-					try {
-						FileInputStream fis = new FileInputStream(file);
-						byte[] orig = new byte[(int)file.length()];
-						try {
-							fis.read(orig);
-						} finally {
-							fis.close();
-						}
-						// Starting at third "<" (<tomcat-users> line)
-						int startA=0, startB=0;
-						for(int i=0;startA<orig.length && i<3;++startA) if(orig[startA]=='<')++i;
-						for(int i=0;startB<orig.length && i<3;++startB) if(postulate[startB]=='<')++i;
-						
-						writeIt=orig.length-startA!=postulate.length-startB; // first, check if remaining length is the same
-						while(!writeIt && startA<orig.length && startB<postulate.length) {
-							if(orig[startA++]!=postulate[startB++])writeIt = true;
-						}
-					} catch (Exception e) {
-						writeIt = true;
-					}
-				} else {
-					writeIt = true;
-				}
-				
-				if(writeIt) {
-					try {
-						FileOutputStream fos = new FileOutputStream(file);
-						try {
-							fos.write(postulate);
-						} finally {
-							fos.close();
-						}
-					} catch (IOException e) {
-						return e.getMessage();
-					}
-				}
-			}
-		}
-		return null; // no message means ok.
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/AUTHZ.java b/core/src/main/java/com/att/cadi/filter/AUTHZ.java
deleted file mode 100644
index ab32a98..0000000
--- a/core/src/main/java/com/att/cadi/filter/AUTHZ.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import static java.lang.annotation.ElementType.TYPE;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
-
-import java.lang.annotation.Retention;
-import java.lang.annotation.Target;
-
-import javax.servlet.Servlet;
-
-@Target({TYPE})
-@Retention(RUNTIME)
-public @interface AUTHZ {
-	Class<? extends Servlet> value();
-}
diff --git a/core/src/main/java/com/att/cadi/filter/AUTHZServlet.java b/core/src/main/java/com/att/cadi/filter/AUTHZServlet.java
deleted file mode 100644
index c1ad627..0000000
--- a/core/src/main/java/com/att/cadi/filter/AUTHZServlet.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import java.io.IOException;
-
-import javax.servlet.Servlet;
-import javax.servlet.ServletConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-/**
- * 
- *
- */
-public class AUTHZServlet<S extends Servlet> implements Servlet {
-	private String[] roles;
-	private Servlet delegate;
-
-	protected AUTHZServlet(Class<S> cls) {
-		try {
-			delegate = cls.newInstance();
-		} catch (Exception e) {
-			delegate = null;
-		}
-		RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class);
-		if(rolesAllowed == null) {
-			roles = null;
-		} else {
-			roles = rolesAllowed.value();
-		}
-	}
-	
-	public void init(ServletConfig sc) throws ServletException {
-		if(delegate == null) throw new ServletException("Invalid Servlet Delegate");
-		delegate.init(sc);
-	}
-	
-	public ServletConfig getServletConfig() {
-		return delegate.getServletConfig();
-	}
-
-	public String getServletInfo() {
-		return delegate.getServletInfo();
-	}
-
-	public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
-		if(roles==null) {
-			delegate.service(req,resp);
-		} else { // Validate
-			try {
-				HttpServletRequest hreq = (HttpServletRequest)req;
-				boolean proceed = false;
-				for(String role : roles) {
-					if(hreq.isUserInRole(role)) {
-						proceed = true;
-						break;
-					}
-				}
-				if(proceed) {
-					delegate.service(req,resp);
-				} else {
-					//baseRequest.getServletContext().log(hreq.getUserPrincipal().getName()+" Refused " + roles);
-					((HttpServletResponse)resp).sendError(403); // forbidden
-				}
-			} catch(ClassCastException e) {
-				throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse");
-			}
-		}
-	}
-
-	public void destroy() {
-		delegate.destroy();
-	}
-
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/AccessGetter.java b/core/src/main/java/com/att/cadi/filter/AccessGetter.java
deleted file mode 100644
index 37d2c04..0000000
--- a/core/src/main/java/com/att/cadi/filter/AccessGetter.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import com.att.cadi.Access;
-import com.att.cadi.config.Get;
-
-public class AccessGetter implements Get {
-	private final Access access;
-	public AccessGetter(Access access) {
-		this.access = access;
-	}
-	public String get(String name, String def, boolean print) {
-		return access.getProperty(name, def);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/CadiAccess.java b/core/src/main/java/com/att/cadi/filter/CadiAccess.java
deleted file mode 100644
index e9bc5a8..0000000
--- a/core/src/main/java/com/att/cadi/filter/CadiAccess.java
+++ /dev/null
@@ -1,243 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Properties;
-
-import javax.servlet.ServletContext;
-
-import com.att.cadi.Access;
-import com.att.cadi.Symm;
-import com.att.cadi.config.Config;
-import com.att.cadi.config.Get;
-
-public class CadiAccess implements Access {
-	// constants for a couple of very commonly used strings.
-	protected static final String FROM = "from";
-	protected static final String FOR = "for";
-
-	// Properties derived from <pass> sources (could be property files, Valve Configurations, Filter
-	// configs, etc. 
-	protected Properties props;
-
-	// Will we write Logs?
-	protected Level willWrite = Level.INFO;
-	
-	protected ServletContext context;
-	protected Get getter = Get.NULL; // replace with Derived Class getter
-	private Symm symm;
-
-	public CadiAccess(Map<String, Object> map) {
-		if(map!=null && !map.isEmpty()) {
-			props = new Properties();
-			for(Entry<String, Object> es : map.entrySet()) {
-				Object v = es.getValue();
-				if(v!=null) {
-					props.put(es.getKey(), v.toString());
-				}
-			}
-			Object keyfile = props.get(Config.CADI_KEYFILE);
-			if(keyfile!=null) {
-				try {
-					FileInputStream fis = new FileInputStream(keyfile.toString());
-					symm = Symm.obtain(fis);
-				} catch (Exception e) {
-				}
-			}
-
-		}
-	}
-	
-	public Level willWrite() {
-		return willWrite;
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level)
-	 */
-	@Override
-	public boolean willLog(Level level) {
-		return willWrite.compareTo(level)<=0;
-	}
-
-	/**
-	 * Add the "Level" to the Buildline for Logging types that don't specify, or straight Streams, etc.  Then buildline
-	 * 
-	 * Build a line of code onto a StringBuilder based on Objects.  Analyze whether 
-	 * spaces need including.
-	 *
-	 * @param level
-	 * @param sb
-	 * @param elements
-	 * @return
-	 */
-	public final static StringBuilder buildLine(Level level, StringBuilder sb, Object[] elements) {
-		sb.append(level.name());
-		return buildLine(sb,elements);
-	}
-	
-	/*
-	 * Build a line of code onto a StringBuilder based on Objects.  Analyze whether 
-	 * spaces need including.
-	 * 
-	 * @param sb
-	 * @param elements
-	 * @return
-	 */
-	public final static StringBuilder buildLine(StringBuilder sb, Object[] elements) {
-		sb.append(' ');
-		String str;
-		boolean notFirst = false;
-		for(Object o : elements) {
-			if(o!=null) {
-				str = o.toString();
-				
-				if(str.length()>0) {
-					if(notFirst && shouldAddSpace(str,true) && shouldAddSpace(sb,false)) {
-						sb.append(' ');
-					} else {
-						notFirst=true;
-					}
-					sb.append(str);
-				}
-			}
-		}
-		return sb;
-	}
-	
-	private static boolean shouldAddSpace(CharSequence c,boolean start) {
-		if(c.length()>0)
-			switch(c.charAt(start?0:c.length()-1)) {
-				case ' ':
-				case '\t':
-				case '\n':
-				case '\'':
-				case '"':
-				case '|':
-					return false;
-			}
-		return true;
-	}
-
-	/**
-	 * Standard mechanism for logging, given being within a Servlet Context
-	 * 
-	 * Here, we treat
-	 * 
-	 * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup 
-	 * scenarios)
-	 *
-	 */
-	public void log(Level level, Object... elements) {
-		if(willWrite.compareTo(level)<=0) {
-			StringBuilder sb = buildLine(level, new StringBuilder(),elements);
-			if(context==null) {
-				System.out.println(sb.toString());
-			} else {
-				context.log(sb.toString());
-			}
-		}
-	}
-
-	/**
-	 * Standard mechanism for logging an Exception, given being within a Servlet Context, etc
-	 * 
-	 * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup 
-	 * scenarios)
-	 *
-	 */
-	public void log(Exception e, Object... elements) {
-		if(willWrite.compareTo(Level.ERROR)<=0) {
-			StringBuilder sb = buildLine(Level.ERROR, new StringBuilder(),elements);
-		
-			if(context==null) {
-				sb.append(e.toString());
-				System.out.println(sb.toString());
-			} else {
-				context.log(sb.toString(),e);
-			}
-		}
-	}
-	
-	public void setLogLevel(Level level) {
-		willWrite = level;
-	}
-	
-	/**
-	 * Pass back the classloader of the Servlet Context, if it exists. Otherwise, get the classloader
-	 * of this object.
-	 */
-	public ClassLoader classLoader() { // Use the Classloader that Context was created with
-		return (context==null?this:context).getClass().getClassLoader();
-	}
-
-	/**
-	 * Get the Property from Context
-	 */
-	public String getProperty(String string, String def) {
-		String rv = null;
-
-        if ( props != null )
-            rv = props.getProperty( string, def );
-        
-		if(rv==null) {
-            rv = context.getInitParameter(string);
-		}
-		return rv==null?def:rv;
-
-	}
-
-	public void load(InputStream is) throws IOException {
-		if(this.props==null) {
-			this.props = new Properties();
-		}
-		this.props.load(is);
-		symm = Symm.obtain(this);
-	}
-
-	public String decrypt(String encrypted, boolean anytext) throws IOException {
-		if(symm==null) {
-			String keyfile = getter.get(Config.CADI_KEYFILE, null, true);
-			if(keyfile!=null) {
-				FileInputStream fis = new FileInputStream(keyfile);
-				symm=Symm.obtain(fis);
-				fis.close();
-			}
-		}
-		return (symm!=null && encrypted!=null && (anytext || encrypted.startsWith(Symm.ENC)))
-			? symm.depass(encrypted)
-			: encrypted;
-	}
-
-	@Override
-	public void printf(Level level, String fmt, Object[] elements) {
-		// TODO Auto-generated method stub
-		
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/CadiFilter.java b/core/src/main/java/com/att/cadi/filter/CadiFilter.java
deleted file mode 100644
index da24f44..0000000
--- a/core/src/main/java/com/att/cadi/filter/CadiFilter.java
+++ /dev/null
@@ -1,305 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.CadiException;
-import com.att.cadi.CadiWrap;
-import com.att.cadi.Lur;
-import com.att.cadi.PropAccess;
-import com.att.cadi.ServletContextAccess;
-import com.att.cadi.TrustChecker;
-import com.att.cadi.config.Config;
-import com.att.cadi.config.Get;
-import com.att.cadi.taf.TafResp;
-import com.att.cadi.taf.TafResp.RESP;
-
-/**
- * CadiFilter
- * 
- * This class implements Servlet Filter, and ties together CADI implementations
- * 
- * This class can be used in a standard J2EE Servlet manner.  Optimal usage is for POJO operations, where
- * one can enforce this Filter being first and primary.  Depending on the Container, it 
- * may be more effective, in some cases, to utilize features that allow earlier determination of 
- * AUTHN (Authorization).  An example would be "Tomcat Valve".  These implementations, however, should
- * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.
- * 
- * 
- *
- */
-public class CadiFilter implements Filter {
-	private static CadiHTTPManip httpChecker;
-	private static String[] pathExceptions;
-	private static List<Pair> mapPairs;
-	private Access access;
-	private Object[] additionalTafLurs;
-	private static int count=0;
-	
-	public Lur getLur() {
-		return httpChecker.getLur();
-	}
-	
-	/**
-	 * Construct a viable Filter
-	 * 
-	 * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on 
-	 * them at a later time.  Therefore, this object creates with an object that denies all access
-	 * until appropriate Init happens, just in case the container lets something slip by in the meantime.
-	 * 
-	 */
-	public CadiFilter() {
-		additionalTafLurs = CadiHTTPManip.noAdditional;
-	}
-
-	/**
-	 * This constructor to be used when directly constructing and placing in HTTP Engine
-	 * 
-	 * @param access
-	 * @param moreTafLurs
-	 * @throws ServletException 
-	 */
-	public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException {
-		additionalTafLurs = moreTafLurs;
-		init(new AccessGetter(this.access = access));
-	}
-
-
-	/**
-	 * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it
-	 * @param init
-	 * @param access
-	 * @param moreTafLurs
-	 * @throws ServletException
-	 */
-	public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException {
-		this.access = access;
-		if(init) {
-			init(new AccessGetter(access));
-		}
-		additionalTafLurs = moreTafLurs;
-	}
-
-	/**
-	 * Init
-	 * 
-	 * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a
-	 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
-	 * mechanism already.
-	 */
-	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions
-	public void init(FilterConfig filterConfig) throws ServletException {
-		// need the Context for Logging, instantiating ClassLoader, etc
-		ServletContextAccess sca=new ServletContextAccess(filterConfig); 
-		if(access==null) {
-			access = sca;
-		}
-		
-		// Set Protected getter with base Access, for internal class instantiations
-		init(new FCGet(access, sca.context(), filterConfig));
-	}
-	
-
-   private void init(Get getter) throws ServletException {
-        // Start with the assumption of "Don't trust anyone".
-	   TrustChecker tc = TrustChecker.NOTRUST; // default position
-	   try {
-		   @SuppressWarnings("unchecked")
-		   Class<TrustChecker> ctc = (Class<TrustChecker>) Class.forName("com.att.cadi.aaf.v2_0.AAFTrustChecker");
-		   if(ctc!=null) {
-			   Constructor<TrustChecker> contc = ctc.getConstructor(Access.class);
-			   if(contc!=null) {
-				   tc = contc.newInstance(access);
-			   }
-		   }
-	   } catch (Exception e) {
-		   access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
-	   }
-       
-        
-        // Synchronize, because some instantiations call init several times on the same object
-        // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.
-		synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {
-			++count;
-			if(httpChecker == null) {
-				if(access==null) {
-					access = new PropAccess();
-				}
-				try {
-					httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs);
-				} catch (CadiException e1) {
-					throw new ServletException(e1);
-				}
-			} else if(access==null) {
-				access= httpChecker.getAccess();
-			}
-
-			/*
-			 * Setup Authn Path Exceptions
-			 */
-			if(pathExceptions==null) {
-				String str = getter.get(Config.CADI_NOAUTHN, null, true);
-				if(str!=null) {
-					pathExceptions = str.split("\\s*:\\s*");
-				}
-			}
-	
-			/* 
-			 * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions
-			 */
-			if(mapPairs==null) {
-				String str = getter.get(Config.AAF_PERM_MAP, null, true);
-				if(str!=null) {
-					String mstr = getter.get(Config.AAF_PERM_MAP, null, true);
-					if(mstr!=null) {
-						String map[] = mstr.split("\\s*:\\s*");
-						if(map.length>0) {
-							MapPermConverter mpc=null;
-							int idx;
-							mapPairs = new ArrayList<Pair>();
-							for(String entry : map) {
-								if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
-									access.log(Level.INIT,"Loading Perm Conversions for:",entry);
-									mapPairs.add(new Pair(entry,mpc=new MapPermConverter()));
-								} else {
-									if(mpc!=null) {
-										mpc.map().put(entry.substring(0,idx),entry.substring(idx+1));
-									} else {
-										access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped");
-									}
-								}
-							}
-						}
-					}
-				}
-			}
-		}
-
-		// Remove Getter
-        getter = Get.NULL;
-	}
-
-	/**
-	 * Containers call "destroy" when time to cleanup 
-	 */
-	public void destroy() {
-		// Synchronize, in case multiCadiFilters are used.
-		synchronized(CadiHTTPManip.noAdditional) {
-			if(--count<=0 && httpChecker!=null) {
-				httpChecker.destroy();
-				httpChecker=null;
-				access=null;
-				pathExceptions=null;
-			}
-		}
-	}
-
-	/**
-	 * doFilter
-	 * 
-	 * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and
-	 * only call the next item in the filterChain if request is suitably Authenticated.
-	 */
-	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
-	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-		try {
-			HttpServletRequest hreq = (HttpServletRequest)request;
-			if(noAuthn(hreq)) {
-				chain.doFilter(request, response);
-			} else {
-				HttpServletResponse hresp = (HttpServletResponse)response;
-				TafResp tresp = httpChecker.validate(hreq, hresp);
-				if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
-						CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
-						if(httpChecker.notCadi(cw, hresp)) {
-							chain.doFilter(cw,response);
-						}
-				}						
-			}
-		} catch (ClassCastException e) {
-			throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);
-		}
-	}
-
-
-	/** 
-	 * If PathExceptions exist, report if these should not have Authn applied.
-	 * @param hreq
-	 * @return
-	 */
-	private boolean noAuthn(HttpServletRequest hreq) {
-		if(pathExceptions!=null) {
-			String pi = hreq.getPathInfo();
-			if(pi==null) return false; // JBoss sometimes leaves null
-			for(String pe : pathExceptions) {
-				if(pi.startsWith(pe))return true;
-			}
-		}
-		return false;
-	}
-	
-	/**
-	 * Get Converter by Path
-	 */
-	private PermConverter getConverter(HttpServletRequest hreq) {
-		if(mapPairs!=null) {
-			String pi = hreq.getPathInfo();
-			if(pi!=null) {
-			for(Pair p: mapPairs) {
-				if(pi.startsWith(p.name))return p.pc;
-			}
-			}
-		}
-		return NullPermConverter.singleton();
-	}
-	
-	/**
-	 * store PermConverters by Path prefix
-	 *
-	 */
-	private class Pair {
-		public Pair(String key, PermConverter pc) {
-			name = key;
-			this.pc = pc;
-		}
-		public String name;
-		public PermConverter pc;
-	}
-
-}
-
diff --git a/core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java b/core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java
deleted file mode 100644
index 6969b8c..0000000
--- a/core/src/main/java/com/att/cadi/filter/CadiHTTPManip.java
+++ /dev/null
@@ -1,227 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.CadiException;
-import com.att.cadi.CadiWrap;
-import com.att.cadi.Connector;
-import com.att.cadi.CredVal;
-import com.att.cadi.Lur;
-import com.att.cadi.Taf;
-import com.att.cadi.TrustChecker;
-import com.att.cadi.config.Config;
-import com.att.cadi.lur.EpiLur;
-import com.att.cadi.taf.HttpTaf;
-import com.att.cadi.taf.TafResp;
-import com.att.cadi.util.UserChainManip;
-
-/**
- * Encapsulate common HTTP Manipulation Behavior.  It will appropriately set
- * HTTPServletResponse for Redirect or Forbidden, as needed.
- * 
- * Further, this is useful, because it avoids multiple creates of Connections, where some Filters
- * are created and destroyed regularly.
- * 
- *
- *
- */
-public class CadiHTTPManip {
-	private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
-	private static final String METH = "OPTIONS";
-	private static final String CADI = "/cadi/";
-	private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
-	private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
-	private static final String CADI_LOG_SET = "/cadi/log/set/";
-	private Access access;
-	private HttpTaf taf;
-	private CredVal up;
-	private Lur lur;
-	private String thisPerm,companyPerm,aaf_id;
-	
-	public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
-
-
-	public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
-		synchronized(CADI) {
-			this.access = access;
-//			Get getter = new AccessGetter(access);
-			Config.setDefaultRealm(access);
-	
-			aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID, null));
-			if(aaf_id==null) {
-				access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_MECHID,Config.CADI_ALIAS);
-			} else {
-				access.printf(Level.INIT, "%s is set to %s",Config.AAF_MECHID,aaf_id);
-			}
-			String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
-			if(ns!=null) {
-				thisPerm = ns+ACCESS_CADI_CONTROL;
-				int dot = ns.indexOf('.');
-				if(dot>=0) {
-					int dot2=ns.indexOf('.',dot+1);
-					if(dot2<0) {
-						dot2=dot;
-					}
-					companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
-				} else {
-					companyPerm = "com"+ACCESS_CADI_CONTROL;
-				}
-			} else {
-				thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
-			}
-			
-			if(con!=null) { // try to reutilize connector
-				List<Lur> ll = null;
-				for(Object tl : additionalTafLurs) {
-					if(tl instanceof Lur) {
-						if(ll==null) {
-							ll = new ArrayList<Lur>();
-							ll.add(con.newLur());
-						}
-						ll.add((Lur)tl);
-					}
-				}
-				if(ll==null) {
-					lur = con.newLur();
-				} else {
-					lur = new EpiLur((Lur[])ll.toArray());
-				}
-			} else {
-				lur = Config.configLur(access, additionalTafLurs);
-			}
-			tc.setLur(lur);
-			if(lur instanceof EpiLur) {
-				up = ((EpiLur)lur).getUserPassImpl();
-			} else if(lur instanceof CredVal) {
-				up = (CredVal)lur;
-			} else {
-				up = null;
-			}
-			taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs);
-		}
-	}
-
-	public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException {
-		TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
-		switch(tresp.isAuthenticated()) {
-			case IS_AUTHENTICATED:
-				access.printf(Level.INFO,"Authenticated: %s from %s:%d"
-						, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
-				break;
-			case TRY_AUTHENTICATING:
-				switch (tresp.authenticate()) {
-					case IS_AUTHENTICATED:
-						access.printf(Level.INFO,"Authenticated: %s from %s:%d"
-								, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
-						break;
-					case HTTP_REDIRECT_INVOKED:
-						access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());
-						break;
-					case NO_FURTHER_PROCESSING:
-						access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"
-								, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
-						hresp.sendError(403, tresp.desc()); // Forbidden
-						break;
-
-					default:
-						access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
-								, hreq.getRemoteAddr(), hreq.getRemotePort());
-						hresp.sendError(403, tresp.desc()); // Forbidden
-				}
-				break;
-			case NO_FURTHER_PROCESSING:
-				access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", 
-						tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
-				hresp.sendError(403, "Access Denied"); // FORBIDDEN
-				break;
-			default:
-				access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
-						, hreq.getRemoteAddr(), hreq.getRemotePort());
-				hresp.sendError(403, "Access Denied"); // FORBIDDEN
-		}
-		return tresp;
-	}
-	
-	public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
-		
-		String pathInfo = req.getPathInfo();
-		if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {
-			if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {
-				try {
-					if(pathInfo.contains(CADI_CACHE_PRINT)) {
-						resp.getOutputStream().println(lur.toString());
-						resp.setStatus(200);
-						return false;
-					} else if(pathInfo.contains(CADI_CACHE_CLEAR)) {
-						StringBuilder report = new StringBuilder();
-						lur.clear(req.getUserPrincipal(), report);
-						resp.getOutputStream().println(report.toString());
-						resp.setStatus(200);
-						return false;
-					} else if(pathInfo.contains(CADI_LOG_SET))  {
-						Level l;
-						int slash = pathInfo.lastIndexOf('/');
-						String level = pathInfo.substring(slash+1);
-						try {
-							l = Level.valueOf(level);
-							access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());
-							access.setLogLevel(l);
-						} catch (IllegalArgumentException e) {
-							access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);
-						}
-						return false;
-					}
-				} catch (IOException e) {
-					access.log(e);
-				}
-			}
-		}
-		return true;
-	}
-
-	public Lur getLur() {
-		return lur;
-	}
-	
-	public void destroy() {
-		access.log(Level.INFO,"CadiHttpChecker destroyed.");
-		if(lur!=null) {
-			lur.destroy();
-			lur=null;
-		}
-	}
-
-	public Access getAccess() {
-		return access;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/FCGet.java b/core/src/main/java/com/att/cadi/filter/FCGet.java
deleted file mode 100644
index b8f95da..0000000
--- a/core/src/main/java/com/att/cadi/filter/FCGet.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.config.Get;
-
-/*
- * A private method to query the Filter config and if not exists, return the default.  This
- * cleans up the initialization code.
- */
-class FCGet implements Get {
-	/**
-	 * 
-	 */
-	private final Access access;
-	private FilterConfig filterConfig;
-	private ServletContext context;
-
-	public FCGet(Access access, ServletContext context, FilterConfig filterConfig) {
-		this.access = access;
-		this.context = context;
-		this.filterConfig = filterConfig;
-	}
-
-	public String get(String name, String def, boolean print) {
-		String str = null;
-		// Try Server Context First
-		if(context!=null) {
-			str = context.getInitParameter(name);
-		}
-		
-		// Try Filter Context next
-		if(str==null && filterConfig != null) {
-			str = filterConfig.getInitParameter(name);
-		}
-		
-		if(str==null) {
-			str = access.getProperty(name, def);
-		}
-		// Take def if nothing else
-		if(str==null) {
-			str = def;
-			// don't log defaults
-		} else {
-			str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
-			if(print) {
-				access.log(Level.INFO,"Setting", name, "to", str);
-			}
-		}
-		return str;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/filter/MapPermConverter.java b/core/src/main/java/com/att/cadi/filter/MapPermConverter.java
deleted file mode 100644
index 09b6f93..0000000
--- a/core/src/main/java/com/att/cadi/filter/MapPermConverter.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import java.util.HashMap;
-import java.util.Map;
-
-public class MapPermConverter implements PermConverter {
-	private HashMap<String,String> map;
-
-	/**
-	 * Create with colon separated name value pairs
-	 *  i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=...
-	 *  
-	 * @param value
-	 */
-	public MapPermConverter() {
-		map = new HashMap<String,String>();
-	}
-
-	/**
-	 * use to instantiate entries 
-	 * 
-	 * @return
-	 */
-	public Map<String,String> map() {
-		return map;
-	}
-
-	public String convert(String minimal) {
-		String rv = map.get(minimal);
-		return rv==null?minimal:rv;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/NullPermConverter.java b/core/src/main/java/com/att/cadi/filter/NullPermConverter.java
deleted file mode 100644
index d73008e..0000000
--- a/core/src/main/java/com/att/cadi/filter/NullPermConverter.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-
-/**
- * A NullPermConverter 
- * 
- * Obey the PermConverter Interface, but passed in "minimal" String is not converted.
- * 
- *
- */
-public class NullPermConverter implements PermConverter {
-
-	private NullPermConverter() {}
-	private static final NullPermConverter singleton = new NullPermConverter();
-	public static NullPermConverter singleton() {return singleton;}
-
-	public String convert(String minimal) {
-		return minimal;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/filter/PathFilter.java b/core/src/main/java/com/att/cadi/filter/PathFilter.java
deleted file mode 100644
index 328977d..0000000
--- a/core/src/main/java/com/att/cadi/filter/PathFilter.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-import java.io.IOException;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.config.Config;
-
-/**
- * PathFilter
- * 
- * This class implements Servlet Filter, and uses AAF to validate access to a Path.
- * 
- * This class can be used in a standard J2EE Servlet manner.
- *  
- *
- */
-public class PathFilter implements Filter {
-	private ServletContext context;
-	private String aaf_type;
-	private String not_authorized_msg;
-	private final Log log;
-
-	/**
-	 * Construct a viable Filter for installing in Container WEB.XML, etc.
-	 * 
-	 */
-	public PathFilter() {
-		log = new Log() {
-			public void info(String ... msg) {
-				context.log(build("INFO:",msg));
-			}
-			public void audit(String ... msg) {
-				context.log(build("AUDIT:",msg));
-			}
-			private String build(String type, String []msg) {
-				StringBuilder sb = new StringBuilder(type);
-				for(String s : msg) {
-					sb.append(' ');
-					sb.append(s);
-				}
-				return sb.toString();
-			}
-		
-		};
-	}
-	
-	/**
-	 * Filter that can be constructed within Java
-	 * @param access
-	 */
-	public PathFilter(final Access access) {
-		log = new Log() {
-			public void info(String ... msg) {
-				access.log(Level.INFO, (Object[])msg);
-			}
-			public void audit(String ... msg) {
-				access.log(Level.AUDIT, (Object[])msg);
-			}
-		};
-	}
-	
-	/**
-	 * Init
-	 * 
-	 * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a
-	 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
-	 * mechanism already.
-	 */
-	public void init(FilterConfig filterConfig) throws ServletException {
-		// need the Context for Logging, instantiating ClassLoader, etc
-		context = filterConfig.getServletContext();
-		StringBuilder sb = new StringBuilder();
-		StringBuilder err = new StringBuilder(); 
-		Object attr = context.getAttribute(Config.PATHFILTER_NS);
-		if(attr==null) {
-			err.append("PathFilter - pathfilter_ns is not set");
-		} else {
-			sb.append(attr.toString()); 
-		}
-
-		attr = context.getAttribute(Config.PATHFILTER_STACK);
-		if(attr==null) {
-			log.info("PathFilter - No pathfilter_stack set, ignoring");
-		} else {
-			sb.append('.');
-			sb.append(attr.toString());
-		}
-
-		attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);
-		if(attr==null) {
-			log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");
-			sb.append(".urlpattern");
-		} else {
-			sb.append('.');
-			sb.append(attr.toString());
-		}
-
-		log.info("PathFilter - AAF Permission Type is",sb.toString());
-		
-		sb.append('|');
-		
-		aaf_type = sb.toString();
-
-		attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);
-		if(attr==null) {
-			not_authorized_msg = "Forbidden - Not Authorized to access this Path";
-		} else {
-			not_authorized_msg = attr.toString();
-		}
-
-		if(err.length()>0) {
-			throw new ServletException(err.toString());
-		}
-	}
-
-	private interface Log {
-		public void info(String ... msg);
-		public void audit(String ... msg);
-	}
-
-	/**
-	 * doFilter
-	 * 
-	 * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and
-	 * only call the next item in the filterChain if request is suitably Authenticated.
-	 */
-	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
-	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-		HttpServletRequest hreq = (HttpServletRequest)request;
-		HttpServletResponse hresp = (HttpServletResponse)response;
-		String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod();
-		if(hreq.isUserInRole(perm)) {
-			chain.doFilter(request, response);
-		} else {
-			log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm);
-			hresp.sendError(403,not_authorized_msg);
-		}
-	}
-
-	/**
-	 * Containers call "destroy" when time to cleanup 
-	 */
-	public void destroy() {
-		log.info("PathFilter destroyed.");
-	}
-
-
-
-}
-
diff --git a/core/src/main/java/com/att/cadi/filter/PermConverter.java b/core/src/main/java/com/att/cadi/filter/PermConverter.java
deleted file mode 100644
index ba098c4..0000000
--- a/core/src/main/java/com/att/cadi/filter/PermConverter.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.filter;
-
-/**
- * Convert a simplistic, single string Permission into an Enterprise Scoped Perm
- * 
- *
- */
-public interface PermConverter {
-	public String convert(String minimal);
-}
diff --git a/core/src/main/java/com/att/cadi/filter/RolesAllowed.java b/core/src/main/java/com/att/cadi/filter/RolesAllowed.java
deleted file mode 100644
index 97a8f54..0000000
--- a/core/src/main/java/com/att/cadi/filter/RolesAllowed.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-/**
- * RolesAllowed 
- * 
- * 
- * Similar to Java EE's Spec from Annotations 1.1, 2.8
- * 
- * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined
- * sense of permissions hierarchy.  The same mechanism, however, can easily be achieved on single Servlet/Handlers in
- * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation
- * 
- */
-package com.att.cadi.filter;
-import static java.lang.annotation.ElementType.TYPE;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
-
-import java.lang.annotation.Retention;
-import java.lang.annotation.Target;
-
-/**
- * JASPI Style Annotation of RolesAllowed when the coding style is desired but actually including all 
- * JEE jars is not. If using actual JASPI, use official @interface classes, not this one...
- * 
- */
-@Target({TYPE})
-@Retention(RUNTIME)
-public @interface RolesAllowed {
-	/**
-	 * Security role of the implementation, which doesn't have to be an EJB or CORBA like object.  Can be just a
-	 * Handler
-	 * @return
-	 */
-	String[] value();
-}
diff --git a/core/src/main/java/com/att/cadi/filter/ServletImpl.java b/core/src/main/java/com/att/cadi/filter/ServletImpl.java
deleted file mode 100644
index 13a251c..0000000
--- a/core/src/main/java/com/att/cadi/filter/ServletImpl.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-/**
- * RolesAllowed 
- * 
- * 
- * Similar to Java EE's Spec from Annotations 1.1, 2.8
- * 
- * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined
- * sense of permissions hierarchy.  The same mechanism, however, can easily be achieved on single Servlet/Handlers in
- * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation
- * 
- */
-package com.att.cadi.filter;
-import static java.lang.annotation.ElementType.TYPE;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
-
-import java.lang.annotation.Retention;
-import java.lang.annotation.Target;
-
-import javax.servlet.Servlet;
-
-/**
- * 
- */
-@Target({TYPE})
-@Retention(RUNTIME)
-public @interface ServletImpl {
-	/**
-	 * Security role of the implementation, which doesn't have to be an EJB or CORBA like object.  Can be just a
-	 * Handler
-	 * @return
-	 */
-	Class<? extends Servlet> value();
-}
diff --git a/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java b/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
deleted file mode 100644
index 443d7e7..0000000
--- a/core/src/main/java/com/att/cadi/lur/ConfigPrincipal.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.GetCred;
-import com.att.cadi.Symm;
-
-public class ConfigPrincipal implements Principal, GetCred {
-	private String name;
-	private byte[] cred;
-	private String content;
-
-	public ConfigPrincipal(String name, String passwd) {
-		this.name = name;
-		this.cred = passwd.getBytes();
-		content = null;
-	}
-
-	public ConfigPrincipal(String name, byte[] cred) {
-		this.name = name;
-		this.cred = cred;
-		content = null;
-	}
-
-	public String getName() {
-		return name;
-	}
-	
-	public byte[] getCred() {
-		return cred;
-	}
-
-	public String toString() {
-		return name;
-	}
-	
-	public String getAsBasicAuthHeader() throws IOException {
-		if(content ==null) {
-			String s = name + ':' + new String(cred);
-			content = "Basic " + Symm.base64.encode(s);  
-		} else if(!content.startsWith("Basic ")) { // content is the saved password from construction
-			String s = name + ':' + content;
-			content = "Basic " + Symm.base64.encode(s);  
-		}
-		return content;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/lur/EpiLur.java b/core/src/main/java/com/att/cadi/lur/EpiLur.java
deleted file mode 100644
index 1eff70e..0000000
--- a/core/src/main/java/com/att/cadi/lur/EpiLur.java
+++ /dev/null
@@ -1,167 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur;
-
-import java.security.Principal;
-import java.util.List;
-
-import com.att.cadi.CachingLur;
-import com.att.cadi.CadiException;
-import com.att.cadi.CredVal;
-import com.att.cadi.Lur;
-import com.att.cadi.Permission;
-
-/**
- * EpiLUR
- * 
- * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed.
- * 
- * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of 
- * LURs that will be accomplished.
- * 
- * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have
- * different Caching requirements.  For instance, the Local User Repo (with stand alone names), never expire, but might be
- * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals 
- * 
- *
- */
-public final class EpiLur implements Lur {
-	private final Lur[] lurs;
-	
-	/**
-	 * EpiLur constructor
-	 * 
-	 * Construct the EpiLur from variable TAF parameters
-	 * @param lurs
-	 * @throws CadiException
-	 */
-	public EpiLur(Lur ... lurs) throws CadiException{
-		this.lurs = lurs;
-		if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor");
-	}
-
-	public boolean fish(Principal bait, Permission pond) {
-		if(pond==null) {
-			return false;
-		}
-		boolean rv = false;
-		Lur lur;
-		for(int i=0;!rv && i<lurs.length;++i) {
-			rv = (lur = lurs[i]).fish(bait, pond);
-			if(!rv && lur.handlesExclusively(pond)) break;
-		}
-		return rv;
-	}
-
-	public void fishAll(Principal bait, List<Permission> permissions) {
-		for(Lur lur : lurs) {
-			lur.fishAll(bait, permissions);
-		}
-	}
-
-	public void destroy() {
-		for(Lur lur : lurs) {
-			lur.destroy();
-		}
-	}
-
-	/**
-	 * Return the first Lur (if any) which also implements UserPass 
-	 * @return
-	 */
-	public CredVal getUserPassImpl() {
-		for(Lur lur : lurs) {
-			if(lur instanceof CredVal) {
-				return (CredVal)lur;
-			}
-		}
-		return null;
-	}
-
-	// Never needed... Only EpiLur uses...
-	public boolean handlesExclusively(Permission pond) {
-		return false;
-	}
-	
-	/**
-	 * Get Lur for index.  Returns null if out of range
-	 * @param idx
-	 * @return
-	 */
-	public Lur get(int idx) {
-		if(idx>=0 && idx<lurs.length) {
-			return lurs[idx];
-		}
-		return null;
-	}
-
-	public boolean supports(String userName) {
-		for(Lur l : lurs) {
-			if(l.supports(userName))return true;
-		}
-		return false;
-	}
-
-	public void remove(String id) {
-		for(Lur l : lurs) {
-			if(l instanceof CachingLur) {
-				((CachingLur<?>)l).remove(id);
-			}
-		}
-	}
-	
-	public Lur subLur(Class<? extends Lur> cls ) {
-		for(Lur l : lurs) {
-			if(l.getClass().isAssignableFrom(cls)) {
-				return l;
-			}
-		}
-		return null;
-	}
-
-	@Override
-	public Permission createPerm(String p) {
-		return new LocalPermission(p);
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
-	 */
-	@Override
-	public void clear(Principal p, StringBuilder report) {
-		for(Lur lur : lurs) {
-			lur.clear(p, report);
-		}
-	}
-	
-	public String toString() {
-		StringBuilder sb = new StringBuilder();
-		for(Lur lur : lurs) {
-			sb.append(lur.getClass().getSimpleName());
-			sb.append(": Report\n");
-			sb.append(lur.toString());
-			sb.append('\n');
-		}
-		return sb.toString();
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/lur/LocalLur.java b/core/src/main/java/com/att/cadi/lur/LocalLur.java
deleted file mode 100644
index 5980769..0000000
--- a/core/src/main/java/com/att/cadi/lur/LocalLur.java
+++ /dev/null
@@ -1,201 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeSet;
-
-import com.att.cadi.AbsUserCache;
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.CredVal;
-import com.att.cadi.Hash;
-import com.att.cadi.Permission;
-import com.att.cadi.StrLur;
-import com.att.cadi.User;
-import com.att.cadi.config.Config;
-
-
-/**
- * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.
- * 
- *
- */
-public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
-	public static final String SEMI = "\\s*;\\s*";
-	public static final String COLON = "\\s*:\\s*";
-	public static final String COMMA = "\\s*,\\s*";
-	public static final String PERCENT = "\\s*%\\s*";
-	
-	// Use to quickly determine whether any given group is supported by this LUR
-	private final Set<String> supportingGroups;
-	private String supportedRealm; 
-	
-	/**
-	 * Construct by building structure, see "build"
-	 * 
-	 * Reconstruct with "build"
-	 * 
-	 * @param userProperty
-	 * @param groupProperty
-	 * @param decryptor
-	 * @throws IOException
-	 */
-	public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
-		super(access, 0, 0, Integer.MAX_VALUE);  // data doesn't expire
-		supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
-		supportingGroups = new TreeSet<String>();
-		
-		if(userProperty!=null) {
-			// For each User name...
-			for(String user : userProperty.trim().split(SEMI)) {
-				String[] us = user.split(COLON,2);
-				String[] userpass = us[0].split(PERCENT,2);
-				String u;
-				User<LocalPermission> usr;
-				if(userpass.length>1) {
-					if(userpass.length>0 && userpass[0].indexOf('@')<0) {
-						userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
-					}
-
-					u = userpass[0];
-					byte[] pass = access.decrypt(userpass[1], true).getBytes();
-					usr = new User<LocalPermission>(new ConfigPrincipal(u, pass));
-				} else {
-					u = us[0];
-					usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null));
-				}
-				addUser(usr);
-				access.log(Level.INIT, "Local User:",usr.principal);
-				
-				if(us.length>1) {
-					Map<String, Permission> newMap = usr.newMap();
-					for(String group : us[1].split(COMMA)) {
-						supportingGroups.add(group);
-						usr.add(newMap,new LocalPermission(group));
-					}
-					usr.setMap(newMap);
-				}
-			}
-		}
-		if(groupProperty!=null) {
-			// For each Group name...
-			for(String group : groupProperty.trim().split(SEMI)) {
-				String[] gs = group.split(COLON,2);
-				if(gs.length>1) {
-					supportingGroups.add(gs[0]);
-					LocalPermission p = new LocalPermission(gs[0]);
-					// Add all users (known by comma separators)	
-					
-					for(String grpMem : gs[1].split(COMMA)) {
-						// look for password, if so, put in passMap
-						String[] userpass = grpMem.split(PERCENT,2);
-						if(userpass.length>0 && userpass[0].indexOf('@')<0) {
-							userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
-						}
-						User<LocalPermission> usr = getUser(userpass[0]);
-						if(userpass.length>1) {
-							byte[] pass = access.decrypt(userpass[1], true).getBytes();
-							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass)));
-							else usr.principal=new ConfigPrincipal(userpass[0],pass);
-						} else {
-							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null)));
-						}
-						usr.add(p);
-						access.log(Level.INIT, "Local User:",usr.principal);
-					}
-				}
-			}
-		}
-	}
-	
-	public boolean validate(String user, CredVal.Type type, byte[] cred) {
-		User<LocalPermission> usr = getUser(user);
-		switch(type) {
-			case PASSWORD:
-				// covers null as well as bad pass
-				if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) {
-					return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred());
-				}
-				break;
-		}
-		return false;
-	}
-
-	//	@Override
-	public boolean fish(Principal bait, Permission pond) {
-		if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
-				User<LocalPermission> user = getUser(bait);
-				return user==null?false:user.contains((LocalPermission)pond);
-			}
-		return false;
-	}
-
-	public boolean fish(String bait, Permission pond) {
-		if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
-			User<LocalPermission> user = getUser(bait);
-			return user==null?false:user.contains((LocalPermission)pond);
-		}
-		return false;
-	}
-
-	// We do not want to expose the actual Group, so make a copy.
-	public void fishAll(Principal bait, List<Permission> perms) {
-		if(supports(bait.getName())) {
-			User<LocalPermission> user = getUser(bait);
-			if(user!=null) {
-				user.copyPermsTo(perms);
-			}
-		}
-	}
-
-	public void fishAll(String bait, List<Permission> perms) {
-		if(supports(bait)) {
-			User<LocalPermission> user = getUser(bait);
-			if(user!=null) {
-				user.copyPermsTo(perms);
-			}
-		}
-	}
-
-	public boolean supports(String userName) {
-		return userName!=null && userName.endsWith(supportedRealm);
-	}
-
-	public boolean handlesExclusively(Permission pond) {
-		return supportingGroups.contains(pond.getKey());
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
-	 */
-	@Override
-	public Permission createPerm(String p) {
-		return new LocalPermission(p);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/lur/LocalPermission.java b/core/src/main/java/com/att/cadi/lur/LocalPermission.java
deleted file mode 100644
index b44f840..0000000
--- a/core/src/main/java/com/att/cadi/lur/LocalPermission.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur;
-
-import com.att.cadi.Permission;
-
-public class LocalPermission implements Permission {
-	private String key;
-	
-	public LocalPermission(String role) {
-		this.key = role;
-	}
-	
-	public String getKey() {
-		return key;
-	}
-
-	public String toString() {
-		return key;
-	}
-
-	public boolean match(Permission p) {
-		return key.equals(p.getKey());
-	}
-
-	public String permType() {
-		return "LOCAL";
-	}
-	
-	
-}
diff --git a/core/src/main/java/com/att/cadi/lur/NullLur.java b/core/src/main/java/com/att/cadi/lur/NullLur.java
deleted file mode 100644
index 7b01f5a..0000000
--- a/core/src/main/java/com/att/cadi/lur/NullLur.java
+++ /dev/null
@@ -1,88 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur;
-
-import java.security.Principal;
-import java.util.List;
-
-import com.att.cadi.Lur;
-import com.att.cadi.Permission;
-
-public class NullLur implements Lur {
-	private static final Permission NULL = new Permission() {
-		@Override
-		public String permType() {
-			return "";
-		}
-
-		@Override
-		public String getKey() {
-			return "";
-		}
-
-		@Override
-		public boolean match(Permission p) {
-			return false;
-		}};
-
-	public boolean fish(Principal bait, Permission pond) {
-		// Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
-//		System.err.println("CADI's LUR has not been configured, but is still being called.  Access is being denied");
-		return false;
-	}
-
-	public void fishAll(Principal bait,	List<Permission> permissions) {
-	}
-
-	public void destroy() {
-	}
-
-	public boolean handlesExclusively(Permission pond) {
-		return false;
-	}
-
-	public boolean supports(String userName) {
-		return false;
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
-	 */
-	@Override
-	public Permission createPerm(String p) {
-		return NULL;
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
-	 */
-	@Override
-	public void clear(Principal p, StringBuilder report) {
-		report.append(NullLur.class.getSimpleName());
-		report.append('\n');
-	}
-	
-	public String toString() {
-		return NullLur.class.getSimpleName() + '\n';
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/principal/BasicPrincipal.java b/core/src/main/java/com/att/cadi/principal/BasicPrincipal.java
deleted file mode 100644
index 800628d..0000000
--- a/core/src/main/java/com/att/cadi/principal/BasicPrincipal.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.util.Date;
-
-import com.att.cadi.BasicCred;
-import com.att.cadi.GetCred;
-import com.att.cadi.Symm;
-
-public class BasicPrincipal extends BearerPrincipal implements GetCred {
-	private static byte[] basic = "Basic ".getBytes();
-
-	private String name = null;
-	private String shortName = null;
-	private byte[] cred = null;
-	
-	private long created;
-
-	public BasicPrincipal(String content,String domain) throws IOException {
-		created = System.currentTimeMillis();
-		ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
-		// Read past "Basic ", ensuring it starts with it.
-		for(int i=0;i<basic.length;++i) {
-			if(bis.read()!=basic[i]) {
-				name=content;
-				cred = null;
-				return;
-			}
-		}
-		BasicOS bos = new BasicOS(content.length());
-		Symm.base64.decode(bis,bos); // note: writes directly to name until ':'
-		if(name==null) throw new IOException("Invalid Coding");
-		else cred = bos.toCred();
-		int at;
-		if((at=name.indexOf('@'))>0) {
-			domain=name.substring(at+1);
-			shortName=name.substring(0, at);
-		} else {
-			shortName = name;
-			name = name + '@' + domain;
-		}
-	}
-	
-	public BasicPrincipal(BasicCred bc, String domain) {
-		name = bc.getUser();
-		cred = bc.getCred();
-	}
-
-	private class BasicOS extends OutputStream {
-		private boolean first = true;
-		private ByteArrayOutputStream baos;
-		
-		public BasicOS(int size) {
-			baos = new ByteArrayOutputStream(size);
-		}
-
-		@Override
-		public void write(int b) throws IOException {
-			if(b==':' && first) {
-				first = false;
-				name = new String(baos.toByteArray());
-				baos.reset(); // 
-			} else {
-				baos.write(b);
-			}
-		}
-		
-		private byte[] toCred() {
-			return baos.toByteArray();
-		}
-	}
-	
-	public String getName() {
-		return name;
-	}
-	
-	public String getShortName() {
-		return shortName;
-	}
-	
-	public byte[] getCred() {
-		return cred;
-	}
-	
-	public long created() {
-		return created;
-	}
-
-	public String toString() {
-		return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString();
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/principal/BearerPrincipal.java b/core/src/main/java/com/att/cadi/principal/BearerPrincipal.java
deleted file mode 100644
index 0d215a5..0000000
--- a/core/src/main/java/com/att/cadi/principal/BearerPrincipal.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.security.Principal;
-
-public abstract class BearerPrincipal implements Principal {
-	private String bearer = null;
-	public BearerPrincipal setBearer(String bearer) {
-		this.bearer = bearer;
-		return this;
-	}
-	public String getBearer() {
-		return bearer;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java b/core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java
deleted file mode 100644
index e3ccb42..0000000
--- a/core/src/main/java/com/att/cadi/principal/CSPPrincipal_T.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.security.Principal;
-
-/**
- * Indicate a CSP Principal that is trusted as a CSPPrincipal.  
- *
- */
-public interface CSPPrincipal_T extends Principal {
-
-}
diff --git a/core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java b/core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java
deleted file mode 100644
index de1ebaf..0000000
--- a/core/src/main/java/com/att/cadi/principal/CachedBasicPrincipal.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.io.IOException;
-
-import com.att.cadi.BasicCred;
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.taf.HttpTaf;
-
-/**
- * Cached Principals need to be able to revalidate in the Background
- * 
- *
- */
-public class CachedBasicPrincipal extends BasicPrincipal implements CachedPrincipal {
-	private final HttpTaf creator;
-	private long timeToLive;
-	private long expires;
-
-	public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) {
-		super(bc, domain);
-		this.creator = creator;
-		this.timeToLive = timeToLive;
-		expires = System.currentTimeMillis()+timeToLive;
-	}
-	
-	public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException {
-		super(content, domain);
-		this.creator = creator;
-		this.timeToLive = timeToLive;
-		expires = System.currentTimeMillis()+timeToLive;
-	}
-
-	public CachedPrincipal.Resp revalidate() {
-		Resp resp = creator.revalidate(this);
-		if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive;
-		return resp;
-	}
-
-	public long expires() {
-		return expires;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java b/core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java
deleted file mode 100644
index e2a6400..0000000
--- a/core/src/main/java/com/att/cadi/principal/TGuardPrincipal.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-public class TGuardPrincipal extends BearerPrincipal {
-
-	private String name, tresp;
-
-	public TGuardPrincipal(String tresp) {
-		this.tresp=tresp;
-	}
-
-	/**
-	 * TODO Need to figure out what Organizations TGuard entities should be part of.  
-	 * 
-	 */
-	public String getName() {
-		if(name==null) {
-			String temp = get("iv-user");
-			if(temp==null)return null;
-			StringBuilder sb = new StringBuilder();
-			int at = temp.indexOf('@');
-			if(at<0) {
-				sb.append(temp);
-			} else {
-				sb.append(temp.substring(0, at));
-			}
-			if(temp.endsWith("@uverse.com"))sb.append("@uverse.tguard.att.com");
-			else if(temp.endsWith("@att.com"))sb.append("@com.tguard.att.com");
-			else if(temp.endsWith("@att.net"))sb.append("@net.tguard.att.com");
-			else sb.append("@tguard.att.com");
-			name = sb.toString();
-		}
-		return name;
-	}
-
-	/**
-	 * Get a value from a named TGuard Property
-	 * 
-	 * TGuard response info is very dynamic.  They can add new properties at any time, so we dare not code field names for these values.
-	 * @param key
-	 * @return
-	 */
-	public String get(String key) {
-		if(key==null)return null;
-		int idx=0,equal=0,amp=0;
-		while(idx>=0 && (equal = tresp.indexOf('=',idx))>=0) {
-			amp = tresp.indexOf('&',equal);
-			if(key.regionMatches(0, tresp, idx, equal-idx)) {
-				return amp>=0?tresp.substring(equal+1, amp):tresp.substring(equal+1); 
-			}
-			idx=amp+(amp>0?1:0);
-		}
-		return null;
-	}
-
-	public String info() {
-		return tresp;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java b/core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java
deleted file mode 100644
index cfd8564..0000000
--- a/core/src/main/java/com/att/cadi/principal/TGuardPrincipal_T.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.security.Principal;
-
-/**
- * Indicate a TGuard Principal that is trusted as a TGuardPrincipal.  
- *
- */
-public interface TGuardPrincipal_T extends Principal {
-
-}
diff --git a/core/src/main/java/com/att/cadi/principal/TrustPrincipal.java b/core/src/main/java/com/att/cadi/principal/TrustPrincipal.java
deleted file mode 100644
index 744560f..0000000
--- a/core/src/main/java/com/att/cadi/principal/TrustPrincipal.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.security.Principal;
-
-import com.att.cadi.UserChain;
-
-public class TrustPrincipal extends BearerPrincipal implements UserChain {
-	private final String name;
-	private final Principal original;
-	private String userChain;
-	
-	public TrustPrincipal(final Principal actual, final String asName) {
-		this.original = actual;
-		name = asName.trim();
-		if(actual instanceof UserChain) {
-			UserChain uc = (UserChain)actual;
-			userChain = uc.userChain();
-		} else if(actual instanceof X509Principal) {
-			userChain="x509";
-		} else if(actual instanceof BasicPrincipal) {
-			userChain="BAth";
-		} else {
-			userChain = actual.getClass().getSimpleName();
-		}
-	}
-	
-	@Override
-	public String getName() {
-		return name;
-	}
-	
-	public String getOrigName() {
-		return original.getName() + '[' + userChain + ']';
-	}
-
-	@Override
-	public String userChain() {
-		return userChain;
-	}
-	
-	public Principal original() {
-		return original;
-	}
-	
-}
diff --git a/core/src/main/java/com/att/cadi/principal/X509Principal.java b/core/src/main/java/com/att/cadi/principal/X509Principal.java
deleted file mode 100644
index 89a8dc2..0000000
--- a/core/src/main/java/com/att/cadi/principal/X509Principal.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.principal;
-
-import java.io.IOException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
-import java.util.regex.Pattern;
-
-import com.att.cadi.GetCred;
-
-public class X509Principal extends BearerPrincipal implements GetCred {
-	private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
-	private byte[] content;  
-	private X509Certificate cert;
-	private String name;
-
-	public X509Principal(String identity, X509Certificate cert, byte[] content) {
-		name = identity;
-		this.content = content;
-		this.cert = cert;
-	}
-	
-	public X509Principal(X509Certificate cert, byte[] content) throws IOException {
-		this.content=content;
-		this.cert = cert;
-		String subj = cert.getSubjectDN().getName();
-		int cn = subj.indexOf("OU=");
-		if(cn>=0) {
-			cn+=3;
-			int space = subj.indexOf(',',cn);
-			if(space>=0) {
-				String id = subj.substring(cn, space);
-				if(pattern.matcher(id).matches()) {
-					name = id;
-				}
-			}
-		}
-		if(name==null)
-			throw new IOException("X509 does not have Identity as CN");
-		
-	}
-	
-	
-	public String getAsHeader() throws IOException {
-		try {
-			if(content==null) 
-				content=cert.getEncoded();
-		} catch (CertificateEncodingException e) {
-			throw new IOException(e);
-		}
-		return "X509 " + content;
-	}
-	
-	public String toString() {
-		return "X509 Authentication for " + name;
-	}
-
-
-	public byte[] getCred() {
-		try {
-			return content==null?(content=cert.getEncoded()):content;
-		} catch (CertificateEncodingException e) {
-			return null;
-		}
-	}
-
-
-	public String getName() {
-		return name;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/AbsTafResp.java b/core/src/main/java/com/att/cadi/taf/AbsTafResp.java
deleted file mode 100644
index f57b975..0000000
--- a/core/src/main/java/com/att/cadi/taf/AbsTafResp.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.security.Principal;
-
-import com.att.cadi.Access;
-
-/**
- * AbsTafResp
- * 
- * Base class for TafResp (TAF Response Objects)
- *
- */
-public abstract class AbsTafResp implements TafResp {
-
-	protected final String desc;
-	protected final Principal principal;
-	protected final Access access;
-
-	/**
-	 * AbsTafResp
-	 * 
-	 * Set and hold
-	 * Description (for logging)
-	 * Principal (as created by derived class)
-	 * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
-	 *  
-	 * @param access
-	 * @param principal
-	 * @param description
-	 */
-	public AbsTafResp(Access access, Principal principal, String description) {
-		this.access = access;
-		this.principal = principal;
-		this.desc = description;
-	}
-
-	/**
-	 * isValid()
-	 * 
-	 * Respond in the affirmative if the TAF was able to Authenticate
-	 */
-	public boolean isValid() {
-		return principal!=null;
-	}
-
-	/**
-	 * desc()
-	 * 
-	 * Respond with description of response as given by the TAF  
-	 */
-	public String desc() {
-		return desc;
-	}
-
-	/**
-	 * isAuthenticated()
-	 * 
-	 * Respond with the TAF's code of whether Authenticated, or suggested next steps
-	 * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF.  The TAF can overload
-	 * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
-	 * is some sort of security breach (i.e. Denial of Service)  
-	 */
-	public RESP isAuthenticated() {
-		return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
-	}
-
-	/**
-	 * getPrincipal()
-	 * 
-	 * Return the principal created by the TAF based on Authentication. 
-	 * 
-	 * Returns "null" if Authentication failed (no principal)
-	 */
-	public Principal getPrincipal() {
-		return principal;
-	}
-
-	/**
-	 * getAccess()
-	 * 
-	 * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
-	 */
-	public Access getAccess() {
-		return access;
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.taf.TafResp#isFailedAttempt()
-	 */
-	public boolean isFailedAttempt() {
-		return false;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/taf/EpiTaf.java b/core/src/main/java/com/att/cadi/taf/EpiTaf.java
deleted file mode 100644
index 613f317..0000000
--- a/core/src/main/java/com/att/cadi/taf/EpiTaf.java
+++ /dev/null
@@ -1,84 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import com.att.cadi.CadiException;
-import com.att.cadi.Taf;
-
-/**
- * EpiTAF
- * 
- * Short for "Epic TAF". Be able to run through a series of TAFs to obtain the validation needed.
- * 
- * OK, the name could probably be better as "Tafs", like it was originally, but the pun was too
- * irresistible for this author to pass up.
- * 
- *
- */
-public class EpiTaf implements Taf {
-	private Taf[] tafs;
-	
-	/**
-	 * EpiTaf constructor
-	 * 
-	 * Construct the EpiTaf from variable TAF parameters
-	 * @param tafs
-	 * @throws CadiException
-	 */
-	public EpiTaf(Taf ... tafs) throws CadiException{
-		this.tafs = tafs;
-		if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
-	}
-
-	/**
-	 * validate
-	 * 
-	 * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it 
-	 * a human behind an interface, or a server behind a protocol).
-	 * 
-	 * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
-	 * establish an Authentication conversation (TRY_AUTHENTICATING).
-	 * 
-	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
-	 */
-	public TafResp validate(LifeForm reading, String... info) {
-		TafResp tresp,firstTryAuth=null;
-		for(Taf taf : tafs) {
-			tresp = taf.validate(reading, info);
-			switch(tresp.isAuthenticated()) {
-				case TRY_ANOTHER_TAF:
-					break;
-				case TRY_AUTHENTICATING:
-					if(firstTryAuth==null)firstTryAuth=tresp;
-					break;
-				default:
-					return tresp;
-			}
-		}
-
-		// No TAFs configured, at this point.  It is safer at this point to be "not validated", 
-		// rather than "let it go"
-		return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java b/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
deleted file mode 100644
index 3036f07..0000000
--- a/core/src/main/java/com/att/cadi/taf/HttpEpiTaf.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.CachedPrincipal.Resp;
-import com.att.cadi.CadiException;
-import com.att.cadi.Locator;
-import com.att.cadi.Taf.LifeForm;
-import com.att.cadi.TrustChecker;
-
-/**
- * HttpEpiTaf
- * 
- * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials
- * 
- *
- */
-public class HttpEpiTaf implements HttpTaf {
-	private HttpTaf[] tafs;
-	private Access access;
-	private Locator<URI> locator;
-	private TrustChecker trustChecker;
-	
-	/**
-	 * HttpEpiTaf constructor
-	 * 
-	 * Construct the HttpEpiTaf from variable Http specific TAF parameters
-
-	 * @param tafs
-	 * @throws CadiException
-	 */
-	public HttpEpiTaf(Access access, Locator<URI> locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
-		this.tafs = tafs;
-		this.access = access;
-		this.locator = locator;
-		this.trustChecker = tc;
-		// Establish what Header Property to look for UserChain/Trust Props 
-//		trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);
-
-		if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");
-	}
-
-	/**
-	 * validate
-	 * 
-	 * Respond with the first Http specific TAF to authenticate user based on variable info 
-	 * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
-	 * 
-	 * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
-	 * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
-	 * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm 
-	 * submission
-	 * 
-	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
-	 */
-	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
-		// Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
-		if(reading==LifeForm.LFN) {
-			reading = tricorderScan(req);
-		}
-		TafResp tresp=null, firstTry = null;
-		List<Redirectable> redirectables = null;
-		
-		for(HttpTaf taf : tafs) {
-			tresp = taf.validate(reading, req, resp);
-			switch(tresp.isAuthenticated()) {
-				case TRY_ANOTHER_TAF:
-					break; // and loop
-				case TRY_AUTHENTICATING:
-					if(tresp instanceof Redirectable) {
-						if(redirectables==null) {
-							redirectables = new ArrayList<Redirectable>();
-						}
-						redirectables.add((Redirectable)tresp);
-					} else if(firstTry==null) {
-						firstTry = tresp;
-					}
-					break; 
-				case IS_AUTHENTICATED:
-					tresp = trustChecker.mayTrust(tresp, req);
-					return tresp;
-				default:
-					return tresp;
-			}
-		}
-		
-		// If No TAFs configured, at this point.  It is safer at this point to be "not validated", 
-		// rather than "let it go"
-		// Note: if exists, there will always be more than 0 entries, according to above code
-		if(redirectables==null) {
-			return firstTry!=null?firstTry:NullTafResp.singleton();
-		}
-		
-		// If there is one Tryable entry then return it
-		if(redirectables.size()>1) {
-			return LoginPageTafResp.create(access,locator,resp,redirectables);
-		} else {
-			return redirectables.get(0);
-		}
-	}
-	
-	public boolean revalidate(Principal prin) throws Exception {
-		return false;
-	}
-
-	/*
-	 * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
-	 * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical 
-	 * id (SiliconBasedLifeForm)?  This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
-	 */
-	private LifeForm tricorderScan(HttpServletRequest req) {
-		// For simplicity's sake, we'll say Humans use FQDNs, not IPs.
-		
-		String auth = req.getParameter("Authentication");
-		if(auth!=null) {
-			if("BasicAuth".equals(auth)) {
-				return LifeForm.SBLF;
-			}
-		}
-		// Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
-		// If mechanical frameworks are found that populate this, then more advanced analysis may be required
-		//  1/22/2013
-		String agent = req.getHeader("User-Agent");
-		if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
-			return LifeForm.CBLF;                      
-		return LifeForm.SBLF;							// notably skips "curl","wget", (which is desired behavior.  We don't want to try CSP, etc on these)
-	}
-
-	public Resp revalidate(CachedPrincipal prin) {
-		Resp resp;
-		for(HttpTaf taf : tafs) {
-			resp = taf.revalidate(prin);
-			switch(resp) {
-				case NOT_MINE:
-					break;
-				default:
-					return resp;
-			}
-		}
-		return Resp.NOT_MINE;
-	}
-
-	/**
-	 * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
-	 * like Eclipse.
-	 */
-	public String toString() {
-		StringBuilder sb = new StringBuilder();
-		for(HttpTaf ht : tafs) {
-			sb.append(ht.toString());
-			sb.append(". ");
-		}
-		return sb.toString();
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/HttpTaf.java b/core/src/main/java/com/att/cadi/taf/HttpTaf.java
deleted file mode 100644
index ad22872..0000000
--- a/core/src/main/java/com/att/cadi/taf/HttpTaf.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.Taf.LifeForm;
-
-/**
- * A TAF which is in a specific HTTP environment in which the engine implements 
- * javax Servlet.
- * 
- * Using the Http Request and Response interfaces takes the effort out of implementing in almost any kind of
- * HTTP Container or Engine.
- *  
- *
- */
-public interface HttpTaf {
-	/**
-	 * validate
-	 * 
-	 * Validate the Request, and respond with created TafResp object.
-	 * 
-	 * @param reading
-	 * @param req
-	 * @param resp
-	 * @return
-	 */
-	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
-	
-	/**
-	 * Re-Validate Credential
-	 * 
-	 * @param prin
-	 * @return
-	 */
-	public CachedPrincipal.Resp revalidate(CachedPrincipal prin);
-}
diff --git a/core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java b/core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java
deleted file mode 100644
index 8a6acad..0000000
--- a/core/src/main/java/com/att/cadi/taf/LoginPageTafResp.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.io.IOException;
-import java.net.URI;
-import java.util.List;
-
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.Locator;
-import com.att.cadi.Locator.Item;
-
-public class LoginPageTafResp extends AbsTafResp {
-	private final HttpServletResponse httpResp;
-	private final String loginPageURL;
-
-	private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
-		super(access, null, "Multiple Possible HTTP Logins available.  Redirecting to Login Choice Page");
-		httpResp = resp;
-		this.loginPageURL = loginPageURL;
-	}
-
-	@Override
-	public RESP authenticate() throws IOException {
-		httpResp.sendRedirect(loginPageURL);
-		return RESP.HTTP_REDIRECT_INVOKED;
-	}
-	
-	@Override
-	public RESP isAuthenticated() {
-		return RESP.TRY_AUTHENTICATING;
-	}
-	
-	public static TafResp create(Access access, Locator<URI> locator, final HttpServletResponse resp, List<Redirectable> redir) {
-		if(locator!=null) {
-			try {
-				Item item = locator.best();
-				URI uri = locator.get(item);
-				if(uri!=null) {
-					StringBuilder sb = new StringBuilder(uri.toString());
-					String query = uri.getQuery();
-					boolean first = query==null || query.length()==0;
-					int count=0;
-					for(Redirectable t : redir) {
-						if(first) {
-							sb.append('?');
-							first=false;
-						}
-						else sb.append('&');
-						sb.append(t.get());
-						++count;
-					}
-					if(count>0)return new LoginPageTafResp(access, resp, sb.toString());
-				}
-			} catch (Exception e) {
-				access.log(e, "Error deriving Login Page location");
-			}
-		} else if(!redir.isEmpty()) { 
-			access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
-			return redir.get(0);
-		}
-		return NullTafResp.singleton();
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/NullTaf.java b/core/src/main/java/com/att/cadi/taf/NullTaf.java
deleted file mode 100644
index 0a6f4bb..0000000
--- a/core/src/main/java/com/att/cadi/taf/NullTaf.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.CachedPrincipal.Resp;
-import com.att.cadi.Taf;
-
-
-/**
- * This TAF is set at the very beginning of Filters and Valves so that if any configuration issues hit while
- * starting, the default behavior is to shut down traffic rather than leaving an open hole
- * 
- *
- */
-public class NullTaf implements Taf, HttpTaf {
-	// Singleton Pattern
-	public NullTaf() {}
-
-	/**
-	 * validate 
-	 * 
-	 * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
-	 */
-	public TafResp validate(LifeForm reading, String... info) {
-		return NullTafResp.singleton();
-	}
-
-	/**
-	 * validate 
-	 * 
-	 * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
-	 */
-	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
-		return NullTafResp.singleton();
-	}
-
-	public Resp revalidate(CachedPrincipal prin) {
-		return Resp.NOT_MINE;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/NullTafResp.java b/core/src/main/java/com/att/cadi/taf/NullTafResp.java
deleted file mode 100644
index 8dcfc1e..0000000
--- a/core/src/main/java/com/att/cadi/taf/NullTafResp.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.Access;
-
-/**
- * A Null Pattern for setting responses to "Deny" before configuration is setup.
- *
- */
-class NullTafResp implements TafResp {
-	private NullTafResp(){}
-	
-	private static TafResp singleton = new NullTafResp();
-	
-	public static TafResp singleton() {
-		return singleton;
-	}
-	
-	public boolean isValid() {
-		return false;
-	}
-	
-	public RESP isAuthenticated() {
-		return RESP.NO_FURTHER_PROCESSING;
-	}
-	
-	public String desc() {
-		return "All Authentication denied";
-	}
-	
-	public RESP authenticate() throws IOException {
-		return RESP.NO_FURTHER_PROCESSING;
-	}
-
-	public Principal getPrincipal() {
-		return null;
-	}
-
-	public Access getAccess() {
-		return Access.NULL;
-	}
-
-	/* (non-Javadoc)
-	 * @see com.att.cadi.taf.TafResp#isFailedAttempt()
-	 */
-	public boolean isFailedAttempt() {
-		return true;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/PuntTafResp.java b/core/src/main/java/com/att/cadi/taf/PuntTafResp.java
deleted file mode 100644
index 8951145..0000000
--- a/core/src/main/java/com/att/cadi/taf/PuntTafResp.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.Access;
-
-/**
- * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of
- * request.  It is always the same object, so there is no cost for memory, etc.
- *
- */
-public class PuntTafResp implements TafResp {
-	private PuntTafResp(){}
-	
-	private static TafResp singleton = new PuntTafResp();
-	
-	public static TafResp singleton() {
-		return singleton;
-	}
-	
-	public boolean isValid() {
-		return false;
-	}
-	
-	public RESP isAuthenticated() {
-		return RESP.TRY_ANOTHER_TAF;
-	}
-	
-	public String desc() {
-		return "This Taf can or will not handle this authentication";
-	}
-	
-	public RESP authenticate() throws IOException {
-		return RESP.TRY_ANOTHER_TAF;
-	}
-
-	public Principal getPrincipal() {
-		return null;
-	}
-
-	public Access getAccess() {
-		return NullTafResp.singleton().getAccess();
-	}
-
-	public boolean isFailedAttempt() {
-		return false;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/Redirectable.java b/core/src/main/java/com/att/cadi/taf/Redirectable.java
deleted file mode 100644
index 4ef31bc..0000000
--- a/core/src/main/java/com/att/cadi/taf/Redirectable.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-public interface Redirectable extends TafResp {
-	/**
-	 * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
-	 * example:
-	 * "Global Login=https://xxxx....."
-	 */
-	public String get();
-}
diff --git a/core/src/main/java/com/att/cadi/taf/TafResp.java b/core/src/main/java/com/att/cadi/taf/TafResp.java
deleted file mode 100644
index 140ac13..0000000
--- a/core/src/main/java/com/att/cadi/taf/TafResp.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.Access;
-import com.att.cadi.CadiException;
-
-/**
- * Response from Taf objects, which inform users what has happened and/or what should be done
- * 
- *
- */
-public interface TafResp {
-	public static enum RESP {
-		IS_AUTHENTICATED, 
-		NO_FURTHER_PROCESSING, 
-		TRY_AUTHENTICATING, 
-		TRY_ANOTHER_TAF,
-		FAIL, 
-		// A note was made to avoid the response REDIRECT.  However, I have deemed that it is 
-		// unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP
-		// Service code to exit without modifying the Response any further.
-		// Therefore, I have changed this to indicate what HAS happened, with should accommodate 
-		// both positions.  JG 10/18/2012
-//		public static final int HTTP_REDIRECT_INVOKED = 11;
-		HTTP_REDIRECT_INVOKED,
-		HAS_PROCESSED};
-	
-	/**
-	 * Basic success check
-	 * @return
-	 */
-	public boolean isValid();
-	
-	/**
-	 *  String description of what has occurred (for logging/exceptions)
-	 * @return
-	 */
-	public String desc();
-	
-	/**
-	 * Check Response
-	 * @return
-	 */
-	public RESP isAuthenticated();
-
-	/**
-	 * Authenticate, returning FAIL or Other Valid indication
-	 * 
-	 * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately.
-	 * @return
-	 * @throws CadiException 
-	 */
-	public RESP authenticate() throws IOException;
-
-	/**
-	 * Once authenticated, this object should hold a Principal created from the authorization
-	 * @return
-	 */
-	public Principal getPrincipal();
-
-	/**
-	 * get the Access object which created this object, allowing the responder to appropriate Log, etc
-	 */
-	public Access getAccess();
-	
-	/**
-	 * Be able to check if part of a Failed attempt
-	 */
-	public boolean isFailedAttempt();
-}
diff --git a/core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java b/core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java
deleted file mode 100644
index 29a299f..0000000
--- a/core/src/main/java/com/att/cadi/taf/TrustNotTafResp.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.Access;
-
-public class TrustNotTafResp implements TafResp {
-	private final TafResp delegate;
-	private final String desc;
-	
-	public TrustNotTafResp(final TafResp delegate, final String desc) {
-		this.delegate = delegate;
-		this.desc = desc;
-	}
-	
-	@Override
-	public boolean isValid() {
-		return false;
-	}
-
-	@Override
-	public String desc() {
-		return desc;
-	}
-
-	@Override
-	public RESP isAuthenticated() {
-		return RESP.NO_FURTHER_PROCESSING;
-	}
-
-	@Override
-	public RESP authenticate() throws IOException {
-		return RESP.NO_FURTHER_PROCESSING;
-	}
-
-	@Override
-	public Principal getPrincipal() {
-		return delegate.getPrincipal();
-	}
-
-	@Override
-	public Access getAccess() {
-		return delegate.getAccess();
-	}
-
-	@Override
-	public boolean isFailedAttempt() {
-		return true;
-	}
-	
-	public String toString() {
-		return desc();
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/TrustTafResp.java b/core/src/main/java/com/att/cadi/taf/TrustTafResp.java
deleted file mode 100644
index 25c665b..0000000
--- a/core/src/main/java/com/att/cadi/taf/TrustTafResp.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.Access;
-
-public class TrustTafResp implements TafResp {
-	private final TafResp delegate;
-	private final Principal principal;
-	private final String desc;
-	
-	public TrustTafResp(final TafResp delegate, final Principal principal, final String desc) {
-		this.delegate = delegate;
-		this.principal = principal;
-		this.desc = desc + ' ' + delegate.desc();
-	}
-	
-	@Override
-	public boolean isValid() {
-		return delegate.isValid();
-	}
-
-	@Override
-	public String desc() {
-		return desc;
-	}
-
-	@Override
-	public RESP isAuthenticated() {
-		return delegate.isAuthenticated();
-	}
-
-	@Override
-	public RESP authenticate() throws IOException {
-		return delegate.authenticate();
-	}
-
-	@Override
-	public Principal getPrincipal() {
-		return principal;
-	}
-
-	@Override
-	public Access getAccess() {
-		return delegate.getAccess();
-	}
-
-	@Override
-	public boolean isFailedAttempt() {
-		return delegate.isFailedAttempt();
-	}
-	
-	public String toString() {
-		return principal.getName() + " by trust of " + desc();
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java b/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java
deleted file mode 100644
index f954a00..0000000
--- a/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTaf.java
+++ /dev/null
@@ -1,159 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.basic;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.BasicCred;
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.CachedPrincipal.Resp;
-import com.att.cadi.CredVal;
-import com.att.cadi.CredVal.Type;
-import com.att.cadi.Taf;
-import com.att.cadi.principal.BasicPrincipal;
-import com.att.cadi.principal.CachedBasicPrincipal;
-import com.att.cadi.taf.HttpTaf;
-import com.att.cadi.taf.TafResp;
-import com.att.cadi.taf.TafResp.RESP;
-import com.att.cadi.taf.dos.DenialOfServiceTaf;
-
-/**
- * BasicHttpTaf
- * 
- * This TAF implements the "Basic Auth" protocol.  
- * 
- * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.  
- * This is because the expectation, when designed years ago, was that it would only be used in 
- * conjunction with SSL (https).  It is common, however, for users to ignore this on the assumption that
- * their internal network is secure, or just ignorance.  Therefore, a WARNING will be printed
- * when the HTTP Channel is not encrypted (unless explicitly turned off).
- * 
- *
- */
-public class BasicHttpTaf implements HttpTaf {
-	private Access access;
-	private String realm;
-	private CredVal rbac;
-	private boolean warn;
-	private long timeToLive;
-	
-	public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {
-		this.access = access;
-		this.realm = realm;
-		this.rbac = rbac;
-		this.warn = turnOnWarning;
-		this.timeToLive = timeToLive;
-	}
-
-	/**
-	 * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.  
-	 * @see Taf
-	 */
-	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
-		// See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately
-		if(req instanceof BasicCred) {
-			BasicCred bc = (BasicCred)req;
-			if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null
-				if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {
-					return DenialOfServiceTaf.respDenyID(access,bc.getUser());
-				}
-				CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
-				// ONLY FOR Last Ditch DEBUGGING... 
-				// access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
-				if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred())) {
-					return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
-				} else {
-					//TODO may need timed retries in a given time period
-					return new BasicHttpTafResp(access,null,buildMsg(bp,req,"User/Pass combo invalid for ",bc.getUser()), 
-							RESP.TRY_AUTHENTICATING,resp,realm,true);
-				}
-			}
-		}
-		// Get User/Password from Authorization Header value
-		String authz = req.getHeader("Authorization");
-		if(authz != null && authz.startsWith("Basic ")) {
-			if(warn&&!req.isSecure()) {
-				access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
-			}
-			try {
-				CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
-				if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
-					return DenialOfServiceTaf.respDenyID(access,ba.getName());
-				}
-
-				// ONLY FOR Last Ditch DEBUGGING... 
-				// access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
-				if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())) {
-					return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
-				} else {
-					//TODO may need timed retries in a given time period
-					return new BasicHttpTafResp(access,null,buildMsg(ba,req,"User/Pass combo invalid"), 
-							RESP.TRY_AUTHENTICATING,resp,realm,true);
-				}
-			} catch (IOException e) {
-				String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
-				access.log(Level.INFO,msg);
-				return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
-			}
-		}
-		return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
-	}
-	
-	protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
-		StringBuilder sb = new StringBuilder();
-		for(Object s : msg) {
-			sb.append(s.toString());
-		}
-		if(pr!=null) {
-			sb.append(" for ");
-			sb.append(pr.getName());
-		}
-		sb.append(" from ");
-		sb.append(req.getRemoteAddr());
-		sb.append(':');
-		sb.append(req.getRemotePort());
-		return sb.toString();
-	}
-
-	@Override
-	public Resp revalidate(CachedPrincipal prin) {
-		if(prin instanceof BasicPrincipal) {
-			BasicPrincipal ba = (BasicPrincipal)prin;
-			if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
-				return Resp.UNVALIDATED;
-			}
-			return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())?Resp.REVALIDATED:Resp.UNVALIDATED;
-		}
-		return Resp.NOT_MINE;
-	}
-	
-	public String toString() {
-		return "Basic Auth enabled on realm: " + realm;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java b/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java
deleted file mode 100644
index 1d43054..0000000
--- a/core/src/main/java/com/att/cadi/taf/basic/BasicHttpTafResp.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.basic;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.taf.AbsTafResp;
-import com.att.cadi.taf.TafResp;
-
-public class BasicHttpTafResp extends AbsTafResp implements TafResp {
-	private HttpServletResponse httpResp;
-	private String realm;
-	private RESP status;
-	private final boolean wasFailed;
-	
-	public BasicHttpTafResp(Access access, Principal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
-		super(access,principal, description);
-		httpResp = resp;
-		this.realm = realm;
-		this.status = status;
-		this.wasFailed = wasFailed;
-	}
-
-	public RESP authenticate() throws IOException {
-		httpResp.setStatus(401); // Unauthorized	
-		httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"');
-		return RESP.HTTP_REDIRECT_INVOKED;
-	}
-
-	public RESP isAuthenticated() {
-		return status;
-	}
-
-	public boolean isFailedAttempt() {
-		return wasFailed;
-	}
-
-
-}
diff --git a/core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java b/core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java
deleted file mode 100644
index 5d9624a..0000000
--- a/core/src/main/java/com/att/cadi/taf/cert/CertIdentity.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.cert;
-
-import java.security.Principal;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-import javax.servlet.http.HttpServletRequest;
-
-public interface CertIdentity {
-	/**
-	 * identity from X509Certificate Object and/or certBytes
-	 * 
-	 * If you have both, include them.  If you only have one, leave the other null, and it will be generated if needed
-	 * 
-	 * The Request is there to obtain Header or Attribute info of ultimate user
-	 * 
-	 * @param req
-	 * @param cert
-	 * @param certBytes
-	 * @return
-	 * @throws CertificateException 
-	 */
-	public Principal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException;
-}
diff --git a/core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java b/core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java
deleted file mode 100644
index 8148a4e..0000000
--- a/core/src/main/java/com/att/cadi/taf/cert/X509HttpTafResp.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.cert;
-
-import java.io.IOException;
-import java.security.Principal;
-
-import com.att.cadi.Access;
-import com.att.cadi.taf.AbsTafResp;
-import com.att.cadi.taf.TafResp;
-
-public class X509HttpTafResp extends AbsTafResp implements TafResp {
-	private RESP status;
-	
-	public X509HttpTafResp(Access access, Principal principal, String description, RESP status) {
-		super(access, principal, description);
- 		this.status = status;
-	}
-
-	public RESP authenticate() throws IOException {
-		return RESP.TRY_ANOTHER_TAF;
-	}
-
-	public RESP isAuthenticated() {
-		return status;
-	}
-
-	public String toString() {
-		return status.name();
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/taf/cert/X509Taf.java b/core/src/main/java/com/att/cadi/taf/cert/X509Taf.java
deleted file mode 100644
index 6bef245..0000000
--- a/core/src/main/java/com/att/cadi/taf/cert/X509Taf.java
+++ /dev/null
@@ -1,257 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.cert;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Signature;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-
-import javax.net.ssl.TrustManagerFactory;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.CachedPrincipal.Resp;
-import com.att.cadi.CadiException;
-import com.att.cadi.Lur;
-import com.att.cadi.Symm;
-import com.att.cadi.Taf.LifeForm;
-import com.att.cadi.config.Config;
-import com.att.cadi.config.SecurityInfoC;
-import com.att.cadi.config.SecurityInfo;
-import com.att.cadi.lur.LocalPermission;
-import com.att.cadi.principal.TGuardPrincipal;
-import com.att.cadi.principal.X509Principal;
-import com.att.cadi.taf.HttpTaf;
-import com.att.cadi.taf.TafResp;
-import com.att.cadi.taf.TafResp.RESP;
-import com.att.cadi.util.Split;
-
-public class X509Taf implements HttpTaf {
-	
-	public static final CertificateFactory certFactory;
-	public static final MessageDigest messageDigest;
-	public static final TrustManagerFactory tmf;
-	private Access access;
-	private CertIdentity[] certIdents;
-	private Lur lur;
-	private ArrayList<String> cadiIssuers;
-	private String env;
-	private SecurityInfo si;
-
-	static {
-		try {
-			certFactory = CertificateFactory.getInstance("X.509");
-			messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
-			tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
-		} catch (Exception e) {
-			throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
-		}
-	}
-	
-	public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException {
-		this.access = access;
-		env = access.getProperty(Config.AAF_ENV,null);
-		if(env==null) {
-			throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
-		}
-		this.lur = lur;
-		this.cadiIssuers = new ArrayList<String>();
-		for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "CN=ATT CADI Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT CADI Issuing CA 02, OU=CSO, O=ATT, C=US").split(":")) {
-			cadiIssuers.add(ci);
-		}
-		try {
-			Class<?> dci = access.classLoader().loadClass("com.att.authz.cadi.DirectCertIdentity");
-			CertIdentity temp[] = new CertIdentity[cis.length+1];
-			System.arraycopy(cis, 0, temp, 1, cis.length);
-			temp[0] = (CertIdentity) dci.newInstance();
-			certIdents=temp;
-		} catch (Exception e) {
-			certIdents = cis;
-		}
-		
-		try {
-			si = new SecurityInfo(access);
-		} catch (GeneralSecurityException | IOException e1) {
-			throw new CadiException(e1);
-		}
-	}
-
-	public static final X509Certificate getCert(byte[] certBytes) throws CertificateException {
-		ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
-		return (X509Certificate)certFactory.generateCertificate(bais);
-	}
-
-	public static final byte[] getFingerPrint(byte[] ba) {
-		MessageDigest md;
-		try {
-			md = (MessageDigest)messageDigest.clone();
-		} catch (CloneNotSupportedException e) {
-			// should never get here
-			return new byte[0];
-		}
-		md.update(ba);
-		return md.digest();
-	}
-
-	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
-		// Check for Mutual SSL
-		try {
-			X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
-			if(certarr!=null && certarr.length>0) {
-				si.checkClientTrusted(certarr);
-				// Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
-				if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) {
-					String x500 = certarr[0].getSubjectDN().getName();
-					int ou=x500.indexOf("OU=");
-					if(ou>0) {
-						ou+=3;
-						int comma = x500.indexOf(',',ou);
-						if(comma>0) {
-							String id= x500.substring(ou,comma);
-							String idenv[] = id.split(":");
-							if(idenv.length==1 || (idenv.length>1 && env.equals(idenv[1]))) {
-								return new X509HttpTafResp(access, 
-									new X509Principal(idenv[0], certarr[0],null), 
-										id + " validated by CADI x509", RESP.IS_AUTHENTICATED);
-							}
-						}
-					}
-				}
-			}
-
-			byte[] array = null;
-			byte[] certBytes = null;
-			X509Certificate cert=null;
-			String responseText=null;
-			String authHeader = req.getHeader("Authorization");
-
-			if(certarr!=null) {  // If cert !=null, Cert is Tested by Mutual Protocol.
-				if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity
-					return new X509HttpTafResp(access, null, "Certificate verified, but another Identity is presented", RESP.TRY_ANOTHER_TAF);
-				}
-				cert = certarr[0];
-				responseText = ", validated by Mutual SSL Protocol";
-			} else {		 // If cert == null, Get Declared Cert (in header), but validate by having them sign something
-				if(authHeader != null && authHeader.startsWith("x509 ")) {
-					ByteArrayOutputStream baos = new ByteArrayOutputStream(authHeader.length());
-					try {
-						array = authHeader.getBytes();
-						ByteArrayInputStream bais = new ByteArrayInputStream(array);
-						Symm.base64noSplit.decode(bais, baos, 5);
-						certBytes = baos.toByteArray();
-						cert = getCert(certBytes);
-						
-						/** 
-						 * Identity from CERT if well know CA and specific encoded information
-						 */
-						// If found Identity doesn't work, try SignedStuff Protocol
-//									cert.checkValidity();
-//									cert.--- GET FINGERPRINT?
-						String stuff = req.getHeader("Signature");
-						if(stuff==null) 
-							return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF);
-						String data = req.getHeader("Data"); 
-//									if(data==null) 
-//										return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF);
-
-						// Note: Data Pos shows is "<signatureType> <data>"
-//									int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm
-						// Get Signature 
-						bais = new ByteArrayInputStream(stuff.getBytes());
-						baos = new ByteArrayOutputStream(stuff.length());
-						Symm.base64noSplit.decode(bais, baos);
-						array = baos.toByteArray();
-//									Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature
-						
-						Signature sig = Signature.getInstance(cert.getSigAlgName()); 
-						sig.initVerify(cert.getPublicKey());
-						sig.update(data.getBytes());
-						if(!sig.verify(array)) {
-							access.log(Level.ERROR, "Signature doesn't Match");
-							return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
-						}
-						responseText = ", validated by Signed Data";
-					} catch (Exception e) {
-						access.log(e, "Exception while validating Cert");
-						return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
-					}
-					
-				} else {
-					return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF);
-				}
-			}
-
-			// A cert has been found, match Identify
-			Principal prin=null;
-			
-			for(int i=0;prin==null && i<certIdents.length;++i) {
-				if((prin=certIdents[i].identity(req, cert, certBytes))!=null) {
-					responseText = prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText;
-//					xresp = new X509HttpTafResp(
-//								access,
-//								prin,
-//								prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText,
-//								RESP.IS_AUTHENTICATED);
-					
-				}
-			}
-
-			// if Principal is found, check for "AS_USER" and whether this entity is trusted to declare
-			if(prin!=null) {
-				String as_user=req.getHeader(Config.CADI_USER_CHAIN);
-				if(as_user!=null) {
-					if(as_user.startsWith("TGUARD ") && lur.fish(prin, new LocalPermission("com.att.aaf.trust|"+prin.getName()+"|tguard"))) {
-						prin = new TGuardPrincipal(as_user.substring(7));
-						responseText=prin.getName() + " set via trust of " + responseText;
-					}
-				}
-				return new X509HttpTafResp(
-					access,
-					prin,
-					responseText,
-					RESP.IS_AUTHENTICATED);
-			}
-		} catch(Exception e) {
-			return new X509HttpTafResp(access, null, e.getMessage(), RESP.TRY_ANOTHER_TAF);	
-		}
-	
-		return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
-	}
-
-	public Resp revalidate(CachedPrincipal prin) {
-		return null;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java b/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java
deleted file mode 100644
index 6bb9252..0000000
--- a/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTaf.java
+++ /dev/null
@@ -1,370 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.dos;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.FileReader;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.CachedPrincipal.Resp;
-import com.att.cadi.CadiException;
-import com.att.cadi.Taf.LifeForm;
-import com.att.cadi.taf.HttpTaf;
-import com.att.cadi.taf.PuntTafResp;
-import com.att.cadi.taf.TafResp;
-import com.att.cadi.taf.TafResp.RESP;
-
-public class DenialOfServiceTaf implements HttpTaf {
-	private static Map<String, Counter> deniedIP=null, deniedID=null;
-	private Access access;
-	private static File dosIP, dosID;
-	
-	/**
-	 * 
-	 * @param hostname
-	 * @param prod
-	 * @throws CadiException
-	 */
-	public DenialOfServiceTaf(Access access) throws CadiException {
-		this.access = access;
-		if(dosIP==null || dosID == null) {
-			String dirStr;
-			if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {
-				dosIP = new File(dirStr+"/dosIP");
-				readIP();
-				dosID = new File(dirStr+"/dosID");
-				readID();
-			}
-		}
-	}
-
-	public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
-		// Performance, when not needed
-		if(deniedIP != null) {
-			String ip;
-			Counter c = deniedIP.get(ip=req.getRemoteAddr());
-			if(c!=null) {
-				c.inc();
-				return respDenyIP(access,ip);
-			}
-		}
-		
-		// Note:  Can't process Principal, because this is the first TAF, and no Principal is created.
-		// Other TAFs use "isDenied()" on this Object to validate.
-		return PuntTafResp.singleton();
-	}
-
-	public Resp revalidate(CachedPrincipal prin) {
-		// We always return NOT MINE, because DOS Taf does not ever validate
-		return Resp.NOT_MINE;
-	}
-
-	/*
-	 *  for use in Other TAFs, before they attempt backend validation of 
-	 */
-	public static Counter isDeniedID(String identity) {
-		if(deniedID!=null) {
-			return deniedID.get(identity);
-		}
-		return null;
-	}
-	
-	/**
-	 *  
-	 */
-	public static Counter isDeniedIP(String ipvX) {
-		if(deniedID!=null) {
-			return deniedID.get(ipvX);
-		}
-		return null;
-	}
-
-	/**
-	 * Return of "True" means IP has been added.
-	 * Return of "False" means IP already added.
-	 * 
-	 * @param ip
-	 * @return
-	 */
-	public static synchronized boolean denyIP(String ip) {
-		boolean rv = false;
-		if(deniedIP==null) {
-			deniedIP = new HashMap<String,Counter>();
-			deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
-			rv= true;
-		} else if(deniedIP.get(ip)==null) {
-			deniedIP.put(ip, new Counter(ip));
-			rv = true;
-		}
-		if(rv) {
-			writeIP();
-		}
-		return rv;
-	}
-	
-	private static void writeIP() {
-		if(dosIP!=null && deniedIP!=null) {
-			if(deniedIP.isEmpty()) {
-				if(dosIP.exists()) {
-					dosIP.delete();
-				}
-			} else {
-				PrintStream fos;
-				try {
-					fos = new PrintStream(new FileOutputStream(dosIP,false));
-					try {
-						for(String ip: deniedIP.keySet()) {
-							fos.println(ip);
-						}
-					} finally {
-						fos.close();
-					}
-				} catch (IOException e) {
-					e.printStackTrace(System.err);
-				}
-			}
-		}
-	}
-	
-	private static void readIP() {
-		if(dosIP!=null && dosIP.exists()) {
-			BufferedReader br;
-			try {
-				br = new BufferedReader(new FileReader(dosIP));
-				if(deniedIP==null) {
-					deniedIP=new HashMap<String,Counter>();
-				}
-
-				try {
-					String line;
-					while((line=br.readLine())!=null) {
-						deniedIP.put(line, new Counter(line));
-					}
-				} finally {
-					br.close();
-				}
-			} catch (IOException e) {
-				e.printStackTrace(System.err);
-			}
-		}
-	}
-
-
-	/**
-	 * Return of "True" means IP has was removed.
-	 * Return of "False" means IP wasn't being denied.
-	 * 
-	 * @param ip
-	 * @return
-	 */
-	public static synchronized boolean removeDenyIP(String ip) {
-		if(deniedIP!=null && deniedIP.remove(ip)!=null) {
-			writeIP();
-			if(deniedIP.isEmpty()) {
-				deniedIP=null;
-			}
-			return true;
-		}
-		return false;
-	}
-
-	/**
-	 * Return of "True" means ID has been added.
-	 * Return of "False" means ID already added.
-	 * 
-	 * @param ip
-	 * @return
-	 */
-	public static synchronized boolean denyID(String id) {
-		boolean rv = false;
-		if(deniedID==null) {
-			deniedID = new HashMap<String,Counter>();
-			deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
-			rv = true;
-		} else if(deniedID.get(id)==null) {
-			deniedID.put(id, new Counter(id));
-			rv = true;
-		}
-		if(rv) {
-			writeID();
-		}
-		return rv;
-
-	}
-
-	private static void writeID() {
-		if(dosID!=null && deniedID!=null) {
-			if(deniedID.isEmpty()) {
-				if(dosID.exists()) {
-					dosID.delete();
-				}
-			} else {
-				PrintStream fos;
-				try {
-					fos = new PrintStream(new FileOutputStream(dosID,false));
-					try {
-						for(String ip: deniedID.keySet()) {
-							fos.println(ip);
-						}
-					} finally {
-						fos.close();
-					}
-				} catch (IOException e) {
-					e.printStackTrace(System.err);
-				}
-			}
-		}
-	}
-
-	private static void readID() {
-		if(dosID!=null && dosID.exists()) {
-			BufferedReader br;
-			try {
-				br = new BufferedReader(new FileReader(dosID));
-				if(deniedID==null) {
-					deniedID=new HashMap<String,Counter>();
-				}
-				try {
-					String line;
-					while((line=br.readLine())!=null) {
-						deniedID.put(line, new Counter(line));
-					}
-				} finally {
-					br.close();
-				}
-			} catch (IOException e) {
-				e.printStackTrace(System.err);
-			}
-		}
-	}
-
-	/**
-	 * Return of "True" means ID has was removed.
-	 * Return of "False" means ID wasn't being denied.
-	 * 
-	 * @param ip
-	 * @return
-	 */
-	public static synchronized boolean removeDenyID(String id) {
-		if(deniedID!=null && deniedID.remove(id)!=null) { 
-			writeID();
-			if(deniedID.isEmpty()) {
-				deniedID=null;
-			}
-
-			return true;
-		}
-		return false;
-	}
-	
-	public List<String> report() {
-		int initSize = 0;
-		if(deniedIP!=null)initSize+=deniedIP.size();
-		if(deniedID!=null)initSize+=deniedID.size();
-		ArrayList<String> al = new ArrayList<String>(initSize);
-		if(deniedID!=null) {
-			for(Counter c : deniedID.values()) {
-				al.add(c.toString());
-			}
-		}
-		if(deniedIP!=null) {
-			for(Counter c : deniedIP.values()) {
-				al.add(c.toString());
-			}
-		}
-		return al;
-	}
-	
-	public static class Counter {
-		private final String name; 
-		private int count = 0;
-		private Date first;
-		private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
-		
-		public Counter(String name) {
-			this.name = name;
-			first = null;
-			last = 0L;
-			count = 0;
-		}
-		
-		public String getName() {
-			return name;
-		}
-		
-		public int getCount() {
-			return count;
-		}
-
-		public long getLast() {
-			return last;
-		}
-		
-		/*
-		 * Only allow Denial of ServiceTaf to increment
-		 */
-		private synchronized void inc() {
-			++count;
-			last = System.currentTimeMillis();
-			if(first==null) {
-				first = new Date(last);
-			}
-		}
-		
-		public String toString() {
-			if(count==0) 
-				return name + " is on the denied list, but has not attempted Access"; 
-			else 
-				return 
-					name +
-					" has been denied " +
-					count +
-					" times since " +
-					first +
-					".  Last denial was " +
-					new Date(last);
-		}
-	}
-
-	public static TafResp respDenyID(Access access, String identity) {
-		return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
-	}
-	
-	public static TafResp respDenyIP(Access access, String ip) {
-		return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java b/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java
deleted file mode 100644
index 1b4efed..0000000
--- a/core/src/main/java/com/att/cadi/taf/dos/DenialOfServiceTafResp.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.dos;
-
-import java.io.IOException;
-
-import com.att.cadi.Access;
-import com.att.cadi.taf.AbsTafResp;
-
-public class DenialOfServiceTafResp extends AbsTafResp  {
-	private RESP ect;  // Homage to Arethra Franklin
-
-	public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
-		super(access, null, description);
-		ect = resp;
-	}
-
-	// Override base behavior of checking Principal and trying another TAF
-	@Override
-	public RESP isAuthenticated() {
-		return ect;
-	}
-	
-
-	public RESP authenticate() throws IOException {
-		return ect;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
deleted file mode 100644
index 67754a9..0000000
--- a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTaf.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.localhost;
-
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.net.SocketException;
-import java.net.UnknownHostException;
-import java.util.Enumeration;
-import java.util.TreeSet;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import com.att.cadi.Access;
-import com.att.cadi.Access.Level;
-import com.att.cadi.CachedPrincipal;
-import com.att.cadi.CachedPrincipal.Resp;
-import com.att.cadi.Taf;
-import com.att.cadi.taf.HttpTaf;
-import com.att.cadi.taf.TafResp;
-import com.att.cadi.taf.TafResp.RESP;
-
-/**
- * Implement the ability to utilize LocalHost as a TAF.
- * 
- * Configure with two properties, 
- * 	localhost.deny
- *  localhost.accept
- *  
- * 1) If localhost.deny==true, then no localhost requests are allowed
- * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
- *   chain, but don't treat localhost as an acceptable credential)
- * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed, 
- * to run, are treated as validated.  This is primarily for Developer purposes.
- *   
- * 
- *
- */
-public class LocalhostTaf implements HttpTaf {
-	private TafResp isLocalHost,isNotLocalHost;
-	private static final TreeSet<String> addrSet;
-	
-	static {
-		addrSet = new TreeSet<String>();
-		try {
-			for(Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
-				NetworkInterface ni = en.nextElement();
-				for(Enumeration<InetAddress> eia = ni.getInetAddresses();eia.hasMoreElements();) {
-					InetAddress ia = eia.nextElement();
-					addrSet.add(ia.getHostAddress());
-				}
-			}
-		} catch (SocketException e) {
-		}
-		
-	}
-
-	public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
-		String hostname = access.getProperty("hostname",null);
-		if(hostname !=null) {
-			try {
-				addrSet.add(InetAddress.getByName(hostname).getHostAddress());
-			} catch (UnknownHostException e) {
-				access.log(e,"Unknown Host");
-			}
-		}
-		
-		if(isDenied) {
-			access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
-		} else {
-			access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ",
-					(accept?"and will treat them as authenticated":"but will require other authentication"));
-		}
-		// Set the appropriate behavior for when ID coming in is from localhost
-		isLocalHost = isDenied?	
-			new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"):
-			accept?
-				new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"):
-				new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed");
-		isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
-	}
-
-//	@Override
-	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
-		String remote = req.getRemoteAddr();
-		return addrSet.contains(remote)
-			?isLocalHost
-			:isNotLocalHost;
-	}
-
-	/** 
-	 * This function used for other TAFs (i.e. CSP, which can't work on localhost address)
-	 * 
-	 * @param address
-	 * @return
-	 */
-	public static boolean isLocalAddress(String address) {
-		return addrSet.contains(address);
-	}
-	
-	public String toString() {
-		return "Localhost TAF activated: " + isLocalHost.desc();
-	}
-
-	public Resp revalidate(CachedPrincipal prin) {
-		// shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid...
-		return Resp.REVALIDATED;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java b/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java
deleted file mode 100644
index 2a074d1..0000000
--- a/core/src/main/java/com/att/cadi/taf/localhost/LocalhostTafResp.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.taf.localhost;
-
-import java.security.Principal;
-
-import com.att.cadi.Access;
-import com.att.cadi.taf.TafResp;
-
-public class LocalhostTafResp implements TafResp {
-	private RESP action;
-	private String description;
-	private final static Principal principal = new Principal() {
-		private String name = System.getProperty("user.name")+"@localhost";
-//		@Override
-		public String getName() {
-			return name;
-		}
-	};
-
-	private Access access;
-	
-	public LocalhostTafResp(Access access, RESP state, String desc) {
-		action = state;
-		description = desc;
-		this.access = access;
-	}
-	
-//	@Override
-	public boolean isValid() {
-		return action == RESP.IS_AUTHENTICATED;
-	}
-
-//	@Override
-	public String desc() {
-		return description;
-	}
-
-//	@Override
-	public RESP authenticate() {
-		return action;
-	}
-	
-	public RESP isAuthenticated() {
-		return action;
-	}
-
-//	@Override
-	public Principal getPrincipal() {
-		return principal;
-	}
-
-	public Access getAccess() {
-		return access;
-	}
-
-	public boolean isFailedAttempt() {
-		return false;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/util/Chmod.java b/core/src/main/java/com/att/cadi/util/Chmod.java
deleted file mode 100644
index ddde50b..0000000
--- a/core/src/main/java/com/att/cadi/util/Chmod.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-import java.io.File;
-import java.io.IOException;
-
-public interface Chmod {
-	public void chmod(File f) throws IOException;
-	
-	public static final Chmod to755 = new Chmod() {
-		public void chmod(File f) throws IOException {
-			f.setExecutable(true, false);
-			f.setExecutable(true, true);
-			f.setReadable(true, false);
-			f.setReadable(true, true);
-			f.setWritable(false, false);
-			f.setWritable(true, true);
-		}
-	};
-
-	public static final Chmod to644 = new Chmod() {
-		public void chmod(File f) throws IOException {
-			f.setExecutable(false, false);
-			f.setExecutable(false, true);
-			f.setReadable(true, false);
-			f.setReadable(true, true);
-			f.setWritable(false, false);
-			f.setWritable(true, true);
-		}
-	};
-
-	public static final Chmod to400 = new Chmod() {
-		public void chmod(File f) throws IOException {
-			f.setExecutable(false, false);
-			f.setExecutable(false, true);
-			f.setReadable(false, false);
-			f.setReadable(true, true);
-			f.setWritable(false, false);
-			f.setWritable(false, true);
-		}
-	};
-}
diff --git a/core/src/main/java/com/att/cadi/util/JsonOutputStream.java b/core/src/main/java/com/att/cadi/util/JsonOutputStream.java
deleted file mode 100644
index 33deed0..0000000
--- a/core/src/main/java/com/att/cadi/util/JsonOutputStream.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-public class JsonOutputStream extends OutputStream {
-	private static final byte[] TWO_SPACE = "  ".getBytes();
-	private OutputStream os;
-	private boolean closeable;
-	private int indent = 0;
-	private int prev,ret=0;
-
-	public JsonOutputStream(OutputStream os) {
-		// Don't close these, or dire consequences.
-		closeable = !os.equals(System.out) && !os.equals(System.err);
-		this.os = os;
-	}
-
-	@Override
-	public void write(int b) throws IOException {
-		if(ret=='\n') {
-			ret = 0;
-			if(prev!=',' || (b!='{' && b!='[')) {
-				os.write('\n');
-				for(int i=0;i<indent;++i) {
-					os.write(TWO_SPACE);
-				}
-			}
-		}
-		switch(b) {
-			case '{':
-			case '[':	
-					ret = '\n';
-					++indent;
-					break;
-			case '}':
-			case ']': 
-					--indent;
-					os.write('\n');
-					for(int i=0;i<indent;++i) {
-						os.write(TWO_SPACE);
-					}
-					break;
-			case ',':
-					ret = '\n';
-					break;
-					
-		}
-		os.write(b);
-		prev = b;
-	}
-	public void resetIndent() {
-		indent = 1;
-	}
-
-	@Override
-	public void flush() throws IOException {
-		os.flush();
-	}
-
-	@Override
-	public void close() throws IOException {
-		if(closeable) {
-			os.close();
-		}
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/util/MaskFormatException.java b/core/src/main/java/com/att/cadi/util/MaskFormatException.java
deleted file mode 100644
index fa3f220..0000000
--- a/core/src/main/java/com/att/cadi/util/MaskFormatException.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-@SuppressWarnings("serial")
-public class MaskFormatException extends Exception {
-
-	public MaskFormatException(String string) {
-			super(string);
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/util/MyConsole.java b/core/src/main/java/com/att/cadi/util/MyConsole.java
deleted file mode 100644
index 4083dea..0000000
--- a/core/src/main/java/com/att/cadi/util/MyConsole.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-public interface MyConsole {
-	public String readLine(String fmt, Object ... args);
-	public char[] readPassword(String fmt, Object ... args);
-	public void printf(String fmt, Object ...args);
-}
diff --git a/core/src/main/java/com/att/cadi/util/NetMask.java b/core/src/main/java/com/att/cadi/util/NetMask.java
deleted file mode 100644
index 9707047..0000000
--- a/core/src/main/java/com/att/cadi/util/NetMask.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-/* 
- * NetMask - a class to quickly validate whether a given IP is part of a mask, as defined by bytes or standard String format.
- * 
- * Needs the IPV6 Mask Builder. 
- */
-public class NetMask {
-	private long mask;
-
-	public NetMask(byte[] inBytes) {
-		mask = derive(inBytes);
-	}
-	
-	public NetMask(String string) throws MaskFormatException {
-		mask = derive(string,true);
-	}
-	
-	public boolean isInNet(byte[] inBytes) {
-		long addr = derive(inBytes);
-		return (mask & addr) == addr;
-	}
-	
-	public boolean isInNet(String str) {
-		long addr;
-		try {
-			addr = derive(str,false);
-			return (mask & addr) == addr;
-		} catch (MaskFormatException e) {
-			// will not hit this code;
-			return false;
-		}
-	}
-
-	public static long derive(byte[] inBytes) {
-		long addr = 0L;
-		int offset = inBytes.length*8;
-		for(int i=0;i<inBytes.length;++i) {
-			addr&=(inBytes[i]<<offset);
-			offset-=8;
-		}
-		return addr;
-	}
-
-	public static long derive(String str, boolean check) throws MaskFormatException {
-		long rv=0L;
-		int idx=str.indexOf(':');
-		int slash = str.indexOf('/');
-
-		if(idx<0) { // Not IPV6, so it's IPV4... Is there a mask of 123/254?
-			idx=str.indexOf('.');
-			int offset = 24;
-			int end = slash>=0?slash:str.length();
-			int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32;
-			if(check && bits>32) {
-				throw new MaskFormatException("Invalid Mask Offset in IPV4 Address");
-			}
-			int prev = 0;
-			long lbyte;
-			while(prev<end) {
-				if(idx<0) {
-					idx = end;
-				}
-				lbyte = Long.parseLong(str.substring(prev, idx));
-				if(check && (lbyte>255 || lbyte<0)) {
-					throw new MaskFormatException("Invalid Byte in IPV4 Address");
-				}
-				rv|=lbyte<<offset;
-				prev = ++idx;
-				idx=str.indexOf('.',prev);
-				offset-=8;
-			}
-			rv|=0x00000000FFFFFFFFL>>bits;
-		}
-		return rv;
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/util/Split.java b/core/src/main/java/com/att/cadi/util/Split.java
deleted file mode 100644
index 07332dd..0000000
--- a/core/src/main/java/com/att/cadi/util/Split.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-/**
- * Split by Char, optional Trim
- *
- * Note: Copied from Inno to avoid linking issues.
- * Note: I read the String split and Pattern split code, and we can do this more efficiently for a single Character
- * 
- * 8/20/2015
- */
-
-public class Split {
-	  public static String[] split(char c, String value) {
-		  // Count items to preallocate Array (memory alloc is more expensive than counting twice)
-		  int count,idx;
-		  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);
-		  String[] rv = new String[count];
-		  if(count==1) {
-			  rv[0]=value;
-		  } else {
-			  int last=0;
-			  count=-1;
-			  for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) {
-				  rv[++count]=value.substring(last,idx);
-				  last = ++idx;
-			  }
-			  rv[++count]=value.substring(last);
-		  }
-		  return rv;
-	  }
-
-	  public static String[] splitTrim(char c, String value) {
-		  // Count items to preallocate Array (memory alloc is more expensive than counting twice)
-		  int count,idx;
-		  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);
-		  String[] rv = new String[count];
-		  if(count==1) {
-			  rv[0]=value.trim();
-		  } else {
-			  int last=0;
-			  count=-1;
-			  for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) {
-				  rv[++count]=value.substring(last,idx).trim();
-				  last = ++idx;
-			  }
-			  rv[++count]=value.substring(last).trim();
-		  }
-		  return rv;
-	  }
-
-	  public static String[] splitTrim(char c, String value, int size) {
-		  int idx;
-		  String[] rv = new String[size];
-		  if(size==1) {
-			  rv[0]=value.trim();
-		  } else {
-			  int last=0;
-			  int count=-1;
-			  size-=2;
-			  for(idx=value.indexOf(c);idx>=0 && count<size;idx=value.indexOf(c,idx)) {
-				  rv[++count]=value.substring(last,idx).trim();
-				  last = ++idx;
-			  }
-			  rv[++count]=value.substring(last).trim();
-		  }
-		  return rv;
-	  }
-
-}
diff --git a/core/src/main/java/com/att/cadi/util/SubStandardConsole.java b/core/src/main/java/com/att/cadi/util/SubStandardConsole.java
deleted file mode 100644
index 8a44568..0000000
--- a/core/src/main/java/com/att/cadi/util/SubStandardConsole.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-
-// Substandard, because System.in doesn't do Passwords..
-public class SubStandardConsole implements MyConsole {
-	BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
-	@Override
-	public String readLine(String fmt, Object... args) {
-		String rv;
-		try {
-			System.out.printf(fmt,args);
-			rv = br.readLine();
-			if(args.length==1 && rv.length()==0) {
-				rv = args[0].toString();
-			}
-		} catch (IOException e) {
-			System.err.println("uh oh...");
-			rv = "";
-		}
-		return rv;
-	}
-
-	@Override
-	public char[] readPassword(String fmt, Object... args) {
-		try {
-			System.out.printf(fmt,args);
-			return br.readLine().toCharArray();
-		} catch (IOException e) {
-			System.err.println("uh oh...");
-			return new char[0];
-		}
-	}
-
-	@Override
-	public void printf(String fmt, Object... args) {
-		System.out.printf(fmt, args);
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/util/TheConsole.java b/core/src/main/java/com/att/cadi/util/TheConsole.java
deleted file mode 100644
index 05fcd9b..0000000
--- a/core/src/main/java/com/att/cadi/util/TheConsole.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-public class TheConsole implements MyConsole {
-	@Override
-	public String readLine(String fmt, Object... args) {
-		String rv = System.console().readLine(fmt, args);
-		if(args.length>0 && args[0]!=null && rv.length()==0) {
-			rv = args[0].toString();
-		}
-		return rv;
-	}
-
-	@Override
-	public char[] readPassword(String fmt, Object... args) {
-		return System.console().readPassword(fmt, args);
-	}
-	
-	public static boolean implemented() {
-		return System.console()!=null;
-	}
-
-	@Override
-	public void printf(String fmt, Object... args) {
-		System.console().printf(fmt, args);
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/util/UserChainManip.java b/core/src/main/java/com/att/cadi/util/UserChainManip.java
deleted file mode 100644
index 9f6eeec..0000000
--- a/core/src/main/java/com/att/cadi/util/UserChainManip.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-import com.att.cadi.UserChain;
-
-public class UserChainManip {
-	/** 
-	    Build an element in the correct format for UserChain.
-		Format:<APP>:<ID>:<protocol>[:AS][,<APP>:<ID>:<protocol>]*
-		@see UserChain
-	*/ 
-	public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) {
-		boolean mayAs;
-		if(!(mayAs=sb.length()==0)) {
-			sb.append(',');
-		}
-		sb.append(app);
-		sb.append(':');
-		sb.append(id);
-		sb.append(':');
-		sb.append(proto.name());
-		if(as && mayAs) {
-			sb.append(":AS");
-		}
-		return sb;
-	}
-	
-	public static String idToNS(String id) {
-		if(id==null) {
-			return "";
-		} else {
-			StringBuilder sb = new StringBuilder();
-			char c;
-			int end;
-			boolean first = true;
-			for(int idx = end = id.length()-1;idx>=0;--idx) {
-				if((c = id.charAt(idx))=='@' || c=='.')  {
-					if(idx<end) {
-						if(first) {
-							first = false;
-						} else {
-							sb.append('.');
-						}
-						for(int i=idx+1;i<=end;++i) {
-							sb.append(id.charAt(i));
-						}
-					}
-					end=idx-1;
-					if(c=='@') {
-						break;
-					}
-				}
-			}
-			return sb.toString();
-		}
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/util/Vars.java b/core/src/main/java/com/att/cadi/util/Vars.java
deleted file mode 100644
index 8d0b27e..0000000
--- a/core/src/main/java/com/att/cadi/util/Vars.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.util;
-
-import java.util.List;
-
-public class Vars {
-	/**
-	 * Simplified Conversion based on typical use of getting AT&T style RESTful Error Messages
-	 * @param text
-	 * @param vars
-	 * @return
-	 */
-	public static String convert(final String text, final List<String> vars) {
-		String[] array = new String[vars.size()];
-		StringBuilder sb = new StringBuilder();
-		convert(sb,text,vars.toArray(array));
-		return sb.toString();
-	}
-	/**
-	 * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format
-	 * If "holder" is passed in, it is built with full Message extracted (typically for Logging)
-	 * @param holder
-	 * @param text
-	 * @param vars
-	 * @return
-	 */
-	public static String convert(final StringBuilder holder, final String text, final String ... vars) {
-		StringBuilder sb = null;
-		int idx,index=0,prev = 0;
-		
-		if(text.contains("%s")) {
-			sb = new StringBuilder();
-		}
-		
-		StringBuilder[] sbs = new StringBuilder[] {sb,holder};
-		boolean replace, clearIndex = false;
-		int c;
-		while((idx=text.indexOf('%',prev))>=0) {
-			replace = false;
-			if(clearIndex) {
-				index=0;
-			}
-			if(sb!=null) {
-				sb.append(text,prev,idx);
-			}
-			if(holder!=null) {
-				holder.append(text,prev,idx);
-			}
-			
-			boolean go = true;
-			while(go) {
-				if(text.length()>++idx) {
-					switch(c=text.charAt(idx)) {
-						case '0': case '1': case '2': case '3': case '4': 
-						case '5': case '6': case '7': case '8': case '9':
-							index *=10;
-							index +=(c-'0');
-							clearIndex=replace=true;
-							continue;
-						case 's':
-							++index;
-							replace = true;
-							continue;
-						default:
-							break;
-					}
-				}
-				prev = idx;
-				go=false;
-				if(replace) {
-					if(sb!=null) {
-						sb.append('%');
-						sb.append(index);
-					}
-					if(index<=vars.length) {
-						if(holder!=null) {
-							holder.append(vars[index-1]);
-						}
-					}
-				} else {
-					for(StringBuilder s : sbs) {
-						if(s!=null) {
-							s.append("%");
-						}
-					}
-				}
-			}
-		}
-		
-		if(sb!=null) {
-			sb.append(text,prev,text.length());
-		}
-		if(holder!=null) {
-			holder.append(text,prev,text.length());
-		}
-
-		return sb==null?text:sb.toString();
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/wsse/Action.java b/core/src/main/java/com/att/cadi/wsse/Action.java
deleted file mode 100644
index 0ed99c0..0000000
--- a/core/src/main/java/com/att/cadi/wsse/Action.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse;
-
-/**
- * Interface to specify an action deep within a parsing tree on a local object
- * 
- * We use a Generic so as to be flexible on create what that object actually is.  This is passed in at the
- * root "parse" call of Match.  Similar to a "Visitor" Pattern, this object is passed upon reaching the right
- * point in a parse tree.
- * 
- *
- * @param <OUTPUT>
- */
-interface Action<OUTPUT> {
-	public boolean content(OUTPUT output, String text);
-}
diff --git a/core/src/main/java/com/att/cadi/wsse/Match.java b/core/src/main/java/com/att/cadi/wsse/Match.java
deleted file mode 100644
index e1c1078..0000000
--- a/core/src/main/java/com/att/cadi/wsse/Match.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse;
-
-import javax.xml.namespace.QName;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.events.XMLEvent;
-
-/**
- * Match Class allows you to build an automatic Tree of StAX (or StAX like) 
- * Objects for frequent use.
- * 
- * OBJECT is a type which you which to do some end Actions on, similar to a Visitor pattern, see Action
- * 
- * Note: We have implemented with XReader and XEvent, rather than StAX for performance reasons.
- * 
- * @see Action
- * @see Match
- * @see XEvent
- * @see XReader
- * 
- *
- * @param <OUTPUT>
- */
-//@SuppressWarnings("restriction")
-public class Match<OUTPUT> {
-	private QName qname;
-	private Match<OUTPUT>[] next;
-	private Match<OUTPUT> prev;
-	private Action<OUTPUT> action = null;
-	private boolean stopAfter;
-	private boolean exclusive;
-	
-
-	@SafeVarargs
-	public Match(String ns, String name, Match<OUTPUT> ... next) {
-		this.qname = new QName(ns,name);
-		this.next = next;
-		stopAfter = exclusive = false;
-		for(Match<OUTPUT> m : next) { // add the possible tags to look for
-			if(!m.stopAfter)m.prev = this;
-		}
-	}
-	
-	public Match<OUTPUT> onMatch(OUTPUT output, XReader reader) throws XMLStreamException {
-		while(reader.hasNext()) {
-			XEvent event = reader.nextEvent();
-			switch(event.getEventType()) {
-				case XMLEvent.START_ELEMENT:
-					QName e_qname = event.asStartElement().getName();
-					//System.out.println("Start - " + e_qname);
-					boolean match = false;
-					for(Match<OUTPUT> m : next) {
-						if(e_qname.equals(m.qname)) {
-							match=true;
-							if(m.onMatch(output, reader)==null) {
-								return null; // short circuit Parsing
-							}
-							break;
-						}
-					}
-					if(exclusive && !match) // When Tag MUST be present, i.e. the Root Tag, versus info we're not interested in
-						return null;
-					break;
-				case XMLEvent.CHARACTERS:
-					//System.out.println("Data - " +event.asCharacters().getData());
-					if(action!=null) {
-						if(!action.content(output,event.asCharacters().getData())) {
-							return null;
-						}
-					}
-					break;
-				case XMLEvent.END_ELEMENT:
-					//System.out.println("End - " + event.asEndElement().getName());
-					if(event.asEndElement().getName().equals(qname)) {
-						return prev;
-					}
-					break;
-				case XMLEvent.END_DOCUMENT:
-					return null; // Exit Chain
-			}
-		}
-		return this;
-	}
-
-	/**
-	 * When this Matched Tag has completed, Stop parsing and end
-	 * @return
-	 */
-	public Match<OUTPUT> stopAfter() {
-		stopAfter = true;
-		return this;
-	}
-	
-	/**
-	 * Mark that this Object MUST be matched at this level or stop parsing and end
-	 * 
-	 * @param action
-	 * @return
-	 */
-	public Match<OUTPUT> exclusive() {
-		exclusive = true;
-		return this;
-	}
-
-	public Match<OUTPUT> set(Action<OUTPUT> action) {
-		this.action = action;
-		return this;
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/wsse/WSSEParser.java b/core/src/main/java/com/att/cadi/wsse/WSSEParser.java
deleted file mode 100644
index 4c7ba90..0000000
--- a/core/src/main/java/com/att/cadi/wsse/WSSEParser.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import javax.xml.stream.XMLStreamException;
-
-import com.att.cadi.BasicCred;
-
-
-/**
- * WSSE Parser
- * 
- * Read the User and Password from WSSE Formatted SOAP Messages 
- * 
- * This class uses StAX so that processing is stopped as soon as the Security User/Password are read into BasicCred, or the Header Ends
- * 
- * This class is intended to be created once (or very few times) and reused as much as possible.
- * 
- * It is as thread safe as StAX parsing is.
- * 
- */
-public class WSSEParser {
-	private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
-	private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
-	private Match<BasicCred> parseTree;
-	//private XMLInputFactory inputFactory;
-
-	public WSSEParser() {
-		// soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username]
-		parseTree = new Match<BasicCred>(SOAP_NS,"root", // need a root level to start from... Doesn't matter what the tag is
-			new Match<BasicCred>(SOAP_NS,"Envelope",
-				new Match<BasicCred>(SOAP_NS,"Header",
-					new Match<BasicCred>(WSSE_NS,"Security",
-						new Match<BasicCred>(WSSE_NS,"UsernameToken",
-							new Match<BasicCred>(WSSE_NS,"Password").set(new Action<BasicCred>() {
-								public boolean content(BasicCred bc,String text) {
-									bc.setCred(text.getBytes());
-									return true;
-								}
-							}),
-							new Match<BasicCred>(WSSE_NS,"Username").set(new Action<BasicCred>() {
-								public boolean content(BasicCred bc,String text) {
-									bc.setUser(text);
-									return true;
-								}
-							})
-						).stopAfter() // if found, end when UsernameToken ends (no further processing needed)
-					)
-				).stopAfter() // Stop Processing when Header Ends
-			).exclusive()// Envelope must match Header, and no other.  FYI, Body comes after Header short circuits (see above), so it's ok
-		).exclusive(); // root must be Envelope
-		//inputFactory = XMLInputFactory.newInstance();
-	}
-	
-	public XMLStreamException parse(BasicCred bc, InputStream is) throws IOException {
-		try {
-			parseTree.onMatch(bc, new XReader(is));
-			return null;
-		} catch (XMLStreamException e) {
-			return e;
-		}
-	}
-}
diff --git a/core/src/main/java/com/att/cadi/wsse/XEvent.java b/core/src/main/java/com/att/cadi/wsse/XEvent.java
deleted file mode 100644
index 51a2734..0000000
--- a/core/src/main/java/com/att/cadi/wsse/XEvent.java
+++ /dev/null
@@ -1,135 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse;
-
-import javax.xml.namespace.QName;
-import javax.xml.stream.events.XMLEvent;
-
-/**
- * XEvent
- * 
- * This mechanism mimics a minimal portion of StAX "XMLEvent", enough to work with minimal XReader.
- * 
- * We implement the same interface, as much as minimally necessary, as XMLEvent for these small usages so as to
- * be interchangeable in the future, if so desired
- * 
- *
- */
-// @SuppressWarnings("restriction")
-public abstract class XEvent {
-
-	public abstract int getEventType();
-
-	public StartElement asStartElement() {
-		return (StartElement)this;
-	}
-
-	public Characters asCharacters() {
-		return (Characters)this;
-	}
-
-	public EndElement asEndElement() {
-		return (EndElement)this;
-	}
-
-    public static abstract class NamedXEvent extends XEvent {
-    	private QName qname;
-
-    	public NamedXEvent(QName qname) {
-    		this.qname = qname;
-    	}
-    	
-		public QName getName() {
-    		return qname;
-    	}
-    }
-	public static class StartElement extends NamedXEvent {
-
-		public StartElement(String ns, String tag) {
-			super(new QName(ns,tag));
-		}
-
-		@Override
-		public int getEventType() {
-			return XMLEvent.START_ELEMENT;
-		}
-	}
-
-	public static class EndElement extends NamedXEvent {
-		public EndElement(String ns, String tag) {
-			super(new QName(ns,tag));
-		}
-		
-		@Override
-		public int getEventType() {
-			return XMLEvent.END_ELEMENT;
-		}
-	}
-
-	public static class Characters extends XEvent {
-		private String data;
-
-		public Characters(String data) {
-			this.data = data;
-		}
-		@Override
-		public int getEventType() {
-			return XMLEvent.CHARACTERS;
-		}
-
-		public String getData() {
-			return data;
-		}
-	}
-	
-	public static class StartDocument extends XEvent {
-
-		@Override
-		public int getEventType() {
-			return XMLEvent.START_DOCUMENT;
-		}
-		
-	}
-
-	public static class EndDocument extends XEvent {
-
-		@Override
-		public int getEventType() {
-			return XMLEvent.END_DOCUMENT;
-		}
-		
-	}
-	public static class Comment extends XEvent {
-		public final String value;
-		public Comment(String value) {
-			this.value = value;
-		}
-
-		@Override
-		public int getEventType() {
-			return XMLEvent.COMMENT;
-		}
-	
-	}
-
-}
diff --git a/core/src/main/java/com/att/cadi/wsse/XReader.java b/core/src/main/java/com/att/cadi/wsse/XReader.java
deleted file mode 100644
index 833eb60..0000000
--- a/core/src/main/java/com/att/cadi/wsse/XReader.java
+++ /dev/null
@@ -1,416 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Stack;
-
-import javax.xml.stream.XMLStreamException;
-
-/**
- * XReader
- * This class works similarly as StAX, except StAX has more behavior than is needed.  That would be ok, but 
- * StAX also was Buffering in their code in such as way as to read most if not all the incoming stream into memory,
- * defeating the purpose of pre-reading only the Header
- * 
- * This Reader does no back-tracking, but is able to create events based on syntax and given state only, leaving the
- * Read-ahead mode of the InputStream up to the other classes.
- * 
- * At this time, we only implement the important events, though if this is good enough, it could be expanded, perhaps to 
- * replace the original XMLReader from StAX.
- * 
- *
- */
-// @SuppressWarnings("restriction")
-public class XReader {
-	private XEvent curr,another;
-	private InputStream is;
-	private ByteArrayOutputStream baos;
-	private int state, count, last;
-	
-	private Stack<Map<String,String>> nsses;
-	
-	public XReader(InputStream is) {
-		this.is = is;
-		curr = another = null;
-		baos = new ByteArrayOutputStream();
-		state = BEGIN_DOC; 
-		count = 0;
-		nsses = new Stack<Map<String,String>>();
-	}
-	
-	public boolean hasNext() throws XMLStreamException {
-		if(curr==null) {
-			curr = parse();
-		}
-		return curr!=null;
-	}
-
-	public XEvent nextEvent() {
-		XEvent xe = curr;
-		curr = null;
-		return xe;
-	}
-
-	// 
-	// State Flags
-	//
-	// Note: The State of parsing XML can be complicated.  There are too many to cleanly keep in "booleans".  Additionally,
-	// there are certain checks that can be better made with Bitwise operations within switches
-	// Keeping track of state this way also helps us to accomplish logic without storing any back characters except one
-	private final static int BEGIN_DOC=  0x000001;
-	private final static int DOC_TYPE=   0x000002;
-	private final static int QUESTION_F= 0x000004;
-	private final static int QUESTION =  0x000008;
-	private final static int START_TAG = 0x000010;
-	private final static int END_TAG = 	 0x000020;
-	private final static int VALUE=		 0x000040;
-	private final static int COMMENT =   0x001000;
-	private final static int COMMENT_E = 0x002000;
-	private final static int COMMENT_D1 =0x010000;
-	private final static int COMMENT_D2 =0x020000;
-	private final static int COMMENT_D3 =0x040000;
-	private final static int COMMENT_D4 =0x080000;
-	// useful combined Comment states
-	private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2;
-	private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4;
-	
-	
-	private XEvent parse() throws XMLStreamException {
-		Map<String,String> nss = nsses.isEmpty()?null:nsses.peek();
-
-		XEvent rv;
-		if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not 
-								 // immediately returned.  Save for next parse.  If necessary, this could be turned into
-								 // a FIFO storage, but a single reference is enough for now.
-			another = null;      // "rv" is now set for the Event, and will be returned.  Set to Null.
-		} else {
-			boolean go = true;
-			int c=0;
-			
-			try {
-				while(go && (c=is.read())>=0) {
-					++count;
-					switch(c) {
-						case '<': // Tag is opening
-							state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc
-							XEvent cxe = null;
-							if(baos.size()>0) { // If there are any characters between tags, we send as Character Event
-								String chars = baos.toString().trim();  // Trim out WhiteSpace before and after
-								if(chars.length()>0) { // don't send if Characters were only whitespace
-									cxe = new XEvent.Characters(chars);
-									baos.reset();
-									go = false;
-								}
-							}
-							last = c;  // make sure "last" character is set for use in "ParseTag"
-							Tag t = parseTag(); // call subroutine to process the tag as a unit
-							String ns;
-							switch(t.state&(START_TAG|END_TAG)) {
-								case START_TAG:
-										nss = getNss(nss,t); 			// Only Start Tags might have NS Attributes   
-																		// Get any NameSpace elements from tag.  If there are, nss will become 
-																		// a new Map with all the previous NSs plus the new.  This provides 
-																		// scoping behavior when used with the Stack
-									// drop through on purpose
-								case END_TAG:
-									ns = t.prefix==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists)
-									break;
-								default:
-									ns = "";
-							}
-							if(ns==null)
-								throw new XMLStreamException("Invalid Namespace Prefix at " + count);
-							go = false;
-							switch(t.state) { // based on 
-							  case DOC_TYPE: 
-								  rv = new XEvent.StartDocument();
-								  break;
-							  case COMMENT:
-								  rv = new XEvent.Comment(t.value);
-								  break;
-							  case START_TAG:
-								  rv = new XEvent.StartElement(ns,t.name);
-								  nsses.push(nss);				// Change potential scope for Namespace
-								  break;
-							  case END_TAG:
-								  rv = new XEvent.EndElement(ns,t.name);
-								  nss = nsses.pop();			// End potential scope for Namespace
-								  break;
-							  case START_TAG|END_TAG:			// This tag is both start/end  aka <myTag/>
-								  rv = new XEvent.StartElement(ns,t.name);
-								  if(last=='/')another = new XEvent.EndElement(ns,t.name);
-							}
-							if(cxe!=null) {     // if there is a Character Event, it actually should go first.  ow.
-								another = rv;   // Make current Event the "another" or next event, and 
-								rv = cxe;		// send Character Event now
-							}
-							break;
-						case ' ':
-						case '\t':
-						case '\n':
-							if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore 
-								break;
-							}
-							// fallthrough on purpose
-						default:
-							if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML
-								throw new XMLStreamException("Parse Error: This is not an XML Doc");
-							}
-							baos.write(c); // save off Characters
-					}
-					last = c; // Some processing needs to know what the last character was, aka Escaped characters... ex \"
-				}
-			} catch (IOException e) {
-				throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX)
-			}
-			if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { 			   // Normally, end of stream is ok, however, we need to know if the 
-				throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it 
-			}														   // hasn't yet been determined to be an XML Doc
-		}
-		return rv;
-	}
-	
-	/**
-	 * parseTag
-	 * 
-	 * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the 
-	 * higher level Parsing effort
-	 * @return
-	 * @throws IOException
-	 * @throws XMLStreamException
-	 */
-	private Tag parseTag() throws IOException, XMLStreamException {
-		Tag tag = null;
-		boolean go = true;
-		state = 0;
-		int c, quote=0; // If "quote" is 0, then we're not in a quote.  We set ' (in pretag) or " in attribs accordingly to denote quoted
-		String prefix=null,name=null,value=null;
-		baos.reset();
-		
-		while(go && (c=is.read())>=0) {
-			++count;
-			if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \
-				if(c==quote && last!='\\') {
-					quote=0;
-				} else {
-					baos.write(c);
-				}
-			} else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment
-				switch(c) {
-					case '-':
-						switch(state) { // XML has a complicated Quote set... <!-- --> ... we keep track if each has been met with flags. 
-							case COMMENT|COMMENT_E:
-								state|=COMMENT_D1;
-								break;
-							case COMMENT|COMMENT_E|COMMENT_D1:
-								state|=COMMENT_D2;
-								baos.reset();				// clear out "!--", it's a Comment
-								break;
-							case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2:
-								state|=COMMENT_D3;
-								baos.write(c);
-								break;
-							case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3:
-								state|=COMMENT_D4;
-								baos.write(c);
-								break;
-						}
-						break;
-					case '>': // Tag indicator has been found, do we have all the comment characters in line?
-						if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) {
-							byte ba[] = baos.toByteArray();
-							tag = new Tag(null,null, new String(ba,0,ba.length-2));
-							baos.reset();
-							go = false;
-							break;
-						}
-						// fall through on purpose
-					default:
-						state&=~(COMMENT_D3|COMMENT_D4);
-						if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment
-						baos.write(c);
-				}
-			} else { // Normal Tag Processing loop
-				switch(c) {
-					case '?': 
-						switch(state & (QUESTION_F|QUESTION)) {  // Validate the state of Doc tag... <?xml ... ?>
-							case QUESTION_F:
-								state |= DOC_TYPE;
-								state &= ~QUESTION_F;
-								break;
-							case 0:
-								state |=QUESTION_F;
-								break;
-							default:
-								throw new IOException("Bad character [?] at " + count);
-						}
-						break;
-					case '!':
-						if(last=='<') { 
-							state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop
-						}
-						baos.write(c);
-						break;
-					case '/':
-						state|=(last=='<'?END_TAG:(END_TAG|START_TAG));  // end tag indicator </xxx>, ,or both <xxx/>
-						break;
-					case ':':
-						prefix=baos.toString(); // prefix indicator
-						baos.reset();
-						break;
-					case '=':					// used in Attributes
-						name=baos.toString();
-						baos.reset();
-						state|=VALUE;
-						break;
-					case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data
-						go = false;
-						// passthrough on purpose
-					case ' ':
-					case '\t':
-					case '\n': // white space indicates change in internal tag state, ex between name and between attributes
-						if((state&VALUE)==VALUE) {
-							value = baos.toString();	// we're in VALUE state, add characters to Value
-						} else if(name==null) {
-							name = baos.toString();		// we're in Name state (default) add characters to Name
-						}
-						baos.reset();					// we've assigned chars, reset buffer
-						if(name!=null) {				// Name is not null, there's a tag in the offing here...
-							Tag t = new Tag(prefix,name,value);
-							if(tag==null) {				// Set as the tag to return, if not exists
-								tag = t;
-							} else {					// if we already have a Tag, then we'll treat this one as an attribute
-								tag.add(t);
-							}
-						}
-						prefix=name=value=null;			// reset these values in case we loop for attributes.
-						break;
-					case '\'':							// is the character one of two kinds of quote?
-					case '"':
-						if(last!='\\') {
-							quote=c;
-							break;
-						}
-						// Fallthrough ok
-					default:
-						baos.write(c);					// write any unprocessed bytes into buffer
-						
-				}
-			}
-			last = c;
-		}
-		int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag
-		if(type==0) {
-			type=START_TAG;
-		}
-		tag.state|=type;	// add the appropriate Tag States
-		return tag;
-	}
-
-	/**
-	 * getNSS
-	 * 
-	 * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add
-	 * This provides Scoping behavior
-	 * 
-	 * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps.
-	 * 
-	 * @param nss
-	 * @param t
-	 * @return
-	 */
-	private Map<String, String> getNss(Map<String, String> nss, Tag t) {
-		Map<String,String> newnss = null;
-		if(t.attribs!=null) {
-			for(Tag tag : t.attribs) {
-				if("xmlns".equals(tag.prefix)) {
-					if(newnss==null) {
-						newnss = new HashMap<String,String>();
-						if(nss!=null)newnss.putAll(nss);
-					}
-					newnss.put(tag.name, tag.value);
-				}
-			}
-		}
-		return newnss==null?(nss==null?new HashMap<String,String>():nss):newnss;
-	}
-
-	/**
-	 * The result of the parseTag method
-	 * 
-	 * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM
-	 * as Attributes.  
-	 * 
-	 *
-	 */
-	public class Tag {
-		public int state;
-		public String prefix,name,value;
-		public List<Tag> attribs;
-
-		public Tag(String prefix, String name, String value) {
-			this.prefix = prefix;
-			this.name = name;
-			this.value = value;
-			attribs = null;  
-		}
-
-		/**
-		 * add an attribute
-		 * Not all tags need attributes... lazy instantiate to save time and memory
-		 * @param tag
-		 */
-		public void add(Tag attrib) {
-			if(attribs == null) {
-				attribs = new ArrayList<Tag>();
-			}
-			attribs.add(attrib);
-		}
-		
-		public String toString() {
-			StringBuffer sb = new StringBuffer();
-			if(prefix!=null) {
-				sb.append(prefix);
-				sb.append(':');
-			}
-			sb.append(name==null?"!!ERROR!!":name);
-
-			char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"';
-			if(value!=null) {
-				sb.append('=');
-				sb.append(quote);
-				sb.append(value);
-				sb.append(quote);
-			}
-			return sb.toString();
-		}
-	}
-
-}
diff --git a/core/src/main/java/org/onap/aaf/cadi/AES.java b/core/src/main/java/org/onap/aaf/cadi/AES.java
new file mode 100644
index 0000000..515fc27
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/AES.java
@@ -0,0 +1,127 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.onap.aaf.cadi.util.Chmod;
+
+public class AES {
+	public static final String AES = AES.class.getSimpleName();
+	public static final int AES_KEY_SIZE = 128; // 256 isn't supported on all JDKs.
+	
+	private Cipher aesCipher;
+	private SecretKeySpec aeskeySpec;
+
+	public AES() throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+		aesCipher = Cipher.getInstance(AES);
+	    aeskeySpec = new SecretKeySpec(newKey().getEncoded(), AES);
+	}
+	
+	public static SecretKey newKey() throws NoSuchAlgorithmException {
+		KeyGenerator kgen = KeyGenerator.getInstance(AES);
+	    kgen.init(AES_KEY_SIZE);
+	    return kgen.generateKey();
+	}
+
+	public AES(File keyfile) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+		aesCipher = Cipher.getInstance(AES);
+		byte[] aesKey = new byte[AES_KEY_SIZE/8];
+		FileInputStream fis = new FileInputStream(keyfile);
+		try {
+			fis.read(aesKey);
+		} finally {
+			fis.close();
+		}
+		aeskeySpec = new SecretKeySpec(aesKey,AES);
+	}
+
+	public AES(byte[] aeskey, int offset, int len) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException {
+		aesCipher = Cipher.getInstance(AES);
+		aeskeySpec = new SecretKeySpec(aeskey,offset,len,AES);
+	}
+	
+	public byte[] encrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+		aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+		return aesCipher.doFinal(in);
+	}
+	
+	public byte[] decrypt(byte[] in) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+		aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec); 
+		return aesCipher.doFinal(in);
+	}
+	
+	public void save(File keyfile) throws IOException {
+		FileOutputStream fis = new FileOutputStream(keyfile);
+		try {
+			fis.write(aeskeySpec.getEncoded());
+		} finally {
+			fis.close();
+		}
+		Chmod.to400.chmod(keyfile);
+	}
+
+	public CipherOutputStream outputStream(OutputStream os, boolean encrypt) {
+		try {
+			if(encrypt) {
+				aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+			} else {
+				aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
+			}
+		} catch (InvalidKeyException e) {
+			// KeySpec created earlier... no chance being wrong.
+		} 
+		return new CipherOutputStream(os,aesCipher);
+	}
+	
+	public CipherInputStream inputStream(InputStream is, boolean encrypt) {
+		try {
+			if(encrypt) {
+				aesCipher.init(Cipher.ENCRYPT_MODE,aeskeySpec);
+			} else {
+				aesCipher.init(Cipher.DECRYPT_MODE,aeskeySpec);
+			}
+		} catch (InvalidKeyException e) {
+			// KeySpec created earlier... no chance being wrong.
+		} 
+		
+		return new CipherInputStream(is,aesCipher);
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java
new file mode 100644
index 0000000..ceb6ca3
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/AbsCachedPrincipal.java
@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+
+public abstract class AbsCachedPrincipal<TAF> implements CachedPrincipal {
+	protected TAF taf;
+
+	protected AbsCachedPrincipal(TAF taf) {
+		this.taf = taf;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java b/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
new file mode 100644
index 0000000..1846793
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/AbsUserCache.java
@@ -0,0 +1,408 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Timer;
+import java.util.TimerTask;
+import java.util.TreeMap;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+
+/**
+ * Implement Fast lookup and Cache for Local User Info
+ * 
+ * Include ability to add and remove Users
+ * 
+ * Also includes a Timer Thread (when necessary) to invoke cleanup on expiring Credentials
+ * 
+ *
+ */
+public abstract class AbsUserCache<PERM extends Permission> {
+	static final int MIN_INTERVAL = 15000;
+	static final int MAX_INTERVAL = 1000*60*5; // 5 mins
+	private static Timer timer;
+	// Map of userName to User
+	private final Map<String, User<PERM>> userMap;
+	private final Map<String, Miss> missMap;
+	private Clean clean;
+	protected Access access;
+//	private final static Permission teaser = new LocalPermission("***NoPERM****");
+	
+	protected AbsUserCache(Access access, long cleanInterval, int highCount, int usageCount) {
+		this.access = access;
+		userMap = new ConcurrentHashMap<String, User<PERM>>();
+		missMap = new TreeMap<String,Miss>();
+		if(cleanInterval>0) {
+			cleanInterval = Math.max(MIN_INTERVAL, cleanInterval);
+			synchronized(AbsUserCache.class) { // Lazy instantiate.. in case there is no cleanup needed
+				if(timer==null) {
+					timer = new Timer("CADI Cleanup Timer",true);
+				}
+				
+				timer.schedule(clean = new Clean(access, cleanInterval, highCount, usageCount), cleanInterval, cleanInterval);
+				access.log(Access.Level.INIT, "Cleaning Thread initialized with interval of",cleanInterval, "ms and max objects of", highCount);
+			}
+		}
+	}
+	
+	@SuppressWarnings("unchecked")
+	public AbsUserCache(AbsUserCache<PERM> cache) {
+		this.access = cache.access;
+		userMap = cache.userMap;
+		missMap = cache.missMap;
+		synchronized(AbsUserCache.class) {
+			if(cache.clean!=null && cache.clean.lur==null && this instanceof CachingLur) {
+				cache.clean.lur=(CachingLur<PERM>)this;
+			}
+		}
+	}
+
+	protected void setLur(CachingLur<PERM> lur) {
+		if(clean!=null)clean.lur = lur;
+		
+	}
+	
+	protected void addUser(User<PERM> user) {
+		userMap.put(user.principal.getName(), user);
+	}
+
+	// Useful for looking up by WebToken, etc.
+	protected void addUser(String key, User<PERM> user) {
+		userMap.put(key, user);
+	}
+	
+	/**
+	 * Add miss to missMap.  If Miss exists, or too many tries, returns false.
+	 * 
+	 * otherwise, returns true to allow another attempt.
+	 * 
+	 * @param key
+	 * @param bs
+	 * @return
+	 */
+	protected boolean addMiss(String key, byte[] bs) {
+		Miss miss = missMap.get(key);
+		if(miss==null) {
+			synchronized(missMap) {
+				missMap.put(key, new Miss(bs,clean==null?MIN_INTERVAL:clean.timeInterval));
+			}
+			return true;
+		}
+		return miss.add(bs); 
+	}
+
+	protected Miss missed(String key) {
+		return missMap.get(key);
+	}
+
+	protected User<PERM> getUser(String userName) {
+		User<PERM> u = userMap.get(userName);
+		if(u!=null) {
+			u.incCount();
+		}
+		return u;
+	}
+	
+	protected User<PERM> getUser(Principal principal) {
+		return getUser(principal.getName()); 
+	}
+	
+	/**
+	 * Removes User from the Cache
+	 * @param user
+	 */
+	protected void remove(User<PERM> user) {
+		userMap.remove(user.principal.getName());
+	}
+	
+	/**
+	 * Removes user from the Cache
+	 * 
+	 * @param user
+	 */
+	public void remove(String user) {
+		Object o = userMap.remove(user);
+		if(o!=null) {
+			access.log(Level.INFO, user,"removed from Client Cache by Request");
+		}
+	}
+	
+	/**
+	 * Clear all users from the Client Cache
+	 */
+	public void clearAll() {
+		userMap.clear();
+	}
+	
+	public final List<DumpInfo> dumpInfo() {
+		List<DumpInfo> rv = new ArrayList<DumpInfo>();
+		for(User<PERM> user : userMap.values()) {
+			rv.add(new DumpInfo(user));
+		}
+		return rv;
+	}
+
+	/**
+	 * The default behavior of a LUR is to not handle something exclusively.
+	 */
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+	
+	/**
+	 * Container calls when cleaning up... 
+	 * 
+	 * If overloading in Derived class, be sure to call "super.destroy()"
+	 */
+	public void destroy() {
+		if(timer!=null) {
+			timer.purge();
+			timer.cancel();
+		}
+	}
+	
+	
+
+	// Simple map of Group name to a set of User Names
+	//	private Map<String, Set<String>> groupMap = new HashMap<String, Set<String>>();
+
+	/**
+	 * Class to hold a small subset of the data, because we don't want to expose actual Permission or User Objects
+	 */
+	public final class DumpInfo {
+		public String user;
+		public List<String> perms;
+		
+		public DumpInfo(User<PERM> user) {
+			this.user = user.principal.getName();
+			perms = new ArrayList<String>(user.perms.keySet());
+		}
+	}
+	
+	/**
+	 * Clean will examine resources, and remove those that have expired.
+	 * 
+	 * If "highs" have been exceeded, then we'll expire 10% more the next time.  This will adjust after each run
+	 * without checking contents more than once, making a good average "high" in the minimum speed.
+	 * 
+	 *
+	 */
+	private final class Clean extends TimerTask {
+		private final Access access;
+		private CachingLur<PERM> lur;
+		
+		// The idea here is to not be too restrictive on a high, but to Expire more items by 
+		// shortening the time to expire.  This is done by judiciously incrementing "advance"
+		// when the "highs" are exceeded.  This effectively reduces numbers of cached items quickly.
+		private final int high;
+		private long advance;
+		private final long timeInterval;
+		private final int usageTriggerCount;
+		
+		public Clean(Access access, long cleanInterval, int highCount, int usageTriggerCount) {
+			this.access = access;
+			lur = null;
+			high = highCount;
+			timeInterval = cleanInterval;
+			advance = 0;
+			this.usageTriggerCount=usageTriggerCount;
+		}
+		public void run() {
+			int renewed = 0;
+			int count = 0;
+			int total = 0;
+			try {
+				// look at now.  If we need to expire more by increasing "now" by "advance"
+				ArrayList<User<PERM>> al = new ArrayList<User<PERM>>(userMap.values().size());
+				al.addAll(0, userMap.values());
+				long now = System.currentTimeMillis() + advance;
+				for(User<PERM> user : al) {
+					++total;
+						if(user.count>usageTriggerCount) {
+	//						access.log(Level.AUDIT, "Checking Thread", new Date(now));
+							boolean touched = false, removed=false;
+							if(user.principal instanceof CachedPrincipal) {
+								CachedPrincipal cp = (CachedPrincipal)user.principal;
+								if(cp.expires() < now) {
+									switch(cp.revalidate()) {
+										case INACCESSIBLE:
+											access.log(Level.AUDIT, "AAF Inaccessible.  Keeping credentials");
+											break;
+										case REVALIDATED:
+											user.resetCount();
+			//								access.log(Level.AUDIT, "CACHE revalidated credentials");
+											touched = true;
+											break;
+										default:
+											user.resetCount();
+											remove(user);
+											++count;
+											removed = true;
+											break;
+									}
+								}
+							}
+						
+	//						access.log(Level.AUDIT, "User Perm Expires", new Date(user.permExpires));
+							if(!removed && lur!=null && user.permExpires<= now ) {
+	//							access.log(Level.AUDIT, "Reloading");
+								if(lur.reload(user).equals(Resp.REVALIDATED)) {
+									user.renewPerm();
+									access.log(Level.DEBUG, "Reloaded Perms for",user);
+									touched = true;
+								}
+							}
+							user.resetCount();
+							if(touched) {
+								++renewed;
+							}
+	
+						} else {
+							if(user.permExpired()) {
+								remove(user);
+								++count;
+							}
+						}
+				}
+				
+				// Clean out Misses
+				int missTotal = missMap.keySet().size();
+				int miss = 0;
+				if(missTotal>0) {
+					ArrayList<String> keys = new ArrayList<String>(missTotal);
+					keys.addAll(missMap.keySet());
+					for(String key : keys) {
+						Miss m = missMap.get(key);
+						if(m!=null && m.timestamp<System.currentTimeMillis()) {
+							synchronized(missMap) {
+								missMap.remove(key);
+							}
+							access.log(Level.INFO, key, "has been removed from Missed Credential Map (" + m.tries + " invalid tries)");
+							++miss;
+						}
+					}
+				}
+				
+				if(count+renewed+miss>0) {
+					access.log(Level.INFO, (lur==null?"Cache":lur.getClass().getSimpleName()), "removed",count,
+						"and renewed",renewed,"expired Permissions out of", total,"and removed", miss, "password misses out of",missTotal);
+				}
+	
+				// If High (total) is reached during this period, increase the number of expired services removed for next time.
+				// There's no point doing it again here, as there should have been cleaned items.
+				if(total>high) {
+					// advance cleanup by 10%, without getting greater than timeInterval.
+					advance = Math.min(timeInterval, advance+(timeInterval/10));
+				} else {
+					// reduce advance by 10%, without getting lower than 0.
+					advance = Math.max(0, advance-(timeInterval/10));
+				}
+			} catch (Exception e) {
+				access.log(Level.ERROR,e.getMessage());
+			}
+		}
+	}
+	
+	public static class Miss {
+		private static final int MAX_TRIES = 3;
+
+		long timestamp;
+		byte[][] array;
+
+		private long timetolive;
+
+		private int tries;
+		
+		public Miss(byte[] first, long timeInterval) {
+			array = new byte[MAX_TRIES][];
+			array[0]=first;
+			timestamp = System.currentTimeMillis() + timeInterval;
+			this.timetolive = timeInterval;
+			tries = 1;
+		}
+		
+		public boolean mayContinue(byte[] bs) {
+			if(++tries > MAX_TRIES) return false;
+			for(byte[] a : array) {
+				if(a==null)return true;
+				if(equals(a,bs)) {
+					return false;
+				}
+			}
+			return true;
+		}
+
+		public synchronized boolean add(byte[] bc) {
+			if(++tries>MAX_TRIES)return false;
+			timestamp = System.currentTimeMillis()+timetolive;
+			for(int i=0;i<MAX_TRIES;++i) {
+				if(array[i]==null) {
+					array[i]=bc;
+					return true; // add to array, and allow more tries
+				} else if(equals(array[i],bc)) {
+					return false;
+				}
+			}
+			return false; // no more tries until cache cleared.
+		}
+		
+		private boolean equals(byte[] src, byte[] target) {
+			if(target.length==src.length) {
+				for(int j=0;j<src.length;++j) {
+					if(src[j]!=target[j]) return false;
+				}
+				return true; // same length and same chars
+			}
+			return false;
+		}
+	}
+	
+	/**
+	 * Report on state
+	 */
+	public String toString() {
+		return getClass().getSimpleName() + 
+				" Cache:\n  Users Cached: " +
+				userMap.size() +
+				"\n  Misses Saved: " +
+				missMap.size() +
+				'\n';
+				
+	}
+
+	public void clear(Principal p, StringBuilder sb) {
+		sb.append(toString());
+		userMap.clear();
+		missMap.clear();
+		access.log(Level.AUDIT, p.getName(),"has cleared User Cache in",getClass().getSimpleName());
+		sb.append("Now cleared\n");
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Access.java b/core/src/main/java/org/onap/aaf/cadi/Access.java
new file mode 100644
index 0000000..a8eeda1
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Access.java
@@ -0,0 +1,172 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * Various Environments require different logging mechanisms, or at least allow
+ * for different ones. We need the Framework to be able to hook into any particular instance of logging
+ * mechanism, whether it be a Logging Object within a Servlet Context, or a direct library like log4j.
+ * This interface, therefore, allows maximum pluggability in a variety of different app styles.  
+ *  
+ *
+ */
+public interface Access {
+	// levels to use
+	public enum Level {
+		DEBUG(0x1), INFO(0x10), AUDIT(0x100), WARN(0x2000), ERROR(0x4000), INIT(0x8000),NONE(0XFFFF);
+		private final int bit;
+		
+		Level(int ord) {
+			bit = ord;
+		}
+		
+		public boolean inMask(int mask) {
+			return (mask & bit) == bit;
+		}
+		
+		public int addToMask(int mask) {
+			return mask | bit;
+		}
+
+		public int delFromMask(int mask) {
+			return mask & ~bit;
+		}
+
+		public int toggle(int mask) {
+			if(inMask(mask)) {
+				return delFromMask(mask);
+			} else {
+				return addToMask(mask);
+			}
+		}
+
+
+		public int maskOf() {
+			int mask=0;
+			for(Level l : values()) {
+				if(ordinal()<l.ordinal()) {
+					mask|=l.bit;
+				}
+			}
+			return mask;
+		}
+	}
+
+	/**
+	 * Write a variable list of Object's text via the toString() method with appropriate space, etc.
+	 * @param elements
+	 */
+	public void log(Level level, Object ... elements);
+
+	/**
+	 * Printf mechanism for Access
+	 * @param level
+	 * @param fmt
+	 * @param elements
+	 */
+	public void printf(Level level, String fmt, Object ... elements);
+	
+	/** 
+	 * Check if message will log before constructing
+	 * @param level
+	 * @return
+	 */
+	public boolean willLog(Level level);
+
+	/**
+	 * Write the contents of an exception, followed by a variable list of Object's text via the 
+	 * toString() method with appropriate space, etc.
+	 * 
+	 * The Loglevel is always "ERROR"
+	 * 
+	 * @param elements
+	 */
+	public void log(Exception e, Object ... elements);
+	
+	/**
+	 * Set the Level to compare logging too
+	 */
+	public void setLogLevel(Level level);
+		
+	/**
+	 * It is important in some cases to create a class from within the same Classloader that created
+	 * Security Objects.  Specifically, it's pretty typical for Web Containers to separate classloaders
+	 * so as to allow Apps with different dependencies. 
+	 * @return
+	 */
+	public ClassLoader classLoader();
+
+	public String getProperty(String string, String def);
+	
+	public void load(InputStream is) throws IOException;
+
+	/**
+	 * if "anytext" is true, then decryption will always be attempted.  Otherwise, only if starts with 
+	 * Symm.ENC
+	 * @param encrypted
+	 * @param anytext
+	 * @return
+	 * @throws IOException
+	 */
+	public String decrypt(String encrypted, boolean anytext) throws IOException;
+
+	public static final Access NULL = new Access() {
+		public void log(Level level, Object... elements) {
+		}
+
+		@Override
+		public void printf(Level level, String fmt, Object... elements) {
+		}
+
+		public void log(Exception e, Object... elements) {
+		}
+
+		public ClassLoader classLoader() {
+			return this.classLoader();
+		}
+
+		public String getProperty(String string, String def) {
+			return null;
+		}
+
+		public void load(InputStream is) throws IOException {
+		}
+
+		public void setLogLevel(Level level) {
+		}
+
+		public String decrypt(String encrypted, boolean anytext) throws IOException {
+			return encrypted;
+		}
+
+		@Override
+		public boolean willLog(Level level) {
+			return false;
+		}
+	};
+
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/BasicCred.java b/core/src/main/java/org/onap/aaf/cadi/BasicCred.java
new file mode 100644
index 0000000..a645b83
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/BasicCred.java
@@ -0,0 +1,36 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+/**
+ * An Interface for testing on Requests to see if we can get a User and Password
+ * It works for CadiWrap, but also, Container Specific Wraps (aka Tomcat) should also
+ * implement.
+ * 
+ *
+ */
+public interface BasicCred extends GetCred {
+	public void setUser(String user);
+	public void setCred(byte[] passwd);
+	public String getUser();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/BufferedCadiWrap.java b/core/src/main/java/org/onap/aaf/cadi/BufferedCadiWrap.java
new file mode 100644
index 0000000..56d72aa
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/BufferedCadiWrap.java
@@ -0,0 +1,80 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * BufferedCadiWrap exists to additionally wrap the InputStream with a BufferedInputStream to engage the
+ * "mark()/release()" API of InputStream.
+ * 
+ * This is a requirement for Re-Reading Content for brain-dead Middleware such as SOAP WS-Security.
+ * 
+ * Framework needs to set the TafResp and Lur (typically) later in the 
+ * 
+ *
+ */
+public class BufferedCadiWrap extends CadiWrap {
+	private BufferedServletInputStream sis;
+	
+	public BufferedCadiWrap(HttpServletRequest request) {
+		super(request, null, null); // will need to set TafResp and Lur separately
+		sis = null;
+	}
+
+
+	// @Override
+	public BufferedServletInputStream getInputStream() throws IOException {
+//		System.out.println("getInputStream() from Buffered CadiWrap... sis = " + sis);
+//		try {
+//			throw new Exception("OK, here's where we are...");
+//		} catch (Exception e) {
+//			e.printStackTrace();
+//		}
+		if(sis==null) {
+			sis = new BufferedServletInputStream(super.getInputStream());
+//		} else {
+//			try {
+//			System.out.println("sis has " + sis.buffered() + " buffered bytes, and reports " + sis.available() + " available");
+//			} catch (Exception e) {
+//				e.printStackTrace();
+//			}
+		}
+		return sis;
+	}
+
+	// @Override
+	public BufferedReader getReader() throws IOException {
+//		System.out.println("getReader() from Buffered CadiWrap... sis = " + sis);
+//		try {
+//			throw new Exception("OK, here's where we are...");
+//		} catch (Exception e) {
+//			e.printStackTrace();
+//		}
+		return new BufferedReader(new InputStreamReader(getInputStream()));
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java b/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java
new file mode 100644
index 0000000..345db91
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/BufferedServletInputStream.java
@@ -0,0 +1,214 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.servlet.ServletInputStream;
+
+/**
+ * BufferedServletInputStream
+ * 
+ * There are cases in brain-dead middleware (SOAP) where they store routing information in the content.
+ * 
+ * In HTTP, this requires reading the content from the InputStream which, of course, cannot be re-read.
+ * 
+ * BufferedInputStream exists to implement the "Mark" protocols for Streaming, which will enable being 
+ * re-read.  Unfortunately, J2EE chose to require a "ServletInputStream" as an abstract class, rather than
+ * an interface, which requires we create a delegating pattern, rather than the preferred inheriting pattern. 
+ * 
+ * Unfortunately, the standard "BufferedInputStream" cannot be used, because it simply creates a byte array
+ * in the "mark(int)" method of that size.  This is not appropriate for this application, because the Header 
+ * can be potentially huge, and if a buffer was allocated to accommodate all possibilities, the cost of memory 
+ * allocation would be too large for high performance transactions.
+ *
+ * 
+ *
+ */
+public class BufferedServletInputStream extends ServletInputStream {
+	private static final int NONE = 0;
+	private static final int STORE = 1;
+	private static final int READ = 2;
+	
+	private InputStream is;
+	private int state = NONE;
+	private Capacitor capacitor;
+
+	public BufferedServletInputStream(InputStream is) {
+		this.is = is;
+		capacitor = null;
+	}
+
+
+	// @Override
+	public int read() throws IOException {
+		int value=-1;
+		if(capacitor==null) {
+			value=is.read();
+		} else {
+			switch(state) {
+				case STORE:
+					value = is.read();
+					if(value>=0) {
+						capacitor.put((byte)value);
+					}
+					break;
+				case READ:
+					value = capacitor.read();
+					if(value<0) {
+						capacitor.done();
+						capacitor=null; // all done with buffer
+						value = is.read();
+					}
+			}
+		} 
+		return value;
+	}
+
+	// @Override
+	public int read(byte[] b) throws IOException {
+		return read(b,0,b.length);
+	}
+
+
+	// @Override
+	public int read(byte[] b, int off, int len) throws IOException {
+		int count = -1;
+		if(capacitor==null) {
+			count = is.read(b,off,len);
+		} else {
+			switch(state) {
+				case STORE:
+					count = is.read(b, off, len);
+					if(count>0) {
+						capacitor.put(b, off, count);
+					}
+					break;
+				case READ:
+					count = capacitor.read(b, off, len);
+//					System.out.println("Capacitor read " + count);
+					if(count<=0) {
+						capacitor.done();
+						capacitor=null; // all done with buffer
+					}
+					if(count<len) {
+						int temp = is.read(b, count, len-count);
+//						System.out.println("Capacitor done, stream read " + temp);
+						if(temp>0) { // watch for -1
+							count+=temp;
+						} else {
+							if(count<=0)count = temp; // must account for Stream coming back -1  
+						}
+					}
+					break;
+			}
+		}
+//		System.out.println("read reports " + count);
+		return count;
+	}
+
+	// @Override
+	public long skip(long n) throws IOException {
+		long skipped = capacitor.skip(n);
+		if(skipped<n) {
+			skipped += is.skip(n-skipped);
+		}
+		return skipped;
+	}
+
+
+	// @Override
+	public int available() throws IOException {
+		int count = is.available();
+		if(capacitor!=null)count+=capacitor.available();
+		return count;		
+	}
+	
+	/**
+	 * Return just amount buffered (for debugging purposes, mostly)
+	 * @return
+	 */
+	public int buffered() {
+		return capacitor.available();
+	}
+
+
+	// @Override
+	public void close() throws IOException {
+		if(capacitor!=null) {
+			capacitor.done();
+			capacitor=null;
+		}
+		is.close();
+	}
+
+
+	/**
+	 * Note: Readlimit is ignored in this implementation, because the need was for unknown buffer size which wouldn't 
+	 * require allocating and dumping huge chunks of memory every use, or risk overflow.
+	 */
+	// @Override
+	public synchronized void mark(int readlimit) {
+		switch(state) {
+			case NONE:
+				capacitor = new Capacitor();
+				break;
+			case READ:
+				capacitor.done();
+				break;
+			// ignore case STORE:
+		}
+		state = STORE;
+	}
+
+
+	/**
+	 * Reset Stream
+	 * 
+	 * Calling this twice is not supported in typical Stream situations, but it is allowed in this service.  The caveat is that it can only reset
+	 * the data read in since Mark has been called.  The data integrity is only valid if you have not continued to read past what is stored.
+	 *  
+	 */
+	// @Override
+	public synchronized void reset() throws IOException {
+		switch(state) {
+			case STORE:
+				capacitor.setForRead();
+				state = READ;
+				break;
+			case READ:
+				capacitor.reset();
+				break;
+//				throw new IOException("InputStream is already in READ state");
+			case NONE: 
+				throw new IOException("InputStream has not been marked");
+		}
+	}
+
+
+	// @Override
+	public boolean markSupported() {
+		return true;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CachedPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/CachedPrincipal.java
new file mode 100644
index 0000000..de90b74
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/CachedPrincipal.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.security.Principal;
+
+/**
+ * Cached Principals need to be able to revalidate in the background.
+ * 
+ *
+ */
+public interface CachedPrincipal extends Principal {
+	public enum Resp {NOT_MINE,UNVALIDATED,REVALIDATED,INACCESSIBLE,DENIED};
+	
+	/**
+	 * Re-validate with Creator
+	 * 
+	 * @return
+	 */
+	public abstract Resp revalidate();
+	
+	/**
+	 * Store when last updated.
+	 * @return
+	 */
+	public abstract long expires();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CachingLur.java b/core/src/main/java/org/onap/aaf/cadi/CachingLur.java
new file mode 100644
index 0000000..f57a567
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/CachingLur.java
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.security.Principal;
+
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+
+
+public interface CachingLur<PERM extends Permission> extends Lur {
+	public abstract void remove(String user);
+	public abstract Resp reload(User<PERM> user);
+	public abstract void setDebug(String commaDelimIDsOrNull);
+	public abstract void clear(Principal p, StringBuilder sb);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CadiException.java b/core/src/main/java/org/onap/aaf/cadi/CadiException.java
new file mode 100644
index 0000000..f8b06ce
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/CadiException.java
@@ -0,0 +1,50 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+/**
+ * CADI Specific Exception
+ */
+public class CadiException extends Exception {
+	/**
+	 *  Generated ID 
+	 */
+	private static final long serialVersionUID = -4180145363107742619L;
+
+	public CadiException() {
+		super();
+	}
+
+	public CadiException(String message) {
+		super(message);
+	}
+
+	public CadiException(Throwable cause) {
+		super(cause);
+	}
+
+	public CadiException(String message, Throwable cause) {
+		super(message, cause);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java b/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
new file mode 100644
index 0000000..6cf5694
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/CadiWrap.java
@@ -0,0 +1,193 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.filter.NullPermConverter;
+import org.onap.aaf.cadi.filter.PermConverter;
+import org.onap.aaf.cadi.lur.EpiLur;
+import org.onap.aaf.cadi.taf.TafResp;
+
+
+
+/**
+ * Inherit the HttpServletRequestWrapper, which calls methods of delegate it's created with, but
+ * overload the key security mechanisms with CADI mechanisms
+ * 
+ * This works with mechanisms working strictly with HttpServletRequest (i.e. Servlet Filters)
+ * 
+ * Specialty cases, i.e. Tomcat, which for their containers utilize their own mechanisms and Wrappers, you may
+ * need something similar.  See AppServer specific code (i.e. tomcat) for these.
+ * 
+ *
+ */
+public class CadiWrap extends HttpServletRequestWrapper implements HttpServletRequest, BasicCred {
+	private Principal principal;
+	private Lur lur;
+	private String user; // used to set user/pass from brain-dead protocols like WSSE 
+	private byte[] password;
+	private PermConverter pconv;
+	private Access access; 
+	
+	/**
+	 * Standard Wrapper constructor for Delegate pattern
+	 * @param request
+	 */
+	public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur) {
+		super(request);
+		principal = tafResp.getPrincipal();
+		access = tafResp.getAccess();
+		this.lur = lur;
+		pconv = NullPermConverter.singleton();
+	}
+
+	/**
+	 * Standard Wrapper constructor for Delegate pattern, with PermConverter
+	 * @param request
+	 */
+	public CadiWrap(HttpServletRequest request, TafResp tafResp, Lur lur, PermConverter pc) {
+		super(request);
+		principal = tafResp.getPrincipal();
+		access = tafResp.getAccess();
+		this.lur = lur;
+		pconv = pc;
+	}
+
+
+	/**
+	 * Part of the HTTP Security API.  Declare the User associated with this HTTP Transaction.
+	 * CADI does this by reporting the name associated with the Principal obtained, if any.
+	 */
+// @Override
+	public String getRemoteUser() {
+		return principal==null?null:principal.getName();
+	}
+
+	/**
+	 * Part of the HTTP Security API.  Return the User Principal associated with this HTTP 
+	 * Transaction.
+	 */
+// @Override
+	public Principal getUserPrincipal() {
+		return principal;
+	}
+	
+	/**
+	 * This is the key API call for AUTHZ in J2EE.  Given a Role (String passed in), is the user
+	 * associated with this HTTP Transaction allowed to function in this Role?
+	 * 
+	 * For CADI, we pass the responsibility for determining this to the "LUR", which may be
+	 * determined by the Enterprise.
+	 * 
+	 * Note: Role check is also done in "CadiRealm" in certain cases...
+	 * 
+	 *
+	 */
+// @Override
+	public boolean isUserInRole(String perm) {
+		return perm==null?false:checkPerm(access,"(HttpRequest)",principal,pconv,lur,perm);
+	}
+	
+	public static boolean checkPerm(Access access, String caller, Principal principal, PermConverter pconv, Lur lur, String perm) {
+		if(principal== null) {
+			access.log(Level.AUDIT,caller, "No Principal in Transaction");
+			return false;
+		} else { 
+			perm = pconv.convert(perm);
+			if(lur.fish(principal,lur.createPerm(perm))) {
+				access.log(Level.DEBUG,caller, principal.getName(), "has", perm);
+				return true;
+			} else {
+				access.log(Level.DEBUG,caller, principal.getName(), "does not have", perm);
+				return false;
+			}
+		}
+
+	}
+
+	/** 
+	 * CADI Function (Non J2EE standard). GetPermissions will read the Permissions from AAF (if configured) and Roles from Local Lur, etc
+	 *  as implemented with lur.fishAll
+	 *  
+	 *  To utilize, the Request must be a "CadiWrap" object, then call.
+	 */
+	public List<Permission> getPermissions(Principal p) {
+		List<Permission> perms = new ArrayList<Permission>();
+		lur.fishAll(p, perms);
+		return perms;
+	}
+	/**
+	 * Allow setting of tafResp and lur after construction
+	 * 
+	 * This can happen if the CadiWrap is constructed in a Valve other than CadiValve
+	 */
+	public void set(TafResp tafResp, Lur lur) {
+		principal = tafResp.getPrincipal();
+		access = tafResp.getAccess();
+		this.lur = lur;
+	}
+
+	public String getUser() {
+		if(user==null && principal!=null) {
+			user = principal.getName();
+		}
+		return user;
+	}
+
+	public byte[] getCred() {
+		return password;
+	}
+
+	public void setUser(String user) {
+		this.user = user;
+	}
+
+	public void setCred(byte[] passwd) {
+		password = passwd;
+	}
+	
+	public CadiWrap setPermConverter(PermConverter pc) {
+		pconv = pc;
+		return this;
+	}
+	
+	// Add a feature
+	public void invalidate(String id) {
+		if(lur instanceof EpiLur) {
+			((EpiLur)lur).remove(id);
+		} else if(lur instanceof CachingLur) {
+			((CachingLur<?>)lur).remove(id);
+		}
+	}
+	
+	public Lur getLur() {
+		return lur;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Capacitor.java b/core/src/main/java/org/onap/aaf/cadi/Capacitor.java
new file mode 100644
index 0000000..a7aa4f6
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Capacitor.java
@@ -0,0 +1,240 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.nio.ByteBuffer;
+import java.util.ArrayList;
+
+/**
+ * Capacitor
+ * 
+ * Storage mechanism for read data, specifically designed for InputStreams.
+ * 
+ * The Standard BufferedInputStream requires a limit to be set for buffered reading, which is 
+ * impractical for reading SOAP headers, which can be quite large.
+ *
+ */
+public class Capacitor {
+	private static final int DEFAULT_CHUNK = 256;
+	private ArrayList<ByteBuffer> bbs = new ArrayList<ByteBuffer>();
+	private ByteBuffer curr = null;
+	private int idx;
+	
+	// Maintain a private RingBuffer for Memory, for efficiency
+	private static ByteBuffer[] ring = new ByteBuffer[16];
+	private static int start, end;
+	
+	
+	public void put(byte b) {
+		if(curr == null || curr.remaining()==0) { // ensure we have a "curr" buffer ready for data
+			curr = ringGet();
+			bbs.add(curr);
+		}
+		curr.put(b); 
+	}
+
+	public int read() {
+		if(curr!=null) { 
+			if(curr.remaining()>0) { // have a buffer, use it!
+				return curr.get();
+			} else if(idx<bbs.size()){ // Buffer not enough, get next one from array
+				if(idx<bbs.size()) {
+					curr=bbs.get(idx++);
+					return curr.get();
+				}
+			}
+		} // if no curr buffer, treat as end of stream
+		return -1;
+	}
+	
+	/**
+	 * read into an array like Streams
+	 * 
+	 * @param array
+	 * @param offset
+	 * @param length
+	 * @return
+	 */
+	public int read(byte[] array, int offset, int length) {
+		if(curr==null)return -1;
+		int len;
+		int count=0;
+		while(length>0) { // loop through while there's data needed
+			if((len=curr.remaining())>length) { //  if enough data in curr buffer, use this code
+				curr.get(array,offset,length);
+				count+=length;
+				length=0;
+			} else {  // get data from curr, mark how much is needed to fulfil, and loop for next curr.
+				curr.get(array,offset,len);
+				count+=len;
+				offset+=len;
+				length-=len;
+				if(idx<bbs.size()) {
+					curr=bbs.get(idx++);
+				} else {
+					length=0; // stop, and return the count of how many we were able to load
+				}
+			}
+		}
+		return count;
+	}
+
+	/**
+	 * Put an array of data into Capacitor
+	 * 
+	 * @param array
+	 * @param offset
+	 * @param length
+	 */
+	public void put(byte[] array, int offset, int length) {
+		if(curr == null || curr.remaining()==0) {
+			curr = ringGet();
+			bbs.add(curr);
+		}
+		
+		int len;
+		while(length>0) {
+			if((len=curr.remaining())>length) {
+				curr.put(array,offset,length);
+				length=0;
+			} else {
+//				System.out.println(new String(array));
+				curr.put(array,offset,len);
+				length-=len;
+				offset+=len;
+				curr = ringGet();
+				bbs.add(curr);
+			}
+		}
+	}
+	 
+	/**
+	 * Move state from Storage mode into Read mode, changing all internal buffers to read mode, etc
+	 */
+	public void setForRead() {
+		for(ByteBuffer bb : bbs) {
+			bb.flip();
+		}
+		if(bbs.isEmpty()) {
+			curr = null;
+			idx = 0;
+		} else {
+			curr=bbs.get(0);
+			idx=1;
+		}
+	}
+	
+	/**
+	 * reuse all the buffers
+	 */
+	public void done() {
+		for(ByteBuffer bb : bbs) {
+			ringPut(bb);
+		}
+		bbs.clear();
+		curr = null;
+	}
+	
+	/**
+	 * Declare amount of data available to be read at once.
+	 * 
+	 * @return
+	 */
+	public int available() {
+		int count = 0;
+		for(ByteBuffer bb : bbs) {
+			count+=bb.remaining();
+		}
+		return count;
+	}
+	
+	/**
+	 * Returns how many are left that were not skipped
+	 * @param n
+	 * @return
+	 */
+	public long skip(long n) {
+		long skipped=0L;
+		int skip;
+		while(n>0) {
+			if(n<(skip=curr.remaining())) {
+				curr.position(curr.position()+(int)n);
+				skipped+=skip;
+				n=0;
+			} else {
+				curr.position(curr.limit());
+				
+				skipped-=skip;
+				if(idx<bbs.size()) {
+					curr=bbs.get(idx++);
+					n-=skip;
+				} else {
+					n=0;
+				}
+			}
+		}
+		return skipped;
+	}
+	/**
+	 * Be able to re-read data that is stored that has already been re-read.  This is not a standard Stream behavior, but can be useful
+	 * in a standalone mode.
+	 */
+	public void reset() {
+		for(ByteBuffer bb : bbs) {
+			bb.position(0);
+		}
+		if(bbs.isEmpty()) {
+			curr = null;
+			idx = 0;
+		} else {
+			curr=bbs.get(0);
+			idx=1;
+		}
+	}
+
+	/*
+	 * Ring Functions.  Reuse allocated memory 
+	 */
+	private ByteBuffer ringGet() {
+		ByteBuffer bb = null;
+		synchronized(ring) {
+			bb=ring[start];
+			ring[start]=null;
+			if(bb!=null && ++start>15)start=0;
+		}
+		if(bb==null) {
+			bb=ByteBuffer.allocate(DEFAULT_CHUNK);
+		} else {
+			bb.clear();// refresh reused buffer
+		}
+		return bb;
+	}
+	
+	private void ringPut(ByteBuffer bb) {
+		synchronized(ring) {
+			ring[end]=bb; // if null or not, BB will just be Garbage collected
+			if(++end>15)end=0;
+		}
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CmdLine.java b/core/src/main/java/org/onap/aaf/cadi/CmdLine.java
new file mode 100644
index 0000000..b387c7a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/CmdLine.java
@@ -0,0 +1,356 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.NoSuchAlgorithmException;
+
+import org.onap.aaf.cadi.util.Chmod;
+import org.onap.aaf.cadi.util.JsonOutputStream;
+
+
+
+/**
+ * A Class to run on command line to determine suitability of environment for certain TAFs.
+ * 
+ * For instance, CSP supports services only in certain domains, and while dynamic host
+ * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and
+ * invalid) for CSP because of multiple NetworkInterfaces, etc
+ * 
+ *
+ */
+public class CmdLine {
+
+	/**
+	 * @param args
+	 */
+	public static void main(String[] args) {
+		if(args.length>0) {
+			if("digest".equalsIgnoreCase(args[0]) && (args.length>2 || (args.length>1 && System.console()!=null))) {
+				String keyfile;
+				String password;
+				if(args.length>2) {
+					password = args[1];
+					keyfile = args[2];
+				} else {
+					keyfile = args[1];
+					password = new String(System.console().readPassword("Type here (keystrokes hidden): "));
+				}
+
+				try {
+					Symm symm;
+					FileInputStream fis = new FileInputStream(keyfile);
+					try {
+						symm = Symm.obtain(fis);
+					} finally {
+						fis.close();
+					}
+					symm.enpass(password, System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+					/*  testing code... don't want it exposed
+					System.out.println(" ******** Testing *********");
+					for(int i=0;i<100000;++i) {
+						System.out.println(args[1]);
+						ByteArrayOutputStream baos = new ByteArrayOutputStream();
+						b64.enpass(args[1], baos);
+						String pass; 
+						System.out.println(pass=new String(baos.toByteArray()));
+						ByteArrayOutputStream reconstituted = new ByteArrayOutputStream();
+						b64.depass(pass, reconstituted);
+						String r = reconstituted.toString();
+						System.out.println(r);
+						if(!r.equals(args[1])) {
+							System.err.println("!!!!! STOP - ERROR !!!!!");
+							return;
+						}
+						System.out.println();
+					}
+					System.out.flush();
+					*/
+					 
+				} catch (IOException e) {
+					System.err.println("Cannot digest password");
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+// .  Oh, well, Deployment services need this behavior.  I will put this code in, but leave it undocumented. 
+// One still needs access to the keyfile to read.
+// July 2016 - thought of a tool "CMPass" to reguritate from properties, but only if allowed.
+			} else if("regurgitate".equalsIgnoreCase(args[0]) && args.length>2) {
+				try {
+					Symm symm;
+					FileInputStream fis = new FileInputStream(args[2]);
+					try {
+						symm = Symm.obtain(fis);
+					} finally {
+						fis.close();
+					}
+					boolean isFile = false;
+					if("-i".equals(args[1]) || (isFile="-f".equals(args[1]))) {
+						BufferedReader br;
+						if(isFile) {
+							if(args.length<4) {
+								System.err.println("Filename in 4th position");
+								return;
+							}
+							br = new BufferedReader(new FileReader(args[3]));
+						} else {
+							br = new BufferedReader(new InputStreamReader(System.in));
+						}
+						try {
+							String line;
+							boolean cont = false;
+							StringBuffer sb = new StringBuffer();
+							JsonOutputStream jw = new JsonOutputStream(System.out);
+							while((line=br.readLine())!=null) {
+								if(cont) {
+									int end;
+									if((end=line.indexOf('"'))>=0) {
+										sb.append(line,0,end);
+										cont=false;
+									} else {
+										sb.append(line);
+									}
+								} else {
+									int idx;
+									if((idx = line.indexOf(' '))>=0 
+											&& (idx = line.indexOf(' ',++idx))>0
+											&& (idx = line.indexOf('=',++idx))>0
+											&& (idx = line.indexOf('=',++idx))>0
+											) {
+										System.out.println(line.substring(0, idx-5));
+										int start = idx+2;
+										int end;
+										if((end=line.indexOf('"',start))<0) {
+											end = line.length();
+											cont = true;
+										}
+										sb.append(line,start,end);
+									}
+								}
+								if(sb.length()>0) {
+									symm.depass(sb.toString(),jw);
+									if(!cont) {
+										System.out.println();
+									}
+								}
+								System.out.flush();
+								sb.setLength(0);
+								if(!cont) {
+									jw.resetIndent();
+								}
+							}
+						} finally {
+							if(isFile) {
+								br.close();
+							}
+						}
+					} else {
+						symm.depass(args[1], System.out);
+					}
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot regurgitate password");
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("encode64".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64.encode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot encode Base64 with " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("decode64".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64.decode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot decode Base64 text from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("encode64url".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64url.encode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot encode Base64url with " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("decode64url".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					Symm.base64url.decode(args[1], System.out);
+					System.out.println();
+					System.out.flush();
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot decode Base64url text from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			} else if("md5".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					System.out.println(Hash.encryptMD5asStringHex(args[1]));
+					System.out.flush();
+				} catch (NoSuchAlgorithmException e) {
+					System.err.println("Cannot hash MD5 from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+				return;
+			} else if("sha256".equalsIgnoreCase(args[0]) && args.length>1) {
+				try {
+					if(args.length>2) {
+						int salt = Integer.parseInt(args[2]);
+						System.out.println(Hash.hashSHA256asStringHex(args[1],salt));
+					} else { 
+						System.out.println(Hash.hashSHA256asStringHex(args[1]));
+					}
+				} catch (NoSuchAlgorithmException e) {
+					System.err.println("Cannot hash SHA256 text from " + args[1]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+				System.out.flush();
+				return;
+			} else if("keygen".equalsIgnoreCase(args[0])) {
+				try {
+					if(args.length>1) {
+						File f = new File(args[1]);
+						FileOutputStream fos = new FileOutputStream(f);
+						try {
+							fos.write(Symm.baseCrypt().keygen());
+							fos.flush();
+						} finally {
+							fos.close();
+							Chmod.to400.chmod(f);
+						}
+					} else {
+						// create a Symmetric Key out of same characters found in base64
+						System.out.write(Symm.baseCrypt().keygen());
+						System.out.flush();
+					}
+					return;
+				} catch (IOException e) {
+					System.err.println("Cannot create a key " + args[0]);
+					System.err.println("   \""+ e.getMessage() + '"');
+				}
+			
+			} else if("passgen".equalsIgnoreCase(args[0])) {
+				int numDigits;
+				if(args.length <= 1) {
+					numDigits = 24;
+				} else {
+					numDigits = Integer.parseInt(args[1]); 
+					if(numDigits<8)numDigits = 8;
+				}
+				String pass;
+				boolean noLower,noUpper,noDigits,noSpecial,repeats;
+				do {
+					pass = Symm.randomGen(numDigits);
+					noLower=noUpper=noDigits=noSpecial=true;
+					repeats=false;
+					int c=-1,last;
+					for(int i=0;i<numDigits;++i) {
+						last = c;
+						c = pass.charAt(i);
+						if(c==last) {
+							repeats=true;
+							break;
+						}
+						
+						if(noLower) {
+							noLower=!(c>=0x61 && c<=0x7A);
+							continue;
+						} 
+						if(noUpper) {
+							noUpper=!(c>=0x41 && c<=0x5A);
+							continue;
+						} 
+						if(noDigits) {
+							noDigits=!(c>=0x30 && c<=0x39);
+							continue;
+						} 
+						if(noSpecial) {
+							noSpecial = "+!@#$%^&*(){}[]?:;,.".indexOf(c)<0;
+							continue;
+						} 
+						
+						break;
+					}
+				} while(noLower || noUpper || noDigits || noSpecial || repeats);
+				System.out.println(pass.substring(0,numDigits));
+			} else if("urlgen".equalsIgnoreCase(args[0])) {
+				int numDigits;
+				if(args.length < 1) {
+					numDigits = 24;
+				} else {
+					numDigits = Integer.parseInt(args[1]); 
+				}
+				System.out.println(Symm.randomGen(Symm.base64url.codeset, numDigits).substring(0,numDigits));
+			
+			} else if("csptest".equalsIgnoreCase(args[0])) {
+				try {
+					System.out.println("CSP Compatibility test");
+					
+					String hostName = InetAddress.getLocalHost().getCanonicalHostName();
+					
+					System.out.println("  Your automatic hostname is reported as \"" + hostName + "\"\n");
+					System.out.flush();
+					return;
+				} catch (UnknownHostException e) {
+					e.printStackTrace(System.err);
+				}
+			}
+		} else {
+			System.out.println("Usage: java -jar <this jar> ...");
+			System.out.println("  keygen [<keyfile>]                     (Generates Key on file, or Std Out)");
+			System.out.println("  digest <keyfile>                       (Encrypts to Key with \"keyfile\")");
+			System.out.println("  passgen <digits>                       (Generate Password of given size)");
+			System.out.println("  urlgen <digits>                        (Generate URL field of given size)");
+			System.out.println("  csptest                                (Tests for CSP compatibility)");
+			System.out.println("  encode64 <your text>                   (Encodes to Base64)");
+			System.out.println("  decode64 <base64 encoded text>         (Decodes from Base64)");
+			System.out.println("  encode64url <your text>                (Encodes to Base64 URL charset)");
+			System.out.println("  decode64url <base64url encoded text>   (Decodes from Base64 URL charset)");
+			System.out.println("  sha256 <text>                          (Digest String into SHA256 Hash)");
+			System.out.println("  md5 <text>                             (Digest String into MD5 Hash)");
+		}
+		System.exit(1);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Connector.java b/core/src/main/java/org/onap/aaf/cadi/Connector.java
new file mode 100644
index 0000000..0a55b0d
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Connector.java
@@ -0,0 +1,27 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+public interface Connector {
+	public Lur newLur() throws CadiException;
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/CredVal.java b/core/src/main/java/org/onap/aaf/cadi/CredVal.java
new file mode 100644
index 0000000..324746b
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/CredVal.java
@@ -0,0 +1,42 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+
+/**
+ * UserPass
+ * 
+ * The essential interface required by BasicAuth to determine if a given User/Password combination is 
+ * valid.  This is done as an interface.
+ * 
+ */
+public interface CredVal {
+	public enum Type{PASSWORD};
+	/**
+	 *  Validate if the User/Password combination matches records 
+	 * @param user
+	 * @param pass
+	 * @return
+	 */
+	public boolean validate(String user, Type type, byte[] cred);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/GetCred.java b/core/src/main/java/org/onap/aaf/cadi/GetCred.java
new file mode 100644
index 0000000..c0917a5
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/GetCred.java
@@ -0,0 +1,27 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+public interface GetCred {
+	byte[] getCred();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Hash.java b/core/src/main/java/org/onap/aaf/cadi/Hash.java
new file mode 100644
index 0000000..9d8719a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Hash.java
@@ -0,0 +1,202 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+public class Hash {
+	private static char hexDigit[] = "0123456789abcdef".toCharArray();
+	
+/////////////////////////////////
+// MD5
+/////////////////////////////////
+	/**
+	 * Encrypt MD5 from Byte Array to Byte Array
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static byte[] encryptMD5 (byte[] input) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("MD5");
+		md.update(input); 
+		return md.digest();
+	}
+
+	/**
+	 * Encrypt MD5 from Byte Array to Byte Array
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static byte[] encryptMD5 (byte[] input, int offset, int length) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("MD5");
+		md.update(input,offset,length); 
+		return md.digest();
+	}
+
+
+
+	/**
+	 * Convenience Function: Encrypt MD5 from String to String Hex representation 
+	 * 
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static String encryptMD5asStringHex(String input) throws NoSuchAlgorithmException {
+		byte[] output = encryptMD5(input.getBytes());
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : output) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+
+/////////////////////////////////
+// SHA256
+/////////////////////////////////
+	/**
+	 * SHA256 Hashing
+	 */
+	public static byte[] hashSHA256(byte[] input) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		md.update(input); 
+		return md.digest();
+	}
+
+	/**
+	 * SHA256 Hashing
+	 */
+	public static byte[] hashSHA256(byte[] input, int offset, int length) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		md.update(input,offset,length); 
+		return md.digest();
+	}
+	
+	/**
+	 * Convenience Function: Hash from String to String Hex representation
+	 * 
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static String hashSHA256asStringHex(String input) throws NoSuchAlgorithmException {
+		byte[] output = hashSHA256(input.getBytes());
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : output) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+
+	/**
+	 * Convenience Function: Hash from String to String Hex representation
+	 * 
+	 * @param input
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 */
+	public static String hashSHA256asStringHex(String input, int salt) throws NoSuchAlgorithmException {
+		byte[] in = input.getBytes();
+		ByteBuffer bb = ByteBuffer.allocate(Integer.SIZE + in.length);
+		bb.putInt(salt);
+		bb.put(input.getBytes());
+		byte[] output = Hash.hashSHA256(bb.array());
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : output) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+	
+	/**
+	 * Compare two byte arrays for equivalency
+	 * @param ba1
+	 * @param ba2
+	 * @return
+	 */
+	public static boolean isEqual(byte ba1[], byte ba2[]) {
+		if(ba1.length!=ba2.length)return false;
+		for(int i = 0;i<ba1.length; ++i) {
+			if(ba1[i]!=ba2[i])return false;
+		}
+		return true;
+	}
+
+	public static int compareTo(byte[] a, byte[] b) {
+		int end = Math.min(a.length, b.length);
+		int compare = 0;
+		for(int i=0;compare == 0 && i<end;++i) {
+			compare = a[i]-b[i];
+		}
+		if(compare==0)compare=a.length-b.length;
+		return compare;
+	}
+	
+	public static String toHex(byte[] ba) {
+		StringBuilder sb = new StringBuilder("0x");
+		 for (byte b : ba) {
+		    sb.append(hexDigit[(b >> 4) & 0x0f]);
+		    sb.append(hexDigit[b & 0x0f]);
+		 }
+		 return sb.toString();
+	}
+	
+	public static byte[] fromHex(String s)  throws CadiException{
+		if(!s.startsWith("0x")) {
+			throw new CadiException("HexString must start with \"0x\"");
+		}
+		boolean high = true;
+		int c;
+		byte b;
+		byte[] ba = new byte[(s.length()-2)/2];
+		int idx;
+		for(int i=2;i<s.length();++i) {
+			c = s.charAt(i);
+			if(c>=0x30 && c<=0x39) {
+				b=(byte)(c-0x30);
+			} else if(c>=0x61 && c<=0x66) {
+				b=(byte)(c-0x57);  // account for "A"
+			} else if(c>=0x41 && c<=0x46) {
+				b=(byte)(c-0x37);
+			} else {
+				throw new CadiException("Invalid char '" + c + "' in HexString");
+			}
+			idx = (i-2)/2;
+			if(high) {
+				ba[idx]=(byte)(b<<4);
+				high = false;
+			} else {
+				ba[idx]|=b;
+				high = true;
+			}
+		}
+		return ba;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Locator.java b/core/src/main/java/org/onap/aaf/cadi/Locator.java
new file mode 100644
index 0000000..05b6442
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Locator.java
@@ -0,0 +1,36 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+public interface Locator<T> {
+	public T get(Locator.Item item) throws LocatorException;
+	public boolean hasItems();
+	public void invalidate(Locator.Item item) throws LocatorException;
+	public Locator.Item best() throws LocatorException;
+	public Item first() throws LocatorException;
+	public Item next(Item item) throws LocatorException;
+	public boolean refresh();
+	public void destroy();
+	
+	public interface Item {}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/LocatorException.java b/core/src/main/java/org/onap/aaf/cadi/LocatorException.java
new file mode 100644
index 0000000..43127ec
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/LocatorException.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+public class LocatorException extends Exception {
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = -4267929804321134469L;
+
+	public LocatorException(String arg0) {
+		super(arg0);
+	}
+
+	public LocatorException(Throwable arg0) {
+		super(arg0);
+	}
+
+	public LocatorException(String arg0, Throwable arg1) {
+		super(arg0, arg1);
+	}
+
+	public LocatorException(CharSequence cs) {
+		super(cs.toString());
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Lur.java b/core/src/main/java/org/onap/aaf/cadi/Lur.java
new file mode 100644
index 0000000..afbf2dd
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Lur.java
@@ -0,0 +1,94 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.security.Principal;
+import java.util.List;
+
+
+
+/**
+ * LUR: Local User Registry
+ *
+ * Concept by Robert Garskof, Implementation by Jonathan Gathman
+ * 
+ * Where we can keep local copies of users and roles for faster Authorization when asked.
+ * 
+ * Note: Author cannot resist the mental image of using a Fishing Lure to this LUR pattern 
+ * 
+ *
+ */
+public interface Lur {
+	/**
+	 * Allow the Lur, which has correct Permission access, to create and hand back. 
+	 */
+	public Permission createPerm(String p);
+	
+	/** 
+	 * Fish for Principals in a Pond
+	 * 
+	 *   or more boringly, is the User identified within a named collection representing permission.
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public boolean fish(Principal bait, Permission pond);
+
+	/** 
+	 * Fish all the Principals out a Pond
+	 * 
+	 *   For additional humor, pronounce the following with a Southern Drawl, "FishOil"
+	 * 
+	 *   or more boringly, load the List with Permissions found for Principal
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public void fishAll(Principal bait, List<Permission> permissions);
+
+	/**
+	 * Allow implementations to disconnect, or cleanup resources if unneeded
+	 */
+	public void destroy();
+
+	/**
+	 * Does this LUR handle this pond exclusively?  Important for EpiLUR to determine whether 
+	 * to try another (more expensive) LUR 
+	 * @param pond
+	 * @return
+	 */
+	public boolean handlesExclusively(Permission pond);  
+	
+	/**
+	 * What domain of User does this LUR support?  (used to avoid asking when not possible)
+	 * 
+	 * @param bait
+	 * @return
+	 */
+	public boolean supports(String userName);
+	
+	/**
+	 * Clear: Clear any Caching, if exists
+	 */
+	public void clear(Principal p, StringBuilder report);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Permission.java b/core/src/main/java/org/onap/aaf/cadi/Permission.java
new file mode 100644
index 0000000..ac0ec46
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Permission.java
@@ -0,0 +1,29 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+public interface Permission {
+	public String permType();
+	public String getKey();
+	public boolean match(Permission p);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/PropAccess.java b/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
new file mode 100644
index 0000000..d866e85
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/PropAccess.java
@@ -0,0 +1,321 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.text.SimpleDateFormat;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Map.Entry;
+
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.SecurityInfo;
+
+import java.util.Properties;
+
+public class PropAccess implements Access {
+	private static final SimpleDateFormat iso8601 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+
+	public static Level DEFAULT = Level.AUDIT;
+	
+	private Symm symm;
+	private int level;
+	private Properties props;
+	private List<String> recursionProtection = null;
+	private PrintStream out;
+	
+	private String name;
+
+	public PropAccess() {
+		out=System.out;
+		init(null);
+	}
+	
+	/**
+	 * This Constructor soley exists to instantiate Servlet Context Based Logging that will call "init" later.
+	 * @param sc
+	 */
+	protected PropAccess(Object o) {
+		out=System.out;
+		props = new Properties();
+	}
+	
+	public PropAccess(String ... args) {
+		this(System.out,args);
+	}
+	
+	public PropAccess(PrintStream ps, String[] args) {
+		out=ps==null?System.out:ps;
+		Properties nprops=new Properties();
+		int eq;
+		for(String arg : args) {
+			if((eq=arg.indexOf('='))>0) {
+				nprops.setProperty(arg.substring(0, eq),arg.substring(eq+1));
+			}
+		}
+		init(nprops);
+	}
+
+	public PropAccess(Properties p) {
+		this(System.out,p);
+	}
+	
+	public PropAccess(PrintStream ps, Properties p) {
+		out=ps==null?System.out:ps;
+		init(p);
+	}
+	
+	protected void init(Properties p) {
+		// Make sure these two are set before any changes in Logging
+		name = "cadi";
+		level=DEFAULT.maskOf();
+		
+		props = new Properties();
+		// First, load related System Properties
+		for(Entry<Object,Object> es : System.getProperties().entrySet()) {
+			String key = es.getKey().toString();
+			for(String start : new String[] {"cadi_","aaf_","cm_","csp_"}) {
+				if(key.startsWith(start)) {
+					props.put(key, es.getValue());
+				}
+			}			
+		}
+		// Second, overlay or fill in with Passed in Props
+		if(p!=null) {
+			props.putAll(p);
+		}
+		
+		// Third, load any Chained Property Files
+		load(props.getProperty(Config.CADI_PROP_FILES));
+		
+		String sLevel = props.getProperty(Config.CADI_LOGLEVEL); 
+		if(sLevel!=null) {
+			level=Level.valueOf(sLevel).maskOf(); 
+		}
+		// Setup local Symmetrical key encryption
+		if(symm==null) {
+			symm = Symm.obtain(this);
+		}
+		
+		name = props.getProperty(Config.CADI_LOGNAME, name);
+		
+		// Critical - if no Security Protocols set, then set it.  We'll just get messed up if not
+		if(props.get(Config.CADI_PROTOCOLS)==null) {
+			props.setProperty(Config.CADI_PROTOCOLS, SecurityInfo.HTTPS_PROTOCOLS_DEFAULT);
+		}
+	}
+
+	private void load(String cadi_prop_files) {
+		String prevKeyFile = props.getProperty(Config.CADI_KEYFILE);
+
+		if(cadi_prop_files!=null) {
+			int prev = 0, end = cadi_prop_files.length();
+			int idx;
+			String filename;
+			while(prev<end) {
+				idx = cadi_prop_files.indexOf(File.pathSeparatorChar,prev);
+				if(idx<0) {
+					idx = end;
+				}
+				File file = new File(filename=cadi_prop_files.substring(prev,idx));
+				if(file.exists()) {
+					printf(Level.INIT,"Loading CADI Properties from %s",file.getAbsolutePath());
+					try {
+						FileInputStream fis = new FileInputStream(file);
+						try {
+							props.load(fis);
+							// Recursively Load
+							String chainProp = props.getProperty(Config.CADI_PROP_FILES);
+							if(chainProp!=null) {
+								if(recursionProtection==null) {
+									recursionProtection = new ArrayList<String>();
+									recursionProtection.add(cadi_prop_files);
+								}
+								if(!recursionProtection.contains(chainProp)) {
+									recursionProtection.add(chainProp);
+									load(chainProp); // recurse
+								}
+							}
+						} finally {
+							fis.close();
+						}
+					} catch (Exception e) {
+						log(e,filename,"cannot be opened");
+					}
+				} else {
+					printf(Level.WARN,"Warning: recursive CADI Property %s does not exist",file.getAbsolutePath());
+				}
+				prev = idx+1;
+			}
+		}
+		// Reset Symm if Keyfile Changes:
+		String newKeyFile = props.getProperty(Config.CADI_KEYFILE);
+		if((prevKeyFile==null && newKeyFile!=null) || (newKeyFile!=null && !newKeyFile.equals(prevKeyFile))) {
+			symm = Symm.obtain(this);
+			prevKeyFile=newKeyFile;
+		}
+		
+		String loglevel = props.getProperty(Config.CADI_LOGLEVEL);
+		if(loglevel!=null) {
+			try {
+				level=Level.valueOf(loglevel).maskOf();
+			} catch (IllegalArgumentException e) {
+				printf(Level.ERROR,"%s=%s is an Invalid Log Level",Config.CADI_LOGLEVEL,loglevel);
+			}
+		}
+	}
+	
+	@Override
+	public void load(InputStream is) throws IOException {
+		props.load(is);
+		load(props.getProperty(Config.CADI_PROP_FILES));
+	}
+
+	@Override
+	public void log(Level level, Object ... elements) {
+		if(willLog(level)) {
+			StringBuilder sb = buildMsg(level, elements);
+			out.println(sb);
+			out.flush();
+		}
+	}
+	
+	protected StringBuilder buildMsg(Level level, Object[] elements) {
+		StringBuilder sb = new StringBuilder(iso8601.format(new Date()));
+		sb.append(' ');
+		sb.append(level.name());
+		sb.append(" [");
+		sb.append(name);
+		
+		int end = elements.length;
+		if(end<=0) {
+			sb.append("] ");
+		} else {
+			int idx = 0;
+			if(elements[idx] instanceof Integer) {
+				sb.append('-');
+				sb.append(elements[idx]);
+				++idx;
+			}
+			sb.append("] ");
+			String s;
+			boolean first = true;
+			for(Object o : elements) {
+				if(o!=null) {
+					s=o.toString();
+					if(first) {
+						first = false;
+					} else {
+						int l = s.length();
+						if(l>0)	{
+							switch(s.charAt(l-1)) {
+								case ' ':
+									break;
+								default:
+									sb.append(' ');
+							}
+						}
+					}
+					sb.append(s);
+				}
+			}
+		}
+		return sb;
+	}
+
+	@Override
+	public void log(Exception e, Object... elements) {
+		log(Level.ERROR,e.getMessage(),elements);
+		e.printStackTrace(System.err);
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object... elements) {
+		if(willLog(level)) {
+			log(level,String.format(fmt, elements));
+		}
+	}
+
+	@Override
+	public void setLogLevel(Level level) {
+		this.level = level.maskOf();
+	}
+
+	@Override
+	public boolean willLog(Level level) {
+		return level.inMask(this.level);
+	}
+
+	@Override
+	public ClassLoader classLoader() {
+		return ClassLoader.getSystemClassLoader();
+	}
+
+	@Override
+	public String getProperty(String tag, String def) {
+		return props.getProperty(tag,def);
+	}
+
+	@Override
+	public String decrypt(String encrypted, boolean anytext) throws IOException {
+		return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC)))
+			? symm.depass(encrypted)
+			: encrypted;
+	}
+	
+	public String encrypt(String unencrypted) throws IOException {
+		return Symm.ENC+symm.enpass(unencrypted);
+	}
+
+	//////////////////
+	// Additional
+	//////////////////
+	public String getProperty(String tag) {
+		return props.getProperty(tag);
+	}
+	
+
+	public Properties getProperties() {
+		return props;
+	}
+
+	public void setProperty(String tag, String value) {
+		if(value!=null) {
+			props.put(tag, value);
+			if(Config.CADI_KEYFILE.equals(tag)) {
+				// reset decryption too
+				symm = Symm.obtain(this);
+			}
+		}
+	}
+
+	public Properties getDME2Properties() {
+		return Config.getDME2Props(this);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Revalidator.java b/core/src/main/java/org/onap/aaf/cadi/Revalidator.java
new file mode 100644
index 0000000..68b2661
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Revalidator.java
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+
+public interface Revalidator<TRANS> {
+	/**
+	 * Re-Validate Credential
+	 * 
+	 * @param prin
+	 * @return
+	 */
+	public CachedPrincipal.Resp revalidate(TRANS trans, CachedPrincipal prin);
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java b/core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java
new file mode 100644
index 0000000..33b7050
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/SLF4JAccess.java
@@ -0,0 +1,100 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.util.Properties;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SLF4JAccess extends PropAccess {
+	private static final Logger slf4j = LoggerFactory.getLogger("AAF");
+	
+	public SLF4JAccess(final Properties initial) throws CadiException {
+		super(initial);
+	}
+
+	public void log(Level level, Object... elements) {
+		switch(level) {
+			case AUDIT:
+				slf4j.info(msg(elements).toString());
+				break;
+			case DEBUG:
+				slf4j.debug(msg(elements).toString());
+				break;
+			case ERROR:
+				slf4j.error(msg(elements).toString());
+				break;
+			case INFO:
+				slf4j.info(msg(elements).toString());
+				break;
+			case INIT:
+				slf4j.info(msg(elements).toString());
+				break;
+			case WARN:
+				slf4j.warn(msg(elements).toString());
+				break;
+			default:
+				slf4j.info(msg(elements).toString());
+				break;
+		}
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level)
+	 */
+	@Override
+	public boolean willLog(Level level) {
+		switch(level) {
+			case DEBUG:
+				return slf4j.isDebugEnabled();
+			case ERROR:
+				return slf4j.isErrorEnabled();
+			case WARN:
+				return slf4j.isWarnEnabled();
+//			case INFO:
+//			case INIT:
+//			case AUDIT:
+			default:
+				return slf4j.isInfoEnabled();
+		}
+	}
+
+	private StringBuilder msg(Object ... elements) {
+		StringBuilder sb = new StringBuilder();
+		boolean first = true;
+		for(Object o : elements) {
+			if(first) first = false;
+			else {
+				sb.append(' ');
+			}
+			sb.append(o.toString());
+		}
+		return sb;
+	}
+
+	public void log(Exception e, Object... elements) {
+		slf4j.error(msg(elements).toString(),e);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java b/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java
new file mode 100644
index 0000000..88c45b0
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/SecuritySetter.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+
+/**
+ *  Apply any particular security mechanism
+ *  
+ *  This allows the definition of various mechanisms involved outside of DRcli jars 
+ *  
+ *
+ */
+public interface SecuritySetter<CT> {
+	public String getID();
+	
+	public void setSecurity(CT client) throws CadiException;
+	
+	/**
+	 * Returns number of bad logins registered
+	 * @param respCode
+	 * @return
+	 */
+	public int setLastResponse(int respCode);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java b/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java
new file mode 100644
index 0000000..6c288d5
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/ServletContextAccess.java
@@ -0,0 +1,69 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+import java.util.Enumeration;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+
+import org.onap.aaf.cadi.config.Config;
+
+public class ServletContextAccess extends PropAccess {
+
+	private ServletContext context;
+
+	public ServletContextAccess(FilterConfig filterConfig) {
+		super(filterConfig); // protected contstructor... does not have "init" called.
+		context = filterConfig.getServletContext();
+
+		for(Enumeration<?> en = filterConfig.getInitParameterNames();en.hasMoreElements();) {
+			String name = (String)en.nextElement();
+			setProperty(name, filterConfig.getInitParameter(name));
+		}
+		init(getProperties());
+		Config.getDME2Props(this);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#log(com.att.cadi.Access.Level, java.lang.Object[])
+	 */
+	@Override
+	public void log(Level level, Object... elements) {
+		if(willLog(level)) {
+			StringBuilder sb = buildMsg(level, elements);
+			context.log(sb.toString());
+		}
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#log(java.lang.Exception, java.lang.Object[])
+	 */
+	@Override
+	public void log(Exception e, Object... elements) {
+		StringBuilder sb = buildMsg(Level.ERROR, elements);
+		context.log(sb.toString(),e);
+	}
+
+	public ServletContext context() {
+		return context;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/StrLur.java b/core/src/main/java/org/onap/aaf/cadi/StrLur.java
new file mode 100644
index 0000000..1a86c8e
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/StrLur.java
@@ -0,0 +1,56 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.util.List;
+
+
+
+/**
+ * StrLUR: Implements fish with String, skipping the need to be a Principal where it doesn't make sense.
+ *
+ *
+ */
+public interface StrLur extends Lur {
+	/** 
+	 * Fish for Principals in a Pond
+	 * 
+	 *   or more boringly, is the User identified within a named collection representing permission.
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public boolean fish(String bait, Permission pond);
+
+	/** 
+	 * Fish all the Principals out a Pond
+	 * 
+	 *   For additional humor, pronounce the following with a Southern Drawl, "FishOil"
+	 * 
+	 *   or more boringly, load the List with Permissions found for Principal
+	 * 
+	 * @param principalName
+	 * @return
+	 */
+	public void fishAll(String bait, List<Permission> permissions);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Symm.java b/core/src/main/java/org/onap/aaf/cadi/Symm.java
new file mode 100644
index 0000000..beb0c40
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Symm.java
@@ -0,0 +1,811 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Random;
+
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+
+/**
+ * Key Conversion, primarily "Base64"
+ * 
+ * Base64 is required for "Basic Authorization", which is an important part of the overall CADI Package.
+ * 
+ * Note: This author found that there is not a "standard" library for Base64 conversion within Java.  
+ * The source code implementations available elsewhere were surprisingly inefficient, requiring, for 
+ * instance, multiple string creation, on a transaction pass.  Integrating other packages that might be
+ * efficient enough would put undue Jar File Dependencies given this Framework should have none-but-Java 
+ * dependencies.
+ * 
+ * The essential algorithm is good for a symmetrical key system, as Base64 is really just
+ * a symmetrical key that everyone knows the values.  
+ * 
+ * This code is quite fast, taking about .016 ms for encrypting, decrypting and even .08 for key 
+ * generation. The speed quality, especially of key generation makes this a candidate for a short term token 
+ * used for identity.
+ * 
+ * It may be used to easily avoid placing Clear-Text passwords in configurations, etc. and contains 
+ * supporting functions such as 2048 keyfile generation (see keygen).  This keyfile should, of course, 
+ * be set to "400" (Unix) and protected as any other mechanism requires. 
+ * 
+ * However, this algorithm has not been tested against hackers.  Until such a time, utilize more tested
+ * packages to protect Data, especially sensitive data at rest (long term). 
+ *
+ */
+public class Symm {
+	private static final byte[] DOUBLE_EQ = new byte[] {'=','='}; 
+	public static final String ENC = "enc:";
+	private static final SecureRandom random = new SecureRandom();
+	
+	public final char[] codeset;
+	private final int splitLinesAt;
+	private final String encoding;
+	private final Convert convert;
+	private final boolean endEquals;
+	//Note: AES Encryption is not Thread Safe.  It is Synchronized
+	private static AES aes = null;  // only initialized from File, and only if needed for Passwords
+	
+	/**
+	 * This is the standard base64 Key Set.
+	 * RFC 2045
+	 */
+	public static final Symm base64 = new Symm(
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray()
+			,76, Config.UTF_8,true);
+
+	public static final Symm base64noSplit = new Symm(
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".toCharArray()
+			,Integer.MAX_VALUE, Config.UTF_8,true);
+
+	/**
+	 * This is the standard base64 set suitable for URLs and Filenames
+	 * RFC 4648
+	 */
+	public static final Symm base64url = new Symm(
+			"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_".toCharArray()
+			,76, Config.UTF_8,true);
+
+	/**
+	 * A Password set, using US-ASCII
+	 * RFC 4648
+	 */
+	public static final Symm encrypt = new Symm(base64url.codeset,1024, "US-ASCII", false);
+
+	/**
+	 * A typical set of Password Chars
+	 * Note, this is too large to fit into the algorithm. Only use with PassGen
+	 */
+	private static char passChars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+!@#$%^&*(){}[]?:;,.".toCharArray();
+			
+
+
+	/**
+	 * Use this to create special case Case Sets and/or Line breaks
+	 * 
+	 * If you don't know why you need this, use the Singleton Method
+	 * 
+	 * @param codeset
+	 * @param split
+	 */
+	public Symm(char[] codeset, int split, String charset, boolean useEndEquals) {
+		this.codeset = codeset;
+		splitLinesAt = split;
+		encoding = charset;
+		endEquals = useEndEquals;
+		char prev = 0, curr=0, first = 0;
+		int offset=Integer.SIZE; // something that's out of range for integer array
+		
+		// There can be time efficiencies gained when the underlying keyset consists mainly of ordered 
+		// data (i.e. abcde...).  Therefore, we'll quickly analyze the keyset.  If it proves to have
+		// too much entropy, the "Unordered" algorithm, which is faster in such cases is used.
+		ArrayList<int[]> la = new ArrayList<int[]>();
+		for(int i=0;i<codeset.length;++i) {
+			curr = codeset[i];
+			if(prev+1==curr) { // is next character in set
+				prev = curr;
+			} else {
+				if(offset!=Integer.SIZE) { // add previous range 
+					la.add(new int[]{first,prev,offset});
+				}
+				first = prev = curr;
+				offset = curr-i;
+			}
+		}
+		la.add(new int[]{first,curr,offset});
+		if(la.size()>codeset.length/3) {
+			convert = new Unordered(codeset);
+		} else { // too random to get speed enhancement from range algorithm
+			int[][] range = new int[la.size()][];
+			la.toArray(range);
+			convert = new Ordered(range);
+		}
+	}
+	
+	public Symm copy(int lines) {
+		return new Symm(codeset,lines,encoding,endEquals);
+	}
+	
+	// Only used by keygen, which is intentionally randomized. Therefore, always use unordered
+	private  Symm(char[] codeset, Symm parent) {
+		this.codeset = codeset;
+		splitLinesAt = parent.splitLinesAt;
+		endEquals = parent.endEquals;
+		encoding = parent.encoding;
+		convert = new Unordered(codeset);
+	}
+
+	/**
+	 * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc.
+	 * @return
+	 */
+	@Deprecated
+	public static final Symm base64() {
+		return base64;
+	}
+
+	/**
+	 * Obtain the base64() behavior of this class, for use in standard BASIC AUTH mechanism, etc.  
+	 * No Line Splitting
+	 * @return
+	 */
+	@Deprecated
+	public static final Symm base64noSplit() {
+		return base64noSplit;
+	}
+
+	/**
+	 * Obtain the base64 "URL" behavior of this class, for use in File Names, etc. (no "/")
+	 */
+	@Deprecated
+	public static final Symm base64url() {
+		return base64url;
+	}
+
+	/**
+	 * Obtain a special ASCII version for Scripting, with base set of base64url use in File Names, etc. (no "/")
+	 */
+	public static final Symm baseCrypt() {
+		return encrypt;
+	}
+
+	/*
+	 *  Note: AES Encryption is NOT thread-safe.  Must surround entire use with synchronized
+	 */
+	private synchronized void exec(AESExec exec) throws IOException {
+		if(aes == null) {
+			try {
+				byte[] bytes = new byte[AES.AES_KEY_SIZE/8];
+				int offset = (Math.abs(codeset[0])+47)%(codeset.length-bytes.length);
+				for(int i=0;i<bytes.length;++i) {
+					bytes[i] = (byte)codeset[i+offset];
+				}
+				aes = new AES(bytes,0,bytes.length);
+			} catch (Exception e) {
+				throw new IOException(e);
+			}
+		}
+		exec.exec(aes);
+	}
+	
+	private static interface AESExec {
+		public void exec(AES aes) throws IOException;
+	}
+	
+    public byte[] encode(byte[] toEncrypt) throws IOException {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(toEncrypt.length*1.25));
+		encode(new ByteArrayInputStream(toEncrypt),baos);
+		return baos.toByteArray();
+	}
+
+    public byte[] decode(byte[] encrypted) throws IOException {
+		ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(encrypted.length*1.25));
+		decode(new ByteArrayInputStream(encrypted),baos);
+		return baos.toByteArray();
+	}
+
+	/**
+     *  Helper function for String API of "Encode"
+     *  use "getBytes" with appropriate char encoding, etc.
+     *  
+     * @param str
+     * @return
+     * @throws IOException
+     */
+    public String encode(String str) throws IOException {
+    	byte[] array;
+    	try { 
+    		array = str.getBytes(encoding);
+    	} catch (IOException e) {
+    		array = str.getBytes(); // take default
+    	}
+    	// Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code
+    	ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*1.363)); // account for 4 bytes for 3 and a byte or two more
+    	
+    	encode(new ByteArrayInputStream(array),baos);
+    	return baos.toString(encoding);
+    }
+    
+    /**
+     * Helper function for the String API of "Decode"
+     * use "getBytes" with appropriate char encoding, etc.
+     * @param str
+     * @return
+     * @throws IOException
+     */
+    public String decode(String str) throws IOException {
+    	byte[] array;
+    	try { 
+    		array = str.getBytes(encoding);
+    	} catch (IOException e) {
+    		array = str.getBytes(); // take default
+    	}
+    	// Calculate expected size to avoid any buffer expansion copies within the ByteArrayOutput code
+    	ByteArrayOutputStream baos = new ByteArrayOutputStream((int)(array.length*.76)); // Decoding is 3 bytes for 4.  Allocate slightly more than 3/4s
+    	decode(new ByteArrayInputStream(array), baos);
+    	return baos.toString(encoding);
+	}
+
+	/**
+     * Convenience Function
+     * 
+     * encode String into InputStream and call encode(InputStream, OutputStream)
+     * 
+     * @param string
+     * @param out
+     * @throws IOException
+     */
+  	public void encode(String string, OutputStream out) throws IOException {
+  		encode(new ByteArrayInputStream(string.getBytes()),out);
+	}
+
+	/**
+	 * Convenience Function
+	 * 
+	 * encode String into InputStream and call decode(InputStream, OutputStream)
+	 * 
+	 * @param string
+	 * @param out
+	 * @throws IOException
+	 */
+	public void decode(String string, OutputStream out) throws IOException {
+		decode(new ByteArrayInputStream(string.getBytes()),out);
+	}
+
+    public void encode(InputStream is, OutputStream os, byte[] prefix) throws IOException {
+    	os.write(prefix);
+    	encode(is,os);
+    }
+
+	/** 
+     * encode InputStream onto Output Stream
+     * 
+     * @param is
+     * @param estimate
+     * @return
+     * @throws IOException
+     */
+    public void encode(InputStream is, OutputStream os) throws IOException {
+    	// StringBuilder sb = new StringBuilder((int)(estimate*1.255)); // try to get the right size of StringBuilder from start.. slightly more than 1.25 times 
+    	int prev=0;
+    	int read, idx=0, line=0;
+    	boolean go;
+    	do {
+    		read = is.read();
+    		if(go = read>=0) {
+    			if(line>=splitLinesAt) {
+	    			os.write('\n');
+	    			line = 0;
+	    		}
+	    		switch(++idx) { // 1 based reading, slightly faster ++
+	    			case 1: // ptr is the first 6 bits of read
+	    				os.write(codeset[read>>2]);
+	    				prev = read;
+	    				break;
+	    			case 2: // ptr is the last 2 bits of prev followed by the first 4 bits of read
+	    				os.write(codeset[((prev & 0x03)<<4) | (read>>4)]);
+    					prev = read;
+	    				break;
+	    			default: //(3+) 
+	    					// Char 1 is last 4 bits of prev plus the first 2 bits of read
+	    				    // Char 2 is the last 6 bits of read
+	    				os.write(codeset[(((prev & 0xF)<<2) | (read>>6))]);
+	    				if(line==splitLinesAt) { // deal with line splitting for two characters
+	    					os.write('\n');
+	    					line=0;
+	    				}
+	    				os.write(codeset[(read & 0x3F)]);
+	    				++line;
+	    				idx = 0;
+	    				prev = 0;
+	    		}
+	    		++line;
+    		} else { // deal with any remaining bits from Prev, then pad
+    			switch(idx) {
+    				case 1: // just the last 2 bits of prev
+	    				os.write(codeset[(prev & 0x03)<<4]);
+    					if(endEquals)os.write(DOUBLE_EQ);
+    					break;
+    				case 2: // just the last 4 bits of prev
+	    				os.write(codeset[(prev & 0xF)<<2]);
+	    				if(endEquals)os.write('=');
+	    				break;
+    			}
+    			idx = 0;
+    		}
+    		
+    	} while(go);
+    }
+
+    public void decode(InputStream is, OutputStream os, int skip) throws IOException {
+    	is.skip(skip);
+    	decode(is,os);
+    }
+
+    /**
+	 * Decode InputStream onto OutputStream
+	 * @param is
+	 * @param os
+	 * @throws IOException
+	 */
+    public void decode(InputStream is, OutputStream os) throws IOException {
+	   int read, idx=0;
+	   int prev=0, index;
+	   	while((read = is.read())>=0) {
+	   		index = convert.convert(read);
+	   		if(index>=0) {
+	    		switch(++idx) { // 1 based cases, slightly faster ++
+	    			case 1: // index goes into first 6 bits of prev
+	    				prev = index<<2; 
+	    				break;
+	    			case 2: // write second 2 bits of into prev, write byte, last 4 bits go into prev
+	    				os.write((byte)(prev|(index>>4)));
+	    				prev = index<<4;
+	    				break;
+	    			case 3: // first 4 bits of index goes into prev, write byte, last 2 bits go into prev
+	    				os.write((byte)(prev|(index>>2)));
+	    				prev = index<<6;
+	    				break;
+	    			default: // (3+) | prev and last six of index
+	    				os.write((byte)(prev|(index&0x3F)));
+	    				idx = prev = 0;
+	    		}
+	   		}
+	   	};
+	   	os.flush();
+   }
+   
+   /**
+    * Interface to allow this class to choose which algorithm to find index of character in Key
+    *
+    */
+   private interface Convert {
+	   public int convert(int read) throws IOException;
+   }
+
+   /**
+    * Ordered uses a range of orders to compare against, rather than requiring the investigation
+    * of every character needed.
+    *
+    */
+   private static final class Ordered implements Convert {
+	   private int[][] range;
+	   public Ordered(int[][] range) {
+		   this.range = range;
+	   }
+	   public int convert(int read) throws IOException {
+		   switch(read) {
+			   case -1: 
+			   case '=':
+			   case '\n': 
+				   return -1;
+		   }
+		   for(int i=0;i<range.length;++i) {
+			   if(read >= range[i][0] && read<=range[i][1]) {
+				   return read-range[i][2];
+			   }
+		   }
+		   throw new IOException("Unacceptable Character in Stream");
+	   }
+   }
+   
+   /**
+    * Unordered, i.e. the key is purposely randomized, simply has to investigate each character
+    * until we find a match.
+    *
+    */
+   private static final class Unordered implements Convert {
+	   private char[] codec;
+	   public Unordered(char[] codec) {
+		   this.codec = codec;
+	   }
+	   public int convert(int read) throws IOException {
+		   switch(read) {
+			   case -1: 
+			   case '=':
+			   case '\n': 
+				   return -1;
+		   }
+		   for(int i=0;i<codec.length;++i) {
+			   if(codec[i]==read)return i;
+		   }
+		  // don't give clue in Encryption mode
+		  throw new IOException("Unacceptable Character in Stream");
+	   }
+   }
+
+   /**
+    * Generate a 2048 based Key from which we extract our code base
+    * 
+    * @return
+    * @throws IOException
+    */
+   public byte[] keygen() throws IOException {
+		byte inkey[] = new byte[0x600];
+		new SecureRandom().nextBytes(inkey);
+		ByteArrayOutputStream baos = new ByteArrayOutputStream(0x800);
+		base64url.encode(new ByteArrayInputStream(inkey), baos);
+		return baos.toByteArray();
+   }
+   
+   // A class allowing us to be less predictable about significant digits (i.e. not picking them up from the
+   // beginning, and not picking them up in an ordered row.  Gives a nice 2048 with no visible patterns.
+   private class Obtain {
+	   private int last;
+	   private int skip;
+	   private int length;
+	   private byte[] key;
+  
+	   private Obtain(Symm b64, byte[] key) {
+		   skip = Math.abs(key[key.length-13]%key.length);
+		   if((key.length&0x1) == (skip&0x1)) { // if both are odd or both are even
+			   ++skip;
+		   }
+		   length = b64.codeset.length;
+		   last = 17+length%59; // never start at beginning
+		   this.key = key;
+	   }
+	   
+	   private int next() {
+  		   return Math.abs(key[(++last*skip)%key.length])%length;
+	   }
+   };
+  
+   /**
+    * Obtain a Symm from "keyfile" (Config.KEYFILE) property
+    * 
+    * @param acesss
+    * @return
+    */
+   public static Symm obtain(Access access) {
+		Symm symm = Symm.baseCrypt();
+
+		String keyfile = access.getProperty(Config.CADI_KEYFILE,null);
+		if(keyfile!=null) {
+			File file = new File(keyfile);
+			try {
+				access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getCanonicalPath());
+			} catch (IOException e1) {
+				access.log(Level.INIT, Config.CADI_KEYFILE,"points to",file.getAbsolutePath());
+			}
+			if(file.exists()) {
+				try {
+					FileInputStream fis = new FileInputStream(file);
+					try {
+						symm = Symm.obtain(fis);
+					} finally {
+						try {
+						   fis.close();
+						} catch (IOException e) {
+						}
+					}
+				} catch (IOException e) {
+					access.log(e, "Cannot load keyfile");
+				}
+			}
+		}
+		return symm;
+   }
+  /**
+   *  Create a new random key 
+   */
+  public Symm obtain() throws IOException {
+		byte inkey[] = new byte[0x800];
+		new SecureRandom().nextBytes(inkey);
+		return obtain(inkey);
+  }
+  
+  /**
+   * Obtain a Symm from 2048 key from a String
+   * 
+   * @param key
+   * @return
+   * @throws IOException
+   */
+  public static Symm obtain(String key) throws IOException {
+	  return obtain(new ByteArrayInputStream(key.getBytes()));
+  }
+  
+  /**
+   * Obtain a Symm from 2048 key from a Stream
+   * 
+   * @param is
+   * @return
+   * @throws IOException
+   */
+  public static Symm obtain(InputStream is) throws IOException {
+	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  try {
+		  base64url.decode(is, baos);
+	  } catch (IOException e) {
+		  // don't give clue
+		  throw new IOException("Invalid Key");
+	  }
+	  byte[] bkey = baos.toByteArray();
+	  if(bkey.length<0x88) { // 2048 bit key
+		  throw new IOException("Invalid key");
+	  }
+	  return baseCrypt().obtain(bkey);
+  }
+
+  /**
+   * Convenience for picking up Keyfile
+   * 
+   * @param f
+   * @return
+   * @throws IOException
+   */
+  public static Symm obtain(File f) throws IOException {
+	  FileInputStream fis = new FileInputStream(f);
+	  try {
+		  return obtain(fis);
+	  } finally {
+		  fis.close();
+	  }
+  }
+  /**
+   * Decrypt into a String
+   *
+   *  Convenience method
+   * 
+   * @param password
+   * @return
+   * @throws IOException
+   */
+  public String enpass(String password) throws IOException {
+	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  enpass(password,baos);
+	  return new String(baos.toByteArray());
+  }
+
+  /**
+   * Create an encrypted password, making sure that even short passwords have a minimum length.
+   * 
+   * @param password
+   * @param os
+   * @throws IOException
+   */
+  public void enpass(final String password, final OutputStream os) throws IOException {
+		final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		DataOutputStream dos = new DataOutputStream(baos);
+		byte[] bytes = password.getBytes();
+		if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization
+			dos.write(bytes);
+		} else {
+			
+			Random r = new SecureRandom();
+			int start = 0;
+			byte b;
+			for(int i=0;i<3;++i) {
+				dos.writeByte(b=(byte)r.nextInt());
+				start+=Math.abs(b);
+			}
+			start%=0x7;
+			for(int i=0;i<start;++i) {
+				dos.writeByte(r.nextInt());
+			}
+			dos.writeInt((int)System.currentTimeMillis());
+			int minlength = Math.min(0x9,bytes.length);
+			dos.writeByte(minlength); // expect truncation
+			if(bytes.length<0x9) {
+				for(int i=0;i<bytes.length;++i) {
+					dos.writeByte(r.nextInt());
+					dos.writeByte(bytes[i]);
+				}
+				// make sure it's long enough
+				for(int i=bytes.length;i<0x9;++i) {
+					dos.writeByte(r.nextInt());
+				}
+			} else {
+				dos.write(bytes);
+			}
+		}
+		
+		// 7/21/2016 jg add AES Encryption to the mix
+		exec(new AESExec() {
+			@Override
+			public void exec(AES aes) throws IOException {
+				CipherInputStream cis = aes.inputStream(new ByteArrayInputStream(baos.toByteArray()), true);
+				try {
+					encode(cis,os);
+				} finally {
+					os.flush();
+					cis.close();
+				}
+			}
+		});
+		synchronized(ENC) {
+		}
+	}
+
+  /**
+   * Decrypt a password into a String
+   * 
+   * Convenience method
+   * 
+   * @param password
+   * @return
+   * @throws IOException
+   */
+  public String depass(String password) throws IOException {
+	  if(password==null)return null;
+	  ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  depass(password,baos);
+	  return new String(baos.toByteArray());
+  }
+  
+  /**
+   * Decrypt a password
+   * 
+   * Skip Symm.ENC
+   * 
+   * @param password
+   * @param os
+   * @return
+   * @throws IOException
+   */
+  public long depass(final String password, final OutputStream os) throws IOException {
+	  int offset = password.startsWith(ENC)?4:0;
+	  final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+	  final ByteArrayInputStream bais =  new ByteArrayInputStream(password.getBytes(),offset,password.length()-offset);
+	  exec(new AESExec() {
+		@Override
+		public void exec(AES aes) throws IOException {
+			  CipherOutputStream cos = aes.outputStream(baos, false);
+			  decode(bais,cos);
+			  cos.close(); // flush
+		}
+	  });
+	  byte[] bytes = baos.toByteArray();
+	  DataInputStream dis = new DataInputStream(new ByteArrayInputStream(bytes));
+	  long time;
+	  if(this.getClass().getSimpleName().startsWith("base64")) { // don't expose randomization
+		  os.write(bytes);
+		  time = 0L;
+	  } else {
+		  int start=0;
+		  for(int i=0;i<3;++i) {
+			  start+=Math.abs(dis.readByte());
+		  }
+		  start%=0x7;
+		  for(int i=0;i<start;++i) {
+			  dis.readByte();
+		  }
+		  time = (dis.readInt() & 0xFFFF)|(System.currentTimeMillis()&0xFFFF0000);
+		  int minlength = dis.readByte();
+		  if(minlength<0x9){
+			DataOutputStream dos = new DataOutputStream(os);
+			for(int i=0;i<minlength;++i) {
+				dis.readByte();
+				dos.writeByte(dis.readByte());
+			}
+		  } else {
+			  int pre =((Byte.SIZE*3+Integer.SIZE+Byte.SIZE)/Byte.SIZE)+start; 
+			  os.write(bytes, pre, bytes.length-pre);
+		  }
+	  }
+	  return time;
+  }
+
+  public static String randomGen(int numBytes) {
+	  return randomGen(passChars,numBytes);  
+  }
+  
+  public static String randomGen(char[] chars ,int numBytes) {
+	    int rint;
+	    StringBuilder sb = new StringBuilder(numBytes);
+	    for(int i=0;i<numBytes;++i) {
+	    	rint = random.nextInt(chars.length);
+	    	sb.append(chars[rint]);
+	    }
+	    return sb.toString();
+  }
+  // Internal mechanism for helping to randomize placement of characters within a Symm codeset
+  // Based on an incoming data stream (originally created randomly, but can be recreated within 
+  // 2048 key), go after a particular place in the new codeset.  If that codeset spot is used, then move
+  // right or left (depending on iteration) to find the next available slot.  In this way, key generation 
+  // is speeded up by only enacting N iterations, but adds a spreading effect of the random number stream, so that keyset is also
+  // shuffled for a good spread. It is, however, repeatable, given the same number set, allowing for 
+  // quick recreation when the official stream is actually obtained.
+  public Symm obtain(byte[] key) throws IOException {
+	  try {
+		byte[] bytes = new byte[AES.AES_KEY_SIZE/8];
+		int offset = (Math.abs(key[(47%key.length)])+137)%(key.length-bytes.length);
+		for(int i=0;i<bytes.length;++i) {
+			bytes[i] = key[i+offset];
+		}
+
+	  	aes = new AES(bytes,0,bytes.length);
+	  } catch (Exception e) {
+		  throw new IOException(e);
+	  }
+		int filled = codeset.length;
+		char[] seq = new char[filled];
+		int end = filled--;
+		
+		boolean right = true;
+		int index;
+		Obtain o = new Obtain(this,key);
+		
+		while(filled>=0) {
+			index = o.next();
+			if(index<0 || index>=codeset.length) {
+				System.out.println("uh, oh");
+			}
+			if(right) { // alternate going left or right to find the next open slot (keeps it from taking too long to hit something) 
+				for(int j=index;j<end;++j) {
+					if(seq[j]==0) {
+						seq[j]=codeset[filled];
+						--filled;
+						break;
+					}
+				}
+				right = false;
+			} else {
+				for(int j=index;j>=0;--j) {
+					if(seq[j]==0) {
+						seq[j]=codeset[filled];
+						--filled;
+						break;
+					}
+				}
+				right = true;
+			}
+		}
+		return new Symm(seq,this);
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Taf.java b/core/src/main/java/org/onap/aaf/cadi/Taf.java
new file mode 100644
index 0000000..d4b2211
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Taf.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import org.onap.aaf.cadi.taf.TafResp;
+
+
+/**
+ * TAF - Transmutative Assertion Framework.  
+ * 
+ * This main Interface embodies the essential of the assertion, where a number of different TAFs might be used to authenticate
+ * and that authentication to be recognized through other elements.
+ * 
+ * Concept by Robert Garskof.  Implemented by Jonathan Gathman
+ *  
+ *
+ */
+public interface Taf {
+	enum LifeForm {CBLF, SBLF, LFN};
+	/**
+	 * The lifeForm param is a humorous way of describing whether the interaction is proceeding from direct Human Interaction via a browser 
+	 * or App which can directly query a memorized password, key sequence, bio-feedback, from that user, or a machine mechanism for which identity
+	 * can more easily be determined by Certificate, Mechanical ID/Password etc.  Popularized in modern culture and Science Fiction (especially 
+	 * Star Trek), we (starting with Robert Garskof) use the terms "Carbon Based Life Form" (CBLF) for mechanisms with people at the end of them, or 
+	 * "Silicon Based Life Forms" (SBLF) to indicate machine only interactions.  I have added "LFN" for (Life-Form Neutral) to aid identifying
+	 * processes for which it doesn't matter whether there is a human at the immediate end of the chain, or cannot be determined mechanically.  
+	 * 
+	 * The variable parameter is not necessarily ideal, but with too many unknown Tafs to be created, flexibility,
+	 * is unfortunately required at this point.  Future versions could lock this down more.  JG 10/18/2012
+	 * 
+	 * @param lifeForm
+	 * @param info
+	 * @return
+	 */
+	public TafResp validate(LifeForm reading, String ... info);
+	
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/Transmutate.java b/core/src/main/java/org/onap/aaf/cadi/Transmutate.java
new file mode 100644
index 0000000..950f28f
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/Transmutate.java
@@ -0,0 +1,45 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.security.Principal;
+
+/**
+ * The unique element of TAF is that we establish the relationship/mechanism to mutate the Principal derived from
+ * one Authentication mechanism into a trustable Principal of another.  The mechanism needs to be decided by system
+ * trusting.  
+ * 
+ * The Generic "T" is used so that the code used will be very specific for the implementation, enforced by Compiler
+ * 
+ * This interface will allow differences of trusting Transmutation of Authentication 
+ *
+ */
+public interface Transmutate<T> {
+	/**
+	 * Mutate the (assumed validated) Principal into the expected Principal name to be used to construct
+	 * 
+	 * @param p
+	 * @return
+	 */
+	public T mutate(Principal p);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java b/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java
new file mode 100644
index 0000000..feade74
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/TrustChecker.java
@@ -0,0 +1,53 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.onap.aaf.cadi.taf.TafResp;
+
+/**
+ * Change to another Principal based on Trust of caller and User Chain (if desired)
+ * 
+ *
+ */
+public interface TrustChecker {
+	public TafResp mayTrust(TafResp tresp, HttpServletRequest req);
+	
+	/**
+	 * A class that trusts no-one else, so just return same TResp
+	 */
+	public static TrustChecker NOTRUST = new TrustChecker() {
+		@Override
+		public TafResp mayTrust(TafResp tresp, HttpServletRequest req) {
+			return tresp;
+		}
+
+		@Override
+		public void setLur(Lur lur) {
+		}
+	};
+
+	public void setLur(Lur lur);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/User.java b/core/src/main/java/org/onap/aaf/cadi/User.java
new file mode 100644
index 0000000..372e9bc
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/User.java
@@ -0,0 +1,144 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.onap.aaf.cadi.lur.LocalPermission;
+
+/**
+ * Class to hold info from the User Perspective.
+ * 
+ *
+ */
+public final class User<PERM extends Permission> {
+	private static Map<String,Permission> NULL_MAP = new HashMap<String,Permission>();
+	public Principal principal;
+	Map<String, Permission> perms ;
+	long permExpires;
+	private final long interval;
+	int count;
+	
+	// Note: This should only be used for Local RBAC (in memory)
+	public User(Principal principal) {
+		this.principal = principal;
+		perms = NULL_MAP;
+		permExpires = Long.MAX_VALUE; // Never.  Well, until 64 bits of millis since 1970 expires...
+		interval = 0L;
+		count = 0;
+	}
+
+	public User(Principal principal, long expireInterval) {
+		this.principal = principal;
+		perms = NULL_MAP;
+		expireInterval = Math.max(expireInterval, 0); // avoid < 1
+		interval = Math.max(AbsUserCache.MIN_INTERVAL,Math.min(expireInterval,AbsUserCache.MAX_INTERVAL));
+		permExpires = 0;
+		count = 0;
+	}
+	
+	public void renewPerm() {
+		permExpires = System.currentTimeMillis()+interval;
+	}
+	
+	public long permExpires() {
+		return permExpires;
+	}
+	
+	public boolean permExpired() {
+		return System.currentTimeMillis() > permExpires;
+	}
+
+	public boolean noPerms() {
+		return perms==null || perms.values().size()==0; 
+	}
+	
+	public void setNoPerms() {
+		perms=NULL_MAP;
+		permExpires = System.currentTimeMillis() + interval;
+	}
+
+	public boolean permsUnloaded() {
+		return perms==null;
+	}
+
+	public synchronized void incCount() {
+		++count;
+	}
+	
+	public synchronized void resetCount() {
+		count=0;
+	}
+	
+	public Map<String,Permission> newMap() {
+		return new ConcurrentHashMap<String,Permission>();
+	}
+
+	public void add(LocalPermission permission) {
+		if(perms==NULL_MAP)perms=newMap();
+		perms.put(permission.getKey(),permission);
+	}
+
+	public void add(Map<String, Permission> newMap, PERM permission) {
+		newMap.put(permission.getKey(),permission);
+	}
+
+	public void setMap(Map<String, Permission> newMap) {
+		perms = newMap;
+	}
+
+	public boolean contains(Permission perm) {
+		for (Permission p : perms.values()) {
+			if (p.match(perm)) return true;
+		}
+		return false;
+	}
+	
+	public void copyPermsTo(List<Permission> sink) {
+		sink.addAll(perms.values());
+	}
+	
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		sb.append(principal.getName());
+		sb.append('|');
+		boolean first = true;
+		synchronized(perms) {
+			for(Permission gp : perms.values()) {
+				if(first) {
+					first = false;
+					sb.append(':');
+				} else {
+					sb.append(',');
+				}
+				sb.append(gp.getKey());
+			}
+		}
+		return sb.toString();
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/UserChain.java b/core/src/main/java/org/onap/aaf/cadi/UserChain.java
new file mode 100644
index 0000000..ac04792
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/UserChain.java
@@ -0,0 +1,43 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+/**
+ * Interface to add a User Chain String to Principal
+ * 
+ * 
+ * 
+ *  Where
+ *  APP is name suitable for Logging (i.e. official App Acronym) 
+ *  ID is official User or MechID, best if includes Identity Source (i.e. ab1234@csp.att.com)
+ *  Protocol is the Security protocol,
+ *  
+ *  Format:<ID>:<APP>:<protocol>[:AS][,<ID>:<APP>:<protocol>]*
+ *  
+ * 
+ *
+ */
+public interface UserChain  {
+	public enum Protocol {BasicAuth,Cookie,Cert,OAuth};
+	public String userChain();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/Config.java b/core/src/main/java/org/onap/aaf/cadi/config/Config.java
new file mode 100644
index 0000000..4128665
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/Config.java
@@ -0,0 +1,815 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.net.InetAddress;
+import java.net.URI;
+import java.net.UnknownHostException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map.Entry;
+
+import org.onap.aaf.cadi.AbsUserCache;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CachingLur;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.lur.EpiLur;
+import org.onap.aaf.cadi.lur.LocalLur;
+import org.onap.aaf.cadi.lur.NullLur;
+import org.onap.aaf.cadi.taf.HttpEpiTaf;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.basic.BasicHttpTaf;
+import org.onap.aaf.cadi.taf.cert.X509Taf;
+import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
+
+import java.util.Properties;
+import java.util.TimerTask;
+
+/**
+ * Create a Consistent Configuration mechanism, even when configuration styles are as vastly different as
+ * Properties vs JavaBeans vs FilterConfigs...
+ * 
+ *
+ */
+public class Config {
+
+	private static final String HIDE_PASS = "***************";
+
+	public static final String UTF_8 = "UTF-8";
+
+	// Property Names associated with configurations.
+	// As of 1.0.2, these have had the dots removed so as to be compatible with JavaBean style
+	// configurations as well as property list style.
+	public static final String HOSTNAME = "hostname";
+	public static final String CADI_PROP_FILES = "cadi_prop_files"; // Additional Properties files (separate with ;)
+	public static final String CADI_LOGLEVEL = "cadi_loglevel";
+	public static final String CADI_LOGNAME = "cadi_logname";
+	public static final String CADI_KEYFILE = "cadi_keyfile";
+	public static final String CADI_KEYSTORE = "cadi_keystore";
+	public static final String CADI_KEYSTORE_PASSWORD = "cadi_keystore_password";
+	public static final String CADI_ALIAS = "cadi_alias";
+	public static final String CADI_LOGINPAGE_URL = "cadi_loginpage_url";
+
+	public static final String CADI_KEY_PASSWORD = "cadi_key_password";
+	public static final String CADI_TRUSTSTORE = "cadi_truststore";
+	public static final String CADI_TRUSTSTORE_PASSWORD = "cadi_truststore_password";
+	public static final String CADI_X509_ISSUERS = "cadi_x509_issuers";
+	public static final String CADI_TRUST_MASKS="cadi_trust_masks";
+	public static final String CADI_TRUST_PERM="cadi_trust_perm"; //  IDs with this perm can utilize the "AS " user concept
+	public static final String CADI_PROTOCOLS = "cadi_protocols";
+	public static final String CADI_NOAUTHN = "cadi_noauthn";
+	public static final String CADI_LOC_LIST = "cadi_loc_list";
+	
+	public static final String CADI_USER_CHAIN_TAG = "cadi_user_chain";
+	public static final String CADI_USER_CHAIN = "USER_CHAIN";
+
+	
+	
+	public static final String CSP_DOMAIN = "csp_domain";
+	public static final String CSP_HOSTNAME = "csp_hostname";
+	public static final String CSP_DEVL_LOCALHOST = "csp_devl_localhost";
+	public static final String CSP_USER_HEADER = "CSP_USER";
+	public static final String CSP_SYSTEMS_CONF = "CSPSystems.conf";
+    public static final String CSP_SYSTEMS_CONF_FILE = "csp_systems_conf_file";
+
+
+	public static final String TGUARD_ENV="tguard_env";
+	public static final String TGUARD_DOMAIN = "tguard_domain";
+	public static final String TGUARD_TIMEOUT = "tguard_timeout";
+	public static final String TGUARD_TIMEOUT_DEF = "5000";
+	public static final String TGUARD_CERTS = "tguard_certs"; // comma delimited SHA-256 finger prints
+//	public static final String TGUARD_DEVL_LOCALHOST = "tguard_devl_localhost";
+//	public static final String TGUARD_USER_HEADER = "TGUARD_USER";
+
+	public static final String LOCALHOST_ALLOW = "localhost_allow";
+	public static final String LOCALHOST_DENY = "localhost_deny";
+	
+	public static final String BASIC_REALM = "basic_realm";  // what is sent to the client 
+	public static final String BASIC_WARN = "basic_warn";  // Warning of insecure channel 
+	public static final String USERS = "local_users";
+	public static final String GROUPS = "local_groups";
+	public static final String WRITE_TO = "local_writeto"; // dump RBAC to local file in Tomcat Style (some apps use)
+	
+	public static final String AAF_ENV = "aaf_env";
+	public static final String AAF_ROOT_NS = "aaf_root_ns";
+	public static final String AAF_ROOT_COMPANY = "aaf_root_company";
+	public static final String AAF_URL = "aaf_url"; //URL for AAF... Use to trigger AAF configuration
+	public static final String AAF_MECHID = "aaf_id";
+	public static final String AAF_MECHPASS = "aaf_password";
+	public static final String AAF_LUR_CLASS = "aaf_lur_class";
+	public static final String AAF_TAF_CLASS = "aaf_taf_class";
+	public static final String AAF_CONNECTOR_CLASS = "aaf_connector_class";
+	public static final String AAF_LOCATOR_CLASS = "aaf_locator_class";
+	public static final String AAF_CONN_TIMEOUT = "aaf_conn_timeout";
+	public static final String AAF_CONN_TIMEOUT_DEF = "3000";
+	public static final String AAF_READ_TIMEOUT = "aaf_timeout";
+	public static final String AAF_READ_TIMEOUT_DEF = "5000";
+	public static final String AAF_USER_EXPIRES = "aaf_user_expires";
+	public static final String AAF_USER_EXPIRES_DEF = "600000"; // Default is 10 mins
+	public static final String AAF_CLEAN_INTERVAL = "aaf_clean_interval";
+	public static final String AAF_CLEAN_INTERVAL_DEF = "30000"; // Default is 30 seconds
+	public static final String AAF_REFRESH_TRIGGER_COUNT = "aaf_refresh_trigger_count";
+	public static final String AAF_REFRESH_TRIGGER_COUNT_DEF = "3"; // Default is 10 mins
+	
+	public static final String AAF_HIGH_COUNT = "aaf_high_count";
+	public static final String AAF_HIGH_COUNT_DEF = "1000"; // Default is 1000 entries
+	public static final String AAF_PERM_MAP = "aaf_perm_map";
+	public static final String AAF_DEPLOYED_VERSION = "DEPLOYED_VERSION";
+	public static final String AAF_CERT_IDS = "aaf_cert_ids";
+	public static final String AAF_DEBUG_IDS = "aaf_debug_ids"; // comma delimited
+	
+	public static final String GW_URL = "gw_url";
+	public static final String CM_URL = "cm_url";
+	public static final String CM_TRUSTED_CAS = "cm_trusted_cas";
+
+	public static final String PATHFILTER_URLPATTERN = "pathfilter_urlpattern";
+	public static final String PATHFILTER_STACK = "pathfilter_stack";
+	public static final String PATHFILTER_NS = "pathfilter_ns";
+	public static final String PATHFILTER_NOT_AUTHORIZED_MSG = "pathfilter_not_authorized_msg";
+
+	public static final String AFT_DME2_TRUSTSTORE_PASSWORD = "AFT_DME2_TRUSTSTORE_PASSWORD";
+	public static final String AFT_DME2_TRUSTSTORE = "AFT_DME2_TRUSTSTORE";
+	public static final String AFT_DME2_KEYSTORE_PASSWORD = "AFT_DME2_KEYSTORE_PASSWORD";
+	public static final String AFT_DME2_KEY_PASSWORD = "AFT_DME2_KEY_PASSWORD";
+	public static final String AFT_DME2_KEYSTORE = "AFT_DME2_KEYSTORE";
+	public static final String AFT_DME2_SSL_TRUST_ALL = "AFT_DME2_SSL_TRUST_ALL";
+	public static final String AFT_DME2_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_SSL_INCLUDE_PROTOCOLS";
+
+
+	// DME2 Client.  First property must be set to "false", and the others set in order to use SSL Client
+	public static final String AFT_DME2_CLIENT_IGNORE_SSL_CONFIG="AFT_DME2_CLIENT_IGNORE_SSL_CONFIG";
+	public static final String AFT_DME2_CLIENT_KEYSTORE = "AFT_DME2_CLIENT_KEYSTORE";
+	public static final String AFT_DME2_CLIENT_KEYSTORE_PASSWORD = "AFT_DME2_CLIENT_KEYSTORE_PASSWORD";
+	public static final String AFT_DME2_CLIENT_TRUSTSTORE = "AFT_DME2_CLIENT_TRUSTSTORE";
+	public static final String AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD = "AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD";
+	public static final String AFT_DME2_CLIENT_SSL_CERT_ALIAS = "AFT_DME2_CLIENT_SSL_CERT_ALIAS"; 
+	public static final String AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS = "AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS";
+
+	
+	// This one should go unpublic
+	public static final String AAF_DEFAULT_REALM = "aaf_default_realm";
+	private static String defaultRealm="none";
+
+	public static final String AAF_DOMAIN_SUPPORT = "aaf_domain_support";
+	//public static final String AAF_DOMAIN_SUPPORT_DEF = ".com";
+	public static final String AAF_DOMAIN_SUPPORT_DEF = ".org";
+
+
+	public static void setDefaultRealm(Access access) throws CadiException {
+		try {
+			boolean hasCSP;
+			try {
+				Class.forName("com.att.cadi.taf.csp.CSPTaf");
+				hasCSP=true;
+			} catch(ClassNotFoundException e) {
+				hasCSP = logProp(access,Config.CSP_DOMAIN, null)!=null;
+			}
+			defaultRealm = logProp(access,Config.AAF_DEFAULT_REALM,
+					hasCSP?"csp.att.com":
+					logProp(access,Config.BASIC_REALM,
+						logProp(access,HOSTNAME,InetAddress.getLocalHost().getHostName())
+						)
+					);
+		} catch (UnknownHostException e) {
+			//defaultRealm="none";
+		}
+	}
+	
+
+	public static HttpTaf configHttpTaf(Access access, TrustChecker tc, CredVal up, Lur lur, Object ... additionalTafLurs) throws CadiException {
+		/////////////////////////////////////////////////////
+		// Setup AAFCon for any following
+		/////////////////////////////////////////////////////
+		Object aafcon = null;
+		if(lur != null) {
+			Field f = null;
+			try {
+				f = lur.getClass().getField("aaf");
+				aafcon = f.get(lur);
+			} catch (Exception nsfe) {
+			}
+		}
+		// IMPORTANT!  Don't attempt to load AAF Connector if there is no AAF URL
+		String aafURL = access.getProperty(AAF_URL,null);
+		if(aafcon==null && aafURL!=null) {
+			aafcon = loadAAFConnector(access, aafURL);	
+		}
+		
+		HttpTaf taf;
+		// Setup Host, in case Network reports an unusable Hostname (i.e. VTiers, VPNs, etc)
+		String hostname = logProp(access, HOSTNAME,null);
+		if(hostname==null) {
+			try {
+				hostname = InetAddress.getLocalHost().getHostName();
+			} catch (UnknownHostException e1) {
+				throw new CadiException("Unable to determine Hostname",e1);
+			}
+		}
+		
+		access.log(Level.INIT, "Hostname set to",hostname);
+		// Get appropriate TAFs
+		ArrayList<HttpTaf> htlist = new ArrayList<HttpTaf>();
+
+		/////////////////////////////////////////////////////
+		// Add a Denial of Service TAF
+		// Note: how IPs and IDs are added are up to service type.
+		// They call "DenialOfServiceTaf.denyIP(String) or denyID(String)
+		/////////////////////////////////////////////////////
+		htlist.add(new DenialOfServiceTaf(access));
+
+		/////////////////////////////////////////////////////
+		// Configure LocalHost 
+		/////////////////////////////////////////////////////
+		
+		String truststore = logProp(access, CADI_TRUSTSTORE, access.getProperty("AFT_DME2_TRUSTSTORE", null));
+		if(truststore!=null) {
+			String truststore_pwd = access.getProperty(CADI_TRUSTSTORE_PASSWORD, access.getProperty("AFT_DME2_TRUSTSTORE_PASSWORD",null));
+			if(truststore_pwd!=null) {
+				if(truststore_pwd.startsWith(Symm.ENC)) {
+					try {
+						truststore_pwd = access.decrypt(truststore_pwd,false);
+					} catch (IOException e) {
+						throw new CadiException(CADI_TRUSTSTORE_PASSWORD + " cannot be decrypted",e);
+					}
+				}
+				try {
+					htlist.add(new X509Taf(access,lur));
+					access.log(Level.INIT,"Certificate Authorization enabled");
+				} catch (SecurityException e) {
+					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
+				} catch (IllegalArgumentException e) {
+					access.log(Level.INIT,"AAFListedCertIdentity cannot be instantiated. Certificate Authorization is now disabled",e);
+				} catch (CertificateException e) {
+					access.log(Level.INIT,"Certificate Authorization failed, it is disabled",e);
+				} catch (NoSuchAlgorithmException e) {
+					access.log(Level.INIT,"Certificate Authorization failed, wrong Security Algorithm",e);
+				}
+			}
+		} else {
+			access.log(Level.INIT,"Certificate Authorization not enabled");
+		}
+		
+		/////////////////////////////////////////////////////
+		// Configure Basic Auth (local content)
+		/////////////////////////////////////////////////////
+		String basic_realm = logProp(access, BASIC_REALM,null);
+		boolean basic_warn = "TRUE".equals(access.getProperty(BASIC_WARN,"FALSE"));
+		if(basic_realm!=null && up!=null) {
+			access.log(Level.INIT,"Basic Authorization is enabled using realm",basic_realm);
+			// Allow warning about insecure channel to be turned off
+			if(!basic_warn)access.log(Level.INIT,"WARNING! The basic_warn property has been set to false.",
+					" There will be no additional warning if Basic Auth is used on an insecure channel"
+					);
+			String aafCleanup = logProp(access, AAF_USER_EXPIRES,AAF_USER_EXPIRES_DEF); // Default is 10 mins
+			long userExp = Long.parseLong(aafCleanup);
+
+			htlist.add(new BasicHttpTaf(access, up, basic_realm, userExp, basic_warn));
+		} else {
+			access.log(Level.INIT,"Local Basic Authorization is disabled.  Enable by setting basic_realm=<appropriate realm, i.e. my.att.com>");
+		}
+		
+		/////////////////////////////////////////////////////
+		// Configure AAF Driven Basic Auth
+		/////////////////////////////////////////////////////
+		boolean getRemoteAAF = true;
+		if(additionalTafLurs!=null) {
+			for(Object o : additionalTafLurs) {
+				if(o.getClass().getSimpleName().equals("DirectAAFLur")) {
+					getRemoteAAF = false;
+					break;
+				}
+			}
+		}
+		HttpTaf aaftaf=null;
+		if(getRemoteAAF) {
+			if(aafcon==null) {
+				access.log(Level.INIT,"AAF Connection (AAFcon) is null.  Cannot create an AAF TAF");
+			} else if(aafURL==null) {
+				access.log(Level.INIT,"No AAF URL in properties, Cannot create an AAF TAF");
+			} else {// There's an AAF_URL... try to configure an AAF 
+				String defName = aafURL.contains("version=2.0")?"com.att.cadi.aaf.v2_0.AAFTaf":"";
+				String aafTafClassName = logProp(access, AAF_TAF_CLASS,defName);
+				// Only 2.0 available at this time
+				if("com.att.cadi.aaf.v2_0.AAFTaf".equals(aafTafClassName)) { 
+					try {
+						Class<?> aafTafClass = loadClass(access,aafTafClassName);
+						Class<?> aafConClass = loadClass(access,"com.att.cadi.aaf.v2_0.AAFCon");
+	
+						Constructor<?> cstr = aafTafClass.getConstructor(aafConClass,boolean.class,AbsUserCache.class);
+						if(cstr!=null) {
+							aaftaf = (HttpTaf)cstr.newInstance(aafcon,basic_warn,lur);
+							if(aaftaf==null) {
+								access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");
+							} else {
+								access.log(Level.INIT,"AAF TAF Configured to ",aafURL);
+								// Note: will add later, after all others configured
+							}
+						}
+					} catch(Exception e) {
+						access.log(Level.INIT,"ERROR! AAF TAF Failed construction.  NOT Configured");
+					}
+				}
+			}
+		}
+		
+		
+		String alias = logProp(access, CADI_ALIAS,null);
+
+		/////////////////////////////////////////////////////
+		// Configure tGuard... (AT&T Client Repo)
+		/////////////////////////////////////////////////////
+		// TGUARD Environment, translated to any other remote Environment validation mechanism...
+		String tGuard_domain = logProp(access, TGUARD_DOMAIN,null);
+		String tGuard_env = logProp(access, TGUARD_ENV, null);
+
+		if(!("PROD".equals(tGuard_env) || "STAGE".equals(tGuard_env))) {
+			access.log(Level.INIT, "tGuard Authorization is disabled.  Enable by setting", TGUARD_ENV, "to \"PROD\" or \"STAGE\"");
+		} else if(tGuard_domain==null) {
+			access.log(Level.INIT,TGUARD_DOMAIN + " must be set:  tGuard Authorization is disabled.");
+		} else if(alias == null) {
+			access.log(Level.INIT,CADI_ALIAS + " must be set:  tGuard Authorization is disabled.");
+		} else {
+			try {
+				Class<?> tGuardClass = loadClass(access,"com.att.cadi.tguard.TGuardHttpTaf");
+				if(aaftaf!=null) {
+					Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, AbsUserCache.class});
+					htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {access,aaftaf}));
+					access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");
+				} else {
+					Constructor<?> tGuardCnst = tGuardClass.getConstructor(new Class[]{Access.class, int.class, int.class, int.class});
+					htlist.add((HttpTaf)tGuardCnst.newInstance(new Object[] {
+							access,
+							Integer.parseInt(logProp(access, AAF_CLEAN_INTERVAL,AAF_CLEAN_INTERVAL_DEF)),
+							Integer.parseInt(logProp(access, AAF_HIGH_COUNT, AAF_HIGH_COUNT_DEF)),
+							Integer.parseInt(logProp(access, AAF_REFRESH_TRIGGER_COUNT, AAF_REFRESH_TRIGGER_COUNT_DEF))
+							}));
+					access.log(Level.INIT,"tGuard Authorization is enabled on",tGuard_env,"on the",tGuard_domain," tGuard Domain");
+				}
+			} catch(Exception e) {
+				access.log(e, Level.INIT,"tGuard Class cannot be loaded:  tGuard Authorization is disabled.");
+			}
+		}
+		
+		/////////////////////////////////////////////////////
+		// Adding BasicAuth (AAF) last, after other primary Cookie Based
+		// Needs to be before Cert... see below
+		/////////////////////////////////////////////////////
+		if(aaftaf!=null) {
+			htlist.add(aaftaf);
+		}
+
+
+		/////////////////////////////////////////////////////
+		// Any Additional Lurs passed in Constructor
+		/////////////////////////////////////////////////////
+		if(additionalTafLurs!=null) {
+			for(Object additional : additionalTafLurs) {
+				if(additional instanceof HttpTaf) {
+					htlist.add((HttpTaf)additional);
+					access.log(Level.INIT,additional);
+				}
+			}
+		}
+
+		/////////////////////////////////////////////////////
+		// Create EpiTaf from configured TAFs
+		/////////////////////////////////////////////////////
+		if(htlist.size()==1) {
+			// just return the one
+			taf = htlist.get(0);
+		} else {
+			HttpTaf[] htarray = new HttpTaf[htlist.size()];
+			htlist.toArray(htarray);
+			Locator<URI> locator = loadLocator(access, logProp(access, CADI_LOGINPAGE_URL, null));
+			
+			taf = new HttpEpiTaf(access,locator, tc, htarray); // ok to pass locator == null
+			String level = logProp(access, CADI_LOGLEVEL, null);
+			if(level!=null) {
+				access.setLogLevel(Level.valueOf(level));
+			}
+		}
+		
+		return taf;
+	}
+	
+	public static String logProp(Access access,String tag, String def) {
+		String rv = access.getProperty(tag, def);
+		if(rv == null) {
+			access.log(Level.INIT,tag,"is not set");
+		} else {
+			access.log(Level.INIT,tag,"is set to",rv);
+		}
+		return rv;
+	}
+	
+	public static Lur configLur(Access access, Object ... additionalTafLurs) throws CadiException {
+		List<Lur> lurs = new ArrayList<Lur>();
+		
+		/////////////////////////////////////////////////////
+		// Configure a Local Property Based RBAC/LUR
+		/////////////////////////////////////////////////////
+		try {
+			String users = access.getProperty(USERS,null);
+			String groups = access.getProperty(GROUPS,null);
+
+			if(groups!=null || users!=null) {
+				LocalLur ll;
+				lurs.add(ll = new LocalLur(access, users, groups)); // note b64==null is ok.. just means no encryption.
+				
+				String writeto = access.getProperty(WRITE_TO,null);
+				if(writeto!=null) {
+					String msg = UsersDump.updateUsers(writeto, ll);
+					if(msg!=null) access.log(Level.INIT,"ERROR! Error Updating ",writeto,"with roles and users:",msg);
+				}
+			}
+		} catch (IOException e) {
+			throw new CadiException(e);
+		}
+		
+		/////////////////////////////////////////////////////
+		// Configure the AAF Lur (if any)
+		/////////////////////////////////////////////////////
+		String aafURL = logProp(access,AAF_URL,null); // Trigger Property
+		String aaf_env = access.getProperty(AAF_ENV,null);
+		if(aaf_env == null && aafURL!=null && access instanceof PropAccess) { // set AAF_ENV from AAF_URL
+			int ec = aafURL.indexOf("envContext=");
+			if(ec>0) {
+				ec += 11; // length of envContext=
+				int slash = aafURL.indexOf('/', ec);
+				if(slash>0) {
+					aaf_env = aafURL.substring(ec, slash);
+					((PropAccess)access).setProperty(AAF_ENV, aaf_env);
+					access.printf(Level.INIT, "Setting aaf_env to %s from aaf_url value",aaf_env);
+				}
+			}
+		}
+			
+		if(aafURL==null) {
+			access.log(Level.INIT,"No AAF LUR properties, AAF will not be loaded");
+		} else {// There's an AAF_URL... try to configure an AAF
+			String aafLurClassStr = logProp(access,AAF_LUR_CLASS,"com.att.cadi.aaf.v2_0.AAFLurPerm");
+			////////////AAF Lur 2.0 /////////////
+			if(aafLurClassStr.startsWith("com.att.cadi.aaf.v2_0")) { 
+				try {
+					Object aafcon = loadAAFConnector(access, aafURL);
+					if(aafcon==null) {
+						access.log(Level.INIT,"AAF LUR class,",aafLurClassStr,"cannot be constructed without valid AAFCon object.");
+					} else {
+						Class<?> aafAbsAAFCon = loadClass(access, "com.att.cadi.aaf.v2_0.AAFCon");
+						Method mNewLur = aafAbsAAFCon.getMethod("newLur");
+						Object aaflur = mNewLur.invoke(aafcon);
+	
+						if(aaflur==null) {
+							access.log(Level.INIT,"ERROR! AAF LUR Failed construction.  NOT Configured");
+						} else {
+							access.log(Level.INIT,"AAF LUR Configured to ",aafURL);
+							lurs.add((Lur)aaflur);
+							String debugIDs = logProp(access,Config.AAF_DEBUG_IDS, null);
+							if(debugIDs !=null && aaflur instanceof CachingLur) {
+								((CachingLur<?>)aaflur).setDebug(debugIDs);
+							}
+						}
+					}
+				} catch (Exception e) {
+					access.log(e,"AAF LUR class,",aafLurClassStr,"could not be constructed with given Constructors.");
+				}
+			} 
+		} 
+
+		/////////////////////////////////////////////////////
+		// Any Additional passed in Constructor
+		/////////////////////////////////////////////////////
+		if(additionalTafLurs!=null) {
+			for(Object additional : additionalTafLurs) {
+				if(additional instanceof Lur) {
+					lurs.add((Lur)additional);
+					access.log(Level.INIT, additional);
+				}
+			}
+		}
+
+		/////////////////////////////////////////////////////
+		// Return a Lur based on how many there are... 
+		/////////////////////////////////////////////////////
+		switch(lurs.size()) {
+			case 0: 
+				access.log(Level.INIT,"WARNING! No CADI LURs configured");
+				// Return a NULL Lur that does nothing.
+				return new NullLur();
+			case 1:
+				return lurs.get(0); // Only one, just return it, save processing
+			default:
+				// Multiple Lurs, use EpiLUR to handle
+				Lur[] la = new Lur[lurs.size()];
+				lurs.toArray(la);
+				return new EpiLur(la);
+		}
+	}
+	
+	private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2 = "com.att.cadi.aaf.v2_0.AAFConDME2";
+	private static final String COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP = "com.att.cadi.aaf.v2_0.AAFConHttp";
+	public static Object loadAAFConnector(Access access, String aafURL) {
+		Object aafcon = null;
+		Class<?> aafConClass = null;
+
+		try {
+			if(aafURL!=null) {
+				String aafConnector = access.getProperty(AAF_CONNECTOR_CLASS, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);
+				if(COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2.equals(aafConnector) || aafURL.contains("/service=")) {
+					aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_DME2);
+					if(aafConClass!=null) {
+						Constructor<?> cons = aafConClass.getConstructor(PropAccess.class);
+						aafcon = cons.newInstance(access);
+					} else {
+						access.log(Level.ERROR, "URL contains '/service=', which requires DME2");
+					}
+				} else if(COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP.equals(aafConnector)) {
+					aafConClass = loadClass(access, COM_ATT_CADI_AAF_V2_0_AAF_CON_HTTP);
+					for(Constructor<?> c : aafConClass.getConstructors()) {
+						List<Object> lo = new ArrayList<Object>();
+						for(Class<?> pc : c.getParameterTypes()) {
+							if(pc.equals(PropAccess.class)) {
+								lo.add(access);
+							} else if(pc.equals(Locator.class)) {
+								lo.add(loadLocator(access, aafURL));
+							} else {
+								continue;
+							}
+						}
+						if(c.getParameterTypes().length!=lo.size()) {
+							continue; // back to another Constructor
+						} else {
+							aafcon = c.newInstance(lo.toArray());
+						}
+						break;
+					}
+				}
+				if(aafcon!=null) {
+					String mechid = logProp(access,Config.AAF_MECHID, null);
+					String pass = access.getProperty(Config.AAF_MECHPASS, null);
+					if(mechid!=null && pass!=null) {
+						try {
+							Method basicAuth = aafConClass.getMethod("basicAuth", String.class, String.class);
+							basicAuth.invoke(aafcon, mechid,pass);
+						} catch (NoSuchMethodException nsme) {
+							// it's ok, don't use
+						}
+					}
+				}
+			}
+		} catch (Exception e) {
+			access.log(e,"AAF Connector could not be constructed with given Constructors.");
+		}
+		
+		return aafcon;
+	}
+
+	public static Class<?> loadClass(Access access, String className) {
+		Class<?> cls=null;
+		try {
+			cls = access.classLoader().loadClass(className);
+		} catch (ClassNotFoundException cnfe) {
+			try {
+				cls = access.getClass().getClassLoader().loadClass(className);
+			} catch (ClassNotFoundException cnfe2) {
+				// just return null
+			}
+		}
+		return cls;
+	}
+
+	@SuppressWarnings("unchecked")
+	public static Locator<URI> loadLocator(Access access, String url) {
+		Locator<URI> locator = null;
+		if(url==null) {
+			access.log(Level.INIT,"No URL for AAF Login Page. Disabled");
+		} else {
+			if(url.contains("DME2RESOLVE")) {
+				try {
+					Class<?> lcls = loadClass(access,"com.att.cadi.locator.DME2Locator");
+					Class<?> dmcls = loadClass(access,"com.att.aft.dme2.api.DME2Manager");
+					Constructor<?> cnst = lcls.getConstructor(new Class[] {Access.class,dmcls,String.class});
+					locator = (Locator<URI>)cnst.newInstance(new Object[] {access,null,url});
+					access.log(Level.INFO, "DME2Locator enabled with " + url);
+				} catch (Exception e) {
+					access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires DME2. It is now disabled",e);
+				}
+			} else {
+				try {
+					Class<?> cls = loadClass(access,"com.att.cadi.locator.PropertyLocator");
+					Constructor<?> cnst = cls.getConstructor(new Class[] {String.class});
+					locator = (Locator<URI>)cnst.newInstance(new Object[] {url});
+					access.log(Level.INFO, "PropertyLocator enabled with " + url);
+				} catch (Exception e) {
+					access.log(Level.INIT,"AAF Login Page accessed by " + url + " requires PropertyLocator. It is now disabled",e);
+				}
+			}
+		}
+		return locator;
+	}
+
+	/*
+	 * DME2 can only read Passwords as clear text properties.  Leaving in "System Properties" un-encrypted exposes these passwords
+	 */
+	public static class PasswordRemoval extends TimerTask {
+		private Access access;
+		
+		private final List<String> pws;
+
+		public PasswordRemoval(Access access) {
+			this.access = access;
+			pws = new ArrayList<String>();
+		}
+		
+		@Override
+		public void run() {
+			for(String key:pws) {
+				access.log(Level.INIT, "Scrubbing " + key);
+				System.clearProperty(key);
+			}
+		}		
+		public void add(String key) {
+			pws.add(key);
+		}
+	}
+
+	private static final String Y = "Y";
+
+	private static String[][] CONVERTER_STRINGS=new String[][] {
+			{AFT_DME2_KEYSTORE,CADI_KEYSTORE,null},
+			{AFT_DME2_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},
+			{AFT_DME2_KEY_PASSWORD,CADI_KEY_PASSWORD,null},
+			{AFT_DME2_TRUSTSTORE,CADI_TRUSTSTORE,null},
+			{AFT_DME2_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},
+			{AFT_DME2_CLIENT_KEYSTORE,CADI_KEYSTORE,null},
+			{AFT_DME2_CLIENT_KEYSTORE_PASSWORD,CADI_KEYSTORE_PASSWORD,null},
+			{AFT_DME2_CLIENT_TRUSTSTORE,CADI_TRUSTSTORE,null},
+			{AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD,CADI_TRUSTSTORE_PASSWORD,null},
+			{AFT_DME2_CLIENT_SSL_CERT_ALIAS,CADI_ALIAS,null},
+			{AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},
+			{"AFT_DME2_HOSTNAME",HOSTNAME,null},
+			{"AFT_LATITUDE",null,Y},
+			{"AFT_LONGITUDE",null,Y},
+			{"AFT_ENVIRONMENT",null,Y},
+			{"SCLD_PLATFORM",null,Y},
+			{"DME2_EP_REGISTRY_CLASS",null,Y},// for Developer local access
+			{"AFT_DME2_EP_REGISTRY_FS_DIR",null,Y},
+			{"DME2.DEBUG",null,null},
+			{"AFT_DME2_HTTP_EXCHANGE_TRACE_ON",null,null},
+			{"AFT_DME2_SSL_ENABLE",null,null},
+			{"AFT_DME2_SSL_WANT_CLIENT_AUTH",null,null},
+			{AFT_DME2_SSL_INCLUDE_PROTOCOLS,CADI_PROTOCOLS,null},
+			{"AFT_DME2_SSL_VALIDATE_CERTS",null,null},
+			{AFT_DME2_CLIENT_IGNORE_SSL_CONFIG,null,null},
+			{"https.protocols",CADI_PROTOCOLS,Y},
+			};
+
+
+
+	public static Properties getDME2Props(PropAccess access) {
+		Properties dprops = new Properties();
+		String value = null;
+		boolean reqClientConfig = false;
+		for(String[] row : CONVERTER_STRINGS) {
+			value = access.getProperty(row[0],null);
+			if(value==null) {
+				value = System.getProperty(row[0]);
+				if(value==null && row[1]!=null) {
+					value = access.getProperty(row[1],null);
+					if(value == null) {
+						value = System.getProperty(row[1]);
+					}
+				}
+			}
+			if(value!=null) {
+				if(row[0].contains("_SSL_")) {
+					reqClientConfig = true;
+				}
+				if(row[0].startsWith("AFT") || row[0].startsWith("SCLD") || row[0].contains("DME2")) {
+					if(value.startsWith("enc:")) {
+						try {
+							value = access.decrypt(value, true);
+						} catch (IOException e) {
+							access.log(Level.ERROR, e);
+						}
+						System.setProperty(row[0], value);
+					} else if(Y.equals(row[2])) {
+						System.setProperty(row[0], value);
+						dprops.setProperty(row[0], value);
+					} else if(row[0].contains("PASSWORD") || row[0].contains("STORE")) {
+						System.setProperty(row[0], value);
+					} else {
+						dprops.setProperty(row[0], value);
+					}
+				}
+				
+			}
+			
+		}
+		
+		Properties sprops = System.getProperties();
+		if(reqClientConfig && sprops.getProperty(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG)==null) {
+			sprops.put(AFT_DME2_CLIENT_IGNORE_SSL_CONFIG, "false");
+			replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE,AFT_DME2_TRUSTSTORE);
+			replaceKeyWithTrust(sprops,AFT_DME2_KEYSTORE_PASSWORD,AFT_DME2_TRUSTSTORE_PASSWORD);
+			replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE,AFT_DME2_CLIENT_TRUSTSTORE);
+			replaceKeyWithTrust(sprops,AFT_DME2_CLIENT_KEYSTORE_PASSWORD,AFT_DME2_CLIENT_TRUSTSTORE_PASSWORD);
+		}
+		
+		if(sprops.getProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS)==null) {
+			sprops.setProperty(AFT_DME2_CLIENT_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
+		}
+
+		if(sprops.getProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS)==null) {
+			sprops.setProperty(AFT_DME2_SSL_INCLUDE_PROTOCOLS, access.getProperty(CADI_PROTOCOLS,SecurityInfo.HTTPS_PROTOCOLS_DEFAULT));
+		}
+		
+		if(access.willLog(Level.DEBUG)) {
+			if(access instanceof PropAccess) {
+				access.log(Level.DEBUG,"Access Properties");
+				for(Entry<Object, Object> es : ((PropAccess)access).getProperties().entrySet()) {
+					access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),es.getValue().toString());
+				}
+			}
+			access.log(Level.DEBUG,"DME2 Properties()");
+			for(Entry<Object, Object> es : dprops.entrySet()) {
+				value = es.getValue().toString();
+				if(es.getKey().toString().contains("PASS")) {
+					if(value==null || !value.contains("enc:")) {
+						value = HIDE_PASS;
+					}
+				}
+				access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);
+			}
+			
+			access.log(Level.DEBUG,"System (AFT) Properties");
+			for(Entry<Object, Object> es : System.getProperties().entrySet()) {
+				if(es.getKey().toString().startsWith("AFT")) {
+					value = es.getValue().toString();
+					if(es.getKey().toString().contains("PASS")) {
+						if(value==null || !value.contains("enc:")) {
+							value = HIDE_PASS;
+						}
+					}
+					access.printf(Level.DEBUG,"    %s=%s",es.getKey().toString(),value);
+				}
+			}
+		}
+		// Cover any not specific AFT props
+		String key;
+		for(Entry<Object, Object> es : access.getProperties().entrySet()) {
+			if((key=es.getKey().toString()).startsWith("AFT_") && 
+					!key.contains("PASSWORD") &&
+					dprops.get(key)==null) {
+				dprops.put(key, es.getValue());
+			}
+		}
+		return dprops;
+	}
+	
+	private static void replaceKeyWithTrust(Properties props, String ks, String ts) {
+		String value;
+		if(props.get(ks)==null && (value=props.getProperty(ts))!=null) {
+			props.put(ks,value);
+			props.remove(ts);
+		}
+	}
+	// Set by CSP, or is hostname.
+	public static String getDefaultRealm() {
+		return defaultRealm;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/Get.java b/core/src/main/java/org/onap/aaf/cadi/config/Get.java
new file mode 100644
index 0000000..ea06c87
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/Get.java
@@ -0,0 +1,97 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+import java.lang.reflect.Method;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+
+public interface Get {
+	public String get(String name, String def, boolean print);
+	
+	
+	/**
+	 * A class for Getting info out of "JavaBean" format
+	 *
+	 */
+	public static class Bean implements Get {
+		private Object bean;
+		private Class<?> bc;
+		private Class<?>[] params;
+		private Object[] args;
+		
+		public Bean(Object bean) {
+			this.bean = bean;
+			bc = bean.getClass();
+			params = new Class<?>[0]; // note, this will allow to go out of scope after config
+			args = new Object[0];
+		}
+		
+		public String get(String name, String def, boolean print) {
+			String str = null;
+			String gname = "get"+Character.toUpperCase(name.charAt(0))+name.substring(1);
+			try {
+				Method meth = bc.getMethod(gname, params);
+				Object obj = meth.invoke(bean, args);
+				str = obj==null?null:obj.toString(); // easy string convert... 
+			} catch (Exception e) {
+			}
+			
+			// Take def if nothing else
+			if(str==null) {
+				str = def;
+				// don't log defaults
+			} else {
+				str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
+			}
+			// Note: Can't log during configuration
+			return str;
+		}
+	}
+
+	public static Get NULL = new Get() {
+		public String get(String name, String def, boolean print) {
+			return def;
+		}
+	};
+
+	public static class AccessGet implements Get {
+		private Access access;
+		public AccessGet(Access access) {
+			this.access = access;
+		}
+		public String get(String name, String def, boolean print) {
+			String gotten = access.getProperty(name, def);
+			if(print) {
+				if(gotten == null) {
+					access.log(Level.INIT,name, "is not set");
+				} else {
+					access.log(Level.INIT,name, "is set to", gotten);
+				}
+			}
+			return gotten;
+		}
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java b/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java
new file mode 100644
index 0000000..dc5e4ef
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/GetAccess.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+import org.onap.aaf.cadi.PropAccess;
+
+public class GetAccess extends PropAccess {
+	private final Get getter;
+	
+	public GetAccess(Get getter) {
+		super(new String[]{"cadi_prop_files="+getter.get("cadi_prop_files", null, true)});
+		this.getter = getter;
+	}
+	
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#getProperty(java.lang.String, java.lang.String)
+	 */
+	@Override
+	public String getProperty(String tag, String def) {
+		String rv;
+		rv = super.getProperty(tag, null);
+		if(rv==null && getter!=null) {
+			rv = getter.get(tag, null, true);
+		}
+		return rv==null?def:rv;
+	}
+	/* (non-Javadoc)
+	 * @see com.att.cadi.PropAccess#getProperty(java.lang.String)
+	 */
+	@Override
+	public String getProperty(String tag) {
+		String rv;
+		rv = super.getProperty(tag, null);
+		if(rv==null && getter!=null) {
+			rv = getter.get(tag, null, true);
+		}
+		return rv;
+	}
+
+	public Get get() {
+		return getter;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java b/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java
new file mode 100644
index 0000000..551018c
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/MultiGet.java
@@ -0,0 +1,43 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+public class MultiGet implements Get {
+    private Get[] getters;
+
+    public MultiGet(Get ... getters) {
+        this.getters = getters;
+    }
+
+    @Override
+    public String get(String name, String def, boolean print) {
+        String str;
+        for(Get getter : getters) {
+            str = getter.get(name, null, print);
+            if(str!=null) 
+                return str;
+        }
+        return def;
+    }
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java b/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
new file mode 100644
index 0000000..4301d53
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfo.java
@@ -0,0 +1,243 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.rmi.AccessException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.util.MaskFormatException;
+import org.onap.aaf.cadi.util.NetMask;
+
+public class SecurityInfo {
+	private static final String SECURITY_ALGO = "RSA";
+	private static final String HTTPS_PROTOCOLS = "https.protocols";
+	private static final String JDK_TLS_CLIENT_PROTOCOLS = "jdk.tls.client.protocols";
+
+	public static final String HTTPS_PROTOCOLS_DEFAULT = "TLSv1.1,TLSv1.2";
+	public static final String REGEX_COMMA = "\\s*,\\s*";
+	public static final String SslKeyManagerFactoryAlgorithm;
+	
+	private SSLSocketFactory scf;
+	private X509KeyManager[] km;
+	private X509TrustManager[] tm;
+	public final String default_alias;
+	private NetMask[] trustMasks;
+	private SSLContext ctx;
+	private HostnameVerifier maskHV;
+
+	// Change Key Algorithms for IBM's VM.  Could put in others, if needed.
+	static {
+		if(System.getProperty("java.vm.vendor").equalsIgnoreCase("IBM Corporation")) {
+			SslKeyManagerFactoryAlgorithm = "IbmX509";
+		} else {
+			SslKeyManagerFactoryAlgorithm = "SunX509";
+		}
+	}
+	
+
+	public SecurityInfo(final Access access) throws GeneralSecurityException, IOException {
+		// reuse DME2 Properties for convenience if specific Properties don't exist
+		String keyStore = access.getProperty(Config.CADI_KEYSTORE,
+				access.getProperty(Config.AFT_DME2_KEYSTORE,null));
+		String keyStorePasswd = access.getProperty(Config.CADI_KEYSTORE_PASSWORD,
+				access.getProperty(Config.AFT_DME2_KEYSTORE_PASSWORD, null));
+		keyStorePasswd = keyStorePasswd==null?null:access.decrypt(keyStorePasswd,false);
+		String trustStore = access.getProperty(Config.CADI_TRUSTSTORE,
+				access.getProperty(Config.AFT_DME2_TRUSTSTORE, null));
+		String trustStorePasswd = access.getProperty(Config.CADI_TRUSTSTORE_PASSWORD,
+				access.getProperty(Config.AFT_DME2_TRUSTSTORE_PASSWORD,null));
+		trustStorePasswd = trustStorePasswd==null?null:access.decrypt(trustStorePasswd,false);
+		default_alias = access.getProperty(Config.CADI_ALIAS, 
+				access.getProperty(Config.AFT_DME2_CLIENT_SSL_CERT_ALIAS,null));
+		
+		String keyPasswd = access.getProperty(Config.CADI_KEY_PASSWORD,null);
+		keyPasswd = keyPasswd==null?keyStorePasswd:access.decrypt(keyPasswd,false);
+		String tips=access.getProperty(Config.CADI_TRUST_MASKS, null);
+		if(tips!=null) {
+			access.log(Level.INIT,"Explicitly accepting valid X509s from",tips);
+			String[] ipsplit = tips.split(REGEX_COMMA);
+			trustMasks = new NetMask[ipsplit.length];
+			for(int i=0;i<ipsplit.length;++i) {
+				try {
+					trustMasks[i]=new NetMask(ipsplit[i]);
+				} catch (MaskFormatException e) {
+					throw new AccessException("Invalid IP Mask in " + Config.CADI_TRUST_MASKS,e);
+				}
+			}
+		}
+		String https_protocols = Config.logProp(access,Config.CADI_PROTOCOLS, 
+				access.getProperty(Config.AFT_DME2_SSL_INCLUDE_PROTOCOLS, 
+					access.getProperty(HTTPS_PROTOCOLS,HTTPS_PROTOCOLS_DEFAULT)
+					));
+		System.setProperty(HTTPS_PROTOCOLS,https_protocols);
+		System.setProperty(JDK_TLS_CLIENT_PROTOCOLS, https_protocols);
+		
+		KeyManagerFactory kmf = KeyManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
+		File file;
+
+
+		if(keyStore==null || keyStorePasswd == null) { 
+			km = new X509KeyManager[0];
+		} else {
+			ArrayList<X509KeyManager> kmal = new ArrayList<X509KeyManager>();
+			for(String ksname : keyStore.split(REGEX_COMMA)) {
+				file = new File(ksname);
+				String keystoreFormat;
+				if(ksname.endsWith("pkcs12")) {
+					keystoreFormat = "PKCS12";
+				} else {
+					keystoreFormat = "JKS";
+				}
+				if(file.exists()) {
+					FileInputStream fis = new FileInputStream(file);
+					try {
+						KeyStore ks = KeyStore.getInstance(keystoreFormat);
+						ks.load(fis, keyStorePasswd.toCharArray());
+						kmf.init(ks, keyPasswd.toCharArray());
+					} finally {
+						fis.close();
+					}
+				}
+			}
+			for(KeyManager km : kmf.getKeyManagers()) {
+				if(km instanceof X509KeyManager) {
+					kmal.add((X509KeyManager)km);
+				}
+			}
+			km = new X509KeyManager[kmal.size()];
+			kmal.toArray(km);
+		}
+
+		TrustManagerFactory tmf = TrustManagerFactory.getInstance(SslKeyManagerFactoryAlgorithm);
+		if(trustStore!=null) {
+			for(String tsname : trustStore.split(REGEX_COMMA)) {
+				file = new File(tsname);
+				if(file.exists()) {
+					FileInputStream fis = new FileInputStream(file);
+					try {
+						KeyStore ts = KeyStore.getInstance("JKS");
+						ts.load(fis, trustStorePasswd.toCharArray());
+						tmf.init(ts); 
+					} finally {
+						fis.close();
+					}
+				}
+			}
+			TrustManager tms[] = tmf.getTrustManagers();
+			tm = new X509TrustManager[tms==null?0:tms.length];
+			for(int i=0;i<tms.length;++i) {
+				try {
+					tm[i]=(X509TrustManager)tms[i];
+				} catch (ClassCastException e) {
+					access.log(Level.WARN, "Non X509 TrustManager", tm[i].getClass().getName(),"skipped in SecurityInfo");
+				}
+			}
+		}
+		
+		if(trustMasks!=null) {
+			final HostnameVerifier origHV = HttpsURLConnection.getDefaultHostnameVerifier();
+			HttpsURLConnection.setDefaultHostnameVerifier(maskHV = new HostnameVerifier() {
+				@Override
+				public boolean verify(final String urlHostName, final SSLSession session) {
+					try {
+						// This will pick up /etc/host entries as well as DNS
+						InetAddress ia = InetAddress.getByName(session.getPeerHost());
+						for(NetMask tmask : trustMasks) {
+							if(tmask.isInNet(ia.getHostAddress())) {
+								return true;
+							}
+						}
+					} catch (UnknownHostException e) {
+						// It's ok. do normal Verify
+					}
+					return origHV.verify(urlHostName,session);
+				};
+			});
+		}
+		ctx = SSLContext.getInstance("TLS");
+		ctx.init(km, tm, null);
+		SSLContext.setDefault(ctx);
+		scf = ctx.getSocketFactory();
+	}
+
+	/**
+	 * @return the scf
+	 */
+	public SSLSocketFactory getSSLSocketFactory() {
+		return scf;
+	}
+
+	public SSLContext getSSLContext() {
+		return ctx;
+	}
+
+	/**
+	 * @return the km
+	 */
+	public X509KeyManager[] getKeyManagers() {
+		return km;
+	}
+
+	public void checkClientTrusted(X509Certificate[] certarr) throws CertificateException {
+		for(X509TrustManager xtm : tm) {
+			xtm.checkClientTrusted(certarr, SECURITY_ALGO);
+		}
+	}
+
+	public void checkServerTrusted(X509Certificate[] certarr) throws CertificateException {
+		for(X509TrustManager xtm : tm) {
+			xtm.checkServerTrusted(certarr, SECURITY_ALGO);
+		}
+	}
+
+	public void setSocketFactoryOn(HttpsURLConnection hsuc) {
+		hsuc.setSSLSocketFactory(scf);
+		if(maskHV!=null && !maskHV.equals(hsuc.getHostnameVerifier())) {
+			hsuc.setHostnameVerifier(maskHV);
+		}
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java b/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
new file mode 100644
index 0000000..e631928
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/SecurityInfoC.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.SecuritySetter;
+
+
+public class SecurityInfoC<CLIENT> extends SecurityInfo {
+	public SecuritySetter<CLIENT> defSS;
+
+	public SecurityInfoC(Access access) throws GeneralSecurityException, IOException {
+		super(access);
+	}
+
+	public SecurityInfoC<CLIENT> set(SecuritySetter<CLIENT> defSS) {
+		this.defSS = defSS;
+		return this;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java b/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java
new file mode 100644
index 0000000..e0893e6
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/config/UsersDump.java
@@ -0,0 +1,158 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.config;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.Date;
+import java.util.HashSet;
+
+import org.onap.aaf.cadi.AbsUserCache;
+import org.onap.aaf.cadi.lur.LocalLur;
+
+public class UsersDump {
+
+	/**
+	 * @param args
+	 */
+	public static boolean write(OutputStream os, AbsUserCache<?> lur) {
+		PrintStream ps;
+		if(os instanceof PrintStream) {
+			ps = (PrintStream)os;
+		} else {
+			ps = new PrintStream(os);
+		}
+		try {
+			ps.println("<?xml version='1.0' encoding='utf-8'?>");
+			ps.println("<!--");
+			ps.print(  "     Code Generated Tomcat Users and Roles from AT&T LUR on ");
+			ps.println(new Date());
+			ps.println(  "-->");
+			ps.println("<tomcat-users>");
+
+			// We loop through Users, but want to write Groups first... therefore, save off print
+			StringBuilder sb = new StringBuilder();
+			
+			// Obtain all unique role names
+			HashSet<String> groups = new HashSet<String>();
+			for(AbsUserCache<?>.DumpInfo di : lur.dumpInfo()) {
+				sb.append("\n  <user username=\"");
+				sb.append(di.user);
+				sb.append("\" roles=\"");
+				boolean first = true;
+				for(String role : di.perms) {
+					groups.add(role);
+					if(first)first = false;
+					else sb.append(',');
+					sb.append(role);
+				}
+				sb.append("\"/>");
+
+			}
+
+			// Print roles
+			for(String group : groups) {
+				ps.print("  <role rolename=\"");
+				ps.print(group);
+				ps.println("\"/>");
+			}
+	
+			ps.println(sb);
+
+			ps.println("</tomcat-users>");
+			ps.flush();
+		} catch (Throwable t) {
+			t.printStackTrace(ps);
+			return false;
+		}
+		return true;
+	}
+	
+	/**
+	 * 
+	 * Note: This method returns a String if there's an error, or null if ok.
+	 * This unusual style is necessitated by the fact that any Exceptions thrown are likely to 
+	 * be unlogged and hidden from view, making debugging almost impossible.
+	 * 
+	 * @param writeto
+	 * @param up
+	 * @return
+	 */
+	public static String updateUsers(String writeto, LocalLur up) {
+		// Dump a Tomcat-user.xml lookalike (anywhere)
+		if(writeto!=null) {
+			// First read content
+			ByteArrayOutputStream baos = new ByteArrayOutputStream();
+			if(UsersDump.write(baos, up)) {
+				byte[] postulate = baos.toByteArray();
+				// now get contents of file
+				File file = new File(writeto);
+				boolean writeIt;
+				if(file.exists()) {
+					try {
+						FileInputStream fis = new FileInputStream(file);
+						byte[] orig = new byte[(int)file.length()];
+						try {
+							fis.read(orig);
+						} finally {
+							fis.close();
+						}
+						// Starting at third "<" (<tomcat-users> line)
+						int startA=0, startB=0;
+						for(int i=0;startA<orig.length && i<3;++startA) if(orig[startA]=='<')++i;
+						for(int i=0;startB<orig.length && i<3;++startB) if(postulate[startB]=='<')++i;
+						
+						writeIt=orig.length-startA!=postulate.length-startB; // first, check if remaining length is the same
+						while(!writeIt && startA<orig.length && startB<postulate.length) {
+							if(orig[startA++]!=postulate[startB++])writeIt = true;
+						}
+					} catch (Exception e) {
+						writeIt = true;
+					}
+				} else {
+					writeIt = true;
+				}
+				
+				if(writeIt) {
+					try {
+						FileOutputStream fos = new FileOutputStream(file);
+						try {
+							fos.write(postulate);
+						} finally {
+							fos.close();
+						}
+					} catch (IOException e) {
+						return e.getMessage();
+					}
+				}
+			}
+		}
+		return null; // no message means ok.
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZ.java b/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZ.java
new file mode 100644
index 0000000..49a1634
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZ.java
@@ -0,0 +1,37 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.servlet.Servlet;
+
+@Target({TYPE})
+@Retention(RUNTIME)
+public @interface AUTHZ {
+	Class<? extends Servlet> value();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java b/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
new file mode 100644
index 0000000..871dee3
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/AUTHZServlet.java
@@ -0,0 +1,100 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import java.io.IOException;
+
+import javax.servlet.Servlet;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * 
+ *
+ */
+public class AUTHZServlet<S extends Servlet> implements Servlet {
+	private String[] roles;
+	private Servlet delegate;
+
+	protected AUTHZServlet(Class<S> cls) {
+		try {
+			delegate = cls.newInstance();
+		} catch (Exception e) {
+			delegate = null;
+		}
+		RolesAllowed rolesAllowed = cls.getAnnotation(RolesAllowed.class);
+		if(rolesAllowed == null) {
+			roles = null;
+		} else {
+			roles = rolesAllowed.value();
+		}
+	}
+	
+	public void init(ServletConfig sc) throws ServletException {
+		if(delegate == null) throw new ServletException("Invalid Servlet Delegate");
+		delegate.init(sc);
+	}
+	
+	public ServletConfig getServletConfig() {
+		return delegate.getServletConfig();
+	}
+
+	public String getServletInfo() {
+		return delegate.getServletInfo();
+	}
+
+	public void service(ServletRequest req, ServletResponse resp) throws ServletException, IOException {
+		if(roles==null) {
+			delegate.service(req,resp);
+		} else { // Validate
+			try {
+				HttpServletRequest hreq = (HttpServletRequest)req;
+				boolean proceed = false;
+				for(String role : roles) {
+					if(hreq.isUserInRole(role)) {
+						proceed = true;
+						break;
+					}
+				}
+				if(proceed) {
+					delegate.service(req,resp);
+				} else {
+					//baseRequest.getServletContext().log(hreq.getUserPrincipal().getName()+" Refused " + roles);
+					((HttpServletResponse)resp).sendError(403); // forbidden
+				}
+			} catch(ClassCastException e) {
+				throw new ServletException("JASPIServlet only supports HTTPServletRequest/HttpServletResponse");
+			}
+		}
+	}
+
+	public void destroy() {
+		delegate.destroy();
+	}
+
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java b/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
new file mode 100644
index 0000000..596afd2
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/AccessGetter.java
@@ -0,0 +1,37 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.config.Get;
+
+public class AccessGetter implements Get {
+	private final Access access;
+	public AccessGetter(Access access) {
+		this.access = access;
+	}
+	public String get(String name, String def, boolean print) {
+		return access.getProperty(name, def);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java
new file mode 100644
index 0000000..2ccd29a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/CadiAccess.java
@@ -0,0 +1,243 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.Get;
+
+public class CadiAccess implements Access {
+	// constants for a couple of very commonly used strings.
+	protected static final String FROM = "from";
+	protected static final String FOR = "for";
+
+	// Properties derived from <pass> sources (could be property files, Valve Configurations, Filter
+	// configs, etc. 
+	protected Properties props;
+
+	// Will we write Logs?
+	protected Level willWrite = Level.INFO;
+	
+	protected ServletContext context;
+	protected Get getter = Get.NULL; // replace with Derived Class getter
+	private Symm symm;
+
+	public CadiAccess(Map<String, Object> map) {
+		if(map!=null && !map.isEmpty()) {
+			props = new Properties();
+			for(Entry<String, Object> es : map.entrySet()) {
+				Object v = es.getValue();
+				if(v!=null) {
+					props.put(es.getKey(), v.toString());
+				}
+			}
+			Object keyfile = props.get(Config.CADI_KEYFILE);
+			if(keyfile!=null) {
+				try {
+					FileInputStream fis = new FileInputStream(keyfile.toString());
+					symm = Symm.obtain(fis);
+				} catch (Exception e) {
+				}
+			}
+
+		}
+	}
+	
+	public Level willWrite() {
+		return willWrite;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Access#willLog(com.att.cadi.Access.Level)
+	 */
+	@Override
+	public boolean willLog(Level level) {
+		return willWrite.compareTo(level)<=0;
+	}
+
+	/**
+	 * Add the "Level" to the Buildline for Logging types that don't specify, or straight Streams, etc.  Then buildline
+	 * 
+	 * Build a line of code onto a StringBuilder based on Objects.  Analyze whether 
+	 * spaces need including.
+	 *
+	 * @param level
+	 * @param sb
+	 * @param elements
+	 * @return
+	 */
+	public final static StringBuilder buildLine(Level level, StringBuilder sb, Object[] elements) {
+		sb.append(level.name());
+		return buildLine(sb,elements);
+	}
+	
+	/*
+	 * Build a line of code onto a StringBuilder based on Objects.  Analyze whether 
+	 * spaces need including.
+	 * 
+	 * @param sb
+	 * @param elements
+	 * @return
+	 */
+	public final static StringBuilder buildLine(StringBuilder sb, Object[] elements) {
+		sb.append(' ');
+		String str;
+		boolean notFirst = false;
+		for(Object o : elements) {
+			if(o!=null) {
+				str = o.toString();
+				
+				if(str.length()>0) {
+					if(notFirst && shouldAddSpace(str,true) && shouldAddSpace(sb,false)) {
+						sb.append(' ');
+					} else {
+						notFirst=true;
+					}
+					sb.append(str);
+				}
+			}
+		}
+		return sb;
+	}
+	
+	private static boolean shouldAddSpace(CharSequence c,boolean start) {
+		if(c.length()>0)
+			switch(c.charAt(start?0:c.length()-1)) {
+				case ' ':
+				case '\t':
+				case '\n':
+				case '\'':
+				case '"':
+				case '|':
+					return false;
+			}
+		return true;
+	}
+
+	/**
+	 * Standard mechanism for logging, given being within a Servlet Context
+	 * 
+	 * Here, we treat
+	 * 
+	 * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup 
+	 * scenarios)
+	 *
+	 */
+	public void log(Level level, Object... elements) {
+		if(willWrite.compareTo(level)<=0) {
+			StringBuilder sb = buildLine(level, new StringBuilder(),elements);
+			if(context==null) {
+				System.out.println(sb.toString());
+			} else {
+				context.log(sb.toString());
+			}
+		}
+	}
+
+	/**
+	 * Standard mechanism for logging an Exception, given being within a Servlet Context, etc
+	 * 
+	 * if context exists, log to it, otherwise log to Std Out (The latter is usually for startup 
+	 * scenarios)
+	 *
+	 */
+	public void log(Exception e, Object... elements) {
+		if(willWrite.compareTo(Level.ERROR)<=0) {
+			StringBuilder sb = buildLine(Level.ERROR, new StringBuilder(),elements);
+		
+			if(context==null) {
+				sb.append(e.toString());
+				System.out.println(sb.toString());
+			} else {
+				context.log(sb.toString(),e);
+			}
+		}
+	}
+	
+	public void setLogLevel(Level level) {
+		willWrite = level;
+	}
+	
+	/**
+	 * Pass back the classloader of the Servlet Context, if it exists. Otherwise, get the classloader
+	 * of this object.
+	 */
+	public ClassLoader classLoader() { // Use the Classloader that Context was created with
+		return (context==null?this:context).getClass().getClassLoader();
+	}
+
+	/**
+	 * Get the Property from Context
+	 */
+	public String getProperty(String string, String def) {
+		String rv = null;
+
+        if ( props != null )
+            rv = props.getProperty( string, def );
+        
+		if(rv==null) {
+            rv = context.getInitParameter(string);
+		}
+		return rv==null?def:rv;
+
+	}
+
+	public void load(InputStream is) throws IOException {
+		if(this.props==null) {
+			this.props = new Properties();
+		}
+		this.props.load(is);
+		symm = Symm.obtain(this);
+	}
+
+	public String decrypt(String encrypted, boolean anytext) throws IOException {
+		if(symm==null) {
+			String keyfile = getter.get(Config.CADI_KEYFILE, null, true);
+			if(keyfile!=null) {
+				FileInputStream fis = new FileInputStream(keyfile);
+				symm=Symm.obtain(fis);
+				fis.close();
+			}
+		}
+		return (symm!=null && encrypted!=null && (anytext || encrypted.startsWith(Symm.ENC)))
+			? symm.depass(encrypted)
+			: encrypted;
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object[] elements) {
+		// TODO Auto-generated method stub
+		
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
new file mode 100644
index 0000000..0b8bb8f
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/CadiFilter.java
@@ -0,0 +1,305 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CadiWrap;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.ServletContextAccess;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.Get;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+
+/**
+ * CadiFilter
+ * 
+ * This class implements Servlet Filter, and ties together CADI implementations
+ * 
+ * This class can be used in a standard J2EE Servlet manner.  Optimal usage is for POJO operations, where
+ * one can enforce this Filter being first and primary.  Depending on the Container, it 
+ * may be more effective, in some cases, to utilize features that allow earlier determination of 
+ * AUTHN (Authorization).  An example would be "Tomcat Valve".  These implementations, however, should
+ * be modeled after the "init" and "doFilter" functions, and be kept up to date as this class changes.
+ * 
+ * 
+ *
+ */
+public class CadiFilter implements Filter {
+	private static CadiHTTPManip httpChecker;
+	private static String[] pathExceptions;
+	private static List<Pair> mapPairs;
+	private Access access;
+	private Object[] additionalTafLurs;
+	private static int count=0;
+	
+	public Lur getLur() {
+		return httpChecker.getLur();
+	}
+	
+	/**
+	 * Construct a viable Filter
+	 * 
+	 * Due to the vagaries of many containers, there is a tendency to create Objects and call "Init" on 
+	 * them at a later time.  Therefore, this object creates with an object that denies all access
+	 * until appropriate Init happens, just in case the container lets something slip by in the meantime.
+	 * 
+	 */
+	public CadiFilter() {
+		additionalTafLurs = CadiHTTPManip.noAdditional;
+	}
+
+	/**
+	 * This constructor to be used when directly constructing and placing in HTTP Engine
+	 * 
+	 * @param access
+	 * @param moreTafLurs
+	 * @throws ServletException 
+	 */
+	public CadiFilter(Access access, Object ... moreTafLurs) throws ServletException {
+		additionalTafLurs = moreTafLurs;
+		init(new AccessGetter(this.access = access));
+	}
+
+
+	/**
+	 * Use this to pass in a PreContructed CADI Filter, but with initializing... let Servlet do it
+	 * @param init
+	 * @param access
+	 * @param moreTafLurs
+	 * @throws ServletException
+	 */
+	public CadiFilter(boolean init, PropAccess access, Object ... moreTafLurs) throws ServletException {
+		this.access = access;
+		if(init) {
+			init(new AccessGetter(access));
+		}
+		additionalTafLurs = moreTafLurs;
+	}
+
+	/**
+	 * Init
+	 * 
+	 * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a
+	 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
+	 * mechanism already.
+	 */
+	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM Init functions
+	public void init(FilterConfig filterConfig) throws ServletException {
+		// need the Context for Logging, instantiating ClassLoader, etc
+		ServletContextAccess sca=new ServletContextAccess(filterConfig); 
+		if(access==null) {
+			access = sca;
+		}
+		
+		// Set Protected getter with base Access, for internal class instantiations
+		init(new FCGet(access, sca.context(), filterConfig));
+	}
+	
+
+   private void init(Get getter) throws ServletException {
+        // Start with the assumption of "Don't trust anyone".
+	   TrustChecker tc = TrustChecker.NOTRUST; // default position
+	   try {
+		   @SuppressWarnings("unchecked")
+		   Class<TrustChecker> ctc = (Class<TrustChecker>) Class.forName("com.att.cadi.aaf.v2_0.AAFTrustChecker");
+		   if(ctc!=null) {
+			   Constructor<TrustChecker> contc = ctc.getConstructor(Access.class);
+			   if(contc!=null) {
+				   tc = contc.newInstance(access);
+			   }
+		   }
+	   } catch (Exception e) {
+		   access.log(Level.INIT, "AAFTrustChecker cannot be loaded",e.getMessage());
+	   }
+       
+        
+        // Synchronize, because some instantiations call init several times on the same object
+        // In this case, the epiTaf will be changed to a non-NullTaf, and thus not instantiate twice.
+		synchronized(CadiHTTPManip.noAdditional /*will always remain same Object*/) {
+			++count;
+			if(httpChecker == null) {
+				if(access==null) {
+					access = new PropAccess();
+				}
+				try {
+					httpChecker = new CadiHTTPManip(access,null /*reuseable Con*/,tc, additionalTafLurs);
+				} catch (CadiException e1) {
+					throw new ServletException(e1);
+				}
+			} else if(access==null) {
+				access= httpChecker.getAccess();
+			}
+
+			/*
+			 * Setup Authn Path Exceptions
+			 */
+			if(pathExceptions==null) {
+				String str = getter.get(Config.CADI_NOAUTHN, null, true);
+				if(str!=null) {
+					pathExceptions = str.split("\\s*:\\s*");
+				}
+			}
+	
+			/* 
+			 * SETUP Permission Converters... those that can take Strings from a Vendor Product, and convert to appropriate AAF Permissions
+			 */
+			if(mapPairs==null) {
+				String str = getter.get(Config.AAF_PERM_MAP, null, true);
+				if(str!=null) {
+					String mstr = getter.get(Config.AAF_PERM_MAP, null, true);
+					if(mstr!=null) {
+						String map[] = mstr.split("\\s*:\\s*");
+						if(map.length>0) {
+							MapPermConverter mpc=null;
+							int idx;
+							mapPairs = new ArrayList<Pair>();
+							for(String entry : map) {
+								if((idx=entry.indexOf('='))<0) { // it's a Path, so create a new converter
+									access.log(Level.INIT,"Loading Perm Conversions for:",entry);
+									mapPairs.add(new Pair(entry,mpc=new MapPermConverter()));
+								} else {
+									if(mpc!=null) {
+										mpc.map().put(entry.substring(0,idx),entry.substring(idx+1));
+									} else {
+										access.log(Level.ERROR,"cadi_perm_map is malformed; ",entry, "is skipped");
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+
+		// Remove Getter
+        getter = Get.NULL;
+	}
+
+	/**
+	 * Containers call "destroy" when time to cleanup 
+	 */
+	public void destroy() {
+		// Synchronize, in case multiCadiFilters are used.
+		synchronized(CadiHTTPManip.noAdditional) {
+			if(--count<=0 && httpChecker!=null) {
+				httpChecker.destroy();
+				httpChecker=null;
+				access=null;
+				pathExceptions=null;
+			}
+		}
+	}
+
+	/**
+	 * doFilter
+	 * 
+	 * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and
+	 * only call the next item in the filterChain if request is suitably Authenticated.
+	 */
+	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		try {
+			HttpServletRequest hreq = (HttpServletRequest)request;
+			if(noAuthn(hreq)) {
+				chain.doFilter(request, response);
+			} else {
+				HttpServletResponse hresp = (HttpServletResponse)response;
+				TafResp tresp = httpChecker.validate(hreq, hresp);
+				if(tresp.isAuthenticated()==RESP.IS_AUTHENTICATED) {
+						CadiWrap cw = new CadiWrap(hreq, tresp, httpChecker.getLur(),getConverter(hreq));
+						if(httpChecker.notCadi(cw, hresp)) {
+							chain.doFilter(cw,response);
+						}
+				}						
+			}
+		} catch (ClassCastException e) {
+			throw new ServletException("CadiFilter expects Servlet to be an HTTP Servlet",e);
+		}
+	}
+
+
+	/** 
+	 * If PathExceptions exist, report if these should not have Authn applied.
+	 * @param hreq
+	 * @return
+	 */
+	private boolean noAuthn(HttpServletRequest hreq) {
+		if(pathExceptions!=null) {
+			String pi = hreq.getPathInfo();
+			if(pi==null) return false; // JBoss sometimes leaves null
+			for(String pe : pathExceptions) {
+				if(pi.startsWith(pe))return true;
+			}
+		}
+		return false;
+	}
+	
+	/**
+	 * Get Converter by Path
+	 */
+	private PermConverter getConverter(HttpServletRequest hreq) {
+		if(mapPairs!=null) {
+			String pi = hreq.getPathInfo();
+			if(pi!=null) {
+			for(Pair p: mapPairs) {
+				if(pi.startsWith(p.name))return p.pc;
+			}
+			}
+		}
+		return NullPermConverter.singleton();
+	}
+	
+	/**
+	 * store PermConverters by Path prefix
+	 *
+	 */
+	private class Pair {
+		public Pair(String key, PermConverter pc) {
+			name = key;
+			this.pc = pc;
+		}
+		public String name;
+		public PermConverter pc;
+	}
+
+}
+
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java b/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
new file mode 100644
index 0000000..a3df1c0
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/CadiHTTPManip.java
@@ -0,0 +1,227 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CadiWrap;
+import org.onap.aaf.cadi.Connector;
+import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Taf;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.lur.EpiLur;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.util.UserChainManip;
+
+/**
+ * Encapsulate common HTTP Manipulation Behavior.  It will appropriately set
+ * HTTPServletResponse for Redirect or Forbidden, as needed.
+ * 
+ * Further, this is useful, because it avoids multiple creates of Connections, where some Filters
+ * are created and destroyed regularly.
+ * 
+ *
+ *
+ */
+public class CadiHTTPManip {
+	private static final String ACCESS_CADI_CONTROL = ".access|cadi|control";
+	private static final String METH = "OPTIONS";
+	private static final String CADI = "/cadi/";
+	private static final String CADI_CACHE_PRINT = "/cadi/cache/print";
+	private static final String CADI_CACHE_CLEAR = "/cadi/cache/clear";
+	private static final String CADI_LOG_SET = "/cadi/log/set/";
+	private Access access;
+	private HttpTaf taf;
+	private CredVal up;
+	private Lur lur;
+	private String thisPerm,companyPerm,aaf_id;
+	
+	public static final Object[] noAdditional = new Object[0]; // CadiFilter can be created each call in some systems
+
+
+	public CadiHTTPManip(Access access, Connector con, TrustChecker tc, Object ... additionalTafLurs) throws CadiException {
+		synchronized(CADI) {
+			this.access = access;
+//			Get getter = new AccessGetter(access);
+			Config.setDefaultRealm(access);
+	
+			aaf_id = access.getProperty(Config.CADI_ALIAS,access.getProperty(Config.AAF_MECHID, null));
+			if(aaf_id==null) {
+				access.printf(Level.INIT, "%s is not set. %s can be used instead",Config.AAF_MECHID,Config.CADI_ALIAS);
+			} else {
+				access.printf(Level.INIT, "%s is set to %s",Config.AAF_MECHID,aaf_id);
+			}
+			String ns = aaf_id==null?null:UserChainManip.idToNS(aaf_id);
+			if(ns!=null) {
+				thisPerm = ns+ACCESS_CADI_CONTROL;
+				int dot = ns.indexOf('.');
+				if(dot>=0) {
+					int dot2=ns.indexOf('.',dot+1);
+					if(dot2<0) {
+						dot2=dot;
+					}
+					companyPerm = ns.substring(0, dot2)+ACCESS_CADI_CONTROL;
+				} else {
+					companyPerm = "com"+ACCESS_CADI_CONTROL;
+				}
+			} else {
+				thisPerm = companyPerm = "com"+ACCESS_CADI_CONTROL;
+			}
+			
+			if(con!=null) { // try to reutilize connector
+				List<Lur> ll = null;
+				for(Object tl : additionalTafLurs) {
+					if(tl instanceof Lur) {
+						if(ll==null) {
+							ll = new ArrayList<Lur>();
+							ll.add(con.newLur());
+						}
+						ll.add((Lur)tl);
+					}
+				}
+				if(ll==null) {
+					lur = con.newLur();
+				} else {
+					lur = new EpiLur((Lur[])ll.toArray());
+				}
+			} else {
+				lur = Config.configLur(access, additionalTafLurs);
+			}
+			tc.setLur(lur);
+			if(lur instanceof EpiLur) {
+				up = ((EpiLur)lur).getUserPassImpl();
+			} else if(lur instanceof CredVal) {
+				up = (CredVal)lur;
+			} else {
+				up = null;
+			}
+			taf = Config.configHttpTaf(access, tc, up, lur, additionalTafLurs);
+		}
+	}
+
+	public TafResp validate(HttpServletRequest hreq, HttpServletResponse hresp) throws IOException {
+		TafResp tresp = taf.validate(Taf.LifeForm.LFN, hreq, hresp);
+		switch(tresp.isAuthenticated()) {
+			case IS_AUTHENTICATED:
+				access.printf(Level.INFO,"Authenticated: %s from %s:%d"
+						, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+				break;
+			case TRY_AUTHENTICATING:
+				switch (tresp.authenticate()) {
+					case IS_AUTHENTICATED:
+						access.printf(Level.INFO,"Authenticated: %s from %s:%d"
+								, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+						break;
+					case HTTP_REDIRECT_INVOKED:
+						access.log(Level.INFO,"Authenticating via redirection: ", tresp.desc());
+						break;
+					case NO_FURTHER_PROCESSING:
+						access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d"
+								, tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+						hresp.sendError(403, tresp.desc()); // Forbidden
+						break;
+
+					default:
+						access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
+								, hreq.getRemoteAddr(), hreq.getRemotePort());
+						hresp.sendError(403, tresp.desc()); // Forbidden
+				}
+				break;
+			case NO_FURTHER_PROCESSING:
+				access.printf(Level.AUDIT,"Authentication Failure: %s from %s:%d", 
+						tresp.desc(), hreq.getRemoteAddr(), hreq.getRemotePort());
+				hresp.sendError(403, "Access Denied"); // FORBIDDEN
+				break;
+			default:
+				access.printf(Level.AUDIT,"No TAF will authorize for request from %s:%d"
+						, hreq.getRemoteAddr(), hreq.getRemotePort());
+				hresp.sendError(403, "Access Denied"); // FORBIDDEN
+		}
+		return tresp;
+	}
+	
+	public boolean notCadi(CadiWrap req, HttpServletResponse resp) {
+		
+		String pathInfo = req.getPathInfo();
+		if(METH.equalsIgnoreCase(req.getMethod()) && pathInfo!=null && pathInfo.contains(CADI)) {
+			if(req.getUser().equals(aaf_id) || req.isUserInRole(thisPerm) || req.isUserInRole(companyPerm)) {
+				try {
+					if(pathInfo.contains(CADI_CACHE_PRINT)) {
+						resp.getOutputStream().println(lur.toString());
+						resp.setStatus(200);
+						return false;
+					} else if(pathInfo.contains(CADI_CACHE_CLEAR)) {
+						StringBuilder report = new StringBuilder();
+						lur.clear(req.getUserPrincipal(), report);
+						resp.getOutputStream().println(report.toString());
+						resp.setStatus(200);
+						return false;
+					} else if(pathInfo.contains(CADI_LOG_SET))  {
+						Level l;
+						int slash = pathInfo.lastIndexOf('/');
+						String level = pathInfo.substring(slash+1);
+						try {
+							l = Level.valueOf(level);
+							access.printf(Level.AUDIT, "%s has set CADI Log Level to '%s'",req.getUser(),l.name());
+							access.setLogLevel(l);
+						} catch (IllegalArgumentException e) {
+							access.printf(Level.AUDIT, "'%s' is not a valid CADI Log Level",level);
+						}
+						return false;
+					}
+				} catch (IOException e) {
+					access.log(e);
+				}
+			}
+		}
+		return true;
+	}
+
+	public Lur getLur() {
+		return lur;
+	}
+	
+	public void destroy() {
+		access.log(Level.INFO,"CadiHttpChecker destroyed.");
+		if(lur!=null) {
+			lur.destroy();
+			lur=null;
+		}
+	}
+
+	public Access getAccess() {
+		return access;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java b/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java
new file mode 100644
index 0000000..e6912e7
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/FCGet.java
@@ -0,0 +1,77 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Get;
+
+/*
+ * A private method to query the Filter config and if not exists, return the default.  This
+ * cleans up the initialization code.
+ */
+class FCGet implements Get {
+	/**
+	 * 
+	 */
+	private final Access access;
+	private FilterConfig filterConfig;
+	private ServletContext context;
+
+	public FCGet(Access access, ServletContext context, FilterConfig filterConfig) {
+		this.access = access;
+		this.context = context;
+		this.filterConfig = filterConfig;
+	}
+
+	public String get(String name, String def, boolean print) {
+		String str = null;
+		// Try Server Context First
+		if(context!=null) {
+			str = context.getInitParameter(name);
+		}
+		
+		// Try Filter Context next
+		if(str==null && filterConfig != null) {
+			str = filterConfig.getInitParameter(name);
+		}
+		
+		if(str==null) {
+			str = access.getProperty(name, def);
+		}
+		// Take def if nothing else
+		if(str==null) {
+			str = def;
+			// don't log defaults
+		} else {
+			str = str.trim(); // this is vital in Property File based values, as spaces can hide easily
+			if(print) {
+				access.log(Level.INFO,"Setting", name, "to", str);
+			}
+		}
+		return str;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java b/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java
new file mode 100644
index 0000000..933e6f9
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/MapPermConverter.java
@@ -0,0 +1,55 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class MapPermConverter implements PermConverter {
+	private HashMap<String,String> map;
+
+	/**
+	 * Create with colon separated name value pairs
+	 *  i.e. teAdmin=com.att.myNS.myPerm|*|*:teUser=...
+	 *  
+	 * @param value
+	 */
+	public MapPermConverter() {
+		map = new HashMap<String,String>();
+	}
+
+	/**
+	 * use to instantiate entries 
+	 * 
+	 * @return
+	 */
+	public Map<String,String> map() {
+		return map;
+	}
+
+	public String convert(String minimal) {
+		String rv = map.get(minimal);
+		return rv==null?minimal:rv;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java b/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java
new file mode 100644
index 0000000..223e1a4
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/NullPermConverter.java
@@ -0,0 +1,43 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+
+/**
+ * A NullPermConverter 
+ * 
+ * Obey the PermConverter Interface, but passed in "minimal" String is not converted.
+ * 
+ *
+ */
+public class NullPermConverter implements PermConverter {
+
+	private NullPermConverter() {}
+	private static final NullPermConverter singleton = new NullPermConverter();
+	public static NullPermConverter singleton() {return singleton;}
+
+	public String convert(String minimal) {
+		return minimal;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java b/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java
new file mode 100644
index 0000000..87e3c78
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/PathFilter.java
@@ -0,0 +1,183 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+
+/**
+ * PathFilter
+ * 
+ * This class implements Servlet Filter, and uses AAF to validate access to a Path.
+ * 
+ * This class can be used in a standard J2EE Servlet manner.
+ *  
+ *
+ */
+public class PathFilter implements Filter {
+	private ServletContext context;
+	private String aaf_type;
+	private String not_authorized_msg;
+	private final Log log;
+
+	/**
+	 * Construct a viable Filter for installing in Container WEB.XML, etc.
+	 * 
+	 */
+	public PathFilter() {
+		log = new Log() {
+			public void info(String ... msg) {
+				context.log(build("INFO:",msg));
+			}
+			public void audit(String ... msg) {
+				context.log(build("AUDIT:",msg));
+			}
+			private String build(String type, String []msg) {
+				StringBuilder sb = new StringBuilder(type);
+				for(String s : msg) {
+					sb.append(' ');
+					sb.append(s);
+				}
+				return sb.toString();
+			}
+		
+		};
+	}
+	
+	/**
+	 * Filter that can be constructed within Java
+	 * @param access
+	 */
+	public PathFilter(final Access access) {
+		log = new Log() {
+			public void info(String ... msg) {
+				access.log(Level.INFO, (Object[])msg);
+			}
+			public void audit(String ... msg) {
+				access.log(Level.AUDIT, (Object[])msg);
+			}
+		};
+	}
+	
+	/**
+	 * Init
+	 * 
+	 * Standard Filter "init" call with FilterConfig to obtain properties.  POJOs can construct a
+	 * FilterConfig with the mechanism of their choice, and standard J2EE Servlet engines utilize this
+	 * mechanism already.
+	 */
+	public void init(FilterConfig filterConfig) throws ServletException {
+		// need the Context for Logging, instantiating ClassLoader, etc
+		context = filterConfig.getServletContext();
+		StringBuilder sb = new StringBuilder();
+		StringBuilder err = new StringBuilder(); 
+		Object attr = context.getAttribute(Config.PATHFILTER_NS);
+		if(attr==null) {
+			err.append("PathFilter - pathfilter_ns is not set");
+		} else {
+			sb.append(attr.toString()); 
+		}
+
+		attr = context.getAttribute(Config.PATHFILTER_STACK);
+		if(attr==null) {
+			log.info("PathFilter - No pathfilter_stack set, ignoring");
+		} else {
+			sb.append('.');
+			sb.append(attr.toString());
+		}
+
+		attr = context.getAttribute(Config.PATHFILTER_URLPATTERN);
+		if(attr==null) {
+			log.info("PathFilter - No pathfilter_urlpattern set, defaulting to 'urlpattern'");
+			sb.append(".urlpattern");
+		} else {
+			sb.append('.');
+			sb.append(attr.toString());
+		}
+
+		log.info("PathFilter - AAF Permission Type is",sb.toString());
+		
+		sb.append('|');
+		
+		aaf_type = sb.toString();
+
+		attr = context.getAttribute(Config.PATHFILTER_NOT_AUTHORIZED_MSG);
+		if(attr==null) {
+			not_authorized_msg = "Forbidden - Not Authorized to access this Path";
+		} else {
+			not_authorized_msg = attr.toString();
+		}
+
+		if(err.length()>0) {
+			throw new ServletException(err.toString());
+		}
+	}
+
+	private interface Log {
+		public void info(String ... msg);
+		public void audit(String ... msg);
+	}
+
+	/**
+	 * doFilter
+	 * 
+	 * This is the standard J2EE invocation.  Analyze the request, modify response as necessary, and
+	 * only call the next item in the filterChain if request is suitably Authenticated.
+	 */
+	//TODO Always validate changes against Tomcat AbsCadiValve and Jaspi CadiSAM functions
+	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+		HttpServletRequest hreq = (HttpServletRequest)request;
+		HttpServletResponse hresp = (HttpServletResponse)response;
+		String perm = aaf_type+hreq.getPathInfo()+'|'+hreq.getMethod();
+		if(hreq.isUserInRole(perm)) {
+			chain.doFilter(request, response);
+		} else {
+			log.audit("PathFilter has denied",hreq.getUserPrincipal().getName(),"access to",perm);
+			hresp.sendError(403,not_authorized_msg);
+		}
+	}
+
+	/**
+	 * Containers call "destroy" when time to cleanup 
+	 */
+	public void destroy() {
+		log.info("PathFilter destroyed.");
+	}
+
+
+
+}
+
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java b/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java
new file mode 100644
index 0000000..8f71e29
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/PermConverter.java
@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.filter;
+
+/**
+ * Convert a simplistic, single string Permission into an Enterprise Scoped Perm
+ * 
+ *
+ */
+public interface PermConverter {
+	public String convert(String minimal);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java b/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java
new file mode 100644
index 0000000..0a5873e
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/RolesAllowed.java
@@ -0,0 +1,55 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+/**
+ * RolesAllowed 
+ * 
+ * 
+ * Similar to Java EE's Spec from Annotations 1.1, 2.8
+ * 
+ * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined
+ * sense of permissions hierarchy.  The same mechanism, however, can easily be achieved on single Servlet/Handlers in
+ * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation
+ * 
+ */
+package org.onap.aaf.cadi.filter;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+/**
+ * JASPI Style Annotation of RolesAllowed when the coding style is desired but actually including all 
+ * JEE jars is not. If using actual JASPI, use official @interface classes, not this one...
+ * 
+ */
+@Target({TYPE})
+@Retention(RUNTIME)
+public @interface RolesAllowed {
+	/**
+	 * Security role of the implementation, which doesn't have to be an EJB or CORBA like object.  Can be just a
+	 * Handler
+	 * @return
+	 */
+	String[] value();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java b/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java
new file mode 100644
index 0000000..f581c5f
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/filter/ServletImpl.java
@@ -0,0 +1,55 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+/**
+ * RolesAllowed 
+ * 
+ * 
+ * Similar to Java EE's Spec from Annotations 1.1, 2.8
+ * 
+ * That Spec, however, was geared towards being able to route calls to Methods on Objects, and thus needed a more refined
+ * sense of permissions hierarchy.  The same mechanism, however, can easily be achieved on single Servlet/Handlers in
+ * POJOs like Jetty by simply adding the Roles Allowed in a similar Annotation
+ * 
+ */
+package org.onap.aaf.cadi.filter;
+import static java.lang.annotation.ElementType.TYPE;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import javax.servlet.Servlet;
+
+/**
+ * 
+ */
+@Target({TYPE})
+@Retention(RUNTIME)
+public @interface ServletImpl {
+	/**
+	 * Security role of the implementation, which doesn't have to be an EJB or CORBA like object.  Can be just a
+	 * Handler
+	 * @return
+	 */
+	Class<? extends Servlet> value();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java
new file mode 100644
index 0000000..32e4816
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/lur/ConfigPrincipal.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.GetCred;
+import org.onap.aaf.cadi.Symm;
+
+public class ConfigPrincipal implements Principal, GetCred {
+	private String name;
+	private byte[] cred;
+	private String content;
+
+	public ConfigPrincipal(String name, String passwd) {
+		this.name = name;
+		this.cred = passwd.getBytes();
+		content = null;
+	}
+
+	public ConfigPrincipal(String name, byte[] cred) {
+		this.name = name;
+		this.cred = cred;
+		content = null;
+	}
+
+	public String getName() {
+		return name;
+	}
+	
+	public byte[] getCred() {
+		return cred;
+	}
+
+	public String toString() {
+		return name;
+	}
+	
+	public String getAsBasicAuthHeader() throws IOException {
+		if(content ==null) {
+			String s = name + ':' + new String(cred);
+			content = "Basic " + Symm.base64.encode(s);  
+		} else if(!content.startsWith("Basic ")) { // content is the saved password from construction
+			String s = name + ':' + content;
+			content = "Basic " + Symm.base64.encode(s);  
+		}
+		return content;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java b/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
new file mode 100644
index 0000000..0e612e9
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/lur/EpiLur.java
@@ -0,0 +1,167 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.onap.aaf.cadi.CachingLur;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+
+/**
+ * EpiLUR
+ * 
+ * Short for "Epic LUR". Be able to run through a series of LURs to obtain the validation needed.
+ * 
+ * The pun is better for the other pattern... "TAF" (aka EpiTaf), but it's still the larger picture of 
+ * LURs that will be accomplished.
+ * 
+ * FYI, the reason we separate LURs, rather than combine, is that Various User Repository Resources have
+ * different Caching requirements.  For instance, the Local User Repo (with stand alone names), never expire, but might be
+ * refreshed with a change in Configuration File, while the Remote Service based LURs will need to expire at prescribed intervals 
+ * 
+ *
+ */
+public final class EpiLur implements Lur {
+	private final Lur[] lurs;
+	
+	/**
+	 * EpiLur constructor
+	 * 
+	 * Construct the EpiLur from variable TAF parameters
+	 * @param lurs
+	 * @throws CadiException
+	 */
+	public EpiLur(Lur ... lurs) throws CadiException{
+		this.lurs = lurs;
+		if(lurs.length==0) throw new CadiException("Need at least one Lur implementation in constructor");
+	}
+
+	public boolean fish(Principal bait, Permission pond) {
+		if(pond==null) {
+			return false;
+		}
+		boolean rv = false;
+		Lur lur;
+		for(int i=0;!rv && i<lurs.length;++i) {
+			rv = (lur = lurs[i]).fish(bait, pond);
+			if(!rv && lur.handlesExclusively(pond)) break;
+		}
+		return rv;
+	}
+
+	public void fishAll(Principal bait, List<Permission> permissions) {
+		for(Lur lur : lurs) {
+			lur.fishAll(bait, permissions);
+		}
+	}
+
+	public void destroy() {
+		for(Lur lur : lurs) {
+			lur.destroy();
+		}
+	}
+
+	/**
+	 * Return the first Lur (if any) which also implements UserPass 
+	 * @return
+	 */
+	public CredVal getUserPassImpl() {
+		for(Lur lur : lurs) {
+			if(lur instanceof CredVal) {
+				return (CredVal)lur;
+			}
+		}
+		return null;
+	}
+
+	// Never needed... Only EpiLur uses...
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+	
+	/**
+	 * Get Lur for index.  Returns null if out of range
+	 * @param idx
+	 * @return
+	 */
+	public Lur get(int idx) {
+		if(idx>=0 && idx<lurs.length) {
+			return lurs[idx];
+		}
+		return null;
+	}
+
+	public boolean supports(String userName) {
+		for(Lur l : lurs) {
+			if(l.supports(userName))return true;
+		}
+		return false;
+	}
+
+	public void remove(String id) {
+		for(Lur l : lurs) {
+			if(l instanceof CachingLur) {
+				((CachingLur<?>)l).remove(id);
+			}
+		}
+	}
+	
+	public Lur subLur(Class<? extends Lur> cls ) {
+		for(Lur l : lurs) {
+			if(l.getClass().isAssignableFrom(cls)) {
+				return l;
+			}
+		}
+		return null;
+	}
+
+	@Override
+	public Permission createPerm(String p) {
+		return new LocalPermission(p);
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+	 */
+	@Override
+	public void clear(Principal p, StringBuilder report) {
+		for(Lur lur : lurs) {
+			lur.clear(p, report);
+		}
+	}
+	
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		for(Lur lur : lurs) {
+			sb.append(lur.getClass().getSimpleName());
+			sb.append(": Report\n");
+			sb.append(lur.toString());
+			sb.append('\n');
+		}
+		return sb.toString();
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java b/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
new file mode 100644
index 0000000..4086b51
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/lur/LocalLur.java
@@ -0,0 +1,201 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.onap.aaf.cadi.AbsUserCache;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.StrLur;
+import org.onap.aaf.cadi.User;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.config.Config;
+
+
+/**
+ * An in-memory Lur that can be configured locally with User info via properties, similar to Tomcat-users.xml mechanisms.
+ * 
+ *
+ */
+public final class LocalLur extends AbsUserCache<LocalPermission> implements StrLur, CredVal {
+	public static final String SEMI = "\\s*;\\s*";
+	public static final String COLON = "\\s*:\\s*";
+	public static final String COMMA = "\\s*,\\s*";
+	public static final String PERCENT = "\\s*%\\s*";
+	
+	// Use to quickly determine whether any given group is supported by this LUR
+	private final Set<String> supportingGroups;
+	private String supportedRealm; 
+	
+	/**
+	 * Construct by building structure, see "build"
+	 * 
+	 * Reconstruct with "build"
+	 * 
+	 * @param userProperty
+	 * @param groupProperty
+	 * @param decryptor
+	 * @throws IOException
+	 */
+	public LocalLur(Access access, String userProperty, String groupProperty) throws IOException {
+		super(access, 0, 0, Integer.MAX_VALUE);  // data doesn't expire
+		supportedRealm = access.getProperty(Config.BASIC_REALM, "localized");
+		supportingGroups = new TreeSet<String>();
+		
+		if(userProperty!=null) {
+			// For each User name...
+			for(String user : userProperty.trim().split(SEMI)) {
+				String[] us = user.split(COLON,2);
+				String[] userpass = us[0].split(PERCENT,2);
+				String u;
+				User<LocalPermission> usr;
+				if(userpass.length>1) {
+					if(userpass.length>0 && userpass[0].indexOf('@')<0) {
+						userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
+					}
+
+					u = userpass[0];
+					byte[] pass = access.decrypt(userpass[1], true).getBytes();
+					usr = new User<LocalPermission>(new ConfigPrincipal(u, pass));
+				} else {
+					u = us[0];
+					usr = new User<LocalPermission>(new ConfigPrincipal(u, (byte[])null));
+				}
+				addUser(usr);
+				access.log(Level.INIT, "Local User:",usr.principal);
+				
+				if(us.length>1) {
+					Map<String, Permission> newMap = usr.newMap();
+					for(String group : us[1].split(COMMA)) {
+						supportingGroups.add(group);
+						usr.add(newMap,new LocalPermission(group));
+					}
+					usr.setMap(newMap);
+				}
+			}
+		}
+		if(groupProperty!=null) {
+			// For each Group name...
+			for(String group : groupProperty.trim().split(SEMI)) {
+				String[] gs = group.split(COLON,2);
+				if(gs.length>1) {
+					supportingGroups.add(gs[0]);
+					LocalPermission p = new LocalPermission(gs[0]);
+					// Add all users (known by comma separators)	
+					
+					for(String grpMem : gs[1].split(COMMA)) {
+						// look for password, if so, put in passMap
+						String[] userpass = grpMem.split(PERCENT,2);
+						if(userpass.length>0 && userpass[0].indexOf('@')<0) {
+							userpass[0]=userpass[0] + '@' + access.getProperty(Config.AAF_DEFAULT_REALM,Config.getDefaultRealm());
+						}
+						User<LocalPermission> usr = getUser(userpass[0]);
+						if(userpass.length>1) {
+							byte[] pass = access.decrypt(userpass[1], true).getBytes();
+							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],pass)));
+							else usr.principal=new ConfigPrincipal(userpass[0],pass);
+						} else {
+							if(usr==null)addUser(usr=new User<LocalPermission>(new ConfigPrincipal(userpass[0],(byte[])null)));
+						}
+						usr.add(p);
+						access.log(Level.INIT, "Local User:",usr.principal);
+					}
+				}
+			}
+		}
+	}
+	
+	public boolean validate(String user, CredVal.Type type, byte[] cred) {
+		User<LocalPermission> usr = getUser(user);
+		switch(type) {
+			case PASSWORD:
+				// covers null as well as bad pass
+				if(usr!=null && cred!=null && usr.principal instanceof ConfigPrincipal) {
+					return Hash.isEqual(cred,((ConfigPrincipal)usr.principal).getCred());
+				}
+				break;
+		}
+		return false;
+	}
+
+	//	@Override
+	public boolean fish(Principal bait, Permission pond) {
+		if(supports(bait.getName()) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
+				User<LocalPermission> user = getUser(bait);
+				return user==null?false:user.contains((LocalPermission)pond);
+			}
+		return false;
+	}
+
+	public boolean fish(String bait, Permission pond) {
+		if(supports(bait) && pond instanceof LocalPermission) { // local Users only have LocalPermissions
+			User<LocalPermission> user = getUser(bait);
+			return user==null?false:user.contains((LocalPermission)pond);
+		}
+		return false;
+	}
+
+	// We do not want to expose the actual Group, so make a copy.
+	public void fishAll(Principal bait, List<Permission> perms) {
+		if(supports(bait.getName())) {
+			User<LocalPermission> user = getUser(bait);
+			if(user!=null) {
+				user.copyPermsTo(perms);
+			}
+		}
+	}
+
+	public void fishAll(String bait, List<Permission> perms) {
+		if(supports(bait)) {
+			User<LocalPermission> user = getUser(bait);
+			if(user!=null) {
+				user.copyPermsTo(perms);
+			}
+		}
+	}
+
+	public boolean supports(String userName) {
+		return userName!=null && userName.endsWith(supportedRealm);
+	}
+
+	public boolean handlesExclusively(Permission pond) {
+		return supportingGroups.contains(pond.getKey());
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
+	 */
+	@Override
+	public Permission createPerm(String p) {
+		return new LocalPermission(p);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java b/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
new file mode 100644
index 0000000..cccb74c
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/lur/LocalPermission.java
@@ -0,0 +1,51 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur;
+
+import org.onap.aaf.cadi.Permission;
+
+public class LocalPermission implements Permission {
+	private String key;
+	
+	public LocalPermission(String role) {
+		this.key = role;
+	}
+	
+	public String getKey() {
+		return key;
+	}
+
+	public String toString() {
+		return key;
+	}
+
+	public boolean match(Permission p) {
+		return key.equals(p.getKey());
+	}
+
+	public String permType() {
+		return "LOCAL";
+	}
+	
+	
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java b/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
new file mode 100644
index 0000000..94080df
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/lur/NullLur.java
@@ -0,0 +1,88 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur;
+
+import java.security.Principal;
+import java.util.List;
+
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+
+public class NullLur implements Lur {
+	private static final Permission NULL = new Permission() {
+		@Override
+		public String permType() {
+			return "";
+		}
+
+		@Override
+		public String getKey() {
+			return "";
+		}
+
+		@Override
+		public boolean match(Permission p) {
+			return false;
+		}};
+
+	public boolean fish(Principal bait, Permission pond) {
+		// Well, for Jenkins, this is ok... It finds out it can't do J2EE Security, and then looks at it's own
+//		System.err.println("CADI's LUR has not been configured, but is still being called.  Access is being denied");
+		return false;
+	}
+
+	public void fishAll(Principal bait,	List<Permission> permissions) {
+	}
+
+	public void destroy() {
+	}
+
+	public boolean handlesExclusively(Permission pond) {
+		return false;
+	}
+
+	public boolean supports(String userName) {
+		return false;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#createPerm(java.lang.String)
+	 */
+	@Override
+	public Permission createPerm(String p) {
+		return NULL;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.Lur#clear(java.security.Principal, java.lang.StringBuilder)
+	 */
+	@Override
+	public void clear(Principal p, StringBuilder report) {
+		report.append(NullLur.class.getSimpleName());
+		report.append('\n');
+	}
+	
+	public String toString() {
+		return NullLur.class.getSimpleName() + '\n';
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
new file mode 100644
index 0000000..e84caeb
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/BasicPrincipal.java
@@ -0,0 +1,117 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Date;
+
+import org.onap.aaf.cadi.BasicCred;
+import org.onap.aaf.cadi.GetCred;
+import org.onap.aaf.cadi.Symm;
+
+public class BasicPrincipal extends BearerPrincipal implements GetCred {
+	private static byte[] basic = "Basic ".getBytes();
+
+	private String name = null;
+	private String shortName = null;
+	private byte[] cred = null;
+	
+	private long created;
+
+	public BasicPrincipal(String content,String domain) throws IOException {
+		created = System.currentTimeMillis();
+		ByteArrayInputStream bis = new ByteArrayInputStream(content.getBytes());
+		// Read past "Basic ", ensuring it starts with it.
+		for(int i=0;i<basic.length;++i) {
+			if(bis.read()!=basic[i]) {
+				name=content;
+				cred = null;
+				return;
+			}
+		}
+		BasicOS bos = new BasicOS(content.length());
+		Symm.base64.decode(bis,bos); // note: writes directly to name until ':'
+		if(name==null) throw new IOException("Invalid Coding");
+		else cred = bos.toCred();
+		int at;
+		if((at=name.indexOf('@'))>0) {
+			domain=name.substring(at+1);
+			shortName=name.substring(0, at);
+		} else {
+			shortName = name;
+			name = name + '@' + domain;
+		}
+	}
+	
+	public BasicPrincipal(BasicCred bc, String domain) {
+		name = bc.getUser();
+		cred = bc.getCred();
+	}
+
+	private class BasicOS extends OutputStream {
+		private boolean first = true;
+		private ByteArrayOutputStream baos;
+		
+		public BasicOS(int size) {
+			baos = new ByteArrayOutputStream(size);
+		}
+
+		@Override
+		public void write(int b) throws IOException {
+			if(b==':' && first) {
+				first = false;
+				name = new String(baos.toByteArray());
+				baos.reset(); // 
+			} else {
+				baos.write(b);
+			}
+		}
+		
+		private byte[] toCred() {
+			return baos.toByteArray();
+		}
+	}
+	
+	public String getName() {
+		return name;
+	}
+	
+	public String getShortName() {
+		return shortName;
+	}
+	
+	public byte[] getCred() {
+		return cred;
+	}
+	
+	public long created() {
+		return created;
+	}
+
+	public String toString() {
+		return "Basic Authorization for " + name + " evaluated on " + new Date(created).toString();
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
new file mode 100644
index 0000000..08793c5
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/BearerPrincipal.java
@@ -0,0 +1,36 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.security.Principal;
+
+public abstract class BearerPrincipal implements Principal {
+	private String bearer = null;
+	public BearerPrincipal setBearer(String bearer) {
+		this.bearer = bearer;
+		return this;
+	}
+	public String getBearer() {
+		return bearer;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java b/core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java
new file mode 100644
index 0000000..3694584
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/CSPPrincipal_T.java
@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.security.Principal;
+
+/**
+ * Indicate a CSP Principal that is trusted as a CSPPrincipal.  
+ *
+ */
+public interface CSPPrincipal_T extends Principal {
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
new file mode 100644
index 0000000..9a33dc6
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/CachedBasicPrincipal.java
@@ -0,0 +1,65 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.io.IOException;
+
+import org.onap.aaf.cadi.BasicCred;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.taf.HttpTaf;
+
+/**
+ * Cached Principals need to be able to revalidate in the Background
+ * 
+ *
+ */
+public class CachedBasicPrincipal extends BasicPrincipal implements CachedPrincipal {
+	private final HttpTaf creator;
+	private long timeToLive;
+	private long expires;
+
+	public CachedBasicPrincipal(HttpTaf creator, BasicCred bc, String domain, long timeToLive) {
+		super(bc, domain);
+		this.creator = creator;
+		this.timeToLive = timeToLive;
+		expires = System.currentTimeMillis()+timeToLive;
+	}
+	
+	public CachedBasicPrincipal(HttpTaf creator, String content, String domain, long timeToLive) throws IOException {
+		super(content, domain);
+		this.creator = creator;
+		this.timeToLive = timeToLive;
+		expires = System.currentTimeMillis()+timeToLive;
+	}
+
+	public CachedPrincipal.Resp revalidate() {
+		Resp resp = creator.revalidate(this);
+		if(resp.equals(Resp.REVALIDATED))expires = System.currentTimeMillis()+timeToLive;
+		return resp;
+	}
+
+	public long expires() {
+		return expires;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java
new file mode 100644
index 0000000..b55f86a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal.java
@@ -0,0 +1,80 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+public class TGuardPrincipal extends BearerPrincipal {
+
+	private String name, tresp;
+
+	public TGuardPrincipal(String tresp) {
+		this.tresp=tresp;
+	}
+
+	/**
+	 * TODO Need to figure out what Organizations TGuard entities should be part of.  
+	 * 
+	 */
+	public String getName() {
+		if(name==null) {
+			String temp = get("iv-user");
+			if(temp==null)return null;
+			StringBuilder sb = new StringBuilder();
+			int at = temp.indexOf('@');
+			if(at<0) {
+				sb.append(temp);
+			} else {
+				sb.append(temp.substring(0, at));
+			}
+			if(temp.endsWith("@uverse.com"))sb.append("@uverse.tguard.att.com");
+			else if(temp.endsWith("@att.com"))sb.append("@com.tguard.att.com");
+			else if(temp.endsWith("@att.net"))sb.append("@net.tguard.att.com");
+			else sb.append("@tguard.att.com");
+			name = sb.toString();
+		}
+		return name;
+	}
+
+	/**
+	 * Get a value from a named TGuard Property
+	 * 
+	 * TGuard response info is very dynamic.  They can add new properties at any time, so we dare not code field names for these values.
+	 * @param key
+	 * @return
+	 */
+	public String get(String key) {
+		if(key==null)return null;
+		int idx=0,equal=0,amp=0;
+		while(idx>=0 && (equal = tresp.indexOf('=',idx))>=0) {
+			amp = tresp.indexOf('&',equal);
+			if(key.regionMatches(0, tresp, idx, equal-idx)) {
+				return amp>=0?tresp.substring(equal+1, amp):tresp.substring(equal+1); 
+			}
+			idx=amp+(amp>0?1:0);
+		}
+		return null;
+	}
+
+	public String info() {
+		return tresp;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java b/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java
new file mode 100644
index 0000000..235c74c
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/TGuardPrincipal_T.java
@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.security.Principal;
+
+/**
+ * Indicate a TGuard Principal that is trusted as a TGuardPrincipal.  
+ *
+ */
+public interface TGuardPrincipal_T extends Principal {
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java b/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
new file mode 100644
index 0000000..4add242
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/TrustPrincipal.java
@@ -0,0 +1,67 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.security.Principal;
+
+import org.onap.aaf.cadi.UserChain;
+
+public class TrustPrincipal extends BearerPrincipal implements UserChain {
+	private final String name;
+	private final Principal original;
+	private String userChain;
+	
+	public TrustPrincipal(final Principal actual, final String asName) {
+		this.original = actual;
+		name = asName.trim();
+		if(actual instanceof UserChain) {
+			UserChain uc = (UserChain)actual;
+			userChain = uc.userChain();
+		} else if(actual instanceof X509Principal) {
+			userChain="x509";
+		} else if(actual instanceof BasicPrincipal) {
+			userChain="BAth";
+		} else {
+			userChain = actual.getClass().getSimpleName();
+		}
+	}
+	
+	@Override
+	public String getName() {
+		return name;
+	}
+	
+	public String getOrigName() {
+		return original.getName() + '[' + userChain + ']';
+	}
+
+	@Override
+	public String userChain() {
+		return userChain;
+	}
+	
+	public Principal original() {
+		return original;
+	}
+	
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java b/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
new file mode 100644
index 0000000..2f3fd28
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/principal/X509Principal.java
@@ -0,0 +1,92 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.principal;
+
+import java.io.IOException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.regex.Pattern;
+
+import org.onap.aaf.cadi.GetCred;
+
+public class X509Principal extends BearerPrincipal implements GetCred {
+	private static final Pattern pattern = Pattern.compile("[a-zA-Z0-9]*\\@[a-zA-Z0-9.]*");
+	private byte[] content;  
+	private X509Certificate cert;
+	private String name;
+
+	public X509Principal(String identity, X509Certificate cert, byte[] content) {
+		name = identity;
+		this.content = content;
+		this.cert = cert;
+	}
+	
+	public X509Principal(X509Certificate cert, byte[] content) throws IOException {
+		this.content=content;
+		this.cert = cert;
+		String subj = cert.getSubjectDN().getName();
+		int cn = subj.indexOf("OU=");
+		if(cn>=0) {
+			cn+=3;
+			int space = subj.indexOf(',',cn);
+			if(space>=0) {
+				String id = subj.substring(cn, space);
+				if(pattern.matcher(id).matches()) {
+					name = id;
+				}
+			}
+		}
+		if(name==null)
+			throw new IOException("X509 does not have Identity as CN");
+		
+	}
+	
+	
+	public String getAsHeader() throws IOException {
+		try {
+			if(content==null) 
+				content=cert.getEncoded();
+		} catch (CertificateEncodingException e) {
+			throw new IOException(e);
+		}
+		return "X509 " + content;
+	}
+	
+	public String toString() {
+		return "X509 Authentication for " + name;
+	}
+
+
+	public byte[] getCred() {
+		try {
+			return content==null?(content=cert.getEncoded()):content;
+		} catch (CertificateEncodingException e) {
+			return null;
+		}
+	}
+
+
+	public String getName() {
+		return name;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
new file mode 100644
index 0000000..6a7f15e
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/AbsTafResp.java
@@ -0,0 +1,116 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+
+/**
+ * AbsTafResp
+ * 
+ * Base class for TafResp (TAF Response Objects)
+ *
+ */
+public abstract class AbsTafResp implements TafResp {
+
+	protected final String desc;
+	protected final Principal principal;
+	protected final Access access;
+
+	/**
+	 * AbsTafResp
+	 * 
+	 * Set and hold
+	 * Description (for logging)
+	 * Principal (as created by derived class)
+	 * Access (for access to underlying container, i.e. for Logging, auditing, ClassLoaders, etc)
+	 *  
+	 * @param access
+	 * @param principal
+	 * @param description
+	 */
+	public AbsTafResp(Access access, Principal principal, String description) {
+		this.access = access;
+		this.principal = principal;
+		this.desc = description;
+	}
+
+	/**
+	 * isValid()
+	 * 
+	 * Respond in the affirmative if the TAF was able to Authenticate
+	 */
+	public boolean isValid() {
+		return principal!=null;
+	}
+
+	/**
+	 * desc()
+	 * 
+	 * Respond with description of response as given by the TAF  
+	 */
+	public String desc() {
+		return desc;
+	}
+
+	/**
+	 * isAuthenticated()
+	 * 
+	 * Respond with the TAF's code of whether Authenticated, or suggested next steps
+	 * default is either IS_AUTHENTICATED, or TRY_ANOTHER_TAF.  The TAF can overload
+	 * and suggest others, such as "NO_FURTHER_PROCESSING", if it can detect that this
+	 * is some sort of security breach (i.e. Denial of Service)  
+	 */
+	public RESP isAuthenticated() {
+		return principal==null?RESP.TRY_ANOTHER_TAF:RESP.IS_AUTHENTICATED;
+	}
+
+	/**
+	 * getPrincipal()
+	 * 
+	 * Return the principal created by the TAF based on Authentication. 
+	 * 
+	 * Returns "null" if Authentication failed (no principal)
+	 */
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+	/**
+	 * getAccess()
+	 * 
+	 * Get the Access object from the TAF, so that appropriate Logging, etc can be coordinated.
+	 */
+	public Access getAccess() {
+		return access;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.taf.TafResp#isFailedAttempt()
+	 */
+	public boolean isFailedAttempt() {
+		return false;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
new file mode 100644
index 0000000..7cb40ed
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/EpiTaf.java
@@ -0,0 +1,84 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Taf;
+
+/**
+ * EpiTAF
+ * 
+ * Short for "Epic TAF". Be able to run through a series of TAFs to obtain the validation needed.
+ * 
+ * OK, the name could probably be better as "Tafs", like it was originally, but the pun was too
+ * irresistible for this author to pass up.
+ * 
+ *
+ */
+public class EpiTaf implements Taf {
+	private Taf[] tafs;
+	
+	/**
+	 * EpiTaf constructor
+	 * 
+	 * Construct the EpiTaf from variable TAF parameters
+	 * @param tafs
+	 * @throws CadiException
+	 */
+	public EpiTaf(Taf ... tafs) throws CadiException{
+		this.tafs = tafs;
+		if(tafs.length==0) throw new CadiException("Need at least one Taf implementation in constructor");
+	}
+
+	/**
+	 * validate
+	 * 
+	 * Respond with the first TAF to authenticate user based on variable info and "LifeForm" (is it 
+	 * a human behind an interface, or a server behind a protocol).
+	 * 
+	 * If there is no TAF that can authenticate, respond with the first TAF that suggests it can
+	 * establish an Authentication conversation (TRY_AUTHENTICATING).
+	 * 
+	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
+	 */
+	public TafResp validate(LifeForm reading, String... info) {
+		TafResp tresp,firstTryAuth=null;
+		for(Taf taf : tafs) {
+			tresp = taf.validate(reading, info);
+			switch(tresp.isAuthenticated()) {
+				case TRY_ANOTHER_TAF:
+					break;
+				case TRY_AUTHENTICATING:
+					if(firstTryAuth==null)firstTryAuth=tresp;
+					break;
+				default:
+					return tresp;
+			}
+		}
+
+		// No TAFs configured, at this point.  It is safer at this point to be "not validated", 
+		// rather than "let it go"
+		return firstTryAuth == null?NullTafResp.singleton():firstTryAuth;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
new file mode 100644
index 0000000..05832f7
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/HttpEpiTaf.java
@@ -0,0 +1,185 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.net.URI;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.TrustChecker;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.Taf.LifeForm;
+
+/**
+ * HttpEpiTaf
+ * 
+ * An extension of the basic "EpiTAF" concept, check known HTTP Related TAFs for valid credentials
+ * 
+ *
+ */
+public class HttpEpiTaf implements HttpTaf {
+	private HttpTaf[] tafs;
+	private Access access;
+	private Locator<URI> locator;
+	private TrustChecker trustChecker;
+	
+	/**
+	 * HttpEpiTaf constructor
+	 * 
+	 * Construct the HttpEpiTaf from variable Http specific TAF parameters
+
+	 * @param tafs
+	 * @throws CadiException
+	 */
+	public HttpEpiTaf(Access access, Locator<URI> locator, TrustChecker tc, HttpTaf ... tafs) throws CadiException{
+		this.tafs = tafs;
+		this.access = access;
+		this.locator = locator;
+		this.trustChecker = tc;
+		// Establish what Header Property to look for UserChain/Trust Props 
+//		trustChainProp = access.getProperty(Config.CADI_TRUST_PROP, Config.CADI_TRUST_PROP_DEFAULT);
+
+		if(tafs.length==0) throw new CadiException("Need at least one HttpTaf implementation in constructor");
+	}
+
+	/**
+	 * validate
+	 * 
+	 * Respond with the first Http specific TAF to authenticate user based on variable info 
+	 * and "LifeForm" (is it a human behind a browser, or a server utilizing HTTP Protocol).
+	 * 
+	 * If there is no HttpTAF that can authenticate, respond with the first TAF that suggests it can
+	 * establish an Authentication conversation (TRY_AUTHENTICATING) (Examples include a redirect to CSP
+	 * Servers for CSP Cookie, or BasicAuth 401 response, suggesting User/Password for given Realm 
+	 * submission
+	 * 
+	 * If no TAF declares either, respond with NullTafResp (which denies all questions)
+	 */
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		// Given a LifeForm Neutral, for HTTP, we need to discover true Life-Form Readings
+		if(reading==LifeForm.LFN) {
+			reading = tricorderScan(req);
+		}
+		TafResp tresp=null, firstTry = null;
+		List<Redirectable> redirectables = null;
+		
+		for(HttpTaf taf : tafs) {
+			tresp = taf.validate(reading, req, resp);
+			switch(tresp.isAuthenticated()) {
+				case TRY_ANOTHER_TAF:
+					break; // and loop
+				case TRY_AUTHENTICATING:
+					if(tresp instanceof Redirectable) {
+						if(redirectables==null) {
+							redirectables = new ArrayList<Redirectable>();
+						}
+						redirectables.add((Redirectable)tresp);
+					} else if(firstTry==null) {
+						firstTry = tresp;
+					}
+					break; 
+				case IS_AUTHENTICATED:
+					tresp = trustChecker.mayTrust(tresp, req);
+					return tresp;
+				default:
+					return tresp;
+			}
+		}
+		
+		// If No TAFs configured, at this point.  It is safer at this point to be "not validated", 
+		// rather than "let it go"
+		// Note: if exists, there will always be more than 0 entries, according to above code
+		if(redirectables==null) {
+			return firstTry!=null?firstTry:NullTafResp.singleton();
+		}
+		
+		// If there is one Tryable entry then return it
+		if(redirectables.size()>1) {
+			return LoginPageTafResp.create(access,locator,resp,redirectables);
+		} else {
+			return redirectables.get(0);
+		}
+	}
+	
+	public boolean revalidate(Principal prin) throws Exception {
+		return false;
+	}
+
+	/*
+	 * Since this is internal, we use a little Star Trek humor to indicate looking in the HTTP Request to see if we can determine what kind
+	 * of "LifeForm" reading we can determine, i.e. is there a Human (CarbonBasedLifeForm) behind a browser, or is it mechanical 
+	 * id (SiliconBasedLifeForm)?  This makes a difference in some Authentication, i.e CSP, which doesn't work well for SBLFs
+	 */
+	private LifeForm tricorderScan(HttpServletRequest req) {
+		// For simplicity's sake, we'll say Humans use FQDNs, not IPs.
+		
+		String auth = req.getParameter("Authentication");
+		if(auth!=null) {
+			if("BasicAuth".equals(auth)) {
+				return LifeForm.SBLF;
+			}
+		}
+		// Current guess that only Browsers bother to set "Agent" codes that identify the kind of browser they are.
+		// If mechanical frameworks are found that populate this, then more advanced analysis may be required
+		//  1/22/2013
+		String agent = req.getHeader("User-Agent");
+		if(agent!=null && agent.startsWith("Mozilla")) // covers I.E./Firefox/Safari/probably any other "advanced" Browser see http://en.wikipedia.org/wiki/User_agent
+			return LifeForm.CBLF;                      
+		return LifeForm.SBLF;							// notably skips "curl","wget", (which is desired behavior.  We don't want to try CSP, etc on these)
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		Resp resp;
+		for(HttpTaf taf : tafs) {
+			resp = taf.revalidate(prin);
+			switch(resp) {
+				case NOT_MINE:
+					break;
+				default:
+					return resp;
+			}
+		}
+		return Resp.NOT_MINE;
+	}
+
+	/**
+	 * List HttpTafs with their "toString" representations... primarily useful for Debugging in an IDE
+	 * like Eclipse.
+	 */
+	public String toString() {
+		StringBuilder sb = new StringBuilder();
+		for(HttpTaf ht : tafs) {
+			sb.append(ht.toString());
+			sb.append(". ");
+		}
+		return sb.toString();
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
new file mode 100644
index 0000000..325de6a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/HttpTaf.java
@@ -0,0 +1,60 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.Taf.LifeForm;
+
+/**
+ * A TAF which is in a specific HTTP environment in which the engine implements 
+ * javax Servlet.
+ * 
+ * Using the Http Request and Response interfaces takes the effort out of implementing in almost any kind of
+ * HTTP Container or Engine.
+ *  
+ *
+ */
+public interface HttpTaf {
+	/**
+	 * validate
+	 * 
+	 * Validate the Request, and respond with created TafResp object.
+	 * 
+	 * @param reading
+	 * @param req
+	 * @param resp
+	 * @return
+	 */
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp);
+	
+	/**
+	 * Re-Validate Credential
+	 * 
+	 * @param prin
+	 * @return
+	 */
+	public CachedPrincipal.Resp revalidate(CachedPrincipal prin);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
new file mode 100644
index 0000000..b6bb385
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/LoginPageTafResp.java
@@ -0,0 +1,87 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Locator;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.Locator.Item;
+
+public class LoginPageTafResp extends AbsTafResp {
+	private final HttpServletResponse httpResp;
+	private final String loginPageURL;
+
+	private LoginPageTafResp(Access access, final HttpServletResponse resp, String loginPageURL) {
+		super(access, null, "Multiple Possible HTTP Logins available.  Redirecting to Login Choice Page");
+		httpResp = resp;
+		this.loginPageURL = loginPageURL;
+	}
+
+	@Override
+	public RESP authenticate() throws IOException {
+		httpResp.sendRedirect(loginPageURL);
+		return RESP.HTTP_REDIRECT_INVOKED;
+	}
+	
+	@Override
+	public RESP isAuthenticated() {
+		return RESP.TRY_AUTHENTICATING;
+	}
+	
+	public static TafResp create(Access access, Locator<URI> locator, final HttpServletResponse resp, List<Redirectable> redir) {
+		if(locator!=null) {
+			try {
+				Item item = locator.best();
+				URI uri = locator.get(item);
+				if(uri!=null) {
+					StringBuilder sb = new StringBuilder(uri.toString());
+					String query = uri.getQuery();
+					boolean first = query==null || query.length()==0;
+					int count=0;
+					for(Redirectable t : redir) {
+						if(first) {
+							sb.append('?');
+							first=false;
+						}
+						else sb.append('&');
+						sb.append(t.get());
+						++count;
+					}
+					if(count>0)return new LoginPageTafResp(access, resp, sb.toString());
+				}
+			} catch (Exception e) {
+				access.log(e, "Error deriving Login Page location");
+			}
+		} else if(!redir.isEmpty()) { 
+			access.log(Level.DEBUG,"LoginPage Locator is not configured. Taking first Redirectable Taf");
+			return redir.get(0);
+		}
+		return NullTafResp.singleton();
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
new file mode 100644
index 0000000..fb1b930
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/NullTaf.java
@@ -0,0 +1,64 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.Taf;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+
+
+/**
+ * This TAF is set at the very beginning of Filters and Valves so that if any configuration issues hit while
+ * starting, the default behavior is to shut down traffic rather than leaving an open hole
+ * 
+ *
+ */
+public class NullTaf implements Taf, HttpTaf {
+	// Singleton Pattern
+	public NullTaf() {}
+
+	/**
+	 * validate 
+	 * 
+	 * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
+	 */
+	public TafResp validate(LifeForm reading, String... info) {
+		return NullTafResp.singleton();
+	}
+
+	/**
+	 * validate 
+	 * 
+	 * Always Respond with a NullTafResp, which declares it is unauthenticated, and unauthorized
+	 */
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		return NullTafResp.singleton();
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		return Resp.NOT_MINE;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
new file mode 100644
index 0000000..97e49e0
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/NullTafResp.java
@@ -0,0 +1,73 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+
+/**
+ * A Null Pattern for setting responses to "Deny" before configuration is setup.
+ *
+ */
+class NullTafResp implements TafResp {
+	private NullTafResp(){}
+	
+	private static TafResp singleton = new NullTafResp();
+	
+	public static TafResp singleton() {
+		return singleton;
+	}
+	
+	public boolean isValid() {
+		return false;
+	}
+	
+	public RESP isAuthenticated() {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+	
+	public String desc() {
+		return "All Authentication denied";
+	}
+	
+	public RESP authenticate() throws IOException {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+
+	public Principal getPrincipal() {
+		return null;
+	}
+
+	public Access getAccess() {
+		return Access.NULL;
+	}
+
+	/* (non-Javadoc)
+	 * @see com.att.cadi.taf.TafResp#isFailedAttempt()
+	 */
+	public boolean isFailedAttempt() {
+		return true;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
new file mode 100644
index 0000000..10c401a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/PuntTafResp.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+
+/**
+ * A Punt Resp to make it fast and easy for a Taf to respond that it cannot handle a particular kind of
+ * request.  It is always the same object, so there is no cost for memory, etc.
+ *
+ */
+public class PuntTafResp implements TafResp {
+	private PuntTafResp(){}
+	
+	private static TafResp singleton = new PuntTafResp();
+	
+	public static TafResp singleton() {
+		return singleton;
+	}
+	
+	public boolean isValid() {
+		return false;
+	}
+	
+	public RESP isAuthenticated() {
+		return RESP.TRY_ANOTHER_TAF;
+	}
+	
+	public String desc() {
+		return "This Taf can or will not handle this authentication";
+	}
+	
+	public RESP authenticate() throws IOException {
+		return RESP.TRY_ANOTHER_TAF;
+	}
+
+	public Principal getPrincipal() {
+		return null;
+	}
+
+	public Access getAccess() {
+		return NullTafResp.singleton().getAccess();
+	}
+
+	public boolean isFailedAttempt() {
+		return false;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java b/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
new file mode 100644
index 0000000..6e20bab
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/Redirectable.java
@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+public interface Redirectable extends TafResp {
+	/**
+	 * Create a Redirectable URL entry prefaced by a URLEncoder.String for a Menu
+	 * example:
+	 * "Global Login=https://xxxx....."
+	 */
+	public String get();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
new file mode 100644
index 0000000..cb0915a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/TafResp.java
@@ -0,0 +1,94 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CadiException;
+
+/**
+ * Response from Taf objects, which inform users what has happened and/or what should be done
+ * 
+ *
+ */
+public interface TafResp {
+	public static enum RESP {
+		IS_AUTHENTICATED, 
+		NO_FURTHER_PROCESSING, 
+		TRY_AUTHENTICATING, 
+		TRY_ANOTHER_TAF,
+		FAIL, 
+		// A note was made to avoid the response REDIRECT.  However, I have deemed that it is 
+		// unavoidable when the underlying TAF did do a REDIRECT, because it requires a HTTP
+		// Service code to exit without modifying the Response any further.
+		// Therefore, I have changed this to indicate what HAS happened, with should accommodate 
+		// both positions.  JG 10/18/2012
+//		public static final int HTTP_REDIRECT_INVOKED = 11;
+		HTTP_REDIRECT_INVOKED,
+		HAS_PROCESSED};
+	
+	/**
+	 * Basic success check
+	 * @return
+	 */
+	public boolean isValid();
+	
+	/**
+	 *  String description of what has occurred (for logging/exceptions)
+	 * @return
+	 */
+	public String desc();
+	
+	/**
+	 * Check Response
+	 * @return
+	 */
+	public RESP isAuthenticated();
+
+	/**
+	 * Authenticate, returning FAIL or Other Valid indication
+	 * 
+	 * HTTP implementations should watch for "HTTP_REDIRECT_INVOKED", and end the HTTP call appropriately.
+	 * @return
+	 * @throws CadiException 
+	 */
+	public RESP authenticate() throws IOException;
+
+	/**
+	 * Once authenticated, this object should hold a Principal created from the authorization
+	 * @return
+	 */
+	public Principal getPrincipal();
+
+	/**
+	 * get the Access object which created this object, allowing the responder to appropriate Log, etc
+	 */
+	public Access getAccess();
+	
+	/**
+	 * Be able to check if part of a Failed attempt
+	 */
+	public boolean isFailedAttempt();
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
new file mode 100644
index 0000000..2ab4a62
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/TrustNotTafResp.java
@@ -0,0 +1,77 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+
+public class TrustNotTafResp implements TafResp {
+	private final TafResp delegate;
+	private final String desc;
+	
+	public TrustNotTafResp(final TafResp delegate, final String desc) {
+		this.delegate = delegate;
+		this.desc = desc;
+	}
+	
+	@Override
+	public boolean isValid() {
+		return false;
+	}
+
+	@Override
+	public String desc() {
+		return desc;
+	}
+
+	@Override
+	public RESP isAuthenticated() {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+
+	@Override
+	public RESP authenticate() throws IOException {
+		return RESP.NO_FURTHER_PROCESSING;
+	}
+
+	@Override
+	public Principal getPrincipal() {
+		return delegate.getPrincipal();
+	}
+
+	@Override
+	public Access getAccess() {
+		return delegate.getAccess();
+	}
+
+	@Override
+	public boolean isFailedAttempt() {
+		return true;
+	}
+	
+	public String toString() {
+		return desc();
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
new file mode 100644
index 0000000..cd4c92f
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/TrustTafResp.java
@@ -0,0 +1,79 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+
+public class TrustTafResp implements TafResp {
+	private final TafResp delegate;
+	private final Principal principal;
+	private final String desc;
+	
+	public TrustTafResp(final TafResp delegate, final Principal principal, final String desc) {
+		this.delegate = delegate;
+		this.principal = principal;
+		this.desc = desc + ' ' + delegate.desc();
+	}
+	
+	@Override
+	public boolean isValid() {
+		return delegate.isValid();
+	}
+
+	@Override
+	public String desc() {
+		return desc;
+	}
+
+	@Override
+	public RESP isAuthenticated() {
+		return delegate.isAuthenticated();
+	}
+
+	@Override
+	public RESP authenticate() throws IOException {
+		return delegate.authenticate();
+	}
+
+	@Override
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+	@Override
+	public Access getAccess() {
+		return delegate.getAccess();
+	}
+
+	@Override
+	public boolean isFailedAttempt() {
+		return delegate.isFailedAttempt();
+	}
+	
+	public String toString() {
+		return principal.getName() + " by trust of " + desc();
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
new file mode 100644
index 0000000..f6cc3a7
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTaf.java
@@ -0,0 +1,159 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.basic;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.BasicCred;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CredVal;
+import org.onap.aaf.cadi.Taf;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.principal.BasicPrincipal;
+import org.onap.aaf.cadi.principal.CachedBasicPrincipal;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.taf.dos.DenialOfServiceTaf;
+
+/**
+ * BasicHttpTaf
+ * 
+ * This TAF implements the "Basic Auth" protocol.  
+ * 
+ * WARNING! It is true for any implementation of "Basic Auth" that the password is passed unencrypted.  
+ * This is because the expectation, when designed years ago, was that it would only be used in 
+ * conjunction with SSL (https).  It is common, however, for users to ignore this on the assumption that
+ * their internal network is secure, or just ignorance.  Therefore, a WARNING will be printed
+ * when the HTTP Channel is not encrypted (unless explicitly turned off).
+ * 
+ *
+ */
+public class BasicHttpTaf implements HttpTaf {
+	private Access access;
+	private String realm;
+	private CredVal rbac;
+	private boolean warn;
+	private long timeToLive;
+	
+	public BasicHttpTaf(Access access, CredVal rbac, String realm, long timeToLive, boolean turnOnWarning) {
+		this.access = access;
+		this.realm = realm;
+		this.rbac = rbac;
+		this.warn = turnOnWarning;
+		this.timeToLive = timeToLive;
+	}
+
+	/**
+	 * Note: BasicHttp works for either Carbon Based (Humans) or Silicon Based (machine) Lifeforms.  
+	 * @see Taf
+	 */
+	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		// See if Request implements BasicCred (aka CadiWrap or other), and if User/Pass has already been set separately
+		if(req instanceof BasicCred) {
+			BasicCred bc = (BasicCred)req;
+			if(bc.getUser()!=null) { // CadiWrap, if set, makes sure User & Password are both valid, or both null
+				if(DenialOfServiceTaf.isDeniedID(bc.getUser())!=null) {
+					return DenialOfServiceTaf.respDenyID(access,bc.getUser());
+				}
+				CachedBasicPrincipal bp = new CachedBasicPrincipal(this,bc,realm,timeToLive);
+				// ONLY FOR Last Ditch DEBUGGING... 
+				// access.log(Level.WARN,bp.getName() + ":" + new String(bp.getCred()));
+				if(rbac.validate(bp.getName(),Type.PASSWORD,bp.getCred())) {
+					return new BasicHttpTafResp(access,bp,bp.getName()+" authenticated by password",RESP.IS_AUTHENTICATED,resp,realm,false);
+				} else {
+					//TODO may need timed retries in a given time period
+					return new BasicHttpTafResp(access,null,buildMsg(bp,req,"User/Pass combo invalid for ",bc.getUser()), 
+							RESP.TRY_AUTHENTICATING,resp,realm,true);
+				}
+			}
+		}
+		// Get User/Password from Authorization Header value
+		String authz = req.getHeader("Authorization");
+		if(authz != null && authz.startsWith("Basic ")) {
+			if(warn&&!req.isSecure()) {
+				access.log(Level.WARN,"WARNING! BasicAuth has been used over an insecure channel");
+			}
+			try {
+				CachedBasicPrincipal ba = new CachedBasicPrincipal(this,authz,realm,timeToLive);
+				if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
+					return DenialOfServiceTaf.respDenyID(access,ba.getName());
+				}
+
+				// ONLY FOR Last Ditch DEBUGGING... 
+				// access.log(Level.WARN,ba.getName() + ":" + new String(ba.getCred()));
+				if(rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())) {
+					return new BasicHttpTafResp(access,ba, ba.getName()+" authenticated by BasicAuth password",RESP.IS_AUTHENTICATED,resp,realm,false);
+				} else {
+					//TODO may need timed retries in a given time period
+					return new BasicHttpTafResp(access,null,buildMsg(ba,req,"User/Pass combo invalid"), 
+							RESP.TRY_AUTHENTICATING,resp,realm,true);
+				}
+			} catch (IOException e) {
+				String msg = buildMsg(null,req,"Failed HTTP Basic Authorization (", e.getMessage(), ')');
+				access.log(Level.INFO,msg);
+				return new BasicHttpTafResp(access,null,msg, RESP.TRY_AUTHENTICATING, resp, realm,true);
+			}
+		}
+		return new BasicHttpTafResp(access,null,"Requesting HTTP Basic Authorization",RESP.TRY_AUTHENTICATING,resp,realm,false);
+	}
+	
+	protected String buildMsg(Principal pr, HttpServletRequest req, Object ... msg) {
+		StringBuilder sb = new StringBuilder();
+		for(Object s : msg) {
+			sb.append(s.toString());
+		}
+		if(pr!=null) {
+			sb.append(" for ");
+			sb.append(pr.getName());
+		}
+		sb.append(" from ");
+		sb.append(req.getRemoteAddr());
+		sb.append(':');
+		sb.append(req.getRemotePort());
+		return sb.toString();
+	}
+
+	@Override
+	public Resp revalidate(CachedPrincipal prin) {
+		if(prin instanceof BasicPrincipal) {
+			BasicPrincipal ba = (BasicPrincipal)prin;
+			if(DenialOfServiceTaf.isDeniedID(ba.getName())!=null) {
+				return Resp.UNVALIDATED;
+			}
+			return rbac.validate(ba.getName(), Type.PASSWORD, ba.getCred())?Resp.REVALIDATED:Resp.UNVALIDATED;
+		}
+		return Resp.NOT_MINE;
+	}
+	
+	public String toString() {
+		return "Basic Auth enabled on realm: " + realm;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
new file mode 100644
index 0000000..45eab48
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/basic/BasicHttpTafResp.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.basic;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.taf.AbsTafResp;
+import org.onap.aaf.cadi.taf.TafResp;
+
+public class BasicHttpTafResp extends AbsTafResp implements TafResp {
+	private HttpServletResponse httpResp;
+	private String realm;
+	private RESP status;
+	private final boolean wasFailed;
+	
+	public BasicHttpTafResp(Access access, Principal principal, String description, RESP status, HttpServletResponse resp, String realm, boolean wasFailed) {
+		super(access,principal, description);
+		httpResp = resp;
+		this.realm = realm;
+		this.status = status;
+		this.wasFailed = wasFailed;
+	}
+
+	public RESP authenticate() throws IOException {
+		httpResp.setStatus(401); // Unauthorized	
+		httpResp.setHeader("WWW-Authenticate", "Basic realm=\""+realm+'"');
+		return RESP.HTTP_REDIRECT_INVOKED;
+	}
+
+	public RESP isAuthenticated() {
+		return status;
+	}
+
+	public boolean isFailedAttempt() {
+		return wasFailed;
+	}
+
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
new file mode 100644
index 0000000..1d84d67
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/cert/CertIdentity.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.cert;
+
+import java.security.Principal;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface CertIdentity {
+	/**
+	 * identity from X509Certificate Object and/or certBytes
+	 * 
+	 * If you have both, include them.  If you only have one, leave the other null, and it will be generated if needed
+	 * 
+	 * The Request is there to obtain Header or Attribute info of ultimate user
+	 * 
+	 * @param req
+	 * @param cert
+	 * @param certBytes
+	 * @return
+	 * @throws CertificateException 
+	 */
+	public Principal identity(HttpServletRequest req, X509Certificate cert, byte[] certBytes) throws CertificateException;
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
new file mode 100644
index 0000000..f301fc2
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509HttpTafResp.java
@@ -0,0 +1,52 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.cert;
+
+import java.io.IOException;
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.taf.AbsTafResp;
+import org.onap.aaf.cadi.taf.TafResp;
+
+public class X509HttpTafResp extends AbsTafResp implements TafResp {
+	private RESP status;
+	
+	public X509HttpTafResp(Access access, Principal principal, String description, RESP status) {
+		super(access, principal, description);
+ 		this.status = status;
+	}
+
+	public RESP authenticate() throws IOException {
+		return RESP.TRY_ANOTHER_TAF;
+	}
+
+	public RESP isAuthenticated() {
+		return status;
+	}
+
+	public String toString() {
+		return status.name();
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
new file mode 100644
index 0000000..36217cc
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
@@ -0,0 +1,257 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.Signature;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+
+import javax.net.ssl.TrustManagerFactory;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.Taf.LifeForm;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.config.SecurityInfo;
+import org.onap.aaf.cadi.config.SecurityInfoC;
+import org.onap.aaf.cadi.lur.LocalPermission;
+import org.onap.aaf.cadi.principal.TGuardPrincipal;
+import org.onap.aaf.cadi.principal.X509Principal;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+import org.onap.aaf.cadi.util.Split;
+
+public class X509Taf implements HttpTaf {
+	
+	public static final CertificateFactory certFactory;
+	public static final MessageDigest messageDigest;
+	public static final TrustManagerFactory tmf;
+	private Access access;
+	private CertIdentity[] certIdents;
+	private Lur lur;
+	private ArrayList<String> cadiIssuers;
+	private String env;
+	private SecurityInfo si;
+
+	static {
+		try {
+			certFactory = CertificateFactory.getInstance("X.509");
+			messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
+			tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
+		} catch (Exception e) {
+			throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
+		}
+	}
+	
+	public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException {
+		this.access = access;
+		env = access.getProperty(Config.AAF_ENV,null);
+		if(env==null) {
+			throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
+		}
+		this.lur = lur;
+		this.cadiIssuers = new ArrayList<String>();
+		for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "CN=ATT CADI Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT CADI Issuing CA 02, OU=CSO, O=ATT, C=US").split(":")) {
+			cadiIssuers.add(ci);
+		}
+		try {
+			Class<?> dci = access.classLoader().loadClass("com.att.authz.cadi.DirectCertIdentity");
+			CertIdentity temp[] = new CertIdentity[cis.length+1];
+			System.arraycopy(cis, 0, temp, 1, cis.length);
+			temp[0] = (CertIdentity) dci.newInstance();
+			certIdents=temp;
+		} catch (Exception e) {
+			certIdents = cis;
+		}
+		
+		try {
+			si = new SecurityInfo(access);
+		} catch (GeneralSecurityException | IOException e1) {
+			throw new CadiException(e1);
+		}
+	}
+
+	public static final X509Certificate getCert(byte[] certBytes) throws CertificateException {
+		ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
+		return (X509Certificate)certFactory.generateCertificate(bais);
+	}
+
+	public static final byte[] getFingerPrint(byte[] ba) {
+		MessageDigest md;
+		try {
+			md = (MessageDigest)messageDigest.clone();
+		} catch (CloneNotSupportedException e) {
+			// should never get here
+			return new byte[0];
+		}
+		md.update(ba);
+		return md.digest();
+	}
+
+	public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		// Check for Mutual SSL
+		try {
+			X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
+			if(certarr!=null && certarr.length>0) {
+				si.checkClientTrusted(certarr);
+				// Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
+				if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) {
+					String x500 = certarr[0].getSubjectDN().getName();
+					int ou=x500.indexOf("OU=");
+					if(ou>0) {
+						ou+=3;
+						int comma = x500.indexOf(',',ou);
+						if(comma>0) {
+							String id= x500.substring(ou,comma);
+							String idenv[] = id.split(":");
+							if(idenv.length==1 || (idenv.length>1 && env.equals(idenv[1]))) {
+								return new X509HttpTafResp(access, 
+									new X509Principal(idenv[0], certarr[0],null), 
+										id + " validated by CADI x509", RESP.IS_AUTHENTICATED);
+							}
+						}
+					}
+				}
+			}
+
+			byte[] array = null;
+			byte[] certBytes = null;
+			X509Certificate cert=null;
+			String responseText=null;
+			String authHeader = req.getHeader("Authorization");
+
+			if(certarr!=null) {  // If cert !=null, Cert is Tested by Mutual Protocol.
+				if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity
+					return new X509HttpTafResp(access, null, "Certificate verified, but another Identity is presented", RESP.TRY_ANOTHER_TAF);
+				}
+				cert = certarr[0];
+				responseText = ", validated by Mutual SSL Protocol";
+			} else {		 // If cert == null, Get Declared Cert (in header), but validate by having them sign something
+				if(authHeader != null && authHeader.startsWith("x509 ")) {
+					ByteArrayOutputStream baos = new ByteArrayOutputStream(authHeader.length());
+					try {
+						array = authHeader.getBytes();
+						ByteArrayInputStream bais = new ByteArrayInputStream(array);
+						Symm.base64noSplit.decode(bais, baos, 5);
+						certBytes = baos.toByteArray();
+						cert = getCert(certBytes);
+						
+						/** 
+						 * Identity from CERT if well know CA and specific encoded information
+						 */
+						// If found Identity doesn't work, try SignedStuff Protocol
+//									cert.checkValidity();
+//									cert.--- GET FINGERPRINT?
+						String stuff = req.getHeader("Signature");
+						if(stuff==null) 
+							return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF);
+						String data = req.getHeader("Data"); 
+//									if(data==null) 
+//										return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF);
+
+						// Note: Data Pos shows is "<signatureType> <data>"
+//									int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm
+						// Get Signature 
+						bais = new ByteArrayInputStream(stuff.getBytes());
+						baos = new ByteArrayOutputStream(stuff.length());
+						Symm.base64noSplit.decode(bais, baos);
+						array = baos.toByteArray();
+//									Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature
+						
+						Signature sig = Signature.getInstance(cert.getSigAlgName()); 
+						sig.initVerify(cert.getPublicKey());
+						sig.update(data.getBytes());
+						if(!sig.verify(array)) {
+							access.log(Level.ERROR, "Signature doesn't Match");
+							return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
+						}
+						responseText = ", validated by Signed Data";
+					} catch (Exception e) {
+						access.log(e, "Exception while validating Cert");
+						return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
+					}
+					
+				} else {
+					return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF);
+				}
+			}
+
+			// A cert has been found, match Identify
+			Principal prin=null;
+			
+			for(int i=0;prin==null && i<certIdents.length;++i) {
+				if((prin=certIdents[i].identity(req, cert, certBytes))!=null) {
+					responseText = prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText;
+//					xresp = new X509HttpTafResp(
+//								access,
+//								prin,
+//								prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText,
+//								RESP.IS_AUTHENTICATED);
+					
+				}
+			}
+
+			// if Principal is found, check for "AS_USER" and whether this entity is trusted to declare
+			if(prin!=null) {
+				String as_user=req.getHeader(Config.CADI_USER_CHAIN);
+				if(as_user!=null) {
+					if(as_user.startsWith("TGUARD ") && lur.fish(prin, new LocalPermission("com.att.aaf.trust|"+prin.getName()+"|tguard"))) {
+						prin = new TGuardPrincipal(as_user.substring(7));
+						responseText=prin.getName() + " set via trust of " + responseText;
+					}
+				}
+				return new X509HttpTafResp(
+					access,
+					prin,
+					responseText,
+					RESP.IS_AUTHENTICATED);
+			}
+		} catch(Exception e) {
+			return new X509HttpTafResp(access, null, e.getMessage(), RESP.TRY_ANOTHER_TAF);	
+		}
+	
+		return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		return null;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
new file mode 100644
index 0000000..c55b7eb
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTaf.java
@@ -0,0 +1,370 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.dos;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.Taf.LifeForm;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.PuntTafResp;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+
+public class DenialOfServiceTaf implements HttpTaf {
+	private static Map<String, Counter> deniedIP=null, deniedID=null;
+	private Access access;
+	private static File dosIP, dosID;
+	
+	/**
+	 * 
+	 * @param hostname
+	 * @param prod
+	 * @throws CadiException
+	 */
+	public DenialOfServiceTaf(Access access) throws CadiException {
+		this.access = access;
+		if(dosIP==null || dosID == null) {
+			String dirStr;
+			if((dirStr = access.getProperty("aaf_data_dir", null))!=null) {
+				dosIP = new File(dirStr+"/dosIP");
+				readIP();
+				dosID = new File(dirStr+"/dosID");
+				readID();
+			}
+		}
+	}
+
+	public TafResp validate(LifeForm reading, HttpServletRequest req, final HttpServletResponse resp) {
+		// Performance, when not needed
+		if(deniedIP != null) {
+			String ip;
+			Counter c = deniedIP.get(ip=req.getRemoteAddr());
+			if(c!=null) {
+				c.inc();
+				return respDenyIP(access,ip);
+			}
+		}
+		
+		// Note:  Can't process Principal, because this is the first TAF, and no Principal is created.
+		// Other TAFs use "isDenied()" on this Object to validate.
+		return PuntTafResp.singleton();
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		// We always return NOT MINE, because DOS Taf does not ever validate
+		return Resp.NOT_MINE;
+	}
+
+	/*
+	 *  for use in Other TAFs, before they attempt backend validation of 
+	 */
+	public static Counter isDeniedID(String identity) {
+		if(deniedID!=null) {
+			return deniedID.get(identity);
+		}
+		return null;
+	}
+	
+	/**
+	 *  
+	 */
+	public static Counter isDeniedIP(String ipvX) {
+		if(deniedID!=null) {
+			return deniedID.get(ipvX);
+		}
+		return null;
+	}
+
+	/**
+	 * Return of "True" means IP has been added.
+	 * Return of "False" means IP already added.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean denyIP(String ip) {
+		boolean rv = false;
+		if(deniedIP==null) {
+			deniedIP = new HashMap<String,Counter>();
+			deniedIP.put(ip, new Counter(ip)); // Noted duplicated for minimum time spent
+			rv= true;
+		} else if(deniedIP.get(ip)==null) {
+			deniedIP.put(ip, new Counter(ip));
+			rv = true;
+		}
+		if(rv) {
+			writeIP();
+		}
+		return rv;
+	}
+	
+	private static void writeIP() {
+		if(dosIP!=null && deniedIP!=null) {
+			if(deniedIP.isEmpty()) {
+				if(dosIP.exists()) {
+					dosIP.delete();
+				}
+			} else {
+				PrintStream fos;
+				try {
+					fos = new PrintStream(new FileOutputStream(dosIP,false));
+					try {
+						for(String ip: deniedIP.keySet()) {
+							fos.println(ip);
+						}
+					} finally {
+						fos.close();
+					}
+				} catch (IOException e) {
+					e.printStackTrace(System.err);
+				}
+			}
+		}
+	}
+	
+	private static void readIP() {
+		if(dosIP!=null && dosIP.exists()) {
+			BufferedReader br;
+			try {
+				br = new BufferedReader(new FileReader(dosIP));
+				if(deniedIP==null) {
+					deniedIP=new HashMap<String,Counter>();
+				}
+
+				try {
+					String line;
+					while((line=br.readLine())!=null) {
+						deniedIP.put(line, new Counter(line));
+					}
+				} finally {
+					br.close();
+				}
+			} catch (IOException e) {
+				e.printStackTrace(System.err);
+			}
+		}
+	}
+
+
+	/**
+	 * Return of "True" means IP has was removed.
+	 * Return of "False" means IP wasn't being denied.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean removeDenyIP(String ip) {
+		if(deniedIP!=null && deniedIP.remove(ip)!=null) {
+			writeIP();
+			if(deniedIP.isEmpty()) {
+				deniedIP=null;
+			}
+			return true;
+		}
+		return false;
+	}
+
+	/**
+	 * Return of "True" means ID has been added.
+	 * Return of "False" means ID already added.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean denyID(String id) {
+		boolean rv = false;
+		if(deniedID==null) {
+			deniedID = new HashMap<String,Counter>();
+			deniedID.put(id, new Counter(id)); // Noted duplicated for minimum time spent
+			rv = true;
+		} else if(deniedID.get(id)==null) {
+			deniedID.put(id, new Counter(id));
+			rv = true;
+		}
+		if(rv) {
+			writeID();
+		}
+		return rv;
+
+	}
+
+	private static void writeID() {
+		if(dosID!=null && deniedID!=null) {
+			if(deniedID.isEmpty()) {
+				if(dosID.exists()) {
+					dosID.delete();
+				}
+			} else {
+				PrintStream fos;
+				try {
+					fos = new PrintStream(new FileOutputStream(dosID,false));
+					try {
+						for(String ip: deniedID.keySet()) {
+							fos.println(ip);
+						}
+					} finally {
+						fos.close();
+					}
+				} catch (IOException e) {
+					e.printStackTrace(System.err);
+				}
+			}
+		}
+	}
+
+	private static void readID() {
+		if(dosID!=null && dosID.exists()) {
+			BufferedReader br;
+			try {
+				br = new BufferedReader(new FileReader(dosID));
+				if(deniedID==null) {
+					deniedID=new HashMap<String,Counter>();
+				}
+				try {
+					String line;
+					while((line=br.readLine())!=null) {
+						deniedID.put(line, new Counter(line));
+					}
+				} finally {
+					br.close();
+				}
+			} catch (IOException e) {
+				e.printStackTrace(System.err);
+			}
+		}
+	}
+
+	/**
+	 * Return of "True" means ID has was removed.
+	 * Return of "False" means ID wasn't being denied.
+	 * 
+	 * @param ip
+	 * @return
+	 */
+	public static synchronized boolean removeDenyID(String id) {
+		if(deniedID!=null && deniedID.remove(id)!=null) { 
+			writeID();
+			if(deniedID.isEmpty()) {
+				deniedID=null;
+			}
+
+			return true;
+		}
+		return false;
+	}
+	
+	public List<String> report() {
+		int initSize = 0;
+		if(deniedIP!=null)initSize+=deniedIP.size();
+		if(deniedID!=null)initSize+=deniedID.size();
+		ArrayList<String> al = new ArrayList<String>(initSize);
+		if(deniedID!=null) {
+			for(Counter c : deniedID.values()) {
+				al.add(c.toString());
+			}
+		}
+		if(deniedIP!=null) {
+			for(Counter c : deniedIP.values()) {
+				al.add(c.toString());
+			}
+		}
+		return al;
+	}
+	
+	public static class Counter {
+		private final String name; 
+		private int count = 0;
+		private Date first;
+		private long last; // note, we use "last" as long, to avoid popping useless dates on Heap.
+		
+		public Counter(String name) {
+			this.name = name;
+			first = null;
+			last = 0L;
+			count = 0;
+		}
+		
+		public String getName() {
+			return name;
+		}
+		
+		public int getCount() {
+			return count;
+		}
+
+		public long getLast() {
+			return last;
+		}
+		
+		/*
+		 * Only allow Denial of ServiceTaf to increment
+		 */
+		private synchronized void inc() {
+			++count;
+			last = System.currentTimeMillis();
+			if(first==null) {
+				first = new Date(last);
+			}
+		}
+		
+		public String toString() {
+			if(count==0) 
+				return name + " is on the denied list, but has not attempted Access"; 
+			else 
+				return 
+					name +
+					" has been denied " +
+					count +
+					" times since " +
+					first +
+					".  Last denial was " +
+					new Date(last);
+		}
+	}
+
+	public static TafResp respDenyID(Access access, String identity) {
+		return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, identity + " is on the Identity Denial list");
+	}
+	
+	public static TafResp respDenyIP(Access access, String ip) {
+		return new DenialOfServiceTafResp(access, RESP.NO_FURTHER_PROCESSING, ip + " is on the IP Denial list");
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
new file mode 100644
index 0000000..ac6c01a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/dos/DenialOfServiceTafResp.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.dos;
+
+import java.io.IOException;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.taf.AbsTafResp;
+
+public class DenialOfServiceTafResp extends AbsTafResp  {
+	private RESP ect;  // Homage to Arethra Franklin
+
+	public DenialOfServiceTafResp(Access access, RESP resp, String description ) {
+		super(access, null, description);
+		ect = resp;
+	}
+
+	// Override base behavior of checking Principal and trying another TAF
+	@Override
+	public RESP isAuthenticated() {
+		return ect;
+	}
+	
+
+	public RESP authenticate() throws IOException {
+		return ect;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
new file mode 100644
index 0000000..af9554f
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTaf.java
@@ -0,0 +1,130 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.localhost;
+
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.net.SocketException;
+import java.net.UnknownHostException;
+import java.util.Enumeration;
+import java.util.TreeSet;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.CachedPrincipal;
+import org.onap.aaf.cadi.Taf;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CachedPrincipal.Resp;
+import org.onap.aaf.cadi.taf.HttpTaf;
+import org.onap.aaf.cadi.taf.TafResp;
+import org.onap.aaf.cadi.taf.TafResp.RESP;
+
+/**
+ * Implement the ability to utilize LocalHost as a TAF.
+ * 
+ * Configure with two properties, 
+ * 	localhost.deny
+ *  localhost.accept
+ *  
+ * 1) If localhost.deny==true, then no localhost requests are allowed
+ * 2) If localhost.deny==false, but accept==false, return "Try Another TAF" (i.e. allow further checking of the
+ *   chain, but don't treat localhost as an acceptable credential)
+ * 3) If localhost.deny=false and accept=true, then the processes coming from the same machine, given logins are needed, 
+ * to run, are treated as validated.  This is primarily for Developer purposes.
+ *   
+ * 
+ *
+ */
+public class LocalhostTaf implements HttpTaf {
+	private TafResp isLocalHost,isNotLocalHost;
+	private static final TreeSet<String> addrSet;
+	
+	static {
+		addrSet = new TreeSet<String>();
+		try {
+			for(Enumeration<NetworkInterface> en = NetworkInterface.getNetworkInterfaces();en.hasMoreElements();) {
+				NetworkInterface ni = en.nextElement();
+				for(Enumeration<InetAddress> eia = ni.getInetAddresses();eia.hasMoreElements();) {
+					InetAddress ia = eia.nextElement();
+					addrSet.add(ia.getHostAddress());
+				}
+			}
+		} catch (SocketException e) {
+		}
+		
+	}
+
+	public LocalhostTaf(Access access, boolean accept, boolean isDenied) {
+		String hostname = access.getProperty("hostname",null);
+		if(hostname !=null) {
+			try {
+				addrSet.add(InetAddress.getByName(hostname).getHostAddress());
+			} catch (UnknownHostException e) {
+				access.log(e,"Unknown Host");
+			}
+		}
+		
+		if(isDenied) {
+			access.log(Level.INFO,"LocalhostTaf will deny all localhost traffic");
+		} else {
+			access.log(Level.INFO,"LocalhostTaf will not deny localhost requests, ",
+					(accept?"and will treat them as authenticated":"but will require other authentication"));
+		}
+		// Set the appropriate behavior for when ID coming in is from localhost
+		isLocalHost = isDenied?	
+			new LocalhostTafResp(access, RESP.NO_FURTHER_PROCESSING,"Localhost is denied"):
+			accept?
+				new LocalhostTafResp(access, RESP.IS_AUTHENTICATED,"Localhost is allowed"):
+				new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Localhost is allowed");
+		isNotLocalHost = new LocalhostTafResp(access, RESP.TRY_ANOTHER_TAF,"Address is not Localhost");
+	}
+
+//	@Override
+	public TafResp validate(Taf.LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
+		String remote = req.getRemoteAddr();
+		return addrSet.contains(remote)
+			?isLocalHost
+			:isNotLocalHost;
+	}
+
+	/** 
+	 * This function used for other TAFs (i.e. CSP, which can't work on localhost address)
+	 * 
+	 * @param address
+	 * @return
+	 */
+	public static boolean isLocalAddress(String address) {
+		return addrSet.contains(address);
+	}
+	
+	public String toString() {
+		return "Localhost TAF activated: " + isLocalHost.desc();
+	}
+
+	public Resp revalidate(CachedPrincipal prin) {
+		// shouldn't get here, since there's no need to Cache, but if so, LocalHost is always valid...
+		return Resp.REVALIDATED;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
new file mode 100644
index 0000000..bda5484
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/taf/localhost/LocalhostTafResp.java
@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.taf.localhost;
+
+import java.security.Principal;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.taf.TafResp;
+
+public class LocalhostTafResp implements TafResp {
+	private RESP action;
+	private String description;
+	private final static Principal principal = new Principal() {
+		private String name = System.getProperty("user.name")+"@localhost";
+//		@Override
+		public String getName() {
+			return name;
+		}
+	};
+
+	private Access access;
+	
+	public LocalhostTafResp(Access access, RESP state, String desc) {
+		action = state;
+		description = desc;
+		this.access = access;
+	}
+	
+//	@Override
+	public boolean isValid() {
+		return action == RESP.IS_AUTHENTICATED;
+	}
+
+//	@Override
+	public String desc() {
+		return description;
+	}
+
+//	@Override
+	public RESP authenticate() {
+		return action;
+	}
+	
+	public RESP isAuthenticated() {
+		return action;
+	}
+
+//	@Override
+	public Principal getPrincipal() {
+		return principal;
+	}
+
+	public Access getAccess() {
+		return access;
+	}
+
+	public boolean isFailedAttempt() {
+		return false;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java b/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
new file mode 100644
index 0000000..f999a11
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/Chmod.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+import java.io.File;
+import java.io.IOException;
+
+public interface Chmod {
+	public void chmod(File f) throws IOException;
+	
+	public static final Chmod to755 = new Chmod() {
+		public void chmod(File f) throws IOException {
+			f.setExecutable(true, false);
+			f.setExecutable(true, true);
+			f.setReadable(true, false);
+			f.setReadable(true, true);
+			f.setWritable(false, false);
+			f.setWritable(true, true);
+		}
+	};
+
+	public static final Chmod to644 = new Chmod() {
+		public void chmod(File f) throws IOException {
+			f.setExecutable(false, false);
+			f.setExecutable(false, true);
+			f.setReadable(true, false);
+			f.setReadable(true, true);
+			f.setWritable(false, false);
+			f.setWritable(true, true);
+		}
+	};
+
+	public static final Chmod to400 = new Chmod() {
+		public void chmod(File f) throws IOException {
+			f.setExecutable(false, false);
+			f.setExecutable(false, true);
+			f.setReadable(false, false);
+			f.setReadable(true, true);
+			f.setWritable(false, false);
+			f.setWritable(false, true);
+		}
+	};
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java b/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
new file mode 100644
index 0000000..546292e
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/JsonOutputStream.java
@@ -0,0 +1,90 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+public class JsonOutputStream extends OutputStream {
+	private static final byte[] TWO_SPACE = "  ".getBytes();
+	private OutputStream os;
+	private boolean closeable;
+	private int indent = 0;
+	private int prev,ret=0;
+
+	public JsonOutputStream(OutputStream os) {
+		// Don't close these, or dire consequences.
+		closeable = !os.equals(System.out) && !os.equals(System.err);
+		this.os = os;
+	}
+
+	@Override
+	public void write(int b) throws IOException {
+		if(ret=='\n') {
+			ret = 0;
+			if(prev!=',' || (b!='{' && b!='[')) {
+				os.write('\n');
+				for(int i=0;i<indent;++i) {
+					os.write(TWO_SPACE);
+				}
+			}
+		}
+		switch(b) {
+			case '{':
+			case '[':	
+					ret = '\n';
+					++indent;
+					break;
+			case '}':
+			case ']': 
+					--indent;
+					os.write('\n');
+					for(int i=0;i<indent;++i) {
+						os.write(TWO_SPACE);
+					}
+					break;
+			case ',':
+					ret = '\n';
+					break;
+					
+		}
+		os.write(b);
+		prev = b;
+	}
+	public void resetIndent() {
+		indent = 1;
+	}
+
+	@Override
+	public void flush() throws IOException {
+		os.flush();
+	}
+
+	@Override
+	public void close() throws IOException {
+		if(closeable) {
+			os.close();
+		}
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/MaskFormatException.java b/core/src/main/java/org/onap/aaf/cadi/util/MaskFormatException.java
new file mode 100644
index 0000000..551eae9
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/MaskFormatException.java
@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+@SuppressWarnings("serial")
+public class MaskFormatException extends Exception {
+
+	public MaskFormatException(String string) {
+			super(string);
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/MyConsole.java b/core/src/main/java/org/onap/aaf/cadi/util/MyConsole.java
new file mode 100644
index 0000000..de1c882
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/MyConsole.java
@@ -0,0 +1,29 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+public interface MyConsole {
+	public String readLine(String fmt, Object ... args);
+	public char[] readPassword(String fmt, Object ... args);
+	public void printf(String fmt, Object ...args);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/NetMask.java b/core/src/main/java/org/onap/aaf/cadi/util/NetMask.java
new file mode 100644
index 0000000..b19f150
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/NetMask.java
@@ -0,0 +1,100 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+/* 
+ * NetMask - a class to quickly validate whether a given IP is part of a mask, as defined by bytes or standard String format.
+ * 
+ * Needs the IPV6 Mask Builder. 
+ */
+public class NetMask {
+	private long mask;
+
+	public NetMask(byte[] inBytes) {
+		mask = derive(inBytes);
+	}
+	
+	public NetMask(String string) throws MaskFormatException {
+		mask = derive(string,true);
+	}
+	
+	public boolean isInNet(byte[] inBytes) {
+		long addr = derive(inBytes);
+		return (mask & addr) == addr;
+	}
+	
+	public boolean isInNet(String str) {
+		long addr;
+		try {
+			addr = derive(str,false);
+			return (mask & addr) == addr;
+		} catch (MaskFormatException e) {
+			// will not hit this code;
+			return false;
+		}
+	}
+
+	public static long derive(byte[] inBytes) {
+		long addr = 0L;
+		int offset = inBytes.length*8;
+		for(int i=0;i<inBytes.length;++i) {
+			addr&=(inBytes[i]<<offset);
+			offset-=8;
+		}
+		return addr;
+	}
+
+	public static long derive(String str, boolean check) throws MaskFormatException {
+		long rv=0L;
+		int idx=str.indexOf(':');
+		int slash = str.indexOf('/');
+
+		if(idx<0) { // Not IPV6, so it's IPV4... Is there a mask of 123/254?
+			idx=str.indexOf('.');
+			int offset = 24;
+			int end = slash>=0?slash:str.length();
+			int bits = slash>=0?Integer.parseInt(str.substring(slash+1)):32;
+			if(check && bits>32) {
+				throw new MaskFormatException("Invalid Mask Offset in IPV4 Address");
+			}
+			int prev = 0;
+			long lbyte;
+			while(prev<end) {
+				if(idx<0) {
+					idx = end;
+				}
+				lbyte = Long.parseLong(str.substring(prev, idx));
+				if(check && (lbyte>255 || lbyte<0)) {
+					throw new MaskFormatException("Invalid Byte in IPV4 Address");
+				}
+				rv|=lbyte<<offset;
+				prev = ++idx;
+				idx=str.indexOf('.',prev);
+				offset-=8;
+			}
+			rv|=0x00000000FFFFFFFFL>>bits;
+		}
+		return rv;
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/Split.java b/core/src/main/java/org/onap/aaf/cadi/util/Split.java
new file mode 100644
index 0000000..c3b37dc
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/Split.java
@@ -0,0 +1,91 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+/**
+ * Split by Char, optional Trim
+ *
+ * Note: Copied from Inno to avoid linking issues.
+ * Note: I read the String split and Pattern split code, and we can do this more efficiently for a single Character
+ * 
+ * 8/20/2015
+ */
+
+public class Split {
+	  public static String[] split(char c, String value) {
+		  // Count items to preallocate Array (memory alloc is more expensive than counting twice)
+		  int count,idx;
+		  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);
+		  String[] rv = new String[count];
+		  if(count==1) {
+			  rv[0]=value;
+		  } else {
+			  int last=0;
+			  count=-1;
+			  for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) {
+				  rv[++count]=value.substring(last,idx);
+				  last = ++idx;
+			  }
+			  rv[++count]=value.substring(last);
+		  }
+		  return rv;
+	  }
+
+	  public static String[] splitTrim(char c, String value) {
+		  // Count items to preallocate Array (memory alloc is more expensive than counting twice)
+		  int count,idx;
+		  for(count=1,idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,++idx),++count);
+		  String[] rv = new String[count];
+		  if(count==1) {
+			  rv[0]=value.trim();
+		  } else {
+			  int last=0;
+			  count=-1;
+			  for(idx=value.indexOf(c);idx>=0;idx=value.indexOf(c,idx)) {
+				  rv[++count]=value.substring(last,idx).trim();
+				  last = ++idx;
+			  }
+			  rv[++count]=value.substring(last).trim();
+		  }
+		  return rv;
+	  }
+
+	  public static String[] splitTrim(char c, String value, int size) {
+		  int idx;
+		  String[] rv = new String[size];
+		  if(size==1) {
+			  rv[0]=value.trim();
+		  } else {
+			  int last=0;
+			  int count=-1;
+			  size-=2;
+			  for(idx=value.indexOf(c);idx>=0 && count<size;idx=value.indexOf(c,idx)) {
+				  rv[++count]=value.substring(last,idx).trim();
+				  last = ++idx;
+			  }
+			  rv[++count]=value.substring(last).trim();
+		  }
+		  return rv;
+	  }
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java b/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java
new file mode 100644
index 0000000..b2a29e6
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/SubStandardConsole.java
@@ -0,0 +1,63 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+// Substandard, because System.in doesn't do Passwords..
+public class SubStandardConsole implements MyConsole {
+	BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
+	@Override
+	public String readLine(String fmt, Object... args) {
+		String rv;
+		try {
+			System.out.printf(fmt,args);
+			rv = br.readLine();
+			if(args.length==1 && rv.length()==0) {
+				rv = args[0].toString();
+			}
+		} catch (IOException e) {
+			System.err.println("uh oh...");
+			rv = "";
+		}
+		return rv;
+	}
+
+	@Override
+	public char[] readPassword(String fmt, Object... args) {
+		try {
+			System.out.printf(fmt,args);
+			return br.readLine().toCharArray();
+		} catch (IOException e) {
+			System.err.println("uh oh...");
+			return new char[0];
+		}
+	}
+
+	@Override
+	public void printf(String fmt, Object... args) {
+		System.out.printf(fmt, args);
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java b/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
new file mode 100644
index 0000000..3a6b291
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/TheConsole.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+public class TheConsole implements MyConsole {
+	@Override
+	public String readLine(String fmt, Object... args) {
+		String rv = System.console().readLine(fmt, args);
+		if(args.length>0 && args[0]!=null && rv.length()==0) {
+			rv = args[0].toString();
+		}
+		return rv;
+	}
+
+	@Override
+	public char[] readPassword(String fmt, Object... args) {
+		return System.console().readPassword(fmt, args);
+	}
+	
+	public static boolean implemented() {
+		return System.console()!=null;
+	}
+
+	@Override
+	public void printf(String fmt, Object... args) {
+		System.console().printf(fmt, args);
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java b/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
new file mode 100644
index 0000000..5f945f3
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/UserChainManip.java
@@ -0,0 +1,78 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+import org.onap.aaf.cadi.UserChain;
+
+public class UserChainManip {
+	/** 
+	    Build an element in the correct format for UserChain.
+		Format:<APP>:<ID>:<protocol>[:AS][,<APP>:<ID>:<protocol>]*
+		@see UserChain
+	*/ 
+	public static StringBuilder build(StringBuilder sb, String app, String id, UserChain.Protocol proto, boolean as) {
+		boolean mayAs;
+		if(!(mayAs=sb.length()==0)) {
+			sb.append(',');
+		}
+		sb.append(app);
+		sb.append(':');
+		sb.append(id);
+		sb.append(':');
+		sb.append(proto.name());
+		if(as && mayAs) {
+			sb.append(":AS");
+		}
+		return sb;
+	}
+	
+	public static String idToNS(String id) {
+		if(id==null) {
+			return "";
+		} else {
+			StringBuilder sb = new StringBuilder();
+			char c;
+			int end;
+			boolean first = true;
+			for(int idx = end = id.length()-1;idx>=0;--idx) {
+				if((c = id.charAt(idx))=='@' || c=='.')  {
+					if(idx<end) {
+						if(first) {
+							first = false;
+						} else {
+							sb.append('.');
+						}
+						for(int i=idx+1;i<=end;++i) {
+							sb.append(id.charAt(i));
+						}
+					}
+					end=idx-1;
+					if(c=='@') {
+						break;
+					}
+				}
+			}
+			return sb.toString();
+		}
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/util/Vars.java b/core/src/main/java/org/onap/aaf/cadi/util/Vars.java
new file mode 100644
index 0000000..af8cf86
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/util/Vars.java
@@ -0,0 +1,121 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.util;
+
+import java.util.List;
+
+public class Vars {
+	/**
+	 * Simplified Conversion based on typical use of getting AT&T style RESTful Error Messages
+	 * @param text
+	 * @param vars
+	 * @return
+	 */
+	public static String convert(final String text, final List<String> vars) {
+		String[] array = new String[vars.size()];
+		StringBuilder sb = new StringBuilder();
+		convert(sb,text,vars.toArray(array));
+		return sb.toString();
+	}
+	/**
+	 * Convert a format string with "%s" into AT&T RESTful Error %1 %2 (number) format
+	 * If "holder" is passed in, it is built with full Message extracted (typically for Logging)
+	 * @param holder
+	 * @param text
+	 * @param vars
+	 * @return
+	 */
+	public static String convert(final StringBuilder holder, final String text, final String ... vars) {
+		StringBuilder sb = null;
+		int idx,index=0,prev = 0;
+		
+		if(text.contains("%s")) {
+			sb = new StringBuilder();
+		}
+		
+		StringBuilder[] sbs = new StringBuilder[] {sb,holder};
+		boolean replace, clearIndex = false;
+		int c;
+		while((idx=text.indexOf('%',prev))>=0) {
+			replace = false;
+			if(clearIndex) {
+				index=0;
+			}
+			if(sb!=null) {
+				sb.append(text,prev,idx);
+			}
+			if(holder!=null) {
+				holder.append(text,prev,idx);
+			}
+			
+			boolean go = true;
+			while(go) {
+				if(text.length()>++idx) {
+					switch(c=text.charAt(idx)) {
+						case '0': case '1': case '2': case '3': case '4': 
+						case '5': case '6': case '7': case '8': case '9':
+							index *=10;
+							index +=(c-'0');
+							clearIndex=replace=true;
+							continue;
+						case 's':
+							++index;
+							replace = true;
+							continue;
+						default:
+							break;
+					}
+				}
+				prev = idx;
+				go=false;
+				if(replace) {
+					if(sb!=null) {
+						sb.append('%');
+						sb.append(index);
+					}
+					if(index<=vars.length) {
+						if(holder!=null) {
+							holder.append(vars[index-1]);
+						}
+					}
+				} else {
+					for(StringBuilder s : sbs) {
+						if(s!=null) {
+							s.append("%");
+						}
+					}
+				}
+			}
+		}
+		
+		if(sb!=null) {
+			sb.append(text,prev,text.length());
+		}
+		if(holder!=null) {
+			holder.append(text,prev,text.length());
+		}
+
+		return sb==null?text:sb.toString();
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java b/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java
new file mode 100644
index 0000000..e95337f
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/wsse/Action.java
@@ -0,0 +1,37 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse;
+
+/**
+ * Interface to specify an action deep within a parsing tree on a local object
+ * 
+ * We use a Generic so as to be flexible on create what that object actually is.  This is passed in at the
+ * root "parse" call of Match.  Similar to a "Visitor" Pattern, this object is passed upon reaching the right
+ * point in a parse tree.
+ * 
+ *
+ * @param <OUTPUT>
+ */
+interface Action<OUTPUT> {
+	public boolean content(OUTPUT output, String text);
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java b/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java
new file mode 100644
index 0000000..bffe447
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/wsse/Match.java
@@ -0,0 +1,130 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Match Class allows you to build an automatic Tree of StAX (or StAX like) 
+ * Objects for frequent use.
+ * 
+ * OBJECT is a type which you which to do some end Actions on, similar to a Visitor pattern, see Action
+ * 
+ * Note: We have implemented with XReader and XEvent, rather than StAX for performance reasons.
+ * 
+ * @see Action
+ * @see Match
+ * @see XEvent
+ * @see XReader
+ * 
+ *
+ * @param <OUTPUT>
+ */
+//@SuppressWarnings("restriction")
+public class Match<OUTPUT> {
+	private QName qname;
+	private Match<OUTPUT>[] next;
+	private Match<OUTPUT> prev;
+	private Action<OUTPUT> action = null;
+	private boolean stopAfter;
+	private boolean exclusive;
+	
+
+	@SafeVarargs
+	public Match(String ns, String name, Match<OUTPUT> ... next) {
+		this.qname = new QName(ns,name);
+		this.next = next;
+		stopAfter = exclusive = false;
+		for(Match<OUTPUT> m : next) { // add the possible tags to look for
+			if(!m.stopAfter)m.prev = this;
+		}
+	}
+	
+	public Match<OUTPUT> onMatch(OUTPUT output, XReader reader) throws XMLStreamException {
+		while(reader.hasNext()) {
+			XEvent event = reader.nextEvent();
+			switch(event.getEventType()) {
+				case XMLEvent.START_ELEMENT:
+					QName e_qname = event.asStartElement().getName();
+					//System.out.println("Start - " + e_qname);
+					boolean match = false;
+					for(Match<OUTPUT> m : next) {
+						if(e_qname.equals(m.qname)) {
+							match=true;
+							if(m.onMatch(output, reader)==null) {
+								return null; // short circuit Parsing
+							}
+							break;
+						}
+					}
+					if(exclusive && !match) // When Tag MUST be present, i.e. the Root Tag, versus info we're not interested in
+						return null;
+					break;
+				case XMLEvent.CHARACTERS:
+					//System.out.println("Data - " +event.asCharacters().getData());
+					if(action!=null) {
+						if(!action.content(output,event.asCharacters().getData())) {
+							return null;
+						}
+					}
+					break;
+				case XMLEvent.END_ELEMENT:
+					//System.out.println("End - " + event.asEndElement().getName());
+					if(event.asEndElement().getName().equals(qname)) {
+						return prev;
+					}
+					break;
+				case XMLEvent.END_DOCUMENT:
+					return null; // Exit Chain
+			}
+		}
+		return this;
+	}
+
+	/**
+	 * When this Matched Tag has completed, Stop parsing and end
+	 * @return
+	 */
+	public Match<OUTPUT> stopAfter() {
+		stopAfter = true;
+		return this;
+	}
+	
+	/**
+	 * Mark that this Object MUST be matched at this level or stop parsing and end
+	 * 
+	 * @param action
+	 * @return
+	 */
+	public Match<OUTPUT> exclusive() {
+		exclusive = true;
+		return this;
+	}
+
+	public Match<OUTPUT> set(Action<OUTPUT> action) {
+		this.action = action;
+		return this;
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java b/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java
new file mode 100644
index 0000000..760020a
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/wsse/WSSEParser.java
@@ -0,0 +1,86 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.xml.stream.XMLStreamException;
+
+import org.onap.aaf.cadi.BasicCred;
+
+
+/**
+ * WSSE Parser
+ * 
+ * Read the User and Password from WSSE Formatted SOAP Messages 
+ * 
+ * This class uses StAX so that processing is stopped as soon as the Security User/Password are read into BasicCred, or the Header Ends
+ * 
+ * This class is intended to be created once (or very few times) and reused as much as possible.
+ * 
+ * It is as thread safe as StAX parsing is.
+ * 
+ */
+public class WSSEParser {
+	private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
+	private static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+	private Match<BasicCred> parseTree;
+	//private XMLInputFactory inputFactory;
+
+	public WSSEParser() {
+		// soap:Envelope/soap:Header/wsse:Security/wsse:UsernameToken/[wsse:Password&wsse:Username]
+		parseTree = new Match<BasicCred>(SOAP_NS,"root", // need a root level to start from... Doesn't matter what the tag is
+			new Match<BasicCred>(SOAP_NS,"Envelope",
+				new Match<BasicCred>(SOAP_NS,"Header",
+					new Match<BasicCred>(WSSE_NS,"Security",
+						new Match<BasicCred>(WSSE_NS,"UsernameToken",
+							new Match<BasicCred>(WSSE_NS,"Password").set(new Action<BasicCred>() {
+								public boolean content(BasicCred bc,String text) {
+									bc.setCred(text.getBytes());
+									return true;
+								}
+							}),
+							new Match<BasicCred>(WSSE_NS,"Username").set(new Action<BasicCred>() {
+								public boolean content(BasicCred bc,String text) {
+									bc.setUser(text);
+									return true;
+								}
+							})
+						).stopAfter() // if found, end when UsernameToken ends (no further processing needed)
+					)
+				).stopAfter() // Stop Processing when Header Ends
+			).exclusive()// Envelope must match Header, and no other.  FYI, Body comes after Header short circuits (see above), so it's ok
+		).exclusive(); // root must be Envelope
+		//inputFactory = XMLInputFactory.newInstance();
+	}
+	
+	public XMLStreamException parse(BasicCred bc, InputStream is) throws IOException {
+		try {
+			parseTree.onMatch(bc, new XReader(is));
+			return null;
+		} catch (XMLStreamException e) {
+			return e;
+		}
+	}
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java b/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java
new file mode 100644
index 0000000..e5af256
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/wsse/XEvent.java
@@ -0,0 +1,135 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * XEvent
+ * 
+ * This mechanism mimics a minimal portion of StAX "XMLEvent", enough to work with minimal XReader.
+ * 
+ * We implement the same interface, as much as minimally necessary, as XMLEvent for these small usages so as to
+ * be interchangeable in the future, if so desired
+ * 
+ *
+ */
+// @SuppressWarnings("restriction")
+public abstract class XEvent {
+
+	public abstract int getEventType();
+
+	public StartElement asStartElement() {
+		return (StartElement)this;
+	}
+
+	public Characters asCharacters() {
+		return (Characters)this;
+	}
+
+	public EndElement asEndElement() {
+		return (EndElement)this;
+	}
+
+    public static abstract class NamedXEvent extends XEvent {
+    	private QName qname;
+
+    	public NamedXEvent(QName qname) {
+    		this.qname = qname;
+    	}
+    	
+		public QName getName() {
+    		return qname;
+    	}
+    }
+	public static class StartElement extends NamedXEvent {
+
+		public StartElement(String ns, String tag) {
+			super(new QName(ns,tag));
+		}
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.START_ELEMENT;
+		}
+	}
+
+	public static class EndElement extends NamedXEvent {
+		public EndElement(String ns, String tag) {
+			super(new QName(ns,tag));
+		}
+		
+		@Override
+		public int getEventType() {
+			return XMLEvent.END_ELEMENT;
+		}
+	}
+
+	public static class Characters extends XEvent {
+		private String data;
+
+		public Characters(String data) {
+			this.data = data;
+		}
+		@Override
+		public int getEventType() {
+			return XMLEvent.CHARACTERS;
+		}
+
+		public String getData() {
+			return data;
+		}
+	}
+	
+	public static class StartDocument extends XEvent {
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.START_DOCUMENT;
+		}
+		
+	}
+
+	public static class EndDocument extends XEvent {
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.END_DOCUMENT;
+		}
+		
+	}
+	public static class Comment extends XEvent {
+		public final String value;
+		public Comment(String value) {
+			this.value = value;
+		}
+
+		@Override
+		public int getEventType() {
+			return XMLEvent.COMMENT;
+		}
+	
+	}
+
+}
diff --git a/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java b/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
new file mode 100644
index 0000000..8fa8113
--- /dev/null
+++ b/core/src/main/java/org/onap/aaf/cadi/wsse/XReader.java
@@ -0,0 +1,416 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Stack;
+
+import javax.xml.stream.XMLStreamException;
+
+/**
+ * XReader
+ * This class works similarly as StAX, except StAX has more behavior than is needed.  That would be ok, but 
+ * StAX also was Buffering in their code in such as way as to read most if not all the incoming stream into memory,
+ * defeating the purpose of pre-reading only the Header
+ * 
+ * This Reader does no back-tracking, but is able to create events based on syntax and given state only, leaving the
+ * Read-ahead mode of the InputStream up to the other classes.
+ * 
+ * At this time, we only implement the important events, though if this is good enough, it could be expanded, perhaps to 
+ * replace the original XMLReader from StAX.
+ * 
+ *
+ */
+// @SuppressWarnings("restriction")
+public class XReader {
+	private XEvent curr,another;
+	private InputStream is;
+	private ByteArrayOutputStream baos;
+	private int state, count, last;
+	
+	private Stack<Map<String,String>> nsses;
+	
+	public XReader(InputStream is) {
+		this.is = is;
+		curr = another = null;
+		baos = new ByteArrayOutputStream();
+		state = BEGIN_DOC; 
+		count = 0;
+		nsses = new Stack<Map<String,String>>();
+	}
+	
+	public boolean hasNext() throws XMLStreamException {
+		if(curr==null) {
+			curr = parse();
+		}
+		return curr!=null;
+	}
+
+	public XEvent nextEvent() {
+		XEvent xe = curr;
+		curr = null;
+		return xe;
+	}
+
+	// 
+	// State Flags
+	//
+	// Note: The State of parsing XML can be complicated.  There are too many to cleanly keep in "booleans".  Additionally,
+	// there are certain checks that can be better made with Bitwise operations within switches
+	// Keeping track of state this way also helps us to accomplish logic without storing any back characters except one
+	private final static int BEGIN_DOC=  0x000001;
+	private final static int DOC_TYPE=   0x000002;
+	private final static int QUESTION_F= 0x000004;
+	private final static int QUESTION =  0x000008;
+	private final static int START_TAG = 0x000010;
+	private final static int END_TAG = 	 0x000020;
+	private final static int VALUE=		 0x000040;
+	private final static int COMMENT =   0x001000;
+	private final static int COMMENT_E = 0x002000;
+	private final static int COMMENT_D1 =0x010000;
+	private final static int COMMENT_D2 =0x020000;
+	private final static int COMMENT_D3 =0x040000;
+	private final static int COMMENT_D4 =0x080000;
+	// useful combined Comment states
+	private final static int IN_COMMENT=COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2;
+	private final static int COMPLETE_COMMENT = COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3|COMMENT_D4;
+	
+	
+	private XEvent parse() throws XMLStreamException {
+		Map<String,String> nss = nsses.isEmpty()?null:nsses.peek();
+
+		XEvent rv;
+		if((rv=another)!=null) { // "another" is a tag that may have needed to be created, but not 
+								 // immediately returned.  Save for next parse.  If necessary, this could be turned into
+								 // a FIFO storage, but a single reference is enough for now.
+			another = null;      // "rv" is now set for the Event, and will be returned.  Set to Null.
+		} else {
+			boolean go = true;
+			int c=0;
+			
+			try {
+				while(go && (c=is.read())>=0) {
+					++count;
+					switch(c) {
+						case '<': // Tag is opening
+							state|=~BEGIN_DOC; // remove BEGIN_DOC flag, this is possibly an XML Doc
+							XEvent cxe = null;
+							if(baos.size()>0) { // If there are any characters between tags, we send as Character Event
+								String chars = baos.toString().trim();  // Trim out WhiteSpace before and after
+								if(chars.length()>0) { // don't send if Characters were only whitespace
+									cxe = new XEvent.Characters(chars);
+									baos.reset();
+									go = false;
+								}
+							}
+							last = c;  // make sure "last" character is set for use in "ParseTag"
+							Tag t = parseTag(); // call subroutine to process the tag as a unit
+							String ns;
+							switch(t.state&(START_TAG|END_TAG)) {
+								case START_TAG:
+										nss = getNss(nss,t); 			// Only Start Tags might have NS Attributes   
+																		// Get any NameSpace elements from tag.  If there are, nss will become 
+																		// a new Map with all the previous NSs plus the new.  This provides 
+																		// scoping behavior when used with the Stack
+									// drop through on purpose
+								case END_TAG:
+									ns = t.prefix==null?"":nss.get(t.prefix); // Get the namespace from prefix (if exists)
+									break;
+								default:
+									ns = "";
+							}
+							if(ns==null)
+								throw new XMLStreamException("Invalid Namespace Prefix at " + count);
+							go = false;
+							switch(t.state) { // based on 
+							  case DOC_TYPE: 
+								  rv = new XEvent.StartDocument();
+								  break;
+							  case COMMENT:
+								  rv = new XEvent.Comment(t.value);
+								  break;
+							  case START_TAG:
+								  rv = new XEvent.StartElement(ns,t.name);
+								  nsses.push(nss);				// Change potential scope for Namespace
+								  break;
+							  case END_TAG:
+								  rv = new XEvent.EndElement(ns,t.name);
+								  nss = nsses.pop();			// End potential scope for Namespace
+								  break;
+							  case START_TAG|END_TAG:			// This tag is both start/end  aka <myTag/>
+								  rv = new XEvent.StartElement(ns,t.name);
+								  if(last=='/')another = new XEvent.EndElement(ns,t.name);
+							}
+							if(cxe!=null) {     // if there is a Character Event, it actually should go first.  ow.
+								another = rv;   // Make current Event the "another" or next event, and 
+								rv = cxe;		// send Character Event now
+							}
+							break;
+						case ' ':
+						case '\t':
+						case '\n':
+							if((state&BEGIN_DOC)==BEGIN_DOC) { // if Whitespace before doc, just ignore 
+								break;
+							}
+							// fallthrough on purpose
+						default:
+							if((state&BEGIN_DOC)==BEGIN_DOC) { // if there is any data at the start other than XML Tag, it's not XML
+								throw new XMLStreamException("Parse Error: This is not an XML Doc");
+							}
+							baos.write(c); // save off Characters
+					}
+					last = c; // Some processing needs to know what the last character was, aka Escaped characters... ex \"
+				}
+			} catch (IOException e) {
+				throw new XMLStreamException(e); // all errors parsing will be treated as XMLStreamErrors (like StAX)
+			}
+			if(c==-1 && (state&BEGIN_DOC)==BEGIN_DOC) { 			   // Normally, end of stream is ok, however, we need to know if the 
+				throw new XMLStreamException("Premature End of File"); // document isn't an XML document, so we throw exception if it 
+			}														   // hasn't yet been determined to be an XML Doc
+		}
+		return rv;
+	}
+	
+	/**
+	 * parseTag
+	 * 
+	 * Parsing a Tag is somewhat complicated, so it's helpful to separate this process from the 
+	 * higher level Parsing effort
+	 * @return
+	 * @throws IOException
+	 * @throws XMLStreamException
+	 */
+	private Tag parseTag() throws IOException, XMLStreamException {
+		Tag tag = null;
+		boolean go = true;
+		state = 0;
+		int c, quote=0; // If "quote" is 0, then we're not in a quote.  We set ' (in pretag) or " in attribs accordingly to denote quoted
+		String prefix=null,name=null,value=null;
+		baos.reset();
+		
+		while(go && (c=is.read())>=0) {
+			++count;
+			if(quote!=0) { // If we're in a quote, we only end if we hit another quote of the same time, not preceded by \
+				if(c==quote && last!='\\') {
+					quote=0;
+				} else {
+					baos.write(c);
+				}
+			} else if((state&COMMENT)==COMMENT) { // similar to Quote is being in a comment
+				switch(c) {
+					case '-':
+						switch(state) { // XML has a complicated Quote set... <!-- --> ... we keep track if each has been met with flags. 
+							case COMMENT|COMMENT_E:
+								state|=COMMENT_D1;
+								break;
+							case COMMENT|COMMENT_E|COMMENT_D1:
+								state|=COMMENT_D2;
+								baos.reset();				// clear out "!--", it's a Comment
+								break;
+							case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2:
+								state|=COMMENT_D3;
+								baos.write(c);
+								break;
+							case COMMENT|COMMENT_E|COMMENT_D1|COMMENT_D2|COMMENT_D3:
+								state|=COMMENT_D4;
+								baos.write(c);
+								break;
+						}
+						break;
+					case '>': // Tag indicator has been found, do we have all the comment characters in line?
+						if((state&COMPLETE_COMMENT)==COMPLETE_COMMENT) {
+							byte ba[] = baos.toByteArray();
+							tag = new Tag(null,null, new String(ba,0,ba.length-2));
+							baos.reset();
+							go = false;
+							break;
+						}
+						// fall through on purpose
+					default:
+						state&=~(COMMENT_D3|COMMENT_D4);
+						if((state&IN_COMMENT)!=IN_COMMENT) state&=~IN_COMMENT; // false alarm, it's not actually a comment
+						baos.write(c);
+				}
+			} else { // Normal Tag Processing loop
+				switch(c) {
+					case '?': 
+						switch(state & (QUESTION_F|QUESTION)) {  // Validate the state of Doc tag... <?xml ... ?>
+							case QUESTION_F:
+								state |= DOC_TYPE;
+								state &= ~QUESTION_F;
+								break;
+							case 0:
+								state |=QUESTION_F;
+								break;
+							default:
+								throw new IOException("Bad character [?] at " + count);
+						}
+						break;
+					case '!':
+						if(last=='<') { 
+							state|=COMMENT|COMMENT_E; // likely a comment, continue processing in Comment Loop
+						}
+						baos.write(c);
+						break;
+					case '/':
+						state|=(last=='<'?END_TAG:(END_TAG|START_TAG));  // end tag indicator </xxx>, ,or both <xxx/>
+						break;
+					case ':':
+						prefix=baos.toString(); // prefix indicator
+						baos.reset();
+						break;
+					case '=':					// used in Attributes
+						name=baos.toString();
+						baos.reset();
+						state|=VALUE;
+						break;
+					case '>': // end the tag, which causes end of this subprocess as well as formulation of the found data
+						go = false;
+						// passthrough on purpose
+					case ' ':
+					case '\t':
+					case '\n': // white space indicates change in internal tag state, ex between name and between attributes
+						if((state&VALUE)==VALUE) {
+							value = baos.toString();	// we're in VALUE state, add characters to Value
+						} else if(name==null) {
+							name = baos.toString();		// we're in Name state (default) add characters to Name
+						}
+						baos.reset();					// we've assigned chars, reset buffer
+						if(name!=null) {				// Name is not null, there's a tag in the offing here...
+							Tag t = new Tag(prefix,name,value);
+							if(tag==null) {				// Set as the tag to return, if not exists
+								tag = t;
+							} else {					// if we already have a Tag, then we'll treat this one as an attribute
+								tag.add(t);
+							}
+						}
+						prefix=name=value=null;			// reset these values in case we loop for attributes.
+						break;
+					case '\'':							// is the character one of two kinds of quote?
+					case '"':
+						if(last!='\\') {
+							quote=c;
+							break;
+						}
+						// Fallthrough ok
+					default:
+						baos.write(c);					// write any unprocessed bytes into buffer
+						
+				}
+			}
+			last = c;
+		}
+		int type = state&(DOC_TYPE|COMMENT|END_TAG|START_TAG); // get just the Tag states and turn into Type for Tag
+		if(type==0) {
+			type=START_TAG;
+		}
+		tag.state|=type;	// add the appropriate Tag States
+		return tag;
+	}
+
+	/**
+	 * getNSS
+	 * 
+	 * If the tag contains some Namespace attributes, create a new nss from the passed in one, copy all into it, then add
+	 * This provides Scoping behavior
+	 * 
+	 * if Nss is null in the first place, create an new nss, so we don't have to deal with null Maps.
+	 * 
+	 * @param nss
+	 * @param t
+	 * @return
+	 */
+	private Map<String, String> getNss(Map<String, String> nss, Tag t) {
+		Map<String,String> newnss = null;
+		if(t.attribs!=null) {
+			for(Tag tag : t.attribs) {
+				if("xmlns".equals(tag.prefix)) {
+					if(newnss==null) {
+						newnss = new HashMap<String,String>();
+						if(nss!=null)newnss.putAll(nss);
+					}
+					newnss.put(tag.name, tag.value);
+				}
+			}
+		}
+		return newnss==null?(nss==null?new HashMap<String,String>():nss):newnss;
+	}
+
+	/**
+	 * The result of the parseTag method
+	 * 
+	 * Data is split up into prefix, name and value portions. "Tags" with Values that are inside a Tag are known in XLM
+	 * as Attributes.  
+	 * 
+	 *
+	 */
+	public class Tag {
+		public int state;
+		public String prefix,name,value;
+		public List<Tag> attribs;
+
+		public Tag(String prefix, String name, String value) {
+			this.prefix = prefix;
+			this.name = name;
+			this.value = value;
+			attribs = null;  
+		}
+
+		/**
+		 * add an attribute
+		 * Not all tags need attributes... lazy instantiate to save time and memory
+		 * @param tag
+		 */
+		public void add(Tag attrib) {
+			if(attribs == null) {
+				attribs = new ArrayList<Tag>();
+			}
+			attribs.add(attrib);
+		}
+		
+		public String toString() {
+			StringBuffer sb = new StringBuffer();
+			if(prefix!=null) {
+				sb.append(prefix);
+				sb.append(':');
+			}
+			sb.append(name==null?"!!ERROR!!":name);
+
+			char quote = ((state&DOC_TYPE)==DOC_TYPE)?'\'':'"';
+			if(value!=null) {
+				sb.append('=');
+				sb.append(quote);
+				sb.append(value);
+				sb.append(quote);
+			}
+			return sb.toString();
+		}
+	}
+
+}
diff --git a/core/src/test/java/com/att/cadi/JU_AES.java b/core/src/test/java/com/att/cadi/JU_AES.java
deleted file mode 100644
index fb2482a..0000000
--- a/core/src/test/java/com/att/cadi/JU_AES.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-
-import javax.crypto.CipherInputStream;
-import javax.crypto.CipherOutputStream;
-
-import org.junit.Test;
-
-import junit.framework.Assert;
-
-public class JU_AES {
-
-	@Test
-	public void test() throws Exception {
-		AES aes = new AES();
-		String orig = "I'm a password, really";
-		byte[] passin = orig.getBytes();
-		byte[] encrypted = aes.encrypt(passin);
-		byte[] b64enc = Symm.base64.encode(encrypted);
-		System.out.println(new String(b64enc));
-		
-		encrypted = Symm.base64.decode(b64enc);
-		passin = aes.decrypt(encrypted);
-		Assert.assertEquals(orig, new String(passin));
-	}
-
-	@Test
-	public void testInputStream() throws Exception {
-		AES aes = new AES();
-		String orig = "I'm a password, really";
-		ByteArrayInputStream bais = new ByteArrayInputStream(orig.getBytes());
-		CipherInputStream cis = aes.inputStream(bais, true);
-		ByteArrayOutputStream baos = new ByteArrayOutputStream();
-		Symm.base64.encode(cis, baos);
-		cis.close();
-
-		byte[] b64encrypted;
-		System.out.println(new String(b64encrypted=baos.toByteArray()));
-		
-		
-		baos.reset();
-		CipherOutputStream cos = aes.outputStream(baos, false);
-		Symm.base64.decode(new ByteArrayInputStream(b64encrypted),cos);
-		cos.close();
-		Assert.assertEquals(orig, new String(baos.toByteArray()));
-	}
-
-	@Test
-	public void testObtain() throws Exception {
-		byte[] keygen = Symm.baseCrypt().keygen();
-		
-		Symm symm = Symm.obtain(new ByteArrayInputStream(keygen));
-		
-		String orig ="Another Password, please";
-		String encrypted = symm.enpass(orig);
-		System.out.println(encrypted);
-		String decrypted = symm.depass(encrypted);
-		System.out.println(decrypted);
-		Assert.assertEquals(orig, decrypted);
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java b/core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java
deleted file mode 100644
index f11c74d..0000000
--- a/core/src/test/java/com/att/cadi/lur/test/JU_LocalLur.java
+++ /dev/null
@@ -1,101 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur.test;
-
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.junit.Test;
-
-import com.att.cadi.CredVal.Type;
-import com.att.cadi.Lur;
-import com.att.cadi.Permission;
-import com.att.cadi.PropAccess;
-import com.att.cadi.Symm;
-import com.att.cadi.config.UsersDump;
-import com.att.cadi.lur.LocalLur;
-import com.att.cadi.lur.LocalPermission;
-
-public class JU_LocalLur {
-
-	@Test
-	public void test() throws IOException {
-		Symm symmetric = Symm.baseCrypt().obtain();
-		LocalLur up;
-		ByteArrayOutputStream baos = new ByteArrayOutputStream();
-		baos.write(Symm.ENC.getBytes());
-		symmetric.enpass("<pass>", baos);
-		PropAccess ta = new PropAccess();
-		Lur ml = up = new LocalLur(ta,"myname:groupA,groupB","admin:myname,yourname;suser:hisname,hername,m1234%"+baos.toString());
-		
-		Permission admin = new LocalPermission("admin");
-		Permission suser = new LocalPermission("suser");
-		
-		// Check User fish
-		assertTrue(ml.fish(new JUPrincipal("myname"),admin));
-		assertTrue(ml.fish(new JUPrincipal("hisname"),admin));
-		assertFalse(ml.fish(new JUPrincipal("noname"),admin));
-		assertTrue(ml.fish(new JUPrincipal("itsname"),suser));
-		assertTrue(ml.fish(new JUPrincipal("hername"),suser));
-		assertFalse(ml.fish(new JUPrincipal("myname"),suser));
-		
-		
-		// Check validate password
-		assertTrue(up.validate("m1234",Type.PASSWORD, "<pass>".getBytes()));
-		assertFalse(up.validate("m1234",Type.PASSWORD, "badPass".getBytes()));
-		
-		// Check fishAll
-		Set<String> set = new TreeSet<String>();
-		List<Permission> perms = new ArrayList<Permission>();
-		ml.fishAll(new JUPrincipal("myname"), perms);
-		for(Permission p : perms) {
-			set.add(p.getKey());
-		}
-		assertEquals("[admin, groupA, groupB]",set.toString());
-		UsersDump.write(System.out, up);
-		System.out.flush();
-		
-	}
-	
-	// Simplistic Principal for testing purposes
-	private static class JUPrincipal implements Principal {
-		private String name;
-		public JUPrincipal(String name) {
-			this.name = name;
-		}
-//		@Override
-		public String getName() {
-			return name;
-		}
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/lur/test/TestAccess.java b/core/src/test/java/com/att/cadi/lur/test/TestAccess.java
deleted file mode 100644
index 81d5092..0000000
--- a/core/src/test/java/com/att/cadi/lur/test/TestAccess.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.lur.test;
-
-import java.io.IOException;
-import java.io.InputStream;
-
-import com.att.cadi.Access;
-import com.att.cadi.Symm;
-
-public class TestAccess implements Access {
-	private Symm symm;
-
-	public TestAccess() {
-		symm = Symm.obtain(this);
-	}
-	
-	public TestAccess(Symm symmetric) {
-		symm = symmetric;
-	}
-
-	public void log(Level level, Object... elements) {
-		boolean first = true;
-		for(int i=0;i<elements.length;++i) {
-			if(first)first = false;
-			else System.out.print(' ');
-			System.out.print(elements[i].toString());
-		}
-		System.out.println();
-	}
-
-	public void log(Exception e, Object... elements) {
-		e.printStackTrace();
-		log(Level.ERROR,elements);
-	}
-
-	public void setLogLevel(Level level) {
-		
-	}
-
-	public ClassLoader classLoader() {
-		return ClassLoader.getSystemClassLoader();
-	}
-
-	public String getProperty(String string, String def) {
-		String rv = System.getProperty(string);
-		return rv==null?def:rv;
-	}
-
-	public void load(InputStream is) throws IOException {
-		
-	}
-
-	public String decrypt(String encrypted, boolean anytext) throws IOException {
-		return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC)))
-			? symm.depass(encrypted)
-			: encrypted;
-	}
-
-	@Override
-	public boolean willLog(Level level) {
-		return true;
-	}
-
-	@Override
-	public void printf(Level level, String fmt, Object[] elements) {
-		// TODO Auto-generated method stub
-		
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Base64.java b/core/src/test/java/com/att/cadi/test/JU_Base64.java
deleted file mode 100644
index 1a82298..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_Base64.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotSame;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.SecureRandom;
-import org.junit.Test;
-
-import com.att.cadi.Symm;
-import com.att.cadi.config.Config;
-
-
-public class JU_Base64 {
-	private static final String encoding = "Man is distinguished, not only by his reason, but by this singular " +
-			"passion from other animals, which is a lust of the mind, that by a " + 
-			"perseverance of delight in the continued and indefatigable generation of " + 
-			"knowledge, exceeds the short vehemence of any carnal pleasure.";
-		 
-	private static final String expected = 
-			"TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz\n" + 
-			"IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg\n" + 
-			"dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu\n" +
-			"dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo\n" +
-			"ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=";
-
-
-	@Test
-	public void test() throws Exception {
-		// Test with different Padding
-		encode("leas",    "bGVhcw==");
-		encode("leasu",   "bGVhc3U=");
-		encode("leasur",  "bGVhc3Vy");
-		encode("leasure", "bGVhc3VyZQ==");
-		encode("leasure.","bGVhc3VyZS4=");
-
-		// Test with line ends
-		encode(encoding, expected);
-		
-		int ITER = 2000;
-		System.out.println("Priming by Encoding Base64 " + ITER + " times");
-		long start = System.nanoTime();
-		for(int i=0;i<ITER;++i) {
-			Symm.base64.encode(encoding);
-		}
-		Float ms = (System.nanoTime()-start)/1000000F;
-		System.out.println("Total: " + ms + "ms");
-		System.out.println("Avg:   " + ms/ITER + "ms");
-		
-		System.out.println("Priming by Decoding Base64 " + ITER + " times");
-		start = System.nanoTime();
-		for(int i=0;i<ITER;++i) {
-			Symm.base64.decode(expected);
-		}
-		ms = (System.nanoTime()-start)/1000000F;
-		System.out.println("Total: " + ms + "ms");
-		System.out.println("Avg:   " + ms/ITER + "ms");
-
-		
-		ITER=30000;
-		System.out.println("Encoding Base64 " + ITER + " times");
-		start = System.nanoTime();
-		for(int i=0;i<ITER;++i) {
-			Symm.base64.encode(encoding);
-		}
-		ms = (System.nanoTime()-start)/1000000F;
-		System.out.println("Total: " + ms + "ms");
-		System.out.println("Avg:   " + ms/ITER + "ms");
-		
-		System.out.println("Decoding Base64 " + ITER + " times");
-		start = System.nanoTime();
-		for(int i=0;i<ITER;++i) {
-			Symm.base64.decode(expected);
-		}
-		ms = (System.nanoTime()-start)/1000000F;
-		System.out.println("Total: " + ms + "ms");
-		System.out.println("Avg:   " + ms/ITER + "ms");
-	}
-	
-	@Test
-	public void symmetric() throws IOException {
-		System.out.println("Validating Generated Key mechanisms works");
-		String symmetric = new String(Symm.base64.keygen());
-		System.out.println(symmetric);
-		Symm bsym = Symm.obtain(symmetric);
-		String result = bsym.encode(encoding);
-		System.out.println("\nResult:");
-		System.out.println(result);
-		assertEquals(encoding, bsym.decode(result));
-		
-		int ITER = 20000;
-		System.out.println("Generating keys " + ITER + " times");
-		long start = System.nanoTime();
-		for(int i=0;i<ITER;++i) {
-			Symm.base64.keygen();
-		}
-		Float ms = (System.nanoTime()-start)/1000000F;
-		System.out.println("Total: " + ms + "ms");
-		System.out.println("Avg:   " + ms/ITER + "ms");
-
-		char[] manipulate = symmetric.toCharArray();
-		int spot = new SecureRandom().nextInt(manipulate.length);
-		manipulate[spot]|=0xFF;
-		String newsymmetric = new String(manipulate);
-		assertNotSame(newsymmetric, symmetric);
-		try {
-			bsym = Symm.obtain(newsymmetric);
-			result = bsym.decode(result);
-			assertEquals(encoding, result);
-		} catch (IOException e) {
-			// this is what we want to see if key wrong
-			System.out.println(e.getMessage() + " (as expected)");
-		}
-	}
-
-	private void encode(String toEncode, String expected) throws IOException {
-		System.out.println("-------------------------------------------------");
-		System.out.println(toEncode);
-		System.out.println();
-		System.out.println(expected);
-		System.out.println();
-		String result = Symm.base64.encode(toEncode);
-		System.out.println(result);
-		assertEquals(expected,result);
-		
-		ByteArrayOutputStream baos = new ByteArrayOutputStream();
-		Symm.base64.decode(new ByteArrayInputStream(result.getBytes()), baos);
-		result = baos.toString(Config.UTF_8);
-		System.out.println(result);
-		assertEquals(toEncode,result);
-		
-	}
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java b/core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java
deleted file mode 100644
index 5f299bb..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_BufferedServletInputStream.java
+++ /dev/null
@@ -1,191 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import static junit.framework.Assert.assertEquals;
-
-import java.io.ByteArrayInputStream;
-import java.io.FileInputStream;
-import java.io.IOException;
-
-import org.junit.Test;
-
-import com.att.cadi.BufferedServletInputStream;
-
-public class JU_BufferedServletInputStream {
-
-	@Test
-	public void testByteRead() throws Exception {
-		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
-		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
-			try {
-			bsis.mark(0);
-			int c;
-			byte aa[] = new byte[260];
-			for(int i=0;i<aa.length;++i) {
-				c = bsis.read();
-				if(c>=0) {
-					aa[i]=(byte)c;
-				}
-			}
-			System.out.println(new String(aa));
-			
-			bsis.reset();
-
-			byte bb[] = new byte[400];
-			for(int i=0;i<bb.length;++i) {
-				c = bsis.read();
-				if(c>=0) {
-					bb[i]=(byte)c;
-				}
-			}
-			System.out.println(new String(bb));
-
-		} finally {
-			bsis.close();
-			fis.close();
-		}
-	}
-	
-	@Test
-	public void testByteArray() throws Exception {
-		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
-		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
-		try {
-			bsis.mark(0);
-			byte aa[] = new byte[260];
-			bsis.read(aa);
-			System.out.println(new String(aa));
-			
-			bsis.reset();
-
-			byte bb[] = new byte[400];
-			bsis.read(bb);
-			System.out.println(new String(bb));
-
-		} finally {
-			bsis.close();
-			fis.close();
-		}
-	}
-
-	@Test
-	public void testDoubleRead() throws Exception {
-		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
-		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
-		try {
-			bsis.mark(0);
-			byte aa[] = new byte[260];
-			bsis.read(aa);
-			System.out.println(new String(aa));
-			
-			bsis.reset();
-
-			byte bb[] = new byte[400];
-			bsis.read(bb);
-			System.out.println(new String(bb));
-
-		} finally {
-			bsis.close();
-			fis.close();
-		}
-	}
-
-	@Test
-	public void testByteArray2() throws Exception {
-		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
-		try {
-			BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
-			byte[] content = null;
-			byte aa[] = new byte[500];
-			for(int i=0;i<2000;++i) {
-				bsis.mark(0);
-				bsis.read(aa,0,260);
-				if(i==0)System.out.println(new String(aa));
-				
-				bsis.reset();
-	
-				bsis.read(aa,0,aa.length);
-				if(i==0) {
-					System.out.println(new String(aa));
-					content = aa;
-					aa = new byte[400];
-				}
-				bsis = new BufferedServletInputStream(new ByteArrayInputStream(content));
-				
-			}
-			
-			System.out.println(new String(aa));
-
-		} finally {
-			fis.close();
-		}
-	}
-
-	// "Bug" 4/22/2013 
-	// Some XML code expects Buffered InputStream can never return 0...  This isn't actually true, but we'll accommodate as far
-	// as we can. 
-	// Here, we make sure we set and read the Buffered data, making sure the buffer is empty on the last test...
-	@Test
-	public void issue04_22_2013() throws IOException {
-		String testString = "We want to read in and get out with a Buffered Stream seamlessly.";
-		ByteArrayInputStream bais = new ByteArrayInputStream(testString.getBytes());
-		BufferedServletInputStream bsis = new BufferedServletInputStream(bais);
-			try {
-			bsis.mark(0);
-			byte aa[] = new byte[testString.length()];  // 65 count... important for our test (divisible by 5);
-
-			int read;
-			for(int i=0;i<aa.length;i+=5) {
-				read = bsis.read(aa, i, 5);
-				assertEquals(5,read);
-			}
-			System.out.println(new String(aa));
-			
-			bsis.reset();
-
-			byte bb[] = new byte[aa.length];
-			read = 0;
-			for(int i=0;read>=0;i+=read) {
-				read = bsis.read(bb,i,5);
-				switch(i) {
-					case 65:
-						assertEquals(read,-1);
-						break;
-					default:
-						assertEquals(read,5);
-				}
-			}
-			System.out.println(new String(bb));
-			assertEquals(testString,new String(aa));
-			assertEquals(testString,new String(bb));
-
-		} finally {
-			bsis.close();
-			bais.close();
-		}
-		
-	}
-	
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Capacitor.java b/core/src/test/java/com/att/cadi/test/JU_Capacitor.java
deleted file mode 100644
index 5584911..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_Capacitor.java
+++ /dev/null
@@ -1,144 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import static junit.framework.Assert.assertEquals;
-
-import org.junit.Test;
-
-import com.att.cadi.Capacitor;
-
-public class JU_Capacitor {
-	@Test
-	public void testA() {
-		Capacitor cap = new Capacitor();
-		
-		for(int iter=0;iter<200;++iter) {
-			for(int i=0;i<20;++i) {
-				cap.put((byte)('a'+i));
-			}
-			cap.setForRead();
-			byte[] array = new byte[20];
-			for(int i=0;i<20;++i) {
-				array[i]=(byte)cap.read();
-			}
-			assertEquals("abcdefghijklmnopqrst",new String(array));
-			assertEquals(-1,cap.read());
-			cap.done();
-		}
-	}
-
-	public final static String TEST_DATA = 
-			"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
-			"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" +
-			"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc" +
-			"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd" +
-			"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" +
-			"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";
-	@Test
-	public void testB() {
-		Capacitor cap = new Capacitor();
-		byte[] arrayA = TEST_DATA.getBytes();
-		System.out.println(arrayA.length);
-		for(int iter=0;iter<200;++iter) {
-			for(int i=0;i<arrayA.length;++i) {
-				cap.put(arrayA[i]);
-			}
-			cap.setForRead();
-			assertEquals(TEST_DATA.length(),cap.available());
-			byte[] arrayB = new byte[arrayA.length];
-			for(int i=0;i<arrayB.length;++i) {
-				arrayB[i]=(byte)cap.read();
-			}
-			assertEquals(TEST_DATA,new String(arrayB));
-			assertEquals(-1,cap.read());
-			cap.done();
-		}
-	}
-
-	@Test
-	public void testC() {
-		Capacitor cap = new Capacitor();
-		byte[] arrayA = TEST_DATA.getBytes();
-		System.out.println(arrayA.length);
-		for(int iter=0;iter<200;++iter) {
-			cap.put(arrayA,0,arrayA.length);
-			cap.setForRead();
-			assertEquals(TEST_DATA.length(),cap.available());
-			byte[] arrayB = new byte[arrayA.length];
-			assertEquals(arrayA.length,cap.read(arrayB,0,arrayB.length));
-			assertEquals(TEST_DATA,new String(arrayB));
-			assertEquals(-1,cap.read());
-			cap.done();
-		}
-	}
-
-	
-	@Test
-	public void testD() {
-		StringBuffer sb = new StringBuffer();
-		for(int i=0;i<300;++i) {
-			sb.append(TEST_DATA);
-			sb.append("###FILLER##");
-		}
-		String td = sb.toString();
-		Capacitor cap = new Capacitor();
-		byte[] arrayA = td.getBytes();
-		System.out.println(arrayA.length);
-		for(int iter=0;iter<200;++iter) {
-			cap.put(arrayA,0,arrayA.length);
-			cap.setForRead();
-			assertEquals(td.length(),cap.available());
-			byte[] arrayB = new byte[arrayA.length];
-			assertEquals(arrayA.length,cap.read(arrayB,0,arrayB.length));
-			assertEquals(td,new String(arrayB));
-			assertEquals(-1,cap.read());
-			cap.done();
-		}
-	}
-
-	@Test
-	public void testE() {
-		Capacitor cap = new Capacitor();
-		
-		String b = "This is some content that we want to read";
-		byte[] a = b.getBytes();
-		byte[] c = new byte[b.length()]; // we want to use this to test reading offsets, etc
-
-		for(int i=0;i<a.length;i+=11) {
-			cap.put(a, i, Math.min(11,a.length-i));
-		}
-		cap.reset();
-		int read;
-		for(int i=0;i<c.length;i+=read) {
-			read = cap.read(c, i, Math.min(3,c.length-i));
-			if(read<0) break;
-		}
-		
-		assertEquals(b, new String(c));
-		
-		
-	}
-	
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Hash.java b/core/src/test/java/com/att/cadi/test/JU_Hash.java
deleted file mode 100644
index e5d2d6b..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_Hash.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import org.junit.Test;
-
-import com.att.cadi.CadiException;
-import com.att.cadi.Hash;
-
-import junit.framework.Assert;
-
-public class JU_Hash {
-
-	@Test
-	public void test() throws CadiException {
-		String init = "m82347@csp.att.com:kumquat8rie@#Tomatos3";
-		String hashed = Hash.toHex(init.getBytes());
-		System.out.println(hashed);
-		byte[] ba = Hash.fromHex(hashed);
-		String recon = new String(ba);
-		System.out.println(recon);
-		Assert.assertEquals(init, recon);
-		
-		init =hashed.substring(1);
-		try {
-			hashed = Hash.fromHex(init).toString();
-			Assert.fail("Should have thrown Exception");
-		} catch (CadiException e) {
-			
-		}
-		
-		init = hashed.replace('1', '~');
-		try {
-			hashed = Hash.fromHex(init).toString();
-			Assert.fail("Should have thrown Exception");
-		} catch (CadiException e) {
-			
-		}
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Passcode.java b/core/src/test/java/com/att/cadi/test/JU_Passcode.java
deleted file mode 100644
index 122ecf7..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_Passcode.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-
-import org.junit.Test;
-
-import com.att.cadi.CmdLine;
-import com.att.cadi.Symm;
-
-import junit.framework.Assert;
-
-public class JU_Passcode {
-	@Test
-	public void test() throws Exception {
-		int iterations = 0;
-		long start = System.nanoTime();
-		int gens= 800, en_de=2000;
-		for(int j=0;j<gens;++j) {
-			CmdLine.main(new String[] {"keygen","tempkey"});
-			
-			Symm symm;
-			File fi = new File("tempkey");
-			Assert.assertEquals(2074, fi.length());
-			FileInputStream fis = new FileInputStream(fi);
-			
-			try {
-				symm = Symm.obtain(fis);
-			} finally {
-				fis.close();
-			}
-			String samples[] = {"activevos","ThisIsATestPassword","I have spaces","I have 's, /s and &s and _s"};
-			ByteArrayOutputStream baos;
-			for(int i=0;i<en_de;++i) {
-				String password = samples[i%samples.length];
-				baos = new ByteArrayOutputStream();
-				symm.enpass(password, baos);
-				String pass = baos.toString();
-				byte[] array = baos.toByteArray();
-				for(int k=0;k<array.length;++k) {
-					byte ch = array[k];
-//				for(int k=0;k<pass.length();++k) {
-//					char ch = pass.charAt(k);
-					if(!(Character.isLetter(ch) || Character.isDigit(ch) || ch=='-' || ch=='_' || ch=='=')) {
-						throw new Exception("Yikes, have a bad character..." + ch + '(' + (int)ch + ')');
-					}
-				}
-				baos = new ByteArrayOutputStream();
-				symm.depass(pass, baos);
-				Assert.assertEquals(password,baos.toString());
-				Assert.assertEquals(password,symm.depass(pass));
-				++iterations;
-			}
-			symm.enpass("activevos", System.out);
-			System.out.println();
-		}
-		float ms = (System.nanoTime()-start)/1000000F;
-		System.out.println("Ran " + iterations + " Encrypt/Decrypt cycles + " + gens + " keygens");
-
-		System.out.println("Total: " + ms + "ms");
-		System.out.println("Avg:   " + ms/iterations + "ms");
-		System.out.println("Avg Gen + " + en_de + " Encrypt/Decrypt cycles:  " + ms/gens + "ms");
-
-
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_UserChainManip.java b/core/src/test/java/com/att/cadi/test/JU_UserChainManip.java
deleted file mode 100644
index 65f5ebd..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_UserChainManip.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import static org.junit.Assert.*;
-
-import org.junit.Test;
-
-import com.att.cadi.util.UserChainManip;
-
-public class JU_UserChainManip {
-
-	@Test
-	public void test() {
-		assertEquals("",UserChainManip.idToNS(null));
-		assertEquals("",UserChainManip.idToNS(""));
-		assertEquals("",UserChainManip.idToNS("something"));
-		assertEquals("",UserChainManip.idToNS("something@@"));
-		assertEquals("",UserChainManip.idToNS("something@@."));
-		assertEquals("com",UserChainManip.idToNS("something@com"));
-		assertEquals("com.random",UserChainManip.idToNS("something@random.com"));
-		assertEquals("com.random",UserChainManip.idToNS("@random.com"));
-		assertEquals("com.random",UserChainManip.idToNS("something@random.com."));
-		assertEquals("com.random",UserChainManip.idToNS("something@..random...com..."));
-		assertEquals("com.random.this",UserChainManip.idToNS("something@this.random.com"));
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/JU_Vars.java b/core/src/test/java/com/att/cadi/test/JU_Vars.java
deleted file mode 100644
index e681622..0000000
--- a/core/src/test/java/com/att/cadi/test/JU_Vars.java
+++ /dev/null
@@ -1,126 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-
-import static org.junit.Assert.assertEquals;
-
-import org.junit.AfterClass;
-import org.junit.Test;
-
-import com.att.cadi.util.Vars;
-
-public class JU_Vars {
-
-	@AfterClass
-	public static void tearDownAfterClass() throws Exception {
-	}
-
-	@Test
-	public void test() {
-		StringBuilder holder = new StringBuilder();
-		String str,bstr;
-		assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "a","b"));
-		assertEquals("set a to b",holder.toString());
-		assertEquals(str,Vars.convert(null,str, "a","b"));
-		holder.setLength(0);
-		assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "a","b"));
-		assertEquals("set a to b",holder.toString());
-		assertEquals(str,Vars.convert(null,bstr, "a","b"));
-		
-		holder.setLength(0);
-		assertEquals(str = "%1=%2",Vars.convert(holder,str, "a","b"));
-		assertEquals("a=b",holder.toString());
-		assertEquals(str,Vars.convert(null,str, "a","b"));
-		holder.setLength(0);
-		assertEquals(str,Vars.convert(holder,bstr="%s=%s", "a","b"));
-		assertEquals("a=b",holder.toString());
-		assertEquals(str,Vars.convert(null,bstr, "a","b"));
-		
-		holder.setLength(0);
-		assertEquals(str = "%1%2",Vars.convert(holder,str, "a","b"));
-		assertEquals("ab",holder.toString());
-		assertEquals(str ,Vars.convert(null,str, "a","b"));
-		holder.setLength(0);
-		assertEquals(str,Vars.convert(holder,bstr="%s%s", "a","b"));
-		assertEquals("ab",holder.toString());
-		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
-
-
-		holder.setLength(0);
-		assertEquals(str = " %1=%2 ",Vars.convert(holder,str, "a","b"));
-		assertEquals(" a=b ",holder.toString());
-		assertEquals(str ,Vars.convert(null,str, "a","b"));
-		holder.setLength(0);
-		assertEquals(str,Vars.convert(holder,bstr = " %s=%s ", "a","b"));
-		assertEquals(" a=b ",holder.toString());
-		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
-
-		holder.setLength(0);
-		assertEquals(str = " %1%2%10 ",Vars.convert(holder,str, "a","b","c","d","e","f","g","h","i","j"));
-		assertEquals(" abj ",holder.toString());
-		assertEquals(str,Vars.convert(null,str, "a","b","c","d","e","f","g","h","i","j"));
-		holder.setLength(0);
-		assertEquals(str=" %1%2%3 ",Vars.convert(holder,bstr = " %s%s%s ", "a","b","c","d","e","f","g","h","i","j"));
-		assertEquals(" abc ",holder.toString());
-		assertEquals(str,Vars.convert(null,bstr, "a","b","c","d","e","f","g","h","i","j"));
-		
-
-		holder.setLength(0);
-		assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "Something much","larger"));
-		assertEquals("set Something much to larger",holder.toString());
-		assertEquals(str,Vars.convert(null,str,"Something much","larger"));
-		holder.setLength(0);
-		assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "Something much","larger"));
-		assertEquals("set Something much to larger",holder.toString());
-		assertEquals(str,Vars.convert(null,bstr, "Something much","larger"));
-
-		holder.setLength(0);
-		assertEquals(str = "Text without Vars",Vars.convert(holder,str));
-		assertEquals(str,holder.toString());
-		assertEquals(str = "Text without Vars",Vars.convert(null,str));
-	
-		
-		holder.setLength(0);
-		assertEquals(str = "Not %1 Enough %2 Vars %3",Vars.convert(holder,str, "a","b"));
-		assertEquals("Not a Enough b Vars ",holder.toString());
-		assertEquals(str ,Vars.convert(null,str, "a","b"));
-		holder.setLength(0);
-		assertEquals(str,Vars.convert(holder,bstr="Not %s Enough %s Vars %s", "a","b"));
-		assertEquals("Not a Enough b Vars ",holder.toString());
-		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
-
-		holder.setLength(0);
-		assertEquals(str = "!@#$%^*()-+?/,:;.",Vars.convert(holder,str, "a","b"));
-		assertEquals(str,holder.toString());
-		assertEquals(str ,Vars.convert(null,str, "a","b"));
-
-		holder.setLength(0);
-		bstr = "%s !@#$%^*()-+?/,:;.";
-		str = "%1 !@#$%^*()-+?/,:;.";
-		assertEquals(str,Vars.convert(holder,bstr, "Not Acceptable"));
-		assertEquals("Not Acceptable !@#$%^*()-+?/,:;.",holder.toString());
-		assertEquals(str ,Vars.convert(null,bstr, "Not Acceptable"));
-
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/test/Test.java b/core/src/test/java/com/att/cadi/test/Test.java
deleted file mode 100644
index 4fe9111..0000000
--- a/core/src/test/java/com/att/cadi/test/Test.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.test;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-
-/**
- * A Class to run on command line to determine suitability of environment for certain TAFs.
- * 
- * For instance, CSP supports services only in certain domains, and while dynamic host
- * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and
- * invalid) for CSP because of multiple NetworkInterfaces, etc
- * 
- *
- */
-public class Test {
-
-	/**
-	 * @param args
-	 */
-	public static void main(String[] args) {
-		try {
-			System.out.println("CADI/TAF test");
-			
-			String hostName = InetAddress.getLocalHost().getCanonicalHostName();
-			
-			System.out.println("  Your automatic hostname is reported as \"" + hostName + "\"\n");
-			String[] two;
-
-			for(String str : args) {
-				two = str.split("=");
-				if(two.length==2) {
-					if("hostname".equals(two[0])) {
-						hostName = two[1];
-						System.out.println("  You have overlaid the automatic hostname with \"" + hostName + "\"\n");
-					}
-				}
-			}
-			if(hostName.endsWith("vpn.cingular.net"))
-				System.out.println("  This service appears to be an AT&T VPN address. These VPNs are typically\n" +
-						"    (and appropriately) firewalled against incoming traffic, and likely cannot be accessed.\n" +
-						"    For best results, choose a machine that is not firewalled on the ports you choose.\n");
-			
-		} catch (UnknownHostException e) {
-			e.printStackTrace();
-		}
-
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java b/core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java
deleted file mode 100644
index 65338ae..0000000
--- a/core/src/test/java/com/att/cadi/wsse/test/JU_WSSE_Read.java
+++ /dev/null
@@ -1,191 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse.test;
-
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNotNull;
-import static junit.framework.Assert.assertNull;
-
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.FileInputStream;
-
-import javax.xml.stream.XMLStreamException;
-
-import org.junit.Test;
-
-import com.att.cadi.BasicCred;
-import com.att.cadi.BufferedServletInputStream;
-import com.att.cadi.wsse.WSSEParser;
-
-public class JU_WSSE_Read {
-
-	@Test
-	public void test() {
-		try {
-			final BasicCred bc = new BasicCred() {
-
-				private String user;
-				private byte[] password;
-
-				public void setUser(String user) {
-					this.user = user;
-				}
-
-				public void setCred(byte[] passwd) {
-					this.password = passwd;
-				}
-
-				public String getUser() {
-					return user;
-				}
-
-				public byte[] getCred() {
-					return password;
-				}
-			};
-
-			WSSEParser wp = new WSSEParser();
-
-			FileInputStream fis;
-			fis = new FileInputStream("test/example.xml");
-			BufferedServletInputStream is = new BufferedServletInputStream(fis);
-			try {
-				is.mark(1536);
-				try {
-					assertNull(wp.parse(bc, is));
-				} finally {
-					is.reset();
-					assertEquals(814,is.buffered());
-				}
-				String password = new String(bc.getCred());
-				System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password);
-				assertEquals("some_user", bc.getUser());
-				assertEquals("some_password", password);
-				
-			} finally {
-				fis.close();
-			}
-
-			// CBUS (larger)
-			fis = new FileInputStream("test/CBUSevent.xml");
-			is = new BufferedServletInputStream(fis);
-			try {
-				is.mark(1536);
-				try {
-					assertNull(wp.parse(bc, is));
-				} finally {
-					is.reset();
-					assertEquals(667,is.buffered());
-				}
-				String password = new String(bc.getCred());
-				System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password);
-				assertEquals("none", bc.getUser());
-				assertEquals("none", password);
-				
-			} finally {
-				fis.close();
-			}
-
-			// Closed Stream
-			fis = new FileInputStream("test/example.xml");
-			fis.close();
-			bc.setCred(null);
-			bc.setUser(null);
-			XMLStreamException ex = wp.parse(bc, fis);
-			assertNotNull(ex);
-			assertNull(bc.getUser());
-			assertNull(bc.getCred());
-
-
-			fis = new FileInputStream("test/exampleNoSecurity.xml");
-			try {
-				bc.setCred(null);
-				bc.setUser(null);
-				assertNull(wp.parse(bc, fis));
-				assertNull(bc.getUser());
-				assertNull(bc.getCred());
-			} finally {
-				fis.close();
-			}
-
-			fis = new FileInputStream("test/exampleBad1.xml");
-			try {
-				bc.setCred(null);
-				bc.setUser(null);
-				assertNull(wp.parse(bc, fis));
-				assertNull(bc.getUser());
-				assertNull(bc.getCred());
-			} finally {
-				fis.close();
-			}
-
-			XMLStreamException e = wp.parse(bc, new ByteArrayInputStream("Not XML".getBytes())); // empty
-			assertNotNull(e);
-
-			e = wp.parse(bc, new ByteArrayInputStream("".getBytes())); // empty
-			assertNotNull(e);
-			
-			
-			long start, count = 0L;
-			int iter = 30000;
-			File f = new File("test/CBUSevent.xml");
-			fis = new FileInputStream(f);
-			is = new BufferedServletInputStream(fis);
-			is.mark(0);
-			try {
-				while(is.read()>=0);
-			} finally {
-				fis.close();
-			}
-
-			for(int i=0;i<iter;++i) {
-				start = System.nanoTime();
-				is.reset();
-				try {
-					assertNull(wp.parse(bc, is));
-				} finally {
-					count += System.nanoTime()-start;
-				}
-			}
-			float ms = count/1000000f;
-			System.out.println("Executed " + iter + " WSSE reads from Memory Stream in " + ms + "ms.  " + ms/iter + "ms per trans");
-			
-			// SPECIFIC ISSUES
-			
-			fis = new FileInputStream("test/error2013_04_23.xml");
-			try {
-				bc.setCred(null);
-				bc.setUser(null);
-				assertNull(wp.parse(bc, fis));
-				assertNull(bc.getUser());
-				assertNull(bc.getCred());
-			} finally {
-				fis.close();
-			}
-		} catch(Exception e) {
-			e.printStackTrace(System.err);
-		}
-	}
-
-}
diff --git a/core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java b/core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java
deleted file mode 100644
index ee69561..0000000
--- a/core/src/test/java/com/att/cadi/wsse/test/JU_XReader.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * * 
- *  *      http://www.apache.org/licenses/LICENSE-2.0
- * * 
- *  * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package com.att.cadi.wsse.test;
-
-import java.io.FileInputStream;
-
-import javax.xml.stream.events.XMLEvent;
-
-import org.junit.Test;
-
-import com.att.cadi.wsse.XEvent;
-import com.att.cadi.wsse.XReader;
-
-public class JU_XReader {
-	@Test
-	public void test() throws Exception {
-		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
-		try {
-			XReader xr = new XReader(fis);
-			while(xr.hasNext()) {
-				XEvent xe = xr.nextEvent();
-				switch(xe.getEventType()) {
-					case XMLEvent.START_DOCUMENT:
-						System.out.println("Start Document");
-						break;
-					case XMLEvent.START_ELEMENT:
-						System.out.println("Start Event: " + xe.asStartElement().getName());
-						break;
-					case XMLEvent.END_ELEMENT:
-						System.out.println("End Event: " + xe.asEndElement().getName());
-						break;
-					case XMLEvent.CHARACTERS:
-						System.out.println("Characters: " + xe.asCharacters().getData());
-						break;
-					case XMLEvent.COMMENT:
-						System.out.println("Comment: " + ((XEvent.Comment)xe).value);
-						break;
-				}
-			}
-		} finally {
-			fis.close();
-		}
-		
-	}
-
-}
diff --git a/core/src/test/java/org/onap/aaf/cadi/JU_AES.java b/core/src/test/java/org/onap/aaf/cadi/JU_AES.java
new file mode 100644
index 0000000..11e40a6
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/JU_AES.java
@@ -0,0 +1,88 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.AES;
+import org.onap.aaf.cadi.Symm;
+
+import junit.framework.Assert;
+
+public class JU_AES {
+
+	@Test
+	public void test() throws Exception {
+		AES aes = new AES();
+		String orig = "I'm a password, really";
+		byte[] passin = orig.getBytes();
+		byte[] encrypted = aes.encrypt(passin);
+		byte[] b64enc = Symm.base64.encode(encrypted);
+		System.out.println(new String(b64enc));
+		
+		encrypted = Symm.base64.decode(b64enc);
+		passin = aes.decrypt(encrypted);
+		Assert.assertEquals(orig, new String(passin));
+	}
+
+	@Test
+	public void testInputStream() throws Exception {
+		AES aes = new AES();
+		String orig = "I'm a password, really";
+		ByteArrayInputStream bais = new ByteArrayInputStream(orig.getBytes());
+		CipherInputStream cis = aes.inputStream(bais, true);
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		Symm.base64.encode(cis, baos);
+		cis.close();
+
+		byte[] b64encrypted;
+		System.out.println(new String(b64encrypted=baos.toByteArray()));
+		
+		
+		baos.reset();
+		CipherOutputStream cos = aes.outputStream(baos, false);
+		Symm.base64.decode(new ByteArrayInputStream(b64encrypted),cos);
+		cos.close();
+		Assert.assertEquals(orig, new String(baos.toByteArray()));
+	}
+
+	@Test
+	public void testObtain() throws Exception {
+		byte[] keygen = Symm.baseCrypt().keygen();
+		
+		Symm symm = Symm.obtain(new ByteArrayInputStream(keygen));
+		
+		String orig ="Another Password, please";
+		String encrypted = symm.enpass(orig);
+		System.out.println(encrypted);
+		String decrypted = symm.depass(encrypted);
+		System.out.println(decrypted);
+		Assert.assertEquals(orig, decrypted);
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java b/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
new file mode 100644
index 0000000..f050a6b
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/lur/test/JU_LocalLur.java
@@ -0,0 +1,100 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.Lur;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.CredVal.Type;
+import org.onap.aaf.cadi.config.UsersDump;
+import org.onap.aaf.cadi.lur.LocalLur;
+import org.onap.aaf.cadi.lur.LocalPermission;
+
+public class JU_LocalLur {
+
+	@Test
+	public void test() throws IOException {
+		Symm symmetric = Symm.baseCrypt().obtain();
+		LocalLur up;
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		baos.write(Symm.ENC.getBytes());
+		symmetric.enpass("<pass>", baos);
+		PropAccess ta = new PropAccess();
+		Lur ml = up = new LocalLur(ta,"myname:groupA,groupB","admin:myname,yourname;suser:hisname,hername,m1234%"+baos.toString());
+		
+		Permission admin = new LocalPermission("admin");
+		Permission suser = new LocalPermission("suser");
+		
+		// Check User fish
+		assertTrue(ml.fish(new JUPrincipal("myname"),admin));
+		assertTrue(ml.fish(new JUPrincipal("hisname"),admin));
+		assertFalse(ml.fish(new JUPrincipal("noname"),admin));
+		assertTrue(ml.fish(new JUPrincipal("itsname"),suser));
+		assertTrue(ml.fish(new JUPrincipal("hername"),suser));
+		assertFalse(ml.fish(new JUPrincipal("myname"),suser));
+		
+		
+		// Check validate password
+		assertTrue(up.validate("m1234",Type.PASSWORD, "<pass>".getBytes()));
+		assertFalse(up.validate("m1234",Type.PASSWORD, "badPass".getBytes()));
+		
+		// Check fishAll
+		Set<String> set = new TreeSet<String>();
+		List<Permission> perms = new ArrayList<Permission>();
+		ml.fishAll(new JUPrincipal("myname"), perms);
+		for(Permission p : perms) {
+			set.add(p.getKey());
+		}
+		assertEquals("[admin, groupA, groupB]",set.toString());
+		UsersDump.write(System.out, up);
+		System.out.flush();
+		
+	}
+	
+	// Simplistic Principal for testing purposes
+	private static class JUPrincipal implements Principal {
+		private String name;
+		public JUPrincipal(String name) {
+			this.name = name;
+		}
+//		@Override
+		public String getName() {
+			return name;
+		}
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/lur/test/TestAccess.java b/core/src/test/java/org/onap/aaf/cadi/lur/test/TestAccess.java
new file mode 100644
index 0000000..8b1bab6
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/lur/test/TestAccess.java
@@ -0,0 +1,91 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.lur.test;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Symm;
+
+public class TestAccess implements Access {
+	private Symm symm;
+
+	public TestAccess() {
+		symm = Symm.obtain(this);
+	}
+	
+	public TestAccess(Symm symmetric) {
+		symm = symmetric;
+	}
+
+	public void log(Level level, Object... elements) {
+		boolean first = true;
+		for(int i=0;i<elements.length;++i) {
+			if(first)first = false;
+			else System.out.print(' ');
+			System.out.print(elements[i].toString());
+		}
+		System.out.println();
+	}
+
+	public void log(Exception e, Object... elements) {
+		e.printStackTrace();
+		log(Level.ERROR,elements);
+	}
+
+	public void setLogLevel(Level level) {
+		
+	}
+
+	public ClassLoader classLoader() {
+		return ClassLoader.getSystemClassLoader();
+	}
+
+	public String getProperty(String string, String def) {
+		String rv = System.getProperty(string);
+		return rv==null?def:rv;
+	}
+
+	public void load(InputStream is) throws IOException {
+		
+	}
+
+	public String decrypt(String encrypted, boolean anytext) throws IOException {
+		return (encrypted!=null && (anytext==true || encrypted.startsWith(Symm.ENC)))
+			? symm.depass(encrypted)
+			: encrypted;
+	}
+
+	@Override
+	public boolean willLog(Level level) {
+		return true;
+	}
+
+	@Override
+	public void printf(Level level, String fmt, Object[] elements) {
+		// TODO Auto-generated method stub
+		
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java
new file mode 100644
index 0000000..4d49c92
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_Base64.java
@@ -0,0 +1,156 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotSame;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.SecureRandom;
+import org.junit.Test;
+import org.onap.aaf.cadi.Symm;
+import org.onap.aaf.cadi.config.Config;
+
+
+public class JU_Base64 {
+	private static final String encoding = "Man is distinguished, not only by his reason, but by this singular " +
+			"passion from other animals, which is a lust of the mind, that by a " + 
+			"perseverance of delight in the continued and indefatigable generation of " + 
+			"knowledge, exceeds the short vehemence of any carnal pleasure.";
+		 
+	private static final String expected = 
+			"TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz\n" + 
+			"IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg\n" + 
+			"dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu\n" +
+			"dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo\n" +
+			"ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=";
+
+
+	@Test
+	public void test() throws Exception {
+		// Test with different Padding
+		encode("leas",    "bGVhcw==");
+		encode("leasu",   "bGVhc3U=");
+		encode("leasur",  "bGVhc3Vy");
+		encode("leasure", "bGVhc3VyZQ==");
+		encode("leasure.","bGVhc3VyZS4=");
+
+		// Test with line ends
+		encode(encoding, expected);
+		
+		int ITER = 2000;
+		System.out.println("Priming by Encoding Base64 " + ITER + " times");
+		long start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.encode(encoding);
+		}
+		Float ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+		
+		System.out.println("Priming by Decoding Base64 " + ITER + " times");
+		start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.decode(expected);
+		}
+		ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+
+		
+		ITER=30000;
+		System.out.println("Encoding Base64 " + ITER + " times");
+		start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.encode(encoding);
+		}
+		ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+		
+		System.out.println("Decoding Base64 " + ITER + " times");
+		start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.decode(expected);
+		}
+		ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+	}
+	
+	@Test
+	public void symmetric() throws IOException {
+		System.out.println("Validating Generated Key mechanisms works");
+		String symmetric = new String(Symm.base64.keygen());
+		System.out.println(symmetric);
+		Symm bsym = Symm.obtain(symmetric);
+		String result = bsym.encode(encoding);
+		System.out.println("\nResult:");
+		System.out.println(result);
+		assertEquals(encoding, bsym.decode(result));
+		
+		int ITER = 20000;
+		System.out.println("Generating keys " + ITER + " times");
+		long start = System.nanoTime();
+		for(int i=0;i<ITER;++i) {
+			Symm.base64.keygen();
+		}
+		Float ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/ITER + "ms");
+
+		char[] manipulate = symmetric.toCharArray();
+		int spot = new SecureRandom().nextInt(manipulate.length);
+		manipulate[spot]|=0xFF;
+		String newsymmetric = new String(manipulate);
+		assertNotSame(newsymmetric, symmetric);
+		try {
+			bsym = Symm.obtain(newsymmetric);
+			result = bsym.decode(result);
+			assertEquals(encoding, result);
+		} catch (IOException e) {
+			// this is what we want to see if key wrong
+			System.out.println(e.getMessage() + " (as expected)");
+		}
+	}
+
+	private void encode(String toEncode, String expected) throws IOException {
+		System.out.println("-------------------------------------------------");
+		System.out.println(toEncode);
+		System.out.println();
+		System.out.println(expected);
+		System.out.println();
+		String result = Symm.base64.encode(toEncode);
+		System.out.println(result);
+		assertEquals(expected,result);
+		
+		ByteArrayOutputStream baos = new ByteArrayOutputStream();
+		Symm.base64.decode(new ByteArrayInputStream(result.getBytes()), baos);
+		result = baos.toString(Config.UTF_8);
+		System.out.println(result);
+		assertEquals(toEncode,result);
+		
+	}
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java
new file mode 100644
index 0000000..e496076
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_BufferedServletInputStream.java
@@ -0,0 +1,190 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.io.ByteArrayInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.BufferedServletInputStream;
+
+public class JU_BufferedServletInputStream {
+
+	@Test
+	public void testByteRead() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+			try {
+			bsis.mark(0);
+			int c;
+			byte aa[] = new byte[260];
+			for(int i=0;i<aa.length;++i) {
+				c = bsis.read();
+				if(c>=0) {
+					aa[i]=(byte)c;
+				}
+			}
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[400];
+			for(int i=0;i<bb.length;++i) {
+				c = bsis.read();
+				if(c>=0) {
+					bb[i]=(byte)c;
+				}
+			}
+			System.out.println(new String(bb));
+
+		} finally {
+			bsis.close();
+			fis.close();
+		}
+	}
+	
+	@Test
+	public void testByteArray() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+		try {
+			bsis.mark(0);
+			byte aa[] = new byte[260];
+			bsis.read(aa);
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[400];
+			bsis.read(bb);
+			System.out.println(new String(bb));
+
+		} finally {
+			bsis.close();
+			fis.close();
+		}
+	}
+
+	@Test
+	public void testDoubleRead() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+		try {
+			bsis.mark(0);
+			byte aa[] = new byte[260];
+			bsis.read(aa);
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[400];
+			bsis.read(bb);
+			System.out.println(new String(bb));
+
+		} finally {
+			bsis.close();
+			fis.close();
+		}
+	}
+
+	@Test
+	public void testByteArray2() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		try {
+			BufferedServletInputStream bsis = new BufferedServletInputStream(fis);
+			byte[] content = null;
+			byte aa[] = new byte[500];
+			for(int i=0;i<2000;++i) {
+				bsis.mark(0);
+				bsis.read(aa,0,260);
+				if(i==0)System.out.println(new String(aa));
+				
+				bsis.reset();
+	
+				bsis.read(aa,0,aa.length);
+				if(i==0) {
+					System.out.println(new String(aa));
+					content = aa;
+					aa = new byte[400];
+				}
+				bsis = new BufferedServletInputStream(new ByteArrayInputStream(content));
+				
+			}
+			
+			System.out.println(new String(aa));
+
+		} finally {
+			fis.close();
+		}
+	}
+
+	// "Bug" 4/22/2013 
+	// Some XML code expects Buffered InputStream can never return 0...  This isn't actually true, but we'll accommodate as far
+	// as we can. 
+	// Here, we make sure we set and read the Buffered data, making sure the buffer is empty on the last test...
+	@Test
+	public void issue04_22_2013() throws IOException {
+		String testString = "We want to read in and get out with a Buffered Stream seamlessly.";
+		ByteArrayInputStream bais = new ByteArrayInputStream(testString.getBytes());
+		BufferedServletInputStream bsis = new BufferedServletInputStream(bais);
+			try {
+			bsis.mark(0);
+			byte aa[] = new byte[testString.length()];  // 65 count... important for our test (divisible by 5);
+
+			int read;
+			for(int i=0;i<aa.length;i+=5) {
+				read = bsis.read(aa, i, 5);
+				assertEquals(5,read);
+			}
+			System.out.println(new String(aa));
+			
+			bsis.reset();
+
+			byte bb[] = new byte[aa.length];
+			read = 0;
+			for(int i=0;read>=0;i+=read) {
+				read = bsis.read(bb,i,5);
+				switch(i) {
+					case 65:
+						assertEquals(read,-1);
+						break;
+					default:
+						assertEquals(read,5);
+				}
+			}
+			System.out.println(new String(bb));
+			assertEquals(testString,new String(aa));
+			assertEquals(testString,new String(bb));
+
+		} finally {
+			bsis.close();
+			bais.close();
+		}
+		
+	}
+	
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java
new file mode 100644
index 0000000..9d11fe4
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_Capacitor.java
@@ -0,0 +1,143 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import static junit.framework.Assert.assertEquals;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.Capacitor;
+
+public class JU_Capacitor {
+	@Test
+	public void testA() {
+		Capacitor cap = new Capacitor();
+		
+		for(int iter=0;iter<200;++iter) {
+			for(int i=0;i<20;++i) {
+				cap.put((byte)('a'+i));
+			}
+			cap.setForRead();
+			byte[] array = new byte[20];
+			for(int i=0;i<20;++i) {
+				array[i]=(byte)cap.read();
+			}
+			assertEquals("abcdefghijklmnopqrst",new String(array));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	public final static String TEST_DATA = 
+			"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
+			"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" +
+			"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc" +
+			"dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd" +
+			"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" +
+			"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";
+	@Test
+	public void testB() {
+		Capacitor cap = new Capacitor();
+		byte[] arrayA = TEST_DATA.getBytes();
+		System.out.println(arrayA.length);
+		for(int iter=0;iter<200;++iter) {
+			for(int i=0;i<arrayA.length;++i) {
+				cap.put(arrayA[i]);
+			}
+			cap.setForRead();
+			assertEquals(TEST_DATA.length(),cap.available());
+			byte[] arrayB = new byte[arrayA.length];
+			for(int i=0;i<arrayB.length;++i) {
+				arrayB[i]=(byte)cap.read();
+			}
+			assertEquals(TEST_DATA,new String(arrayB));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	@Test
+	public void testC() {
+		Capacitor cap = new Capacitor();
+		byte[] arrayA = TEST_DATA.getBytes();
+		System.out.println(arrayA.length);
+		for(int iter=0;iter<200;++iter) {
+			cap.put(arrayA,0,arrayA.length);
+			cap.setForRead();
+			assertEquals(TEST_DATA.length(),cap.available());
+			byte[] arrayB = new byte[arrayA.length];
+			assertEquals(arrayA.length,cap.read(arrayB,0,arrayB.length));
+			assertEquals(TEST_DATA,new String(arrayB));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	
+	@Test
+	public void testD() {
+		StringBuffer sb = new StringBuffer();
+		for(int i=0;i<300;++i) {
+			sb.append(TEST_DATA);
+			sb.append("###FILLER##");
+		}
+		String td = sb.toString();
+		Capacitor cap = new Capacitor();
+		byte[] arrayA = td.getBytes();
+		System.out.println(arrayA.length);
+		for(int iter=0;iter<200;++iter) {
+			cap.put(arrayA,0,arrayA.length);
+			cap.setForRead();
+			assertEquals(td.length(),cap.available());
+			byte[] arrayB = new byte[arrayA.length];
+			assertEquals(arrayA.length,cap.read(arrayB,0,arrayB.length));
+			assertEquals(td,new String(arrayB));
+			assertEquals(-1,cap.read());
+			cap.done();
+		}
+	}
+
+	@Test
+	public void testE() {
+		Capacitor cap = new Capacitor();
+		
+		String b = "This is some content that we want to read";
+		byte[] a = b.getBytes();
+		byte[] c = new byte[b.length()]; // we want to use this to test reading offsets, etc
+
+		for(int i=0;i<a.length;i+=11) {
+			cap.put(a, i, Math.min(11,a.length-i));
+		}
+		cap.reset();
+		int read;
+		for(int i=0;i<c.length;i+=read) {
+			read = cap.read(c, i, Math.min(3,c.length-i));
+			if(read<0) break;
+		}
+		
+		assertEquals(b, new String(c));
+		
+		
+	}
+	
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java
new file mode 100644
index 0000000..92dd297
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_Hash.java
@@ -0,0 +1,60 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.Hash;
+
+import junit.framework.Assert;
+
+public class JU_Hash {
+
+	@Test
+	public void test() throws CadiException {
+		String init = "m82347@csp.att.com:kumquat8rie@#Tomatos3";
+		String hashed = Hash.toHex(init.getBytes());
+		System.out.println(hashed);
+		byte[] ba = Hash.fromHex(hashed);
+		String recon = new String(ba);
+		System.out.println(recon);
+		Assert.assertEquals(init, recon);
+		
+		init =hashed.substring(1);
+		try {
+			hashed = Hash.fromHex(init).toString();
+			Assert.fail("Should have thrown Exception");
+		} catch (CadiException e) {
+			
+		}
+		
+		init = hashed.replace('1', '~');
+		try {
+			hashed = Hash.fromHex(init).toString();
+			Assert.fail("Should have thrown Exception");
+		} catch (CadiException e) {
+			
+		}
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_Passcode.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_Passcode.java
new file mode 100644
index 0000000..40ceaa1
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_Passcode.java
@@ -0,0 +1,89 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.CmdLine;
+import org.onap.aaf.cadi.Symm;
+
+import junit.framework.Assert;
+
+public class JU_Passcode {
+	@Test
+	public void test() throws Exception {
+		int iterations = 0;
+		long start = System.nanoTime();
+		int gens= 800, en_de=2000;
+		for(int j=0;j<gens;++j) {
+			CmdLine.main(new String[] {"keygen","tempkey"});
+			
+			Symm symm;
+			File fi = new File("tempkey");
+			Assert.assertEquals(2074, fi.length());
+			FileInputStream fis = new FileInputStream(fi);
+			
+			try {
+				symm = Symm.obtain(fis);
+			} finally {
+				fis.close();
+			}
+			String samples[] = {"activevos","ThisIsATestPassword","I have spaces","I have 's, /s and &s and _s"};
+			ByteArrayOutputStream baos;
+			for(int i=0;i<en_de;++i) {
+				String password = samples[i%samples.length];
+				baos = new ByteArrayOutputStream();
+				symm.enpass(password, baos);
+				String pass = baos.toString();
+				byte[] array = baos.toByteArray();
+				for(int k=0;k<array.length;++k) {
+					byte ch = array[k];
+//				for(int k=0;k<pass.length();++k) {
+//					char ch = pass.charAt(k);
+					if(!(Character.isLetter(ch) || Character.isDigit(ch) || ch=='-' || ch=='_' || ch=='=')) {
+						throw new Exception("Yikes, have a bad character..." + ch + '(' + (int)ch + ')');
+					}
+				}
+				baos = new ByteArrayOutputStream();
+				symm.depass(pass, baos);
+				Assert.assertEquals(password,baos.toString());
+				Assert.assertEquals(password,symm.depass(pass));
+				++iterations;
+			}
+			symm.enpass("activevos", System.out);
+			System.out.println();
+		}
+		float ms = (System.nanoTime()-start)/1000000F;
+		System.out.println("Ran " + iterations + " Encrypt/Decrypt cycles + " + gens + " keygens");
+
+		System.out.println("Total: " + ms + "ms");
+		System.out.println("Avg:   " + ms/iterations + "ms");
+		System.out.println("Avg Gen + " + en_de + " Encrypt/Decrypt cycles:  " + ms/gens + "ms");
+
+
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_UserChainManip.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_UserChainManip.java
new file mode 100644
index 0000000..397b4b1
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_UserChainManip.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import static org.junit.Assert.*;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.util.UserChainManip;
+
+public class JU_UserChainManip {
+
+	@Test
+	public void test() {
+		assertEquals("",UserChainManip.idToNS(null));
+		assertEquals("",UserChainManip.idToNS(""));
+		assertEquals("",UserChainManip.idToNS("something"));
+		assertEquals("",UserChainManip.idToNS("something@@"));
+		assertEquals("",UserChainManip.idToNS("something@@."));
+		assertEquals("com",UserChainManip.idToNS("something@com"));
+		assertEquals("com.random",UserChainManip.idToNS("something@random.com"));
+		assertEquals("com.random",UserChainManip.idToNS("@random.com"));
+		assertEquals("com.random",UserChainManip.idToNS("something@random.com."));
+		assertEquals("com.random",UserChainManip.idToNS("something@..random...com..."));
+		assertEquals("com.random.this",UserChainManip.idToNS("something@this.random.com"));
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/JU_Vars.java b/core/src/test/java/org/onap/aaf/cadi/test/JU_Vars.java
new file mode 100644
index 0000000..47209cd
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/JU_Vars.java
@@ -0,0 +1,125 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+
+import static org.junit.Assert.assertEquals;
+
+import org.junit.AfterClass;
+import org.junit.Test;
+import org.onap.aaf.cadi.util.Vars;
+
+public class JU_Vars {
+
+	@AfterClass
+	public static void tearDownAfterClass() throws Exception {
+	}
+
+	@Test
+	public void test() {
+		StringBuilder holder = new StringBuilder();
+		String str,bstr;
+		assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "a","b"));
+		assertEquals("set a to b",holder.toString());
+		assertEquals(str,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "a","b"));
+		assertEquals("set a to b",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "a","b"));
+		
+		holder.setLength(0);
+		assertEquals(str = "%1=%2",Vars.convert(holder,str, "a","b"));
+		assertEquals("a=b",holder.toString());
+		assertEquals(str,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="%s=%s", "a","b"));
+		assertEquals("a=b",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "a","b"));
+		
+		holder.setLength(0);
+		assertEquals(str = "%1%2",Vars.convert(holder,str, "a","b"));
+		assertEquals("ab",holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="%s%s", "a","b"));
+		assertEquals("ab",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
+
+
+		holder.setLength(0);
+		assertEquals(str = " %1=%2 ",Vars.convert(holder,str, "a","b"));
+		assertEquals(" a=b ",holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr = " %s=%s ", "a","b"));
+		assertEquals(" a=b ",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
+
+		holder.setLength(0);
+		assertEquals(str = " %1%2%10 ",Vars.convert(holder,str, "a","b","c","d","e","f","g","h","i","j"));
+		assertEquals(" abj ",holder.toString());
+		assertEquals(str,Vars.convert(null,str, "a","b","c","d","e","f","g","h","i","j"));
+		holder.setLength(0);
+		assertEquals(str=" %1%2%3 ",Vars.convert(holder,bstr = " %s%s%s ", "a","b","c","d","e","f","g","h","i","j"));
+		assertEquals(" abc ",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "a","b","c","d","e","f","g","h","i","j"));
+		
+
+		holder.setLength(0);
+		assertEquals(str = "set %1 to %2",Vars.convert(holder,str, "Something much","larger"));
+		assertEquals("set Something much to larger",holder.toString());
+		assertEquals(str,Vars.convert(null,str,"Something much","larger"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="set %s to %s", "Something much","larger"));
+		assertEquals("set Something much to larger",holder.toString());
+		assertEquals(str,Vars.convert(null,bstr, "Something much","larger"));
+
+		holder.setLength(0);
+		assertEquals(str = "Text without Vars",Vars.convert(holder,str));
+		assertEquals(str,holder.toString());
+		assertEquals(str = "Text without Vars",Vars.convert(null,str));
+	
+		
+		holder.setLength(0);
+		assertEquals(str = "Not %1 Enough %2 Vars %3",Vars.convert(holder,str, "a","b"));
+		assertEquals("Not a Enough b Vars ",holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+		holder.setLength(0);
+		assertEquals(str,Vars.convert(holder,bstr="Not %s Enough %s Vars %s", "a","b"));
+		assertEquals("Not a Enough b Vars ",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "a","b"));
+
+		holder.setLength(0);
+		assertEquals(str = "!@#$%^*()-+?/,:;.",Vars.convert(holder,str, "a","b"));
+		assertEquals(str,holder.toString());
+		assertEquals(str ,Vars.convert(null,str, "a","b"));
+
+		holder.setLength(0);
+		bstr = "%s !@#$%^*()-+?/,:;.";
+		str = "%1 !@#$%^*()-+?/,:;.";
+		assertEquals(str,Vars.convert(holder,bstr, "Not Acceptable"));
+		assertEquals("Not Acceptable !@#$%^*()-+?/,:;.",holder.toString());
+		assertEquals(str ,Vars.convert(null,bstr, "Not Acceptable"));
+
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/test/Test.java b/core/src/test/java/org/onap/aaf/cadi/test/Test.java
new file mode 100644
index 0000000..ad0c517
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/test/Test.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.test;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+/**
+ * A Class to run on command line to determine suitability of environment for certain TAFs.
+ * 
+ * For instance, CSP supports services only in certain domains, and while dynamic host
+ * lookups on the machine work in most cases, sometimes, names and IPs are unexpected (and
+ * invalid) for CSP because of multiple NetworkInterfaces, etc
+ * 
+ *
+ */
+public class Test {
+
+	/**
+	 * @param args
+	 */
+	public static void main(String[] args) {
+		try {
+			System.out.println("CADI/TAF test");
+			
+			String hostName = InetAddress.getLocalHost().getCanonicalHostName();
+			
+			System.out.println("  Your automatic hostname is reported as \"" + hostName + "\"\n");
+			String[] two;
+
+			for(String str : args) {
+				two = str.split("=");
+				if(two.length==2) {
+					if("hostname".equals(two[0])) {
+						hostName = two[1];
+						System.out.println("  You have overlaid the automatic hostname with \"" + hostName + "\"\n");
+					}
+				}
+			}
+			if(hostName.endsWith("vpn.cingular.net"))
+				System.out.println("  This service appears to be an AT&T VPN address. These VPNs are typically\n" +
+						"    (and appropriately) firewalled against incoming traffic, and likely cannot be accessed.\n" +
+						"    For best results, choose a machine that is not firewalled on the ports you choose.\n");
+			
+		} catch (UnknownHostException e) {
+			e.printStackTrace();
+		}
+
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_WSSE_Read.java b/core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_WSSE_Read.java
new file mode 100644
index 0000000..af45f55
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_WSSE_Read.java
@@ -0,0 +1,190 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse.test;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNotNull;
+import static junit.framework.Assert.assertNull;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+
+import javax.xml.stream.XMLStreamException;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.BasicCred;
+import org.onap.aaf.cadi.BufferedServletInputStream;
+import org.onap.aaf.cadi.wsse.WSSEParser;
+
+public class JU_WSSE_Read {
+
+	@Test
+	public void test() {
+		try {
+			final BasicCred bc = new BasicCred() {
+
+				private String user;
+				private byte[] password;
+
+				public void setUser(String user) {
+					this.user = user;
+				}
+
+				public void setCred(byte[] passwd) {
+					this.password = passwd;
+				}
+
+				public String getUser() {
+					return user;
+				}
+
+				public byte[] getCred() {
+					return password;
+				}
+			};
+
+			WSSEParser wp = new WSSEParser();
+
+			FileInputStream fis;
+			fis = new FileInputStream("test/example.xml");
+			BufferedServletInputStream is = new BufferedServletInputStream(fis);
+			try {
+				is.mark(1536);
+				try {
+					assertNull(wp.parse(bc, is));
+				} finally {
+					is.reset();
+					assertEquals(814,is.buffered());
+				}
+				String password = new String(bc.getCred());
+				System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password);
+				assertEquals("some_user", bc.getUser());
+				assertEquals("some_password", password);
+				
+			} finally {
+				fis.close();
+			}
+
+			// CBUS (larger)
+			fis = new FileInputStream("test/CBUSevent.xml");
+			is = new BufferedServletInputStream(fis);
+			try {
+				is.mark(1536);
+				try {
+					assertNull(wp.parse(bc, is));
+				} finally {
+					is.reset();
+					assertEquals(667,is.buffered());
+				}
+				String password = new String(bc.getCred());
+				System.out.println("CadiWrap credentials are: " + bc.getUser() + ", " + password);
+				assertEquals("none", bc.getUser());
+				assertEquals("none", password);
+				
+			} finally {
+				fis.close();
+			}
+
+			// Closed Stream
+			fis = new FileInputStream("test/example.xml");
+			fis.close();
+			bc.setCred(null);
+			bc.setUser(null);
+			XMLStreamException ex = wp.parse(bc, fis);
+			assertNotNull(ex);
+			assertNull(bc.getUser());
+			assertNull(bc.getCred());
+
+
+			fis = new FileInputStream("test/exampleNoSecurity.xml");
+			try {
+				bc.setCred(null);
+				bc.setUser(null);
+				assertNull(wp.parse(bc, fis));
+				assertNull(bc.getUser());
+				assertNull(bc.getCred());
+			} finally {
+				fis.close();
+			}
+
+			fis = new FileInputStream("test/exampleBad1.xml");
+			try {
+				bc.setCred(null);
+				bc.setUser(null);
+				assertNull(wp.parse(bc, fis));
+				assertNull(bc.getUser());
+				assertNull(bc.getCred());
+			} finally {
+				fis.close();
+			}
+
+			XMLStreamException e = wp.parse(bc, new ByteArrayInputStream("Not XML".getBytes())); // empty
+			assertNotNull(e);
+
+			e = wp.parse(bc, new ByteArrayInputStream("".getBytes())); // empty
+			assertNotNull(e);
+			
+			
+			long start, count = 0L;
+			int iter = 30000;
+			File f = new File("test/CBUSevent.xml");
+			fis = new FileInputStream(f);
+			is = new BufferedServletInputStream(fis);
+			is.mark(0);
+			try {
+				while(is.read()>=0);
+			} finally {
+				fis.close();
+			}
+
+			for(int i=0;i<iter;++i) {
+				start = System.nanoTime();
+				is.reset();
+				try {
+					assertNull(wp.parse(bc, is));
+				} finally {
+					count += System.nanoTime()-start;
+				}
+			}
+			float ms = count/1000000f;
+			System.out.println("Executed " + iter + " WSSE reads from Memory Stream in " + ms + "ms.  " + ms/iter + "ms per trans");
+			
+			// SPECIFIC ISSUES
+			
+			fis = new FileInputStream("test/error2013_04_23.xml");
+			try {
+				bc.setCred(null);
+				bc.setUser(null);
+				assertNull(wp.parse(bc, fis));
+				assertNull(bc.getUser());
+				assertNull(bc.getCred());
+			} finally {
+				fis.close();
+			}
+		} catch(Exception e) {
+			e.printStackTrace(System.err);
+		}
+	}
+
+}
diff --git a/core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_XReader.java b/core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_XReader.java
new file mode 100644
index 0000000..de8da8a
--- /dev/null
+++ b/core/src/test/java/org/onap/aaf/cadi/wsse/test/JU_XReader.java
@@ -0,0 +1,65 @@
+/*******************************************************************************
+ * ============LICENSE_START====================================================
+ * * org.onap.aaf
+ * * ===========================================================================
+ * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * * ===========================================================================
+ * * Licensed under the Apache License, Version 2.0 (the "License");
+ * * you may not use this file except in compliance with the License.
+ * * You may obtain a copy of the License at
+ * * 
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ * * 
+ *  * Unless required by applicable law or agreed to in writing, software
+ * * distributed under the License is distributed on an "AS IS" BASIS,
+ * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * * See the License for the specific language governing permissions and
+ * * limitations under the License.
+ * * ============LICENSE_END====================================================
+ * *
+ * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ * *
+ ******************************************************************************/
+package org.onap.aaf.cadi.wsse.test;
+
+import java.io.FileInputStream;
+
+import javax.xml.stream.events.XMLEvent;
+
+import org.junit.Test;
+import org.onap.aaf.cadi.wsse.XEvent;
+import org.onap.aaf.cadi.wsse.XReader;
+
+public class JU_XReader {
+	@Test
+	public void test() throws Exception {
+		FileInputStream fis = new FileInputStream("test/CBUSevent.xml");
+		try {
+			XReader xr = new XReader(fis);
+			while(xr.hasNext()) {
+				XEvent xe = xr.nextEvent();
+				switch(xe.getEventType()) {
+					case XMLEvent.START_DOCUMENT:
+						System.out.println("Start Document");
+						break;
+					case XMLEvent.START_ELEMENT:
+						System.out.println("Start Event: " + xe.asStartElement().getName());
+						break;
+					case XMLEvent.END_ELEMENT:
+						System.out.println("End Event: " + xe.asEndElement().getName());
+						break;
+					case XMLEvent.CHARACTERS:
+						System.out.println("Characters: " + xe.asCharacters().getData());
+						break;
+					case XMLEvent.COMMENT:
+						System.out.println("Comment: " + ((XEvent.Comment)xe).value);
+						break;
+				}
+			}
+		} finally {
+			fis.close();
+		}
+		
+	}
+
+}
-- 
cgit 1.2.3-korg