From a7f4def785c9e169ebcb4785d7561505e47f3fc0 Mon Sep 17 00:00:00 2001
From: Sai Gandham <sg481n@att.com>
Date: Mon, 2 Jul 2018 22:37:37 -0500
Subject: Moving Shiro modules to cadi repo

Issue-ID: AAF-380
Change-Id: If1029a16958335277ff38cdbe5662b0a14ea439f
Signed-off-by: Sai Gandham <sg481n@att.com>
---
 shiro/.gitignore                                   |   4 +
 shiro/pom.xml                                      | 204 +++++++++++++++++++++
 .../onap/aaf/cadi/shiro/AAFAuthenticationInfo.java |  90 +++++++++
 .../onap/aaf/cadi/shiro/AAFAuthorizationInfo.java  |  94 ++++++++++
 .../aaf/cadi/shiro/AAFPrincipalCollection.java     | 125 +++++++++++++
 .../java/org/onap/aaf/cadi/shiro/AAFRealm.java     | 142 ++++++++++++++
 .../onap/aaf/cadi/shiro/AAFShiroPermission.java    |  45 +++++
 .../org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java  |  93 ++++++++++
 8 files changed, 797 insertions(+)
 create mode 100644 shiro/.gitignore
 create mode 100644 shiro/pom.xml
 create mode 100644 shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java
 create mode 100644 shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
 create mode 100644 shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java
 create mode 100644 shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java
 create mode 100644 shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java
 create mode 100644 shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java

(limited to 'shiro')

diff --git a/shiro/.gitignore b/shiro/.gitignore
new file mode 100644
index 0000000..6028f0a
--- /dev/null
+++ b/shiro/.gitignore
@@ -0,0 +1,4 @@
+/.classpath
+/.settings/
+/target/
+/.project
diff --git a/shiro/pom.xml b/shiro/pom.xml
new file mode 100644
index 0000000..081313b
--- /dev/null
+++ b/shiro/pom.xml
@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<parent>
+		<groupId>org.onap.aaf.cadi</groupId>
+		<artifactId>cadimiscparent</artifactId>
+		<version>2.1.2-SNAPSHOT</version>
+		<relativePath>..</relativePath>
+	</parent>
+
+	<modelVersion>4.0.0</modelVersion>
+	<name>AAF CADI Shiro Plugin</name>
+	<packaging>jar</packaging>
+	<artifactId>aaf-cadi-shiro</artifactId>
+
+	<properties>
+	<!--  SONAR  -->
+	<sonar.skip>true</sonar.skip>
+		 <jacoco.version>0.7.7.201606060606</jacoco.version>
+	    <sonar-jacoco-listeners.version>3.2</sonar-jacoco-listeners.version>
+	    <sonar.core.codeCoveragePlugin>jacoco</sonar.core.codeCoveragePlugin>
+	    <!-- Default Sonar configuration -->
+	    <sonar.jacoco.reportPaths>target/code-coverage/jacoco-ut.exec</sonar.jacoco.reportPaths>
+	    <sonar.jacoco.itReportPaths>target/code-coverage/jacoco-it.exec</sonar.jacoco.itReportPaths>
+	    <!-- Note: This list should match jacoco-maven-plugin's exclusion list below -->
+	    <sonar.exclusions>**/gen/**,**/generated-sources/**,**/yang-gen**,**/pax/**</sonar.exclusions>
+		<nexusproxy>https://nexus.onap.org</nexusproxy>
+		<snapshotNexusPath>/content/repositories/snapshots/</snapshotNexusPath>
+		<releaseNexusPath>/content/repositories/releases/</releaseNexusPath>
+		<stagingNexusPath>/content/repositories/staging/</stagingNexusPath>
+		<sitePath>/content/sites/site/org/onap/aaf/authz/${project.artifactId}/${project.version}</sitePath>
+	</properties>
+
+	<developers>
+		<developer>
+			<name>Jonathan Gathman</name>
+			<email>jonathan.gathman@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Architect</role>
+				<role>Lead Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Gabe Maurer</name>
+			<email>gabe.maurer@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Ian Howell</name>
+			<email>ian.howell@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+		<developer>
+			<name>Sai Gandham</name>
+			<email>sai.gandham@att.com</email>
+			<organization>ATT</organization>
+			<roles>
+				<role>Developer</role>
+			</roles>
+		</developer>
+	</developers>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.onap.aaf.authz</groupId>
+			<artifactId>aaf-cadi-aaf</artifactId>
+		</dependency>
+		<!--<dependency>
+			<groupId>org.apache.shiro</groupId>
+			<artifactId>shiro-core</artifactId>
+			<version>1.4.0</version>
+		</dependency> -->
+		
+		<dependency>
+			<groupId>org.apache.shiro</groupId>
+			<artifactId>shiro-core</artifactId>
+			<version>1.3.2</version>
+		</dependency>
+		
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.sonatype.plugins</groupId>
+				<artifactId>nexus-staging-maven-plugin</artifactId>
+				<extensions>true</extensions>
+				<configuration>
+					<nexusUrl>${nexusproxy}</nexusUrl>
+					<stagingProfileId>176c31dfe190a</stagingProfileId>
+					<serverId>ecomp-staging</serverId>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<configuration>
+					<skip>false</skip>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.jacoco</groupId>
+				<artifactId>jacoco-maven-plugin</artifactId>
+				<configuration>
+					<excludes>
+						<exclude>**/gen/**</exclude>
+						<exclude>**/generated-sources/**</exclude>
+						<exclude>**/yang-gen/**</exclude>
+						<exclude>**/pax/**</exclude>
+					</excludes>
+				</configuration>
+				<executions>
+					<execution>
+						<id>pre-unit-test</id>
+						<goals>
+							<goal>prepare-agent</goal>
+						</goals>
+						<configuration>
+							<destFile>${project.build.directory}/code-coverage/jacoco-ut.exec</destFile>
+							<propertyName>surefireArgLine</propertyName>
+						</configuration>
+					</execution>
+					<execution>
+						<id>post-unit-test</id>
+						<phase>test</phase>
+						<goals>
+							<goal>report</goal>
+						</goals>
+						<configuration>
+							<dataFile>${project.build.directory}/code-coverage/jacoco-ut.exec</dataFile>
+							<outputDirectory>${project.reporting.outputDirectory}/jacoco-ut</outputDirectory>
+						</configuration>
+					</execution>
+					<execution>
+						<id>pre-integration-test</id>
+						<phase>pre-integration-test</phase>
+						<goals>
+							<goal>prepare-agent</goal>
+						</goals>
+						<configuration>
+							<destFile>${project.build.directory}/code-coverage/jacoco-it.exec</destFile>
+							<propertyName>failsafeArgLine</propertyName>
+						</configuration>
+					</execution>
+					<execution>
+						<id>post-integration-test</id>
+						<phase>post-integration-test</phase>
+						<goals>
+							<goal>report</goal>
+						</goals>
+						<configuration>
+							<dataFile>${project.build.directory}/code-coverage/jacoco-it.exec</dataFile>
+							<outputDirectory>${project.reporting.outputDirectory}/jacoco-it</outputDirectory>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+
+	</build>
+
+	<distributionManagement>
+		<repository>
+			<id>ecomp-releases</id>
+			<name>AAF Release Repository</name>
+			<url>${nexusproxy}${releaseNexusPath}</url>
+		</repository>
+		<snapshotRepository>
+			<id>ecomp-snapshots</id>
+			<name>AAF Snapshot Repository</name>
+			<url>${nexusproxy}${snapshotNexusPath}</url>
+		</snapshotRepository>
+		<site>
+			<id>ecomp-site</id>
+			<url>dav:${nexusproxy}${sitePath}</url>
+		</site>
+	</distributionManagement>
+</project>
diff --git a/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java
new file mode 100644
index 0000000..a1d304b
--- /dev/null
+++ b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthenticationInfo.java
@@ -0,0 +1,90 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.shiro;
+
+import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Hash;
+import org.onap.aaf.cadi.Access.Level;
+
+public class AAFAuthenticationInfo implements AuthenticationInfo {
+	private static final long serialVersionUID = -1502704556864321020L;
+	// We assume that Shiro is doing Memory Only, and this salt is not needed cross process
+	private final static int salt = new SecureRandom().nextInt(); 
+
+	private final AAFPrincipalCollection apc;
+	private final byte[] hash;
+	private Access access;
+
+	public AAFAuthenticationInfo(Access access, String username, String password) {
+		this.access = access;
+		apc = new AAFPrincipalCollection(username);
+		hash = getSaltedCred(password);
+	}
+	@Override
+	public byte[] getCredentials() {
+		access.log(Level.DEBUG, "AAFAuthenticationInfo.getCredentials");
+		return hash;
+	}
+
+	@Override
+	public PrincipalCollection getPrincipals() {
+		access.log(Level.DEBUG, "AAFAuthenticationInfo.getPrincipals");
+		return apc;
+	}
+
+	public boolean matches(AuthenticationToken atoken) {
+		if(atoken instanceof UsernamePasswordToken) {
+			UsernamePasswordToken upt = (UsernamePasswordToken)atoken;
+			if(apc.getPrimaryPrincipal().getName().equals(upt.getPrincipal())) {
+				byte[] newhash = getSaltedCred(new String(upt.getPassword()));
+				if(newhash.length==hash.length) {
+					for(int i=0;i<hash.length;++i) {
+						if(hash[i]!=newhash[i]) {
+							return false;
+						}
+					}
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+	
+	private byte[] getSaltedCred(String password) {
+		byte[] pbytes = password.getBytes();
+		ByteBuffer bb = ByteBuffer.allocate(pbytes.length+Integer.SIZE/8);
+		bb.asIntBuffer().put(salt);
+		bb.put(password.getBytes());
+		try {
+			return Hash.hashSHA256(bb.array());
+		} catch (NoSuchAlgorithmException e) {
+			return new byte[0]; // should never get here
+		}
+	}
+}
diff --git a/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
new file mode 100644
index 0000000..bfdc6bf
--- /dev/null
+++ b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFAuthorizationInfo.java
@@ -0,0 +1,94 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.shiro;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.Permission;
+import org.onap.aaf.cadi.Access;
+import org.onap.aaf.cadi.Access.Level;
+
+/**
+ * We treat "roles" and "permissions" in a similar way for first pass.
+ * 
+ * @author JonathanGathman
+ *
+ */
+public class AAFAuthorizationInfo implements AuthorizationInfo {
+	private static final long serialVersionUID = -4805388954462426018L;
+	private Access access;
+	private Principal bait;
+	private List<org.onap.aaf.cadi.Permission> pond;
+	private ArrayList<String> sPerms;
+	private ArrayList<Permission> oPerms;
+
+	public AAFAuthorizationInfo(Access access, Principal bait, List<org.onap.aaf.cadi.Permission> pond) {
+		this.access = access;
+		this.bait = bait;
+		this.pond = pond;
+		sPerms=null;
+		oPerms=null;
+	}
+	
+	public Principal principal() {
+		return bait;
+	}
+	
+	@Override
+	public Collection<Permission> getObjectPermissions() {
+		access.log(Level.DEBUG, "AAFAuthorizationInfo.getObjectPermissions");
+		synchronized(bait) {
+			if(oPerms == null) {
+				oPerms = new ArrayList<Permission>(); 
+				for(final org.onap.aaf.cadi.Permission p : pond) {
+					oPerms.add(new AAFShiroPermission(p));
+				}
+			}
+		}
+		return oPerms;
+	}
+
+	@Override
+	public Collection<String> getRoles() {
+		access.log(Level.DEBUG, "AAFAuthorizationInfo.getRoles");
+		// Until we decide to make Roles available, tie into String based permissions.
+		return getStringPermissions();
+	}
+
+	@Override
+	public Collection<String> getStringPermissions() {
+		access.log(Level.DEBUG, "AAFAuthorizationInfo.getStringPermissions");
+		synchronized(bait) {
+			if(sPerms == null) {
+				sPerms = new ArrayList<String>(); 
+				for(org.onap.aaf.cadi.Permission p : pond) {
+					sPerms.add(p.getKey());
+				}
+			}
+		}
+		return sPerms;
+	}
+
+}
diff --git a/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java
new file mode 100644
index 0000000..145968d
--- /dev/null
+++ b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFPrincipalCollection.java
@@ -0,0 +1,125 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.shiro;
+
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+public class AAFPrincipalCollection implements PrincipalCollection {
+	private static final long serialVersionUID = 558246013419818831L;
+	private static final Set<String> realmSet;
+	private final Principal principal;
+	private List<Principal> list=null;
+	private Set<Principal> set=null;
+
+	static {
+		realmSet = new HashSet<String>();
+		realmSet.add(AAFRealm.AAF_REALM);
+	}
+	
+	public AAFPrincipalCollection(Principal p) {
+		principal = p;
+	}
+
+	public AAFPrincipalCollection(final String principalName) {
+		principal = 	new Principal() {
+			private final String name = principalName;
+			@Override
+			public String getName() {
+				return name;
+			}
+		};
+	}
+
+	@Override
+	public Iterator<Principal> iterator() {
+		return null;
+	}
+
+	@Override
+	public List<Principal> asList() {
+		if(list==null) {
+			list = new ArrayList<Principal>();
+		}
+		list.add(principal);
+		return list;
+	}
+
+	@Override
+	public Set<Principal> asSet() {
+		if(set==null) {
+			set = new HashSet<Principal>();
+		}
+		set.add(principal);
+		return set;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <T> Collection<T> byType(Class<T> cls) {
+		Collection<T> coll = new ArrayList<T>();
+		if(cls.isAssignableFrom(Principal.class)) {
+			coll.add((T)principal);
+		}
+		return coll;
+	}
+
+	@Override
+	public Collection<Principal> fromRealm(String realm) {
+		if(AAFRealm.AAF_REALM.equals(realm)) {
+			return asList();
+		} else {
+			return new ArrayList<Principal>();
+		}
+	}
+
+	@Override
+	public Principal getPrimaryPrincipal() {
+		return principal;
+	}
+
+	@Override
+	public Set<String> getRealmNames() {
+		return realmSet;
+	}
+
+	@Override
+	public boolean isEmpty() {
+		return principal==null;
+	}
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public <T> T oneByType(Class<T> cls) {
+		if(cls.isAssignableFrom(Principal.class)) {
+			return (T)principal;
+		}
+		return null;
+	}
+
+}
diff --git a/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java
new file mode 100644
index 0000000..006547a
--- /dev/null
+++ b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFRealm.java
@@ -0,0 +1,142 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.shiro;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.onap.aaf.cadi.Access.Level;
+import org.onap.aaf.cadi.CadiException;
+import org.onap.aaf.cadi.LocatorException;
+import org.onap.aaf.cadi.Permission;
+import org.onap.aaf.cadi.PropAccess;
+import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
+import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.misc.env.APIException;
+
+public class AAFRealm extends AuthorizingRealm {
+	public static final String AAF_REALM = "AAFRealm";
+	
+	private PropAccess access;
+	private AAFCon<?> acon;
+	private AAFAuthn<?> authn;
+	private HashSet<Class<? extends AuthenticationToken>> supports;
+	private AAFLurPerm authz;
+	
+
+	/**
+	 * 
+	 * There appears to be no configuration objects or references available for CADI to start with.
+	 *  
+	 */
+	public AAFRealm () {
+		access = new PropAccess(); // pick up cadi_prop_files from VM_Args
+		String cadi_prop_files = access.getProperty(Config.CADI_PROP_FILES);
+		if(cadi_prop_files==null) {
+			String msg = Config.CADI_PROP_FILES + " in VM Args is required to initialize AAFRealm.";
+			access.log(Level.INIT,msg);
+			throw new RuntimeException(msg);
+		} else {
+			try {
+				acon = AAFCon.newInstance(access);
+				authn = acon.newAuthn();
+				authz = acon.newLur(authn);
+			} catch (APIException | CadiException | LocatorException e) {
+				String msg = "Cannot initiate AAFRealm";
+				access.log(Level.INIT,msg,e.getMessage());
+				throw new RuntimeException(msg,e);
+			}
+		}
+		supports = new HashSet<Class<? extends AuthenticationToken>>();
+		supports.add(UsernamePasswordToken.class);
+	}
+
+	@Override
+	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+		access.log(Level.DEBUG, "AAFRealm.doGetAuthenticationInfo",token);
+		
+		final UsernamePasswordToken upt = (UsernamePasswordToken)token;
+		String password=new String(upt.getPassword());
+		String err;
+		try {
+			err = authn.validate(upt.getUsername(),password);
+		} catch (IOException|CadiException e) {
+			err = "Credential cannot be validated";
+			access.log(e, err);
+		}
+		
+		if(err != null) {
+			access.log(Level.DEBUG, err);
+			throw new AuthenticationException(err);
+		}
+
+	    return new AAFAuthenticationInfo(
+	    		access,
+	    		upt.getUsername(),
+	    		password
+	    );
+	}
+
+	@Override
+	protected void assertCredentialsMatch(AuthenticationToken atoken, AuthenticationInfo ai)throws AuthenticationException {
+		if(ai instanceof AAFAuthenticationInfo) {
+			if(!((AAFAuthenticationInfo)ai).matches(atoken)) {
+				throw new AuthenticationException("Credentials do not match");
+			}
+		} else {
+			throw new AuthenticationException("AuthenticationInfo is not an AAFAuthenticationInfo");
+		}
+	}
+
+
+	@Override
+	protected AAFAuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+		access.log(Level.DEBUG, "AAFRealm.doGetAuthenthorizationInfo");
+		Principal bait = (Principal)principals.getPrimaryPrincipal();
+		List<Permission> pond = new ArrayList<Permission>();
+		authz.fishAll(bait,pond);
+		
+		return new AAFAuthorizationInfo(access,bait,pond);
+       
+	}
+
+	@Override
+	public boolean supports(AuthenticationToken token) {
+		return supports.contains(token.getClass());
+	}
+
+	@Override
+	public String getName() {
+		return AAF_REALM;
+	}
+
+}
diff --git a/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java
new file mode 100644
index 0000000..a348a04
--- /dev/null
+++ b/shiro/src/main/java/org/onap/aaf/cadi/shiro/AAFShiroPermission.java
@@ -0,0 +1,45 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.shiro;
+
+import org.apache.shiro.authz.Permission;
+
+public class AAFShiroPermission implements Permission {
+	private org.onap.aaf.cadi.Permission perm;
+	public AAFShiroPermission(org.onap.aaf.cadi.Permission perm) {
+		this.perm = perm;
+	}
+	@Override
+	public boolean implies(Permission sp) {
+		if(sp instanceof AAFShiroPermission) {
+			if(perm.match(((AAFShiroPermission)sp).perm)){
+				return true;
+			}
+		}
+		return false;
+	}
+	
+	@Override
+	public String toString() {
+		return perm.toString();
+	}
+
+}
diff --git a/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java b/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java
new file mode 100644
index 0000000..add449c
--- /dev/null
+++ b/shiro/src/test/java/org/onap/aaf/cadi/shiro/test/JU_AAFRealm.java
@@ -0,0 +1,93 @@
+/**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+package org.onap.aaf.cadi.shiro.test;
+
+import java.util.ArrayList;
+
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.Permission;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.junit.Test;
+import org.onap.aaf.cadi.aaf.AAFPermission;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.shiro.AAFRealm;
+import org.onap.aaf.cadi.shiro.AAFShiroPermission;
+
+import junit.framework.Assert;
+
+public class JU_AAFRealm {
+
+	// TODO: Ian - fix this test
+	// @Test
+	// public void test() {
+	// 	// NOTE This is a live test.  This JUnit needs to be built with "Mock"
+	// 	try {
+	// 		System.setProperty(Config.CADI_PROP_FILES, "/opt/app/osaaf/etc/org.osaaf.common.props");
+	// 		TestAAFRealm ar = new TestAAFRealm();
+			
+	// 		UsernamePasswordToken upt = new UsernamePasswordToken("jonathan@people.osaaf.org", "new2You!");
+	// 		AuthenticationInfo ani = ar.authn(upt);
+			
+	// 		AuthorizationInfo azi = ar.authz(ani.getPrincipals());
+	// 		// Change this to something YOU have, Sai...
+			
+	// 		testAPerm(true,azi,"org.access","something","*");
+	// 		testAPerm(false,azi,"org.accessX","something","*");
+	// 	} catch (Throwable t) {
+	// 		t.printStackTrace();
+	// 		Assert.fail();
+	// 	}
+	// }
+
+	private void testAPerm(boolean expect,AuthorizationInfo azi, String type, String instance, String action) {
+		
+		AAFShiroPermission testPerm = new AAFShiroPermission(new AAFPermission(type,instance,action,new ArrayList<String>()));
+
+		boolean any = false;
+		for(Permission p : azi.getObjectPermissions()) {
+			if(p.implies(testPerm)) {
+				any = true;
+			}
+		}
+		if(expect) {
+			Assert.assertTrue(any);
+		} else {
+			Assert.assertFalse(any);
+		}
+
+		
+	}
+
+	/**
+	 * Note, have to create a derived class, because "doGet"... are protected
+	 */
+	private class TestAAFRealm extends AAFRealm {
+		public AuthenticationInfo authn(UsernamePasswordToken upt) {
+			return doGetAuthenticationInfo(upt);
+		}
+		public AuthorizationInfo authz(PrincipalCollection pc) {
+			return doGetAuthorizationInfo(pc);
+		}
+		
+	}
+}
-- 
cgit 1.2.3-korg