1 files changed, 661 insertions, 239 deletions

diff --git a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java
index 54bd69120b..4b63577376 100644
--- a/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java
+++ b/qpid/java/broker-core/src/test/java/org/apache/qpid/server/security/SecurityManagerTest.java
@@ -32,16 +32,31 @@ import static org.mockito.Mockito.when;
 import java.security.AccessControlException;
 import java.util.Collections;
 
-import org.apache.qpid.server.binding.BindingImpl;
-import org.apache.qpid.server.consumer.ConsumerImpl;
-import org.apache.qpid.server.exchange.ExchangeImpl;
 import org.apache.qpid.server.model.AccessControlProvider;
+import org.apache.qpid.server.model.AuthenticationProvider;
+import org.apache.qpid.server.model.Binding;
 import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.BrokerModel;
+import org.apache.qpid.server.model.ConfiguredObject;
+import org.apache.qpid.server.model.Consumer;
+import org.apache.qpid.server.model.Exchange;
+import org.apache.qpid.server.model.ExclusivityPolicy;
+import org.apache.qpid.server.model.Group;
+import org.apache.qpid.server.model.GroupMember;
+import org.apache.qpid.server.model.GroupProvider;
+import org.apache.qpid.server.model.KeyStore;
 import org.apache.qpid.server.model.LifetimePolicy;
+import org.apache.qpid.server.model.Port;
+import org.apache.qpid.server.model.Queue;
+import org.apache.qpid.server.model.Session;
 import org.apache.qpid.server.model.State;
+import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.model.User;
 import org.apache.qpid.server.model.VirtualHost;
+import org.apache.qpid.server.model.VirtualHostNode;
 import org.apache.qpid.server.protocol.AMQConnectionModel;
 import org.apache.qpid.server.queue.AMQQueue;
+import org.apache.qpid.server.queue.QueueConsumer;
 import org.apache.qpid.server.security.access.ObjectProperties;
 import org.apache.qpid.server.security.access.ObjectProperties.Property;
 import org.apache.qpid.server.security.access.ObjectType;
@@ -59,6 +74,8 @@ public class SecurityManagerTest extends QpidTestCase
     private AccessControl _accessControl;
     private SecurityManager _securityManager;
     private VirtualHost<?,?,?> _virtualHost;
+    private Broker _broker;
+    private VirtualHostNode<?> _virtualHostNode;
 
     @Override
     public void setUp() throws Exception
@@ -72,28 +89,38 @@ public class SecurityManagerTest extends QpidTestCase
         when(aclProvider.getState()).thenReturn(State.ACTIVE);
 
         when(_virtualHost.getName()).thenReturn(TEST_VIRTUAL_HOST);
-
-        Broker broker = mock(Broker.class);
-        when(broker.getAccessControlProviders()).thenReturn(Collections.singleton(aclProvider));
-        _securityManager = new SecurityManager(broker, false);
+        when(_virtualHost.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST);
+
+        _broker = mock(Broker.class);
+        when(_broker.getAccessControlProviders()).thenReturn(Collections.singleton(aclProvider));
+        when(_broker.getChildren(AccessControlProvider.class)).thenReturn(Collections.singleton(aclProvider));
+        when(_broker.getCategoryClass()).thenReturn(Broker.class);
+        when(_broker.getName()).thenReturn("My Broker");
+        when(_broker.getAttribute(Broker.NAME)).thenReturn("My Broker");
+        when(_broker.getModel()).thenReturn(BrokerModel.getInstance());
+
+        _virtualHostNode = getMockVirtualHostNode();
+        _securityManager = new SecurityManager(_broker, false);
     }
 
     public void testAuthoriseCreateBinding()
     {
-        ExchangeImpl exchange = mock(ExchangeImpl.class);
+        VirtualHost vh = getMockVirtualHost();
+
+        Exchange exchange = mock(Exchange.class);
         when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(exchange.getName()).thenReturn(TEST_EXCHANGE);
+        when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+        when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+        when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+        when(exchange.getModel()).thenReturn(BrokerModel.getInstance());
 
-        AMQQueue<?> queue = mock(AMQQueue.class);
+        Queue queue = mock(Queue.class);
         when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
-        when(queue.isDurable()).thenReturn(true);
-        when(queue.getLifetimePolicy()).thenReturn(LifetimePolicy.PERMANENT);
-
-        BindingImpl binding = mock(BindingImpl.class);
-        when(binding.getExchange()).thenReturn(exchange);
-        when(binding.getAMQQueue()).thenReturn(queue);
-        when(binding.getBindingKey()).thenReturn("bindingKey");
+        when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+        when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+        when(queue.getCategoryClass()).thenReturn(Queue.class);
+        when(queue.getParent(VirtualHost.class)).thenReturn(vh);
 
         ObjectProperties properties = new ObjectProperties();
         properties.put(Property.NAME, TEST_EXCHANGE);
@@ -103,22 +130,13 @@ public class SecurityManagerTest extends QpidTestCase
         properties.put(Property.TEMPORARY, false);
         properties.put(Property.DURABLE, true);
 
+        Binding binding = mock(Binding.class);
+        when(binding.getParent(Exchange.class)).thenReturn(exchange);
+        when(binding.getParent(Queue.class)).thenReturn(queue);
+        when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
+        when(binding.getCategoryClass()).thenReturn(Binding.class);
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseCreateBinding(binding);
-        verify(_accessControl).authorise(eq(Operation.BIND), eq(ObjectType.EXCHANGE), eq(properties));
-
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseCreateBinding(binding);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.BIND), eq(ObjectType.EXCHANGE), eq(properties));
+        assertCreateAuthorization(binding, Operation.BIND, ObjectType.EXCHANGE, properties, exchange, queue);
     }
 
 
@@ -192,14 +210,23 @@ public class SecurityManagerTest extends QpidTestCase
 
     public void testAuthoriseCreateConsumer()
     {
-        AMQQueue<?> queue = mock(AMQQueue.class);
+        Queue queue = mock(Queue.class);
         when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
-        when(queue.isDurable()).thenReturn(true);
-        when(queue.getLifetimePolicy()).thenReturn(LifetimePolicy.PERMANENT);
-
-        ConsumerImpl consumer = mock(ConsumerImpl.class);
-        when(consumer.getMessageSource()).thenReturn(queue);
+        when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+        when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+        when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queue.getCategoryClass()).thenReturn(Queue.class);
+
+        Session session = mock(Session.class);
+        when(session.getCategoryClass()).thenReturn(Session.class);
+        when(session.getAttribute(Session.NAME)).thenReturn("1");
+
+        QueueConsumer consumer = mock(QueueConsumer.class);
+        when(consumer.getAttribute(QueueConsumer.NAME)).thenReturn("1");
+        when(consumer.getParent(Queue.class)).thenReturn(queue);
+        when(consumer.getParent(Session.class)).thenReturn(session);
+        when(consumer.getCategoryClass()).thenReturn(Consumer.class);
 
         ObjectProperties properties = new ObjectProperties();
         properties.put(Property.NAME, TEST_QUEUE);
@@ -209,284 +236,573 @@ public class SecurityManagerTest extends QpidTestCase
         properties.put(Property.DURABLE, true);
         properties.put(Property.EXCLUSIVE, false);
 
+        assertAuthorization(Operation.CREATE, consumer, Operation.CONSUME, ObjectType.QUEUE, properties, queue, session);
+    }
+
+    public void testAuthoriseUserOperation()
+    {
+        ObjectProperties properties = new ObjectProperties("testUser");
+
         configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseCreateConsumer(consumer);
-        verify(_accessControl).authorise(eq(Operation.CONSUME), eq(ObjectType.QUEUE), eq(properties));
+       _securityManager.authoriseUserUpdate("testUser");
+       verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties));
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseCreateConsumer(consumer);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.CONSUME), eq(ObjectType.QUEUE), eq(properties));
+       configureAccessPlugin(Result.DENIED);
+       try
+       {
+           _securityManager.authoriseUserUpdate("testUser");
+           fail("AccessControlException is expected");
+       }
+       catch(AccessControlException e)
+       {
+           // pass
+       }
+       verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.USER), eq(properties));
     }
 
     public void testAuthoriseCreateExchange()
     {
-        ExchangeImpl<?> exchange = mock(ExchangeImpl.class);
-        when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(exchange.getName()).thenReturn(TEST_EXCHANGE);
-        when(exchange.getType()).thenReturn(TEST_EXCHANGE_TYPE);
+        VirtualHost vh = getMockVirtualHost();
+        ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
+
+        Exchange exchange = mock(Exchange.class);
+        when(exchange.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_EXCHANGE);
+        when(exchange.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
+        when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
+        when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+        when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+
+        assertCreateAuthorization( exchange, Operation.CREATE, ObjectType.EXCHANGE, expectedProperties, vh);
+    }
 
-        ObjectProperties properties = createExpectedExchangeObjectProperties();
+    public void testAuthoriseCreateQueue()
+    {
+        VirtualHost vh = getMockVirtualHost();
+        ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
+
+        Queue queue = mock(Queue.class);
+        when(queue.getAttribute(ConfiguredObject.NAME)).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        when(queue.getAttribute(Queue.OWNER)).thenReturn(null);
+        when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
+        when(queue.getAttribute(Queue.ALTERNATE_EXCHANGE)).thenReturn(null);
+        when(queue.getCategoryClass()).thenReturn(Queue.class);
+        when(queue.getParent(VirtualHost.class)).thenReturn(vh);
+
+        assertCreateAuthorization(queue, Operation.CREATE, ObjectType.QUEUE, expectedProperties, vh);
+    }
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseCreateExchange(exchange);
-        verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.EXCHANGE), eq(properties));
+    public void testAuthoriseDeleteQueue()
+    {
+        VirtualHost vh = getMockVirtualHost();
+        ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
+
+        Queue queueObject = mock(Queue.class);
+        when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null);
+        when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false);
+        when(queueObject.getParent(VirtualHost.class)).thenReturn(vh);
+        when(queueObject.getCategoryClass()).thenReturn(Queue.class);
+
+        assertDeleteAuthorization(queueObject, Operation.DELETE, ObjectType.QUEUE, expectedProperties, vh);
+    }
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseCreateExchange(exchange);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.EXCHANGE), eq(properties));
+    public void testAuthoriseUpdateQueue()
+    {
+        VirtualHost vh = getMockVirtualHost();
+        ObjectProperties expectedProperties = createExpectedQueueObjectProperties();
+
+        Queue queueObject = mock(Queue.class);
+        when(queueObject.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queueObject.getAttribute(ConfiguredObject.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        when(queueObject.getAttribute(Queue.OWNER)).thenReturn(null);
+        when(queueObject.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queueObject.getAttribute(Queue.DURABLE)).thenReturn(false);
+        when(queueObject.getParent(VirtualHost.class)).thenReturn(vh);
+        when(queueObject.getCategoryClass()).thenReturn(Queue.class);
+
+        assertUpdateAuthorization(queueObject, Operation.UPDATE, ObjectType.QUEUE, expectedProperties, vh);
     }
 
-    public void testAuthoriseCreateQueue()
+    public void testAuthoriseUpdateExchange()
     {
-        AMQQueue<?> queue = mock(AMQQueue.class);
-        when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
+        VirtualHost vh = getMockVirtualHost();
+        ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
+
+        Exchange exchange = mock(Exchange.class);
+        when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+        when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
+        when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
+        when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+        when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+        assertUpdateAuthorization(exchange, Operation.UPDATE, ObjectType.EXCHANGE, expectedProperties, vh);
+    }
 
-        ObjectProperties properties = createExpectedQueueObjectProperties();
+    public void testAuthoriseDeleteExchange()
+    {
+        VirtualHost vh = getMockVirtualHost();
+        ObjectProperties expectedProperties = createExpectedExchangeObjectProperties();
+
+        Exchange exchange = mock(Exchange.class);
+        when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+        when(exchange.getAttribute(Exchange.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
+        when(exchange.getAttribute(Exchange.DURABLE)).thenReturn(false);
+        when(exchange.getAttribute(Exchange.TYPE)).thenReturn(TEST_EXCHANGE_TYPE);
+        when(exchange.getParent(VirtualHost.class)).thenReturn(vh);
+        when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+        assertDeleteAuthorization(exchange, Operation.DELETE, ObjectType.EXCHANGE, expectedProperties, vh);
+    }
+
+    public void testAuthorisePublish()
+    {
+        String routingKey = "routingKey";
+        String exchangeName = "exchangeName";
+        boolean immediate = true;
+        ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST, exchangeName, routingKey, immediate);
 
         configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseCreateQueue(queue);
-        verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.QUEUE), eq(properties));
+        _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST);
+        verify(_accessControl).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
 
         configureAccessPlugin(Result.DENIED);
         try
         {
-            _securityManager.authoriseCreateQueue(queue);
+            _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST);
             fail("AccessControlException is expected");
         }
         catch(AccessControlException e)
         {
             // pass
         }
-        verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.QUEUE), eq(properties));
+        verify(_accessControl, times(2)).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
     }
 
-    public void testAuthoriseDeleteQueue()
+    public void testAuthorisePurge()
     {
-        AMQQueue<?> queue = mock(AMQQueue.class);
+        Queue queue = mock(Queue.class);
         when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queue.getCategoryClass()).thenReturn(Queue.class);
+        when(queue.getAttribute(Queue.DURABLE)).thenReturn(false);
+        when(queue.getAttribute(Queue.EXCLUSIVE)).thenReturn(ExclusivityPolicy.NONE);
+        when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.DELETE_ON_CONNECTION_CLOSE);
 
         ObjectProperties properties = createExpectedQueueObjectProperties();
 
         configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseDelete(queue);
-        verify(_accessControl).authorise(eq(Operation.DELETE), eq(ObjectType.QUEUE), eq(properties));
+        _securityManager.authorisePurge(queue);
+        verify(_accessControl).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
 
         configureAccessPlugin(Result.DENIED);
         try
         {
-            _securityManager.authoriseDelete(queue);
+            _securityManager.authorisePurge(queue);
             fail("AccessControlException is expected");
         }
         catch(AccessControlException e)
         {
             // pass
         }
-        verify(_accessControl, times(2)).authorise(eq(Operation.DELETE), eq(ObjectType.QUEUE), eq(properties));
+        verify(_accessControl, times(2)).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
     }
 
-    public void testAuthoriseUpdateQueue()
+    public void testAuthoriseUnbind()
     {
-        AMQQueue<?> queue = mock(AMQQueue.class);
+        Exchange exchange = mock(Exchange.class);
+        when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
+        when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+        when(exchange.getCategoryClass()).thenReturn(Exchange.class);
+
+        Queue queue = mock(Queue.class);
         when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+        when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+        when(queue.getCategoryClass()).thenReturn(Queue.class);
 
-        ObjectProperties properties = createExpectedQueueObjectProperties();
+        Binding binding = mock(Binding.class);
+        when(binding.getParent(Exchange.class)).thenReturn(exchange);
+        when(binding.getParent(Queue.class)).thenReturn(queue);
+        when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
+        when(binding.getCategoryClass()).thenReturn(Binding.class);
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseUpdate(queue);
-        verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.QUEUE), eq(properties));
+        ObjectProperties properties = new ObjectProperties();
+        properties.put(Property.NAME, TEST_EXCHANGE);
+        properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
+        properties.put(Property.QUEUE_NAME, TEST_QUEUE);
+        properties.put(Property.ROUTING_KEY, "bindingKey");
+        properties.put(Property.TEMPORARY, false);
+        properties.put(Property.DURABLE, true);
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseUpdate(queue);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.QUEUE), eq(properties));
+        assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue);
     }
 
-    public void testAuthoriseUpdateExchange()
+    public void testAuthoriseCreateVirtualHostNode()
     {
-        ExchangeImpl<?> exchange = mock(ExchangeImpl.class);
-        when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(exchange.getName()).thenReturn(TEST_EXCHANGE);
-        when(exchange.getType()).thenReturn(TEST_EXCHANGE_TYPE);
+        VirtualHostNode vhn = getMockVirtualHostNode();
+        assertCreateAuthorization(vhn, Operation.CREATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties("testVHN"), _broker);
+    }
 
-        ObjectProperties properties = createExpectedExchangeObjectProperties();
+    public void testAuthoriseCreatePort()
+    {
+        Port port = mock(Port.class);
+        when(port.getParent(Broker.class)).thenReturn(_broker);
+        when(port.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+        when(port.getCategoryClass()).thenReturn(Port.class);
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseUpdate(exchange);
-        verify(_accessControl).authorise(eq(Operation.UPDATE), eq(ObjectType.EXCHANGE), eq(properties));
+        assertBrokerChildCreateAuthorization(port);
+    }
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseUpdate(exchange);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.UPDATE), eq(ObjectType.EXCHANGE), eq(properties));
+    public void testAuthoriseCreateAuthenticationProvider()
+    {
+        AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+        when(authenticationProvider.getParent(Broker.class)).thenReturn(_broker);
+        when(authenticationProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+        when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+
+        assertBrokerChildCreateAuthorization(authenticationProvider);
     }
 
-    public void testAuthoriseDeleteExchange()
+    public void testAuthoriseCreateGroupProvider()
     {
-        ExchangeImpl<?> exchange = mock(ExchangeImpl.class);
-        when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(exchange.getName()).thenReturn(TEST_EXCHANGE);
-        when(exchange.getType()).thenReturn(TEST_EXCHANGE_TYPE);
+        GroupProvider groupProvider = mock(GroupProvider.class);
+        when(groupProvider.getParent(Broker.class)).thenReturn(_broker);
+        when(groupProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+        when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
 
-        ObjectProperties properties = createExpectedExchangeObjectProperties();
+        assertBrokerChildCreateAuthorization(groupProvider);
+    }
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseDelete(exchange);
-        verify(_accessControl).authorise(eq(Operation.DELETE), eq(ObjectType.EXCHANGE), eq(properties));
+    public void testAuthoriseCreateAccessControlProvider()
+    {
+        AccessControlProvider accessControlProvider = mock(AccessControlProvider.class);
+        when(accessControlProvider.getParent(Broker.class)).thenReturn(_broker);
+        when(accessControlProvider.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+        when(accessControlProvider.getCategoryClass()).thenReturn(AccessControlProvider.class);
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseDelete(exchange);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.DELETE), eq(ObjectType.EXCHANGE), eq(properties));
+        assertBrokerChildCreateAuthorization(accessControlProvider);
     }
 
-    public void testAuthoriseGroupOperation()
+    public void testAuthoriseCreateKeyStore()
     {
-        ObjectProperties properties = new ObjectProperties("testGroup");
+        KeyStore keyStore = mock(KeyStore.class);
+        when(keyStore.getParent(Broker.class)).thenReturn(_broker);
+        when(keyStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+        when(keyStore.getCategoryClass()).thenReturn(KeyStore.class);
 
-         configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseGroupOperation(Operation.CREATE, "testGroup");
-        verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.GROUP), eq(properties));
+        assertBrokerChildCreateAuthorization(keyStore);
+    }
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authoriseGroupOperation(Operation.CREATE, "testGroup");
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.GROUP), eq(properties));
+    public void testAuthoriseCreateTrustStore()
+    {
+        TrustStore trustStore = mock(TrustStore.class);
+        when(trustStore.getParent(Broker.class)).thenReturn(_broker);
+        when(trustStore.getAttribute(ConfiguredObject.NAME)).thenReturn("TEST");
+        when(trustStore.getCategoryClass()).thenReturn(TrustStore.class);
+
+        assertBrokerChildCreateAuthorization(trustStore);
     }
 
-    public void testAuthoriseUserOperation()
+    public void testAuthoriseCreateGroup()
     {
-        ObjectProperties properties = new ObjectProperties("testUser");
+        GroupProvider groupProvider = mock(GroupProvider.class);
+        when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+        when(groupProvider.getAttribute(GroupProvider.NAME)).thenReturn("testGroupProvider");
+        when(groupProvider.getModel()).thenReturn(BrokerModel.getInstance());
 
-        configureAccessPlugin(Result.ALLOWED);
-       _securityManager.authoriseUserOperation(Operation.CREATE, "testUser");
-       verify(_accessControl).authorise(eq(Operation.CREATE), eq(ObjectType.USER), eq(properties));
+        Group group = mock(Group.class);
+        when(group.getCategoryClass()).thenReturn(Group.class);
+        when(group.getParent(GroupProvider.class)).thenReturn(groupProvider);
+        when(group.getAttribute(Group.NAME)).thenReturn("test");
 
-       configureAccessPlugin(Result.DENIED);
-       try
-       {
-           _securityManager.authoriseUserOperation(Operation.CREATE, "testUser");
-           fail("AccessControlException is expected");
-       }
-       catch(AccessControlException e)
-       {
-           // pass
-       }
-       verify(_accessControl, times(2)).authorise(eq(Operation.CREATE), eq(ObjectType.USER), eq(properties));
+        assertCreateAuthorization(group, Operation.CREATE, ObjectType.GROUP, new ObjectProperties("test"), groupProvider);
     }
 
-    public void testAuthorisePublish()
+    public void testAuthoriseCreateGroupMember()
     {
-        String routingKey = "routingKey";
-        String exchangeName = "exchangeName";
-        boolean immediate = true;
-        ObjectProperties properties = new ObjectProperties(TEST_VIRTUAL_HOST, exchangeName, routingKey, immediate);
+        Group group = mock(Group.class);
+        when(group.getCategoryClass()).thenReturn(Group.class);
+        when(group.getAttribute(Group.NAME)).thenReturn("testGroup");
+        when(group.getModel()).thenReturn(BrokerModel.getInstance());
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST);
-        verify(_accessControl).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
+        GroupMember groupMember = mock(GroupMember.class);
+        when(groupMember.getCategoryClass()).thenReturn(GroupMember.class);
+        when(groupMember.getParent(Group.class)).thenReturn(group);
+        when(groupMember.getAttribute(Group.NAME)).thenReturn("test");
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authorisePublish(immediate, routingKey, exchangeName, TEST_VIRTUAL_HOST);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.PUBLISH), eq(ObjectType.EXCHANGE), eq(properties));
+        assertCreateAuthorization(groupMember, Operation.UPDATE, ObjectType.GROUP, new ObjectProperties("test"), group);
     }
 
-    public void testAuthorisePurge()
+    public void testAuthoriseCreateUser()
     {
-        AMQQueue<?> queue = mock(AMQQueue.class);
-        when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
+        AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+        when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+        when(authenticationProvider.getAttribute(AuthenticationProvider.NAME)).thenReturn("testAuthenticationProvider");
+        when(authenticationProvider.getModel()).thenReturn(BrokerModel.getInstance());
+
+        User user = mock(User.class);
+        when(user.getCategoryClass()).thenReturn(User.class);
+        when(user.getAttribute(User.NAME)).thenReturn("test");
+        when(user.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
+        when(user.getModel()).thenReturn(BrokerModel.getInstance());
+
+        assertCreateAuthorization(user, Operation.CREATE, ObjectType.USER, new ObjectProperties("test"), authenticationProvider);
+    }
 
-        ObjectProperties properties = createExpectedQueueObjectProperties();
+    public void testAuthoriseCreateVirtualHost()
+    {
+        VirtualHost vh = getMockVirtualHost();
+        assertCreateAuthorization(vh, Operation.CREATE, ObjectType.VIRTUALHOST, new ObjectProperties(TEST_VIRTUAL_HOST), _virtualHostNode);
+    }
 
-        configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authorisePurge(queue);
-        verify(_accessControl).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
+    public void testAuthoriseUpdateVirtualHostNode()
+    {
+        VirtualHostNode vhn = getMockVirtualHostNode();
+        assertUpdateAuthorization(vhn, Operation.UPDATE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
+    }
 
-        configureAccessPlugin(Result.DENIED);
-        try
-        {
-            _securityManager.authorisePurge(queue);
-            fail("AccessControlException is expected");
-        }
-        catch(AccessControlException e)
-        {
-            // pass
-        }
-        verify(_accessControl, times(2)).authorise(eq(Operation.PURGE), eq(ObjectType.QUEUE), eq(properties));
+    public void testAuthoriseUpdatePort()
+    {
+        Port mock = mock(Port.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(Port.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildUpdateAuthorization(mock);
     }
 
+    public void testAuthoriseUpdateAuthenticationProvider()
+    {
+        AuthenticationProvider mock = mock(AuthenticationProvider.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildUpdateAuthorization(mock);
+    }
 
-    public void testAuthoriseUnbind()
+    public void testAuthoriseUpdateGroupProvider()
+    {
+        GroupProvider mock = mock(GroupProvider.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildUpdateAuthorization(mock);
+    }
+
+    public void testAuthoriseUpdateAccessControlProvider()
+    {
+        AccessControlProvider mock = mock(AccessControlProvider.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildUpdateAuthorization(mock);
+    }
+
+    public void testAuthoriseUpdateKeyStore()
+    {
+        KeyStore mock = mock(KeyStore.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(KeyStore.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildUpdateAuthorization(mock);
+    }
+
+    public void testAuthoriseUpdateTrustStore()
     {
-        ExchangeImpl exchange = mock(ExchangeImpl.class);
+        TrustStore mock = mock(TrustStore.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(TrustStore.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildUpdateAuthorization(mock);
+    }
+
+    public void testAuthoriseUpdateGroup()
+    {
+        GroupProvider groupProvider = mock(GroupProvider.class);
+        when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+        when(groupProvider.getName()).thenReturn("testGroupProvider");
+        Group mock = mock(Group.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(Group.class);
+        when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, groupProvider);
+    }
+
+    public void testAuthoriseUpdateGroupMember()
+    {
+        Group group = mock(Group.class);
+        when(group.getCategoryClass()).thenReturn(Group.class);
+        when(group.getName()).thenReturn("testGroup");
+        GroupMember mock = mock(GroupMember.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(GroupMember.class);
+        when(mock.getParent(Group.class)).thenReturn(group);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group);
+    }
+
+    public void testAuthoriseUpdateUser()
+    {
+        AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+        when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+        when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider");
+        User mock = mock(User.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(User.class);
+        when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.USER, properties, authenticationProvider);
+    }
+
+    public void testAuthoriseUpdateVirtualHost()
+    {
+        VirtualHostNode vhn = getMockVirtualHostNode();
+
+        VirtualHost mock = mock(VirtualHost.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(VirtualHost.class);
+        when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertUpdateAuthorization(mock, Operation.UPDATE, ObjectType.VIRTUALHOST, properties, vhn);
+    }
+
+    public void testAuthoriseDeleteVirtualHostNode()
+    {
+        VirtualHostNode vhn = getMockVirtualHostNode();
+        assertDeleteAuthorization(vhn, Operation.DELETE, ObjectType.VIRTUALHOSTNODE, new ObjectProperties(vhn.getName()), vhn);
+    }
+
+    public void testAuthoriseDeletePort()
+    {
+        Port mock = mock(Port.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(Port.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildDeleteAuthorization(mock);
+    }
+
+    public void testAuthoriseDeleteAuthenticationProvider()
+    {
+        AuthenticationProvider mock = mock(AuthenticationProvider.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildDeleteAuthorization(mock);
+    }
+
+    public void testAuthoriseDeleteGroupProvider()
+    {
+        GroupProvider mock = mock(GroupProvider.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(GroupProvider.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildDeleteAuthorization(mock);
+    }
+
+    public void testAuthoriseDeleteAccessControlProvider()
+    {
+        AccessControlProvider mock = mock(AccessControlProvider.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(AccessControlProvider.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildDeleteAuthorization(mock);
+    }
+
+    public void testAuthoriseDeleteKeyStore()
+    {
+        KeyStore mock = mock(KeyStore.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(KeyStore.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildDeleteAuthorization(mock);
+    }
+
+    public void testAuthoriseDeleteTrustStore()
+    {
+        TrustStore mock = mock(TrustStore.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(TrustStore.class);
+        when(mock.getParent(Broker.class)).thenReturn(_broker);
+        assertBrokerChildDeleteAuthorization(mock);
+    }
+
+    public void testAuthoriseDeleteGroup()
+    {
+        GroupProvider groupProvider = mock(GroupProvider.class);
+        when(groupProvider.getCategoryClass()).thenReturn(GroupProvider.class);
+        when(groupProvider.getName()).thenReturn("testGroupProvider");
+        Group mock = mock(Group.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(Group.class);
+        when(mock.getParent(GroupProvider.class)).thenReturn(groupProvider);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.GROUP, properties, groupProvider);
+    }
+
+    public void testAuthoriseDeleteGroupMember()
+    {
+        Group group = mock(Group.class);
+        when(group.getCategoryClass()).thenReturn(Group.class);
+        when(group.getName()).thenReturn("testGroup");
+        GroupMember mock = mock(GroupMember.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(GroupMember.class);
+        when(mock.getParent(Group.class)).thenReturn(group);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertDeleteAuthorization(mock, Operation.UPDATE, ObjectType.GROUP, properties, group);
+    }
+
+    public void testAuthoriseDeleteUser()
+    {
+        AuthenticationProvider authenticationProvider = mock(AuthenticationProvider.class);
+        when(authenticationProvider.getCategoryClass()).thenReturn(AuthenticationProvider.class);
+        when(authenticationProvider.getName()).thenReturn("testAuthenticationProvider");
+        User mock = mock(User.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(User.class);
+        when(mock.getParent(AuthenticationProvider.class)).thenReturn(authenticationProvider);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.USER, properties, authenticationProvider);
+    }
+
+    public void testAuthoriseDeleteVirtualHost()
+    {
+        VirtualHostNode vhn = getMockVirtualHostNode();
+
+        VirtualHost mock = mock(VirtualHost.class);
+        when(mock.getAttribute(ConfiguredObject.NAME)).thenReturn("test");
+        when(mock.getCategoryClass()).thenReturn(VirtualHost.class);
+        when(mock.getParent(VirtualHostNode.class)).thenReturn(vhn);
+        ObjectProperties properties = new ObjectProperties((String)mock.getAttribute(ConfiguredObject.NAME));
+        assertDeleteAuthorization(mock, Operation.DELETE, ObjectType.VIRTUALHOST, properties, vhn);
+    }
+
+    public void testAuthoriseDeleteBinding()
+    {
+        Exchange exchange = mock(Exchange.class);
         when(exchange.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(exchange.getName()).thenReturn(TEST_EXCHANGE);
+        when(exchange.getAttribute(Exchange.NAME)).thenReturn(TEST_EXCHANGE);
+        when(exchange.getCategoryClass()).thenReturn(Exchange.class);
 
-        AMQQueue<?> queue = mock(AMQQueue.class);
+        Queue queue = mock(Queue.class);
         when(queue.getParent(VirtualHost.class)).thenReturn(_virtualHost);
-        when(queue.getName()).thenReturn(TEST_QUEUE);
-        when(queue.isDurable()).thenReturn(true);
-        when(queue.getLifetimePolicy()).thenReturn(LifetimePolicy.PERMANENT);
+        when(queue.getAttribute(Queue.NAME)).thenReturn(TEST_QUEUE);
+        when(queue.getAttribute(Queue.DURABLE)).thenReturn(true);
+        when(queue.getAttribute(Queue.LIFETIME_POLICY)).thenReturn(LifetimePolicy.PERMANENT);
+        when(queue.getCategoryClass()).thenReturn(Queue.class);
 
-        BindingImpl binding = mock(BindingImpl.class);
-        when(binding.getExchange()).thenReturn(exchange);
-        when(binding.getAMQQueue()).thenReturn(queue);
-        when(binding.getBindingKey()).thenReturn("bindingKey");
+        Binding binding = mock(Binding.class);
+        when(binding.getParent(Exchange.class)).thenReturn(exchange);
+        when(binding.getParent(Queue.class)).thenReturn(queue);
+        when(binding.getAttribute(Binding.NAME)).thenReturn("bindingKey");
+        when(binding.getCategoryClass()).thenReturn(Binding.class);
 
         ObjectProperties properties = new ObjectProperties();
         properties.put(Property.NAME, TEST_EXCHANGE);
@@ -496,35 +812,141 @@ public class SecurityManagerTest extends QpidTestCase
         properties.put(Property.TEMPORARY, false);
         properties.put(Property.DURABLE, true);
 
+        assertDeleteAuthorization(binding, Operation.UNBIND, ObjectType.EXCHANGE, properties, exchange, queue);
+    }
+
+    private VirtualHost getMockVirtualHost()
+    {
+        VirtualHost vh = mock(VirtualHost.class);
+        when(vh.getCategoryClass()).thenReturn(VirtualHost.class);
+        when(vh.getName()).thenReturn(TEST_VIRTUAL_HOST);
+        when(vh.getAttribute(VirtualHost.NAME)).thenReturn(TEST_VIRTUAL_HOST);
+        when(vh.getParent(VirtualHostNode.class)).thenReturn(_virtualHostNode);
+        when(vh.getModel()).thenReturn(BrokerModel.getInstance());
+        return vh;
+    }
+
+    private VirtualHostNode getMockVirtualHostNode()
+    {
+        VirtualHostNode vhn = mock(VirtualHostNode.class);
+        when(vhn.getCategoryClass()).thenReturn(VirtualHostNode.class);
+        when(vhn.getName()).thenReturn("testVHN");
+        when(vhn.getAttribute(ConfiguredObject.NAME)).thenReturn("testVHN");
+        when(vhn.getParent(Broker.class)).thenReturn(_broker);
+        when(vhn.getModel()).thenReturn(BrokerModel.getInstance());
+        return vhn;
+    }
+
+    private void assertBrokerChildCreateAuthorization(ConfiguredObject object)
+    {
+        String description = String.format("%s %s '%s'",
+                Operation.CREATE.name().toLowerCase(),
+                object.getCategoryClass().getSimpleName().toLowerCase(),
+                "TEST");
+        ObjectProperties properties = new OperationLoggingDetails(description);
+        assertCreateAuthorization(object, Operation.CONFIGURE, ObjectType.BROKER, properties, _broker );
+    }
+
+    private void assertBrokerChildUpdateAuthorization(ConfiguredObject configuredObject)
+    {
+        String description = String.format("%s %s '%s'",
+                Operation.UPDATE.name().toLowerCase(),
+                configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
+                configuredObject.getAttribute(ConfiguredObject.NAME));
+        ObjectProperties properties = new OperationLoggingDetails(description);
+
+        assertUpdateAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER,
+                properties, _broker );
+    }
+
+    private void assertBrokerChildDeleteAuthorization(ConfiguredObject configuredObject)
+    {
+        String description = String.format("%s %s '%s'",
+                Operation.DELETE.name().toLowerCase(),
+                configuredObject.getCategoryClass().getSimpleName().toLowerCase(),
+                configuredObject.getAttribute(ConfiguredObject.NAME));
+        ObjectProperties properties = new OperationLoggingDetails(description);
+
+        assertDeleteAuthorization(configuredObject, Operation.CONFIGURE, ObjectType.BROKER,
+                properties, _broker );
+    }
 
+    private void assertAuthorization(Operation operation, ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+    {
         configureAccessPlugin(Result.ALLOWED);
-        _securityManager.authoriseUnbind(binding);
-        verify(_accessControl).authorise(eq(Operation.UNBIND), eq(ObjectType.EXCHANGE), eq(properties));
+        _securityManager.authorise(operation, configuredObject);
+        verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
 
         configureAccessPlugin(Result.DENIED);
         try
         {
-            _securityManager.authoriseUnbind(binding);
+            _securityManager.authorise(operation, configuredObject);
             fail("AccessControlException is expected");
         }
         catch(AccessControlException e)
         {
-            // pass
+            String expectedMessage = "Permission " + aclOperation.name() + " "
+                    + aclObjectType.name() +" is denied for : " + operation.name() + " "
+                    + configuredObject.getCategoryClass().getSimpleName() + " '"
+                    + configuredObject.getAttribute(ConfiguredObject.NAME) + "' on";
+
+            assertTrue("Unexpected exception message: " + e.getMessage() + " vs " + expectedMessage,
+                    e.getMessage().startsWith(expectedMessage));
+            for (ConfiguredObject object: objects)
+            {
+                String parentInfo = object.getCategoryClass().getSimpleName() + " '"
+                        + object.getAttribute(ConfiguredObject.NAME) + "'";
+                assertTrue("Exception message does not contain information about parent object "
+                                + object.getCategoryClass() + " " + object.getAttribute(ConfiguredObject.NAME) + ":"
+                                + e.getMessage(),
+                        e.getMessage().contains(parentInfo));
+            }
         }
-        verify(_accessControl, times(2)).authorise(eq(Operation.UNBIND), eq(ObjectType.EXCHANGE), eq(properties));
+
+        verify(_accessControl, times(2)).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
     }
 
-    public void testAuthoriseConfiguringBroker()
+    private void assertDeleteAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
     {
-        OperationLoggingDetails properties = new OperationLoggingDetails("create virtualhost 'test'");
+        assertAuthorization(Operation.DELETE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects);
+    }
 
+    private void assertUpdateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject... objects)
+    {
+        assertAuthorization(Operation.UPDATE, configuredObject, aclOperation, aclObjectType, expectedProperties, objects);
+    }
+
+    private void assertCreateAuthorization(ConfiguredObject<?> configuredObject, Operation aclOperation, ObjectType aclObjectType, ObjectProperties expectedProperties, ConfiguredObject<?>... parents)
+    {
         configureAccessPlugin(Result.ALLOWED);
-        assertTrue(_securityManager.authoriseConfiguringBroker("test", VirtualHost.class, Operation.CREATE));
-        verify(_accessControl).authorise(eq(Operation.CONFIGURE), eq(ObjectType.BROKER), eq(properties));
+        _securityManager.authorise(Operation.CREATE, configuredObject);
+        verify(_accessControl).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
 
         configureAccessPlugin(Result.DENIED);
-        assertFalse(_securityManager.authoriseConfiguringBroker("test", VirtualHost.class, Operation.CREATE));
-        verify(_accessControl, times(2)).authorise(eq(Operation.CONFIGURE), eq(ObjectType.BROKER), eq(properties));
+        try
+        {
+            _securityManager.authorise(Operation.CREATE, configuredObject);
+            fail("AccessControlException is expected");
+        }
+        catch(AccessControlException e)
+        {
+            String expectedMessage = "Permission " + aclOperation.name() + " "
+                    + aclObjectType.name() +" is denied for : CREATE " + configuredObject.getCategoryClass().getSimpleName() + " '"
+                    + configuredObject.getAttribute(ConfiguredObject.NAME) + "' on";
+
+            assertTrue("Unexpected exception message", e.getMessage().startsWith(expectedMessage));
+            for (ConfiguredObject object: parents)
+            {
+                String parentInfo = object.getCategoryClass().getSimpleName() + " '"
+                        + object.getAttribute(ConfiguredObject.NAME) + "'";
+                assertTrue("Exception message does not contain information about parent configuredObject "
+                                + parentInfo + ": "
+                                + e.getMessage(),
+                        e.getMessage().contains(parentInfo));
+            }
+        }
+
+        verify(_accessControl, times(2)).authorise(eq(aclOperation), eq(aclObjectType), eq(expectedProperties));
     }
 
     public void testAuthoriseLogsAccess()
@@ -548,7 +970,7 @@ public class SecurityManagerTest extends QpidTestCase
         ObjectProperties properties = new ObjectProperties();
         properties.put(Property.NAME, TEST_EXCHANGE);
         properties.put(Property.VIRTUALHOST_NAME, TEST_VIRTUAL_HOST);
-        properties.put(Property.AUTO_DELETE, false);
+        properties.put(Property.AUTO_DELETE, true);
         properties.put(Property.TEMPORARY, true);
         properties.put(Property.DURABLE, false);
         properties.put(Property.TYPE, TEST_EXCHANGE_TYPE);