From a83fbeb6d4e20d391148a4f753de7d71b4a50965 Mon Sep 17 00:00:00 2001
From: Sean Zhong <clockfly@gmail.com>
Date: Fri, 8 Jan 2016 16:07:42 +0800
Subject: [PATCH] fix #1247, add authentication for UI

---
 .travis.yml                                   |   3 +
 conf/gear.conf                                |  35 +++
 core/src/main/resources/reference.conf        |  54 +++-
 .../io/gearpump/security/Authenticator.scala  |  45 ++++
 .../ConfigFileBasedAuthenticator.scala        |  94 +++++++
 .../io/gearpump/security/PasswordUtil.scala   |  93 +++++++
 .../scala/io/gearpump/util/Constants.scala    |   3 +
 docs/dev-ide-setup.md                         |   9 +
 .../akka/stream/gearpump/AttributesSpec.scala |  23 +-
 project/Build.scala                           |   3 +-
 project/build.properties                      |   2 +-
 project/plugins.sbt                           |   2 -
 services/dashboard/dashboard.js               |   4 +-
 services/dashboard/index.html                 |  10 +-
 services/dashboard/login/login.html           | 111 ++++++++
 services/dashboard/login/login.js             |  41 +++
 services/dashboard/services/login_check.js    |  31 +++
 .../dashboard/services/streamingservice.js    |   2 +-
 services/dashboard/views/apps/apps.html       |  12 +-
 services/dashboard/views/landing/header.html  |  15 ++
 services/dashboard/views/landing/header.js    |   7 +-
 .../io/gearpump/services/AdminService.scala   |  62 +++++
 .../gearpump/services/AppMasterService.scala  | 133 +++++-----
 .../io/gearpump/services/BasicService.scala   |  68 +++++
 .../io/gearpump/services/MasterService.scala  | 241 +++++++++---------
 .../io/gearpump/services/RestServices.scala   | 100 +++-----
 .../gearpump/services/SecurityService.scala   | 179 +++++++++++++
 .../io/gearpump/services/StaticService.scala  |  21 +-
 .../io/gearpump/services/WorkerService.scala  |  67 ++---
 .../io/gearpump/services/main/Services.scala  |  36 ++-
 .../services/AppMasterServiceSpec.scala       |  12 +-
 .../gearpump/services/MasterServiceSpec.scala |  11 +-
 .../services/SecurityServiceSpec.scala        |  23 ++
 .../gearpump/services/WorkerServiceSpec.scala |  10 +-
 .../streaming/appmaster/AppMasterSpec.scala   |   2 +-
 35 files changed, 1214 insertions(+), 350 deletions(-)
 create mode 100644 core/src/main/scala/io/gearpump/security/Authenticator.scala
 create mode 100644 core/src/main/scala/io/gearpump/security/ConfigFileBasedAuthenticator.scala
 create mode 100644 core/src/main/scala/io/gearpump/security/PasswordUtil.scala
 create mode 100644 services/dashboard/login/login.html
 create mode 100644 services/dashboard/login/login.js
 create mode 100644 services/dashboard/services/login_check.js
 create mode 100644 services/jvm/src/main/scala/io/gearpump/services/AdminService.scala
 create mode 100644 services/jvm/src/main/scala/io/gearpump/services/BasicService.scala
 create mode 100644 services/jvm/src/main/scala/io/gearpump/services/SecurityService.scala
 create mode 100644 services/jvm/src/test/scala/io/gearpump/services/SecurityServiceSpec.scala

diff --git a/.travis.yml b/.travis.yml
index baf1501238..771f6522a6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,6 +2,9 @@ language:
 - java
 - scala
 sudo: false
+before_script:
+- mkdir -p $HOME/.sbt/launchers/0.13.9/
+- curl -L -o $HOME/.sbt/launchers/0.13.9/sbt-launch.jar http://dl.bintray.com/typesafe/ivy-releases/org.scala-sbt/sbt-launch/0.13.9/sbt-launch.jar
 script:
 - echo "TRAVIS_PULL_REQUEST" $TRAVIS_PULL_REQUEST
 - echo "TRAVIS_BRANCH" $TRAVIS_BRANCH
diff --git a/conf/gear.conf b/conf/gear.conf
index f61346dfe0..605a8facd1 100644
--- a/conf/gear.conf
+++ b/conf/gear.conf
@@ -259,4 +259,39 @@ gearpump {
       enabled = true
     }
   }
+
+  ## Security related settings
+  security {
+
+    ## Whether enable authentication for UI Server
+    ui-authentication-enabled = true
+
+    ## What authenticator to use. The class must implement interface
+    ## io.gearpump.security.Authenticator
+    ui-authenticator = "io.gearpump.security.ConfigFileBasedAuthenticator"
+
+    ## Configuration options for authenticator io.gearpump.security.ConfigFileBasedAuthenticator
+    config-file-based-authenticator = {
+      ## Admin users have permission to submit/change/kill a running application.
+      users = {
+        ## Default Admin. Username: admin, password: admin
+        ## Format: username = "password_hash_value"
+        ## password_hash_value can be generated by running shell tool:
+        ## bin/gear io.gearpump.security.PasswordUtil -password <your raw password>
+        ## !!! Please replace this builtin account for production cluster for security reason. !!!
+        "admin" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA=="
+      }
+
+      ## Guest user can only view the UI with minimum permission. With no permission to submit/change/kill
+      ## a running application.
+      guests = {
+        ## Default guest. Username: guest, Password: guest
+        ## Format: username = "password_hash_value"
+        ## password_hash_value can be generated by running shell tool:
+        ## bin/gear io.gearpump.security.PasswordUtil -password <your raw password>
+        ## !!! Please replace this builtin account for production cluster for security reason. !!!
+        "guest" = "ws+2Dy/FHX4cBb3uKGTR64kZWlWbC91XZRRoew=="
+      }
+    }
+  }
 }
diff --git a/core/src/main/resources/reference.conf b/core/src/main/resources/reference.conf
index 5b12ab9348..0377712243 100644
--- a/core/src/main/resources/reference.conf
+++ b/core/src/main/resources/reference.conf
@@ -244,6 +244,38 @@ gearpump {
   single-thread-dispatcher {
     type = PinnedDispatcher
   }
+
+  ## Security related settings
+  security {
+
+    ## Whether enable authentication for UI Server
+    ui-authentication-enabled = false
+
+    ## What authenticator to use. The class must implement interface
+    ## io.gearpump.security.Authenticator
+    ui-authenticator = "io.gearpump.security.ConfigFileBasedAuthenticator"
+
+    ## Configuration options for authenticator io.gearpump.security.ConfigFileBasedAuthenticator
+    config-file-based-authenticator = {
+      ## Admin users have permission to submit/change/kill a running application.
+      users = {
+        ## Default Admin. Username: admin, password: admin
+        ## !!! Please remove this builtin account for production cluster for security reason. !!!
+        ## Format: username = "password_hash_value"
+        ## password_hash_value can be generated by running
+        ## gear io.gearpump.security.PasswordUtil -password <your raw password>
+        "admin" = "AeGxGOxlU8QENdOXejCeLxy+isrCv0TrS37HwA=="
+      }
+
+      ## Guest user can only view the UI with minimum permission. With no permission to submit/change/kill
+      ## a running application.
+      guests = {
+        ## Default guest. Username: guest, Password: guest
+        ## !!! Please remove this builtin account for production cluster for security reason. !!!
+        "guest" = "ws+2Dy/FHX4cBb3uKGTR64kZWlWbC91XZRRoew=="
+      }
+    }
+  }
 }
 
 ### Akka system configuration for master nodes
@@ -319,7 +351,6 @@ base {
   akka.scheduler.tick-duration = 1
 
   akka {
-
     http {
       client {
         parsing {
@@ -327,11 +358,30 @@ base {
         }
       }
       server {
+        remote-address-header = on
         parsing {
           max-content-length = 2048m
           illegal-header-warnings = off
         }
       }
+
+      ## Akka-http session related settings
+      session {
+        clientSession {
+          cookie {
+            name = "gearpump_token"
+            ## domain = "..."
+            path = "/"
+            ## maxAge = 0
+            secure = false
+            httpOnly = true
+          }
+
+          ## Session lifetime.
+          maxAgeSeconds = 3600
+          encryptData = true
+        }
+      }
     }
 
     test {
@@ -411,4 +461,4 @@ windows {
   ### On windows, the value must be larger than 10ms, check
   ### https://github.com/akka/akka/blob/master/akka-actor/src/main/scala/akka/actor/Scheduler.scala#L204
   akka.scheduler.tick-duration = 10
-}
+}
\ No newline at end of file
diff --git a/core/src/main/scala/io/gearpump/security/Authenticator.scala b/core/src/main/scala/io/gearpump/security/Authenticator.scala
new file mode 100644
index 0000000000..0a9385b4ca
--- /dev/null
+++ b/core/src/main/scala/io/gearpump/security/Authenticator.scala
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.security
+
+import scala.concurrent.{ExecutionContext, Future}
+
+
+/**
+ * Authenticator for UI dashboard.
+ *
+ * Sub Class must implement a constructor with signature like this:
+ *  this(config: Config)
+ *
+ */
+trait Authenticator {
+
+  // TODO: Change the signature to return more attributes of user
+  // credentials...
+  def authenticate(user: String, password: String, ec: ExecutionContext): Future[AuthenticationResult]
+}
+
+trait AuthenticationResult {
+
+  // Whether current user is a valid user.
+  def authenticated: Boolean
+
+  // Admin user have unlimited permission
+  def isAdministrator: Boolean
+}
\ No newline at end of file
diff --git a/core/src/main/scala/io/gearpump/security/ConfigFileBasedAuthenticator.scala b/core/src/main/scala/io/gearpump/security/ConfigFileBasedAuthenticator.scala
new file mode 100644
index 0000000000..68950f3cf1
--- /dev/null
+++ b/core/src/main/scala/io/gearpump/security/ConfigFileBasedAuthenticator.scala
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.security
+
+import io.gearpump.security.ConfigFileBasedAuthenticator._
+import com.typesafe.config.Config
+import scala.concurrent.{ExecutionContext, Future}
+
+object ConfigFileBasedAuthenticator {
+
+  private val ROOT = "gearpump.security.config-file-based-authenticator"
+  private val USERS = ROOT + "." + "users"
+  private val GUESTS = ROOT + "." + "guests"
+
+  private class Result(override val authenticated: Boolean, override val isAdministrator: Boolean)
+    extends AuthenticationResult
+
+  private case class Credentials(users: Map[String, String], guests: Map[String, String]) {
+    def verify(user: String, password: String): AuthenticationResult = {
+      if (users.contains(user)) {
+        new Result(verify(user, password, users), isAdministrator = true)
+      } else if (guests.contains(user)) {
+        new Result(verify(user, password, guests), isAdministrator = false)
+      } else {
+        new Result(authenticated = false, isAdministrator = false)
+      }
+    }
+
+    private def verify(user: String, password: String, map: Map[String, String]): Boolean = {
+      val storedPass = map(user)
+      PasswordUtil.verify(password, storedPass)
+    }
+  }
+}
+
+/**
+ * UI dashboard authenticator based on configuration file.
+ *
+ * It has two categories of users: users, and guests.
+ * users have unlimited permission on the UI, while guests can not submit/kill applications.
+ *
+ * see conf/gear.conf section gearpump.security.config-file-based-authenticator to find information
+ * about how to configure this authenticator.
+ *
+ * [Security consideration]
+ * It will keep one-way sha1 digest of password instead of password itself. The original password is NOT
+ * kept in any way, so generally it is safe.
+ *
+ * digesting flow (from original password to digest):
+ * random salt byte array of length 8 -> byte array of (salt + sha1(salt, password)) -> base64Encode
+ *
+ * verification user input password with stored digest:
+ * base64Decode -> extract salt -> do sha1(salt, password) -> generate digest: salt + sha1 ->
+ * compare the generated digest with the stored digest.
+ *
+ */
+class ConfigFileBasedAuthenticator(config: Config) extends Authenticator {
+
+  private val credentials = loadCredentials(config)
+
+  override def authenticate(user: String, password: String, ec: ExecutionContext): Future[AuthenticationResult] = {
+    implicit val ctx = ec
+    Future {
+      credentials.verify(user, password)
+    }
+  }
+
+  private def loadCredentials(config: Config): Credentials = {
+    val admins  = configToMap(config, USERS)
+    val guests = configToMap(config, GUESTS)
+    new Credentials(admins, guests)
+  }
+
+  private def configToMap(config : Config, path: String) = {
+    import scala.collection.JavaConverters._
+    config.getConfig(path).root.unwrapped.asScala.toMap map { case (k, v) => k -> v.toString }
+  }
+}
\ No newline at end of file
diff --git a/core/src/main/scala/io/gearpump/security/PasswordUtil.scala b/core/src/main/scala/io/gearpump/security/PasswordUtil.scala
new file mode 100644
index 0000000000..f8eafddc69
--- /dev/null
+++ b/core/src/main/scala/io/gearpump/security/PasswordUtil.scala
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.security
+
+import java.security.MessageDigest
+import sun.misc.{BASE64Decoder, BASE64Encoder}
+import scala.util.Try
+
+/**
+ * Util to verify whether user input password is valid or not.
+ * It use sha1 to do the digesting.
+ */
+object PasswordUtil {
+  private val SALT_LENGTH = 8
+
+  /**
+   * verification user input password with stored digest:
+   * base64Decode -> extract salt -> do sha1(salt, password) ->
+   * generate digest: salt + sha1 -> compare the generated digest with the stored digest.
+   */
+  def verify(password: String, stored: String): Boolean = {
+    Try {
+      val decoded = base64Decode(stored)
+      val salt = new Array[Byte](SALT_LENGTH)
+      Array.copy(decoded, 0, salt, 0, SALT_LENGTH)
+
+      hash(password, salt) == stored
+    }.getOrElse(false)
+  }
+  /**
+   * digesting flow (from original password to digest):
+   * random salt byte array of length 8 -> byte array of (salt + sha1(salt, password)) -> base64Encode
+   */
+  def hash(password: String): String = {
+    // Salt generation 64 bits long
+    val salt = new Array[Byte](SALT_LENGTH)
+    new java.util.Random().nextBytes(salt)
+    hash(password, salt)
+  }
+
+  private def hash(password: String, salt: Array[Byte]): String = {
+    val digest = MessageDigest.getInstance("SHA-1")
+    digest.reset()
+    digest.update(salt)
+    var input = digest.digest(password.getBytes("UTF-8"))
+    digest.reset()
+    input = digest.digest(input)
+    val withSalt = salt ++ input
+    base64Encode(withSalt)
+  }
+
+  private def base64Encode(data: Array[Byte]): String = {
+     val endecoder = new BASE64Encoder()
+     endecoder.encode(data)
+  }
+
+  private def base64Decode(data: String): Array[Byte] = {
+    val decoder = new BASE64Decoder()
+    decoder.decodeBuffer(data)
+  }
+
+  private def help = {
+    Console.println("usage: gear io.gearpump.security.PasswordUtil -password <your password>")
+  }
+
+  def main(args: Array[String]): Unit = {
+    if (args.length != 2 || args(0) != "-password") {
+      help
+    } else {
+      val pass = args(1)
+      val result = hash(pass)
+      Console.println("Here is the hashed password")
+      Console.println("==============================")
+      Console.println(result)
+    }
+  }
+}
\ No newline at end of file
diff --git a/core/src/main/scala/io/gearpump/util/Constants.scala b/core/src/main/scala/io/gearpump/util/Constants.scala
index a800f87561..98efc1d534 100644
--- a/core/src/main/scala/io/gearpump/util/Constants.scala
+++ b/core/src/main/scala/io/gearpump/util/Constants.scala
@@ -140,4 +140,7 @@ object Constants {
 
   val GEARPUMP_METRICS_MAX_LIMIT = "gearpump.metrics.akka.max-limit-on-query"
   val GEARPUMP_METRICS_AGGREGATORS = "gearpump.metrics.akka.metrics-aggregator-class"
+
+  val GEARPUMP_UI_SECURITY_ENABLED = "gearpump.security.ui-authentication-enabled"
+  val GEARPUMP_UI_AUTHENTICATOR_CLASS = "gearpump.security.ui-authenticator"
 }
diff --git a/docs/dev-ide-setup.md b/docs/dev-ide-setup.md
index b82c7b630c..fed97e9845 100644
--- a/docs/dev-ide-setup.md
+++ b/docs/dev-ide-setup.md
@@ -8,6 +8,15 @@ title: IDE Preparation for Gearpump Development
 2. Open menu "File->Open" to open Gearpump root project, then choose the Gearpump source folder.
 3. All set.
 
+**NOTE:** Intellij Scala plugin is already bundled with sbt. If you have Scala plugin installed, please don't install additional sbt plugin. Check your settings at "Settings -> Plugins"
+**NOTE:** If you are behind a proxy, to speed up the build, please set the proxy for sbt in "Settings -> Build Tools > SBT". in input field "VM parameters", add 
+```
+-Dhttp.proxyHost=<proxy host>
+-Dhttp.proxyPort=<port like 911>
+-Dhttps.proxyHost=<proxy host>
+-Dhttps.proxyPort=<port like 911>
+```
+
 ### Eclipse IDE Setup
 
 I will show how to do this in eclipse LUNA.
diff --git a/experiments/akkastream/src/test/scala/akka/stream/gearpump/AttributesSpec.scala b/experiments/akkastream/src/test/scala/akka/stream/gearpump/AttributesSpec.scala
index 975c343a34..97a52bf196 100644
--- a/experiments/akkastream/src/test/scala/akka/stream/gearpump/AttributesSpec.scala
+++ b/experiments/akkastream/src/test/scala/akka/stream/gearpump/AttributesSpec.scala
@@ -1,11 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package akka.stream.gearpump
 
 import akka.stream.Attributes
 import org.scalatest.{FlatSpec, Matchers, WordSpec}
 
-/**
- * Created by xzhong10 on 2015/11/6.
- */
 class AttributesSpec extends FlatSpec with Matchers {
   it should "merge the attributes together" in {
     val a = Attributes.name("aa")
@@ -13,7 +28,7 @@ class AttributesSpec extends FlatSpec with Matchers {
 
     val c = a and b
 
-    println("DD:" + c.nameOrDefault())
+    assert("aa-bb" == c.nameOrDefault())
   }
 
 }
diff --git a/project/Build.scala b/project/Build.scala
index 30c40ba1b0..6c2dae94c2 100644
--- a/project/Build.scala
+++ b/project/Build.scala
@@ -287,7 +287,8 @@ object Build extends sbt.Build {
       "org.webjars.bower" % "vis" % "4.7.0",
       "org.webjars.bower" % "clipboard.js" % "0.1.1",
       "org.webjars.npm" % "dashing-deps" % "0.1.2",
-      "org.webjars.npm" % "dashing" % "0.4.0"
+      "org.webjars.npm" % "dashing" % "0.4.0",
+      "com.softwaremill" %% "akka-http-session" % "0.1.4"
   ).map(_.exclude("org.scalamacros", "quasiquotes_2.10")).map(_.exclude("org.scalamacros", "quasiquotes_2.10.3")))
 
   lazy val serviceJSSettings = Seq(
diff --git a/project/build.properties b/project/build.properties
index 4b29a5b2a5..a4820ce974 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -16,4 +16,4 @@
 # limitations under the License.
 #
 
-sbt.version=0.13.7
+sbt.version=0.13.9
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 78c8bd038e..58b0aa6e82 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -1,7 +1,5 @@
 resolvers += Resolver.url("fvunicorn", url("http://dl.bintray.com/fvunicorn/sbt-plugins"))(Resolver.ivyStylePatterns)
 
-resolvers += Resolver.url("sbt-plugin", url("http://dl.bintray.com/sbt/sbt-plugin-releases"))(Resolver.ivyStylePatterns)
-
 resolvers += Classpaths.sbtPluginReleases
 
 addSbtPlugin("org.scala-js" % "sbt-scalajs" % "0.6.4")
diff --git a/services/dashboard/dashboard.js b/services/dashboard/dashboard.js
index 559e6b6b84..2afe8b165a 100644
--- a/services/dashboard/dashboard.js
+++ b/services/dashboard/dashboard.js
@@ -14,7 +14,6 @@ angular.module('dashboard', [
   'dashing',
   'io.gearpump.models'
 ])
-
   // configure routes
   .config(['$stateProvider', '$urlRouterProvider',
     function($stateProvider, $urlRouterProvider) {
@@ -67,6 +66,7 @@ angular.module('dashboard', [
     restapiRoot: location.origin + location.pathname,
     restapiQueryInterval: 3 * 1000, // in milliseconds
     restapiQueryTimeout: 30 * 1000, // in milliseconds
-    restapiTaskLevelMetricsQueryLimit: 100
+    restapiTaskLevelMetricsQueryLimit: 100,
+    loginUrl: location.origin + location.pathname + 'login/login.html'
   })
 ;
\ No newline at end of file
diff --git a/services/dashboard/index.html b/services/dashboard/index.html
index dfb369bb65..99d7083adc 100644
--- a/services/dashboard/index.html
+++ b/services/dashboard/index.html
@@ -25,6 +25,10 @@
   <link rel="stylesheet" href="styles/bootstrap-override.css"/>
   <link rel="stylesheet" href="styles/bootstrap-doc.css"/><!-- todo: should be absorbed -->
   <link rel="stylesheet" href="styles/dashboard.css"/>
+
+  <link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
+  <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
+  <script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
 </head>
 
 <body>
@@ -43,7 +47,8 @@
 <!-- end of app -->
 
 <!-- Static Resources -->
-<script src="webjars/angularjs/1.4.8/angular.min.js"></script>
+<script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.js"></script>
+
 <script src="webjars/angularjs/1.4.8/angular-animate.min.js"></script>
 <script src="webjars/angularjs/1.4.8/angular-sanitize.min.js"></script>
 <script src="webjars/angular-loading-bar/0.8.0/build/loading-bar.min.js"></script>
@@ -59,8 +64,10 @@
 <script src="webjars/ng-file-upload/5.0.9/ng-file-upload-shim.min.js"></script>
 <script src="webjars/ng-file-upload/5.0.9/ng-file-upload.min.js"></script>
 <script src="webjars/clipboard.js/0.1.1/clipboard.js"></script>
+
 <script src="webjars/dashing-deps/0.1.2/echarts/2.2.7-compact/echarts-all.min.js"></script>
 <script src="webjars/dashing/0.4.0/dist/dashing.min.js"></script>
+<script src="http://cdn.bootcss.com/jquery-cookie/1.4.1/jquery.cookie.min.js"></script>
 
 <!-- Application -->
 <script src="dashboard.js"></script>
@@ -72,6 +79,7 @@
 <script src="services/models/streamingapp_dag.js"></script>
 <script src="services/locator.js"></script>
 <script src="services/restapi.js"></script>
+<script src="services/login_check.js"></script>
 <script src="views/widgets/radio_group.js"></script>
 <script src="views/widgets/metrics_period_switcher.js"></script>
 <script src="views/landing/breadcrumbs.js"></script>
diff --git a/services/dashboard/login/login.html b/services/dashboard/login/login.html
new file mode 100644
index 0000000000..3d024eba1c
--- /dev/null
+++ b/services/dashboard/login/login.html
@@ -0,0 +1,111 @@
+<!DOCTYPE html>
+<html>
+<head>
+
+  <!-- Standard Meta -->
+  <meta charset="utf-8"/>
+  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
+  <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"/>
+
+  <title>Login</title>
+
+  <link rel="stylesheet" type="text/css" href="http://cdn.bootcss.com/bootstrap/3.2.0/css/bootstrap.min.css">
+  <!--
+  <link rel="stylesheet" href="webjars/bootstrap/3.3.6/css/bootstrap.min.css"/>
+-->
+  <style type="text/css">
+    .login-form {
+      max-width: 330px;
+      padding: 35px 35px 20px 35px;
+      margin: 0 auto;
+      margin-top: 10px;
+
+      background-color: #ffffff;
+
+      -moz-box-shadow: 1px 4px 4px rgba(0, 0, 0, 0.3);
+      -webkit-box-shadow: 1px 4px 4px rgba(0, 0, 0, 0.3);
+      box-shadow: 1px 4px 4px rgba(0, 0, 0, 0.3);
+    }
+
+    .form-control {
+
+      position: relative;
+      font-size: 16px;
+      height: auto;
+      padding: 10px;
+      -webkit-box-sizing: border-box;
+      -moz-box-sizing: border-box;
+      box-sizing: border-box;
+
+      margin-top: 5px;
+      margin-bottom: 15px;
+      border-bottom-left-radius: 0;
+      border-bottom-right-radius: 0;
+    }
+
+    .welcome-message {
+      color: #ffffff;
+
+      font-size: 18px;
+      font-weight: 400;
+      display: block;
+    }
+
+    .icon {
+      background-color: #555;
+      color: #ffffff;
+      font-size: 40px;
+      text-align: center;
+      padding: 30px 0px 10px 0px;
+    }
+
+    .error {
+      color: red;
+    }
+  </style>
+
+  <title>Gearpump</title>
+</head>
+
+<body  style="background-color: #555;">
+
+<h1 class="icon"><span class="glyphicon glyphicon-th" aria-hidden="true"/></h1>
+<h1 class="text-center welcome-message">Sign in to Gearpump</h1>
+
+<!--
+  The links is used in javascript login.js.
+  As YARN UI proxy changed the site root path, all relative URL must be
+  rewritten to reflect the new root path.
+
+  However, YARN UI proxy can NOT detect URL in javascript files, it can only rewrite links in html.
+  For example, in html pages:
+  <a href="/login" /> will be rewritten to: <a href="/<yarn_path_prefix>/login" />
+
+  We use the trick to store the javascript variable in html to get YARN UI proxy
+  update the variable for javascript.
+ -->
+<a href="/login" id = "loginUrl"></a>
+<a href="/logout" id = "logoutUrl"></a>
+<a href="/" id = "index"></a>
+
+<div class="container">
+  <div class="row">
+    <div class="col-md-4 col-md-offset-4 ">
+
+      <form id="loginForm" class="login-form" action="http://127.0.0.1:8090/login" method="post">
+        <input type="text" class="form-control" name="username" placeholder="User Name" required autofocus />
+        <input type="password" class="form-control" name="password" placeholder="Password" required />
+        <button class="btn btn-lg btn-primary btn-block" type="button" onclick="login()">Sign In</button>
+        <div class="error" id="error"></div>
+        <a href="#" class="pull-left" style="margin-top: 15px;">Need help? </a>
+        <span class="clearfix"></span>
+      </form>
+    </div>
+  </div>
+</div>
+<script src="http://cdn.bootcss.com/jquery/2.2.0/jquery.min.js"></script>
+<script src="http://cdn.bootcss.com/jquery-cookie/1.4.1/jquery.cookie.min.js"></script>
+
+<script src="login.js"></script>
+</body>
+</html>
\ No newline at end of file
diff --git a/services/dashboard/login/login.js b/services/dashboard/login/login.js
new file mode 100644
index 0000000000..e33c5accbd
--- /dev/null
+++ b/services/dashboard/login/login.js
@@ -0,0 +1,41 @@
+/*
+ * Licensed under the Apache License, Version 2.0
+ * See accompanying LICENSE file.
+ */
+
+/**
+ * call rest service /login to setup login session tokens.
+ * If login succeeds, it will redirect to dashboard home page.
+ */
+function login() {
+
+    var loginUrl = $("#loginUrl").attr('href');
+    var index = $("#index").attr('href');
+
+    $.post(loginUrl, $("#loginForm").serialize() ).done(
+      function(msg) {
+          var user = $.parseJSON(msg);
+          $.cookie("username", user.user, { expires: 365, path: '/' });
+          // clear the errors
+          $("#error").text("");
+          // redirect to index.html
+          $(location).attr('href', index);
+      }
+    )
+    .fail( function(xhr, textStatus, errorThrown) {
+       $("#error").text(textStatus + "(" + xhr.status + "): " + xhr.responseText);
+    });
+}
+
+/**
+ * call rest service /logout to clear the session tokens.
+ */
+function logout() {
+    var logoutUrl = $("#logoutUrl").attr('href');
+    $.post(logoutUrl)
+}
+
+$(document).ready(function() {
+    // Send a initial logout to clear the sessions.
+    logout();
+});
\ No newline at end of file
diff --git a/services/dashboard/services/login_check.js b/services/dashboard/services/login_check.js
new file mode 100644
index 0000000000..1d15dc4f22
--- /dev/null
+++ b/services/dashboard/services/login_check.js
@@ -0,0 +1,31 @@
+/*
+ * Licensed under the Apache License, Version 2.0
+ * See accompanying LICENSE file.
+ */
+
+angular.module('dashboard')
+// Authentication Angular interceptor for http methods.
+// If server respond 401 (unauthenticated), will redirect to login page.
+.factory('authInterceptor', ['$q', 'conf', function ($q, conf) {
+
+    // Defer the error response to caller after this timeout to avoid browser hang issue
+    // See https://github.com/gearpump/gearpump/issues/1855
+    var deferErrorResponseMs = 3000;
+    return {
+        'responseError': function(response) {
+            if (response.status == 401) {
+                window.location.href = conf.loginUrl;
+            }
+
+            var deferred = $q.defer();
+            setTimeout(function() {
+                deferred.reject(response);
+            }, 3000);
+            return deferred.promise;
+
+        }
+    };
+}])
+.config(['$httpProvider', function ($httpProvider) {
+    $httpProvider.interceptors.push('authInterceptor');
+}]);
\ No newline at end of file
diff --git a/services/dashboard/services/streamingservice.js b/services/dashboard/services/streamingservice.js
index 05b6b36654..b2352edb46 100644
--- a/services/dashboard/services/streamingservice.js
+++ b/services/dashboard/services/streamingservice.js
@@ -9,7 +9,7 @@ angular.module('dashboard.streamingservice', [])
   .factory('StreamingService', ['$http', '$timeout', 'conf', function ($http, $timeout, conf) {
     return {
       subscribe: function (request, scope, onMessage) {
-        $http.get(conf.restapiRoot + '/websocket/url')
+        $http.get(conf.restapiRoot + 'websocket/url')
           .success(function (data) {
             var ws = new WebSocket(data.url);
             ws.onmessage = onMessage;
diff --git a/services/dashboard/views/apps/apps.html b/services/dashboard/views/apps/apps.html
index 7e8bda8b13..d6032c4b3d 100644
--- a/services/dashboard/views/apps/apps.html
+++ b/services/dashboard/views/apps/apps.html
@@ -1,7 +1,7 @@
 <div class="col-md-12">
   <!-- control toolbar -->
   <div class="row">
-    <div class="col-md-6 col-sm-6">
+    <div class="col-md-6">
       <span class="table-caption-ext pull-left">Applications</span>
       <!-- dropdown button -->
       <div class="btn-group">
@@ -14,10 +14,9 @@
         </button>
       </div>
     </div>
-    <div class="col-md-3 col-sm-6 text-right">
-       <!--FILTER-->
+    <div class="col-md-3">
     </div>
-    <div class="col-md-3 hidden-sm hidden-xs">
+    <div class="col-md-3 hidden-sm hidden-xs pull-right">
       <searchbox ng-model="search" placeholder="Search Anything"></searchbox>
     </div>
   </div>
@@ -30,10 +29,5 @@
     records-bind="appsTable.rows"
     search-bind="search"
     pagination="10">
-    <div class="table-no-data">
-      <h2 class="glyphicon glyphicon-bullhorn"></h2>
-      <h4>No application is running</h4>
-      <p>Please submit an user application first.</p>
-    </div>
   </sortable-table>
 </div>
\ No newline at end of file
diff --git a/services/dashboard/views/landing/header.html b/services/dashboard/views/landing/header.html
index fc67135aa9..9d2d037f05 100644
--- a/services/dashboard/views/landing/header.html
+++ b/services/dashboard/views/landing/header.html
@@ -22,6 +22,21 @@
         <span class="glyphicon glyphicon-tasks"></span>
         Applications</a></li>
     </ul>
+
+    <!-- User Icon and Logout Links -->
+    <ul class="dropdown nav navbar-nav pull-right">
+      <li style="margin-left: 0px; margin-right: 0px">
+      <a class="dropdown-toggle" type="button" data-toggle="dropdown">
+        <span class="glyphicon glyphicon-user"></span>
+        {{username}}
+        <span class="caret"></span></a>
+      <ul class="dropdown-menu">
+        <li><a href="{{loginUrl}}">Sign out</a></li>
+      </ul>
+      </li>
+    </ul>
+
+    <!-- Doc Link and Source Repo Link -->
     <ul class="nav navbar-nav pull-right">
       <li ng-repeat="item in links track by $index">
         <a href="{{item.href}}" target="_blank">
diff --git a/services/dashboard/views/landing/header.js b/services/dashboard/views/landing/header.js
index dc8bba6b34..57bb77728c 100644
--- a/services/dashboard/views/landing/header.js
+++ b/services/dashboard/views/landing/header.js
@@ -13,12 +13,17 @@ angular.module('dashboard')
       templateUrl: 'views/landing/header.html',
       replace: true,
       scope: {},
-      controller: ['$scope', 'restapi', function($scope, restapi) {
+      controller: ['$scope', 'restapi', 'conf', function($scope, restapi, conf) {
         $scope.menu = [
           {text: 'Cluster', pathPatt: '/cluster', href: '#/cluster', icon: 'glyphicon glyphicon-th-large'},
           {text: 'Applications', pathPatt: '/apps', href: '#/apps', icon: 'glyphicon glyphicon-tasks'}
         ];
 
+        var username = jQuery.cookie('username');
+        $scope.username = username;
+
+        $scope.loginUrl = conf.loginUrl;
+
         $scope.links = [
           {text: 'Docs', href: '//gearpump.io', icon: 'fa fa-book'},
           {text: 'GitHub', href: '//github.com/gearpump/gearpump', icon: 'fa fa-github'}
diff --git a/services/jvm/src/main/scala/io/gearpump/services/AdminService.scala b/services/jvm/src/main/scala/io/gearpump/services/AdminService.scala
new file mode 100644
index 0000000000..07622f383a
--- /dev/null
+++ b/services/jvm/src/main/scala/io/gearpump/services/AdminService.scala
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.services
+
+import akka.actor.{ActorSystem}
+import akka.http.scaladsl.model._
+import akka.http.scaladsl.server.Directives._
+import akka.stream.{Materializer}
+import io.gearpump.util.{Constants, Util}
+
+/**
+ * AdminService is for cluster-wide managements. it is not related with
+ * specific application.
+ *
+ * For example:
+ * Security management: Add user, remove user.
+ * Configuration management: Change configurations.
+ * Machine management: Add worker machines, remove worker machines, and add masters.
+ */
+class AdminService(override val system: ActorSystem)
+  extends BasicService {
+
+  private val version = Util.version
+  private val supervisorPath = system.settings.config.getString(Constants.GEARPUMP_SERVICE_SUPERVISOR_PATH)
+
+  override def prefix = Neutral
+
+  override def doRoute(implicit mat: Materializer) = {
+    path("version") {
+      get {ctx =>
+        ctx.complete(version)
+      }
+    } ~
+    path("supervisor-actor-path") {
+      get {
+        complete(supervisorPath)
+      }
+    } ~
+    path("terminate") {
+      post {
+        system.shutdown()
+        complete(StatusCodes.NotFound)
+      }
+    }
+  }
+}
diff --git a/services/jvm/src/main/scala/io/gearpump/services/AppMasterService.scala b/services/jvm/src/main/scala/io/gearpump/services/AppMasterService.scala
index 89ecfeb66c..4363d7827b 100644
--- a/services/jvm/src/main/scala/io/gearpump/services/AppMasterService.scala
+++ b/services/jvm/src/main/scala/io/gearpump/services/AppMasterService.scala
@@ -18,86 +18,78 @@
 
 package io.gearpump.services
 
-import java.io.File
-
-import akka.actor.{ActorRef}
+import akka.actor.{ActorSystem, ActorRef}
 import akka.http.scaladsl.model.{FormData, Multipart}
-import akka.http.scaladsl.server.{Route, Directive, StandardRoute}
+import akka.http.scaladsl.server.Directives._
+import akka.http.scaladsl.server.Route
 import akka.http.scaladsl.server.directives.ParameterDirectives.ParamMagnet
-import akka.stream.ActorMaterializer
+import akka.stream.{Materializer, ActorMaterializer}
 import io.gearpump.cluster.AppMasterToMaster.{AppMasterSummary, GeneralAppMasterSummary}
 import io.gearpump.cluster.ClientToMaster._
 import io.gearpump.cluster.MasterToAppMaster.{AppMasterData, AppMasterDataDetailRequest, AppMasterDataRequest}
 import io.gearpump.cluster.MasterToClient._
+import io.gearpump.jarstore.JarStoreService
 import io.gearpump.services.AppMasterService.Status
 import io.gearpump.streaming.AppMasterToMaster.StallingTasks
 import io.gearpump.streaming.appmaster.DagManager._
-import io.gearpump.streaming.appmaster.{DagManager, StreamAppMasterSummary}
+import io.gearpump.streaming.appmaster.StreamAppMasterSummary
 import io.gearpump.streaming.executor.Executor.{ExecutorConfig, ExecutorSummary, GetExecutorSummary, QueryExecutorConfig}
 import io.gearpump.util.ActorUtil.{askActor, askAppMaster}
-import io.gearpump.util.{FileDirective, Constants, Util}
+import io.gearpump.util.FileDirective._
+import io.gearpump.util.{Util}
 import upickle.default.{read, write}
 
 import scala.util.{Failure, Success, Try}
-import akka.actor.ActorSystem
-import akka.http.scaladsl.server.Directives._
-import scala.concurrent.{ExecutionContext}
-import FileDirective._
-
-trait AppMasterService  {
-  this: JarStoreProvider =>
-
-  def master: ActorRef
-  implicit def system: ActorSystem
 
-  def appMasterRoute = encodeResponse {
-    implicit val timeout = Constants.FUTURE_TIMEOUT
-    implicit def ec: ExecutionContext = system.dispatcher
-    implicit val materializer = ActorMaterializer()
-
-    pathPrefix("api" / s"$REST_VERSION" / "appmaster" / IntNumber ) { appId =>
-      path("dynamicdag") {
-        parameters(ParamMagnet("args")) { args: String =>
+/**
+ * Management service for AppMaster
+ */
+class AppMasterService(val master: ActorRef,
+    val jarStore: JarStoreService, override val system: ActorSystem)
+  extends BasicService {
 
-          def replaceProcessor(dagOperation: DAGOperation): Route = {
-            onComplete(askAppMaster[DAGOperationResult](master, appId, dagOperation)) {
-              case Success(value) =>
-                complete(write(value))
-              case Failure(ex) =>
-                failWith(ex)
-            }
+  override def doRoute(implicit mat: Materializer) = pathPrefix("appmaster" / IntNumber) { appId =>
+    path("dynamicdag") {
+      parameters(ParamMagnet("args")) { args: String =>
+        def replaceProcessor(dagOperation: DAGOperation): Route = {
+          onComplete(askAppMaster[DAGOperationResult](master, appId, dagOperation)) {
+            case Success(value) =>
+              complete(write(value))
+            case Failure(ex) =>
+              failWith(ex)
           }
+        }
 
-          val msg = java.net.URLDecoder.decode(args)
-          val dagOperation = read[DAGOperation](msg)
-          (post & entity(as[Multipart.FormData])) { _ =>
-            uploadFile { fileMap =>
-              val jar = fileMap.get("jar").map(_.file)
-              if (jar.nonEmpty) {
-                dagOperation match {
-                  case replace: ReplaceProcessor =>
-                    val description = replace.newProcessorDescription.copy(jar = Util.uploadJar(jar.get, getJarStoreService))
-                    val dagOperationWithJar = replace.copy(newProcessorDescription = description)
-                    replaceProcessor(dagOperationWithJar)
-                }
-              } else {
-                replaceProcessor(dagOperation)
-              }
+        val msg = java.net.URLDecoder.decode(args)
+        val dagOperation = read[DAGOperation](msg)
+        (post & entity(as[Multipart.FormData])) { _ =>
+        uploadFile { fileMap =>
+          val jar = fileMap.get("jar").map(_.file)
+          if (jar.nonEmpty) {
+            dagOperation match {
+              case replace: ReplaceProcessor =>
+                val description = replace.newProcessorDescription.copy(jar = Util.uploadJar(jar.get, jarStore))
+                val dagOperationWithJar = replace.copy(newProcessorDescription = description)
+                replaceProcessor(dagOperationWithJar)
             }
-          } ~ (post & entity(as[FormData])) { _ =>
+          } else {
             replaceProcessor(dagOperation)
           }
         }
-      } ~
+      } ~ (post & entity(as[FormData])) { _ =>
+        replaceProcessor(dagOperation)
+      }
+      }
+    } ~
       path("stallingtasks") {
-        onComplete(askAppMaster[StallingTasks](master, appId, GetStallingTasks(appId))){
+        onComplete(askAppMaster[StallingTasks](master, appId, GetStallingTasks(appId))) {
           case Success(value) =>
             complete(write(value))
           case Failure(ex) => failWith(ex)
         }
-      }  ~
+      } ~
       path("errors") {
-        onComplete(askAppMaster[LastFailure](master, appId, GetLastFailure(appId))){
+        onComplete(askAppMaster[LastFailure](master, appId, GetLastFailure(appId))) {
           case Success(value) =>
             complete(write(value))
           case Failure(ex) => failWith(ex)
@@ -112,7 +104,7 @@ trait AppMasterService  {
               complete(write(Status(false, ex.getMessage)))
           }
         }
-      }~
+      } ~
       path("config") {
         onComplete(askActor[AppMasterConfig](master, QueryAppMasterConfig(appId))) {
           case Success(value: AppMasterConfig) =>
@@ -145,8 +137,8 @@ trait AppMasterService  {
           }
         }
       } ~
-      path("metrics" / RestPath ) { path =>
-        parameterMap {optionMap =>
+      path("metrics" / RestPath) { path =>
+        parameterMap { optionMap =>
           parameter("aggregator" ? "") { aggregator =>
             parameter(ReadOption.Key ? ReadOption.ReadLatest) { readOption =>
               val query = QueryHistoryMetrics(path.head.toString, readOption, aggregator, optionMap)
@@ -191,29 +183,28 @@ trait AppMasterService  {
         }
       } ~
       pathEnd {
-          delete {
-            val writer = (result: ShutdownApplicationResult) => {
+        delete {
+          val writer = (result: ShutdownApplicationResult) => {
+            val output = if (result.appId.isSuccess) {
+              Map("status" -> "success", "info" -> null)
+            } else {
+              Map("status" -> "fail", "info" -> result.appId.failed.get.toString)
+            }
+            write(output)
+          }
+          onComplete(askActor[ShutdownApplicationResult](master, ShutdownApplication(appId))) {
+            case Success(result) =>
               val output = if (result.appId.isSuccess) {
                 Map("status" -> "success", "info" -> null)
               } else {
                 Map("status" -> "fail", "info" -> result.appId.failed.get.toString)
               }
-              write(output)
-            }
-            onComplete(askActor[ShutdownApplicationResult](master, ShutdownApplication(appId))) {
-              case Success(result) =>
-                val output = if (result.appId.isSuccess) {
-                  Map("status" -> "success", "info" -> null)
-                } else {
-                  Map("status" -> "fail", "info" -> result.appId.failed.get.toString)
-                }
-                complete(write(output))
-              case Failure(ex) =>
-                failWith(ex)
-            }
+              complete(write(output))
+            case Failure(ex) =>
+              failWith(ex)
           }
+        }
       }
-    }
   }
 }
 
diff --git a/services/jvm/src/main/scala/io/gearpump/services/BasicService.scala b/services/jvm/src/main/scala/io/gearpump/services/BasicService.scala
new file mode 100644
index 0000000000..079afc3b2c
--- /dev/null
+++ b/services/jvm/src/main/scala/io/gearpump/services/BasicService.scala
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.services
+
+import akka.actor.{ActorSystem}
+import akka.http.scaladsl.model.headers.CacheDirectives.{`max-age`, `no-cache`}
+import akka.http.scaladsl.model.headers.`Cache-Control`
+import akka.http.scaladsl.server.Directives._
+import akka.http.scaladsl.server.{Route}
+import akka.stream.{Materializer}
+import io.gearpump.util.{LogUtil, Constants}
+
+import scala.concurrent.ExecutionContext
+
+trait RouteService {
+  def route: Route
+}
+
+/**
+ * Wrap the cache behavior, and some common utils.
+ */
+trait BasicService extends RouteService{
+
+  implicit def system: ActorSystem
+
+  implicit def timeout = Constants.FUTURE_TIMEOUT
+
+  implicit def ec: ExecutionContext = system.dispatcher
+
+  protected def doRoute(implicit mat: Materializer): Route
+
+  protected def prefix = Slash ~ "api" / s"$REST_VERSION"
+
+  protected val LOG = LogUtil.getLogger(getClass)
+
+  protected def cache = false
+  private val noCacheHeader = `Cache-Control`(`no-cache`, `max-age`(0L))
+
+  def route: Route = encodeResponse {
+    extractMaterializer {implicit mat =>
+      rawPathPrefix(prefix) {
+        if (cache) {
+          doRoute(mat)
+        } else {
+          respondWithHeader(noCacheHeader) {
+            doRoute(mat)
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/services/jvm/src/main/scala/io/gearpump/services/MasterService.scala b/services/jvm/src/main/scala/io/gearpump/services/MasterService.scala
index 06e465856e..cce1bcd4b2 100644
--- a/services/jvm/src/main/scala/io/gearpump/services/MasterService.scala
+++ b/services/jvm/src/main/scala/io/gearpump/services/MasterService.scala
@@ -26,6 +26,7 @@ import akka.http.scaladsl.server.Directives._
 import akka.http.scaladsl.server.Route
 import akka.http.scaladsl.server.directives.ParameterDirectives.ParamMagnet
 import akka.http.scaladsl.unmarshalling.Unmarshaller._
+import akka.stream.{Materializer, ActorMaterializer}
 import com.typesafe.config.Config
 import io.gearpump.cluster.AppMasterToMaster.{GetAllWorkers, GetMasterData, GetWorkerData, MasterData, WorkerData}
 import io.gearpump.cluster.ClientToMaster.{ReadOption, QueryHistoryMetrics, QueryMasterConfig}
@@ -35,6 +36,7 @@ import io.gearpump.cluster.UserConfig
 import io.gearpump.cluster.client.ClientContext
 import io.gearpump.cluster.main.AppSubmitter
 import io.gearpump.cluster.worker.WorkerSummary
+import io.gearpump.jarstore.JarStoreService
 import io.gearpump.partitioner.{PartitionerByClassName, PartitionerDescription}
 import io.gearpump.streaming.{ProcessorDescription, ProcessorId, StreamApplication}
 import io.gearpump.util.ActorUtil.{askActor, _}
@@ -47,139 +49,128 @@ import scala.collection.JavaConversions._
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success, Try}
 
-trait MasterService {
-  this: JarStoreProvider =>
+class MasterService(val master: ActorRef,
+    val jarStore: JarStoreService, override val system: ActorSystem)
+  extends BasicService {
 
   import upickle.default.{read, write}
 
-  def master: ActorRef
-
-  implicit def system: ActorSystem
-
-  implicit def ec: ExecutionContext = system.dispatcher
-
-  implicit val timeout = Constants.FUTURE_TIMEOUT
-
-  val masterRoute = encodeResponse {
-    pathPrefix("api" / s"$REST_VERSION" / "master") {
-      extractMaterializer { implicit mat: akka.stream.Materializer =>
-        pathEnd {
-          get {
-            onComplete(askActor[MasterData](master, GetMasterData)) {
-              case Success(value: MasterData) => complete(write(value))
-              case Failure(ex) => failWith(ex)
-            }
-          }
-        } ~
-          path("applist") {
-            onComplete(askActor[AppMastersData](master, AppMastersDataRequest)) {
-              case Success(value: AppMastersData) =>
-                complete(write(value))
-              case Failure(ex) => failWith(ex)
-            }
-          } ~
-          path("workerlist") {
-            def future = askActor[WorkerList](master, GetAllWorkers).flatMap { workerList =>
-              val workers = workerList.workers
-              val workerDataList = List.empty[WorkerSummary]
-
-              Future.fold(workers.map { workerId =>
-                askWorker[WorkerData](master, workerId, GetWorkerData(workerId))
-              })(workerDataList) { (workerDataList, workerData) =>
-                workerDataList :+ workerData.workerDescription
-              }
-            }
-            onComplete(future) {
-              case Success(result: List[WorkerSummary]) => complete(write(result))
-              case Failure(ex) => failWith(ex)
-            }
-          } ~
-          path("config") {
-            onComplete(askActor[MasterConfig](master, QueryMasterConfig)) {
-              case Success(value: MasterConfig) =>
-                val config = Option(value.config).map(_.root.render()).getOrElse("{}")
-                complete(config)
-              case Failure(ex) =>
-                failWith(ex)
-            }
-          } ~
-          path("metrics" / RestPath) { path =>
-            parameters(ParamMagnet(ReadOption.Key ? ReadOption.ReadLatest)) { readOption: String =>
-              val query = QueryHistoryMetrics(path.head.toString, readOption)
-              onComplete(askActor[HistoryMetrics](master, query)) {
-                case Success(value) =>
-                  complete(write(value))
+  override def doRoute(implicit mat: Materializer) = pathPrefix("master") {
+    pathEnd {
+      get {
+        onComplete(askActor[MasterData](master, GetMasterData)) {
+          case Success(value: MasterData) => complete(write(value))
+          case Failure(ex) => failWith(ex)
+        }
+      }
+    } ~
+    path("applist") {
+      onComplete(askActor[AppMastersData](master, AppMastersDataRequest)) {
+        case Success(value: AppMastersData) =>
+          complete(write(value))
+        case Failure(ex) => failWith(ex)
+      }
+    } ~
+    path("workerlist") {
+      def future = askActor[WorkerList](master, GetAllWorkers).flatMap { workerList =>
+        val workers = workerList.workers
+        val workerDataList = List.empty[WorkerSummary]
+
+        Future.fold(workers.map { workerId =>
+          askWorker[WorkerData](master, workerId, GetWorkerData(workerId))
+        })(workerDataList) { (workerDataList, workerData) =>
+          workerDataList :+ workerData.workerDescription
+        }
+      }
+      onComplete(future) {
+        case Success(result: List[WorkerSummary]) => complete(write(result))
+        case Failure(ex) => failWith(ex)
+      }
+    } ~
+    path("config") {
+      onComplete(askActor[MasterConfig](master, QueryMasterConfig)) {
+        case Success(value: MasterConfig) =>
+          val config = Option(value.config).map(_.root.render()).getOrElse("{}")
+          complete(config)
+        case Failure(ex) =>
+          failWith(ex)
+      }
+    } ~
+    path("metrics" / RestPath) { path =>
+      parameters(ParamMagnet(ReadOption.Key ? ReadOption.ReadLatest)) { readOption: String =>
+        val query = QueryHistoryMetrics(path.head.toString, readOption)
+        onComplete(askActor[HistoryMetrics](master, query)) {
+          case Success(value) =>
+            complete(write(value))
+          case Failure(ex) =>
+            failWith(ex)
+        }
+      }
+    } ~
+    path("submitapp") {
+      post {
+        parameters("args" ? "") { args: String =>
+          uploadFile { fileMap =>
+            val jar = fileMap.get("jar").map(_.file)
+            val userConf = fileMap.get("conf").map(_.file)
+
+            if (jar.isEmpty) {
+              failWith(new Exception("jar file not supplied"))
+            } else {
+              val argsArray = args.split(" +").filter(_.nonEmpty)
+              onComplete(Future(
+                MasterService.submitJar(jar.get, userConf, argsArray, system.settings.config))) {
+                case Success(appId) =>
+                  complete(write(
+                    MasterService.AppSubmissionResult(success = true, appId = appId)))
                 case Failure(ex) =>
                   failWith(ex)
               }
             }
-          } ~
-          path("submitapp") {
-            post {
-              parameters("args" ? "") { args: String =>
-                uploadFile { fileMap =>
-                  val jar = fileMap.get("jar").map(_.file)
-                  val userConf = fileMap.get("conf").map(_.file)
-
-                  if (jar.isEmpty) {
-                    failWith(new Exception("jar file not supplied"))
-                  } else {
-                    val argsArray = args.split(" +").filter(_.nonEmpty)
-                    onComplete(Future(
-                      MasterService.submitJar(jar.get, userConf, argsArray, system.settings.config))) {
-                      case Success(appId) =>
-                        complete(write(
-                          MasterService.AppSubmissionResult(success = true, appId = appId)))
-                      case Failure(ex) =>
-                        failWith(ex)
-                    }
-                  }
-                }
-              }
-            }
-          } ~
-          path("submitdag") {
-            post {
-              entity(as[String]) { request =>
-                import io.gearpump.services.util.UpickleUtil._
-                val msg = java.net.URLDecoder.decode(request, "UTF-8")
-                val submitApplicationRequest = read[SubmitApplicationRequest](msg)
-                import submitApplicationRequest.{appName, dag, processors, userconfig}
-                val context = ClientContext(system.settings.config, system, master)
-
-                val graph = dag.mapVertex { processorId =>
-                  processors(processorId)
-                }.mapEdge { (node1, edge, node2) =>
-                  PartitionerDescription(new PartitionerByClassName(edge))
-                }
-
-                val effectiveConfig = if (userconfig == null) UserConfig.empty else userconfig
-                val appId = context.submit(new StreamApplication(appName, effectiveConfig, graph))
-
-                import upickle.default.write
-                val submitApplicationResultValue = SubmitApplicationResultValue(appId)
-                val jsonData = write(submitApplicationResultValue)
-                complete(jsonData)
-              }
-            }
-          } ~
-          path("uploadjar") {
-            uploadFile { fileMap =>
-              val jar = fileMap.get("jar").map(_.file)
-              if (jar.isEmpty) {
-                complete(write(
-                  MasterService.Status(success = false, reason = "Jar file not found")))
-              } else {
-                val jarFile = Util.uploadJar(jar.get, getJarStoreService)
-                complete(write(jarFile))
-              }
-            }
-          } ~
-          path("partitioners") {
-            get {
-              complete(write(BuiltinPartitioners(Constants.BUILTIN_PARTITIONERS.map(_.getName))))
-            }
           }
+        }
+      }
+    } ~
+    path("submitdag") {
+      post {
+        entity(as[String]) { request =>
+          import io.gearpump.services.util.UpickleUtil._
+          val msg = java.net.URLDecoder.decode(request, "UTF-8")
+          val submitApplicationRequest = read[SubmitApplicationRequest](msg)
+          import submitApplicationRequest.{appName, dag, processors, userconfig}
+          val context = ClientContext(system.settings.config, system, master)
+
+          val graph = dag.mapVertex { processorId =>
+            processors(processorId)
+          }.mapEdge { (node1, edge, node2) =>
+            PartitionerDescription(new PartitionerByClassName(edge))
+          }
+
+          val effectiveConfig = if (userconfig == null) UserConfig.empty else userconfig
+          val appId = context.submit(new StreamApplication(appName, effectiveConfig, graph))
+
+          import upickle.default.write
+          val submitApplicationResultValue = SubmitApplicationResultValue(appId)
+          val jsonData = write(submitApplicationResultValue)
+          complete(jsonData)
+        }
+      }
+    } ~
+    path("uploadjar") {
+      uploadFile { fileMap =>
+        val jar = fileMap.get("jar").map(_.file)
+        if (jar.isEmpty) {
+          complete(write(
+            MasterService.Status(success = false, reason = "Jar file not found")))
+        } else {
+          val jarFile = Util.uploadJar(jar.get, jarStore)
+          complete(write(jarFile))
+        }
+      }
+    } ~
+    path("partitioners") {
+      get {
+        complete(write(BuiltinPartitioners(Constants.BUILTIN_PARTITIONERS.map(_.getName))))
       }
     }
   }
diff --git a/services/jvm/src/main/scala/io/gearpump/services/RestServices.scala b/services/jvm/src/main/scala/io/gearpump/services/RestServices.scala
index d514d91494..deb8d178ff 100644
--- a/services/jvm/src/main/scala/io/gearpump/services/RestServices.scala
+++ b/services/jvm/src/main/scala/io/gearpump/services/RestServices.scala
@@ -19,32 +19,34 @@
 package io.gearpump.services
 
 import akka.actor.{ActorRef, ActorSystem}
-import akka.http.scaladsl.Http
 import akka.http.scaladsl.model.StatusCodes._
 import akka.http.scaladsl.model._
 import akka.http.scaladsl.model.headers.CacheDirectives.{`max-age`, `no-cache`}
 import akka.http.scaladsl.model.headers._
+
 import akka.http.scaladsl.server.Directives._
-import akka.http.scaladsl.server.{Route, _}
-import akka.stream.ActorMaterializer
+import akka.http.scaladsl.server.{ _}
+import akka.stream.{ActorMaterializer}
 import io.gearpump.jarstore.JarStoreService
 import io.gearpump.util.{Constants, LogUtil}
 import org.apache.commons.lang.exception.ExceptionUtils
 
 import scala.concurrent.Await
 import scala.concurrent.duration._
+import akka.http.scaladsl.server.Route
+
+class RestServices(master: ActorRef, mat: ActorMaterializer, system: ActorSystem) extends RouteService {
+
+  private val config = system.settings.config
+
+  private val jarStoreService = JarStoreService.get(config)
+  jarStoreService.init(config, system)
 
-class RestServices(actorSystem: ActorSystem, val master: ActorRef) extends
-    StaticService with
-    MasterService with
-    WorkerService with
-    AppMasterService with
-    JarStoreProvider {
   private val LOG = LogUtil.getLogger(getClass)
 
-  implicit def system: ActorSystem = actorSystem
+  private val securityEnabled = config.getBoolean(Constants.GEARPUMP_UI_SECURITY_ENABLED)
 
-  private def myExceptionHandler: ExceptionHandler = ExceptionHandler {
+  private val myExceptionHandler: ExceptionHandler = ExceptionHandler {
     case ex: Throwable => {
       extractUri { uri =>
         LOG.error(s"Request to $uri could not be handled normally", ex)
@@ -53,66 +55,34 @@ class RestServices(actorSystem: ActorSystem, val master: ActorRef) extends
     }
   }
 
-  private val rootService = {
-    path("version") {
-      get {
-        complete(version)
-      }
-    } ~
-    path("supervisor-actor-path") {
-      get {
-        complete(system.settings.config.getString(Constants.GEARPUMP_SERVICE_SUPERVISOR_PATH))
+  // make sure staticRoute is the final one, as it will try to lookup resource in local path
+  // if there is no match in previous routes
+  private val static = new StaticService(system).route
+
+  override def route: Route = {
+    if (securityEnabled) {
+      val security = new SecurityService(services, system)
+      handleExceptions(myExceptionHandler) {
+        security.route ~ static
       }
-    } ~
-    path("terminate") {
-      post {
-        system.shutdown()
-        complete(StatusCodes.NotFound)
+    } else {
+      handleExceptions(myExceptionHandler) {
+        services.route ~ static
       }
     }
   }
 
-  private val noCache = respondWithHeader(`Cache-Control`(`no-cache`,  `max-age`(0L)))
-
-  def routes = handleExceptions(myExceptionHandler) {
-    noCache {
-      rootService ~
-        masterRoute ~
-        workerRoute ~
-        appMasterRoute
-    } ~
-    // make sure staticRoute is the final one, as it will try to lookup resource in local path
-    // if there is no match in previous routes
-    staticResource
-  }
-
-  private val jarStoreService = JarStoreService.get(system.settings.config)
-  jarStoreService.init(system.settings.config, system)
+  private def services: RouteService = {
 
-  override def getJarStoreService: JarStoreService = jarStoreService
-}
+    val admin = new AdminService(system)
+    val masterService = new MasterService(master, jarStoreService, system)
+    val worker = new WorkerService(master, system)
+    val app = new AppMasterService(master, jarStoreService, system)
 
-trait JarStoreProvider {
-  def getJarStoreService: JarStoreService
-}
-
-object RestServices {
-  private val LOG = LogUtil.getLogger(getClass)
-
-  def apply(master:ActorRef)(implicit system:ActorSystem):Unit = {
-    implicit val executionContext = system.dispatcher
-    val services = new RestServices(system, master)
-    val config = system.settings.config
-    val port = config.getInt(Constants.GEARPUMP_SERVICE_HTTP)
-    val host = config.getString(Constants.GEARPUMP_SERVICE_HOST)
-
-    implicit val materializer = ActorMaterializer()
-
-    val bindFuture = Http().bindAndHandle(Route.handlerFlow(services.routes), host, port)
-    Await.result(bindFuture, 15 seconds)
-
-    val displayHost = if(host == "0.0.0.0") "127.0.0.1" else host
-    LOG.info(s"Please browse to http://$displayHost:$port to see the web UI")
-    println(s"Please browse to http://$displayHost:$port to see the web UI")
+    new RouteService {
+      override def route: Route = {
+        admin.route ~ masterService.route ~ worker.route ~ app.route
+      }
+    }
   }
 }
\ No newline at end of file
diff --git a/services/jvm/src/main/scala/io/gearpump/services/SecurityService.scala b/services/jvm/src/main/scala/io/gearpump/services/SecurityService.scala
new file mode 100644
index 0000000000..6f646b2829
--- /dev/null
+++ b/services/jvm/src/main/scala/io/gearpump/services/SecurityService.scala
@@ -0,0 +1,179 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.services
+
+import akka.actor.{ActorSystem}
+import akka.http.scaladsl.model.headers.HttpChallenge
+import akka.http.scaladsl.server.AuthenticationFailedRejection.{CredentialsMissing}
+import akka.http.scaladsl.server._
+import akka.http.scaladsl.server.Directives._
+import com.softwaremill.session.ClientSessionManagerMagnet._
+import com.softwaremill.session.SessionDirectives._
+import com.softwaremill.session._
+import com.typesafe.config.Config
+import io.gearpump.services.SecurityService.{User, UserSession, GUEST}
+import io.gearpump.util.{Constants, LogUtil}
+import upickle.default.{write}
+import io.gearpump.security.{Authenticator => BaseAuthenticator}
+import scala.concurrent.{ExecutionContext, Future}
+
+/**
+ * When user cannot be authenticated, will reject with 401 AuthenticationFailedRejection
+ * When user can be authenticated, but are not authorized to access certail resource, will
+ * return a 405 AuthorizationFailedRejection.
+ *
+ * When web UI frontend receive 401, it should redirect the UI to login page.
+ * When web UI receive 405,it should display errors like
+ * "current user is not authorized to access this resource."
+ *
+ * The Authenticator used is pluggable, the current Authenticator is resolved by looking up config path
+ * [[Constants.GEARPUMP_UI_AUTHENTICATOR_CLASS]].
+ *
+ * see [[BaseAuthenticator]] to find more info on custom Authenticator.
+ *
+ */
+class SecurityService(inner: RouteService, implicit val system: ActorSystem) extends RouteService {
+
+  // Use scheme "xBasic" to avoid popping up web browser native authentication box.
+  private val challenge = HttpChallenge(scheme = "xBasic", realm = "gearpump", params = Map.empty)
+
+  private val authFailedRejection = AuthenticationFailedRejection(CredentialsMissing, challenge)
+  val LOG = LogUtil.getLogger(getClass, "AUDIT")
+
+  private val config = system.settings.config
+  private val sessionConfig = SessionConfig.fromConfig(config)
+  private implicit val sessionManager = new SessionManager[UserSession](sessionConfig)
+  private val magnet = ClientSessionManagerMagnet.forSessionManager[UserSession, Unit](Unit)
+
+  private val authenticator = {
+    val clazz = Class.forName(config.getString(Constants.GEARPUMP_UI_AUTHENTICATOR_CLASS))
+    val constructor = clazz.getConstructor(classOf[Config])
+    val authenticator = constructor.newInstance(config).asInstanceOf[BaseAuthenticator]
+    authenticator
+  }
+
+  private def authenticate(user: String, pass: String)(implicit ec: ExecutionContext): Future[Option[UserSession]] = {
+    authenticator.authenticate(user, pass, ec).map{ result =>
+      if (result.authenticated) {
+        Some(UserSession(user, admin = result.isAdministrator))
+      } else {
+        None
+      }
+    }
+  }
+
+  private def authenticationFailed: Route = {
+    reject(authFailedRejection)
+  }
+
+  private def requireAuthentication(inner: UserSession => Route): Route = {
+    optionalSession(magnet) { sessionOption =>
+      sessionOption match {
+        case Some(session) => {
+          inner(session)
+        }
+        case None =>
+          authenticationFailed
+      }
+    }
+  }
+
+  private def login(session: UserSession, ip: String): Route = {
+    setSession(session) { ctx =>
+      val user = session.user
+      LOG.info(s"user $user login from $ip")
+      ctx.complete(write(new User(user)))
+    }
+  }
+
+  private def logout(user: UserSession, ip: String): Route = {
+    invalidateSession(magnet) { ctx =>
+      LOG.info(s"user ${user.user} logout from $ip")
+      ctx.complete(write(new User(user.user)))
+    }
+  }
+
+  // Only admin are able to access operation like post/delete/put
+  private def requireAuthorization(user: UserSession, route: => Route): Route = {
+    if (user.admin) {
+      route
+    } else {
+      (put | delete | post) {
+        // reject with 405 authorization error
+        reject(AuthorizationFailedRejection)
+      } ~
+      get {
+        route
+      }
+    }
+  }
+
+  override val route: Route = {
+
+    extractExecutionContext{implicit ec =>
+    extractMaterializer{implicit mat =>
+    extractClientIP { ip =>
+      path("login") {
+        post {
+          // Guest account don't have permission to submit new application in UI
+          formFields('username ? GUEST, 'password ? GUEST) { (user, pass) =>
+            val result = authenticate(user, pass)
+            onSuccess(result){
+              case Some(session) =>
+                login(session, ip.toString)
+              case None =>
+                authenticationFailed
+            }
+          }
+        }
+      } ~
+      path("logout") {
+        post {
+          requireAuthentication {session =>
+            logout(session, ip.toString())
+          }
+        }
+      } ~
+      requireAuthentication {user =>
+        requireAuthorization(user, inner.route)
+      }
+    }}}
+
+  }
+}
+
+object SecurityService {
+
+  val SESSION_MANAGER_KEY = "akka.http.session.serverSecret"
+
+  case class UserSession(user: String, admin: Boolean)
+
+  object UserSession {
+    implicit def serializer: SessionSerializer[UserSession] = new ToMapSessionSerializer[UserSession] {
+      private val User = "user"
+      private val Admin = "admin"
+
+      override def serializeToMap(t: UserSession) = Map(User -> t.user, Admin->t.admin.toString)
+      override def deserializeFromMap(m: Map[String, String]) = UserSession(m(User), m(Admin).toBoolean)
+    }
+  }
+
+  case class User(user: String)
+  val GUEST = "guest"
+}
\ No newline at end of file
diff --git a/services/jvm/src/main/scala/io/gearpump/services/StaticService.scala b/services/jvm/src/main/scala/io/gearpump/services/StaticService.scala
index 7f62f7208d..45499e83c2 100644
--- a/services/jvm/src/main/scala/io/gearpump/services/StaticService.scala
+++ b/services/jvm/src/main/scala/io/gearpump/services/StaticService.scala
@@ -18,24 +18,23 @@
 
 package io.gearpump.services
 
-import java.net.URL
-import java.util.jar.Manifest
-import io.gearpump.util.Constants
-import akka.actor.ActorSystem
+import akka.actor.{ActorSystem}
 import akka.http.scaladsl.model._
 import akka.http.scaladsl.server.Directives._
+import akka.stream.{Materializer}
 import io.gearpump.util.Util
 
+/**
+ * static resource files.
+ */
+class StaticService(override val system: ActorSystem)
+  extends BasicService {
 
-trait StaticService  {
-
-  implicit def system: ActorSystem
+  override def prefix = Neutral
 
-  val version = Util.version
+  override def cache = true
 
-  // Optionally compresses the response with Gzip or Deflate, if the client accepts
-  // compressed responses.
-  val staticResource = encodeResponse {
+  override def doRoute(implicit mat: Materializer) = {
     pathEndOrSingleSlash {
       getFromResource("index.html")
     } ~
diff --git a/services/jvm/src/main/scala/io/gearpump/services/WorkerService.scala b/services/jvm/src/main/scala/io/gearpump/services/WorkerService.scala
index 1e82c3915d..5339541767 100644
--- a/services/jvm/src/main/scala/io/gearpump/services/WorkerService.scala
+++ b/services/jvm/src/main/scala/io/gearpump/services/WorkerService.scala
@@ -18,58 +18,47 @@
 
 package io.gearpump.services
 
-import akka.actor.{ActorRef, ActorSystem}
+import akka.actor.{ActorSystem, ActorRef}
 import akka.http.scaladsl.server.Directives._
-import akka.http.scaladsl.server.Route
+import akka.stream.{Materializer}
 import io.gearpump.cluster.AppMasterToMaster.{GetWorkerData, WorkerData}
 import io.gearpump.cluster.ClientToMaster.{ReadOption, QueryHistoryMetrics, QueryWorkerConfig}
 import io.gearpump.cluster.MasterToClient.{HistoryMetrics, WorkerConfig}
 import io.gearpump.util.ActorUtil._
-import io.gearpump.util.LogUtil
 
-import scala.concurrent.ExecutionContext
-import scala.util.{Failure, Success, Try}
+import scala.util.{Failure, Success}
 
-trait WorkerService {
+class WorkerService(val master: ActorRef, override val system: ActorSystem)
+  extends BasicService {
 
   import upickle.default.write
 
-  def master: ActorRef
-
-  implicit def system: ActorSystem
-
-  private val LOG = LogUtil.getLogger(getClass)
-
-  val workerRoute = encodeResponse {
-    implicit def ec: ExecutionContext = system.dispatcher
-
-    pathPrefix("api" / s"$REST_VERSION" / "worker" / IntNumber) { workerId =>
-      pathEnd {
-        onComplete(askWorker[WorkerData](master, workerId, GetWorkerData(workerId))) {
-          case Success(value: WorkerData) =>
-            complete(write(value.workerDescription))
-          case Failure(ex) => failWith(ex)
-        }
-      } ~
-      path("config") {
-        onComplete(askWorker[WorkerConfig](master, workerId, QueryWorkerConfig(workerId))) {
-          case Success(value: WorkerConfig) =>
-            val config = Option(value.config).map(_.root.render()).getOrElse("{}")
-            complete(config)
+  override def doRoute(implicit mat: Materializer) = pathPrefix("worker" / IntNumber) { workerId =>
+    pathEnd {
+      onComplete(askWorker[WorkerData](master, workerId, GetWorkerData(workerId))) {
+        case Success(value: WorkerData) =>
+          complete(write(value.workerDescription))
+        case Failure(ex) => failWith(ex)
+      }
+    } ~
+    path("config") {
+      onComplete(askWorker[WorkerConfig](master, workerId, QueryWorkerConfig(workerId))) {
+        case Success(value: WorkerConfig) =>
+          val config = Option(value.config).map(_.root.render()).getOrElse("{}")
+          complete(config)
+        case Failure(ex) =>
+          failWith(ex)
+      }
+    } ~
+    path("metrics" / RestPath ) { path =>
+      parameter(ReadOption.Key ? ReadOption.ReadLatest) { readOption =>
+        val query = QueryHistoryMetrics(path.head.toString, readOption)
+        onComplete(askWorker[HistoryMetrics](master, workerId, query)) {
+          case Success(value) =>
+            complete(write(value))
           case Failure(ex) =>
             failWith(ex)
         }
-      } ~
-      path("metrics" / RestPath ) { path =>
-        parameter(ReadOption.Key ? ReadOption.ReadLatest) { readOption =>
-          val query = QueryHistoryMetrics(path.head.toString, readOption)
-          onComplete(askWorker[HistoryMetrics](master, workerId, query)) {
-            case Success(value) =>
-              complete(write(value))
-            case Failure(ex) =>
-              failWith(ex)
-          }
-        }
       }
     }
   }
diff --git a/services/jvm/src/main/scala/io/gearpump/services/main/Services.scala b/services/jvm/src/main/scala/io/gearpump/services/main/Services.scala
index 8c14ad39a2..7dc0277f25 100644
--- a/services/jvm/src/main/scala/io/gearpump/services/main/Services.scala
+++ b/services/jvm/src/main/scala/io/gearpump/services/main/Services.scala
@@ -18,18 +18,25 @@
 
 package io.gearpump.services.main
 
-import akka.actor.ActorSystem
+import akka.actor.{ActorSystem}
+import akka.http.scaladsl.Http
+import akka.http.scaladsl.server.Route
+import akka.stream.ActorMaterializer
 import com.typesafe.config.ConfigValueFactory
 import io.gearpump.cluster.ClusterConfig
 import io.gearpump.cluster.main.{Gear, CLIOption, ArgumentsParser}
 import io.gearpump.cluster.master.MasterProxy
-import io.gearpump.services.RestServices
+import io.gearpump.services.{SecurityService, RestServices}
 import io.gearpump.util.LogUtil.ProcessType
 import io.gearpump.util.{AkkaApp, Constants, LogUtil, Util}
 import org.slf4j.Logger
 
+import scala.concurrent.Await
+
 object Services extends AkkaApp with ArgumentsParser {
 
+  private val LOG = LogUtil.getLogger(getClass)
+
   override val options: Array[(String, CLIOption[Any])] = Array(
     "master" -> CLIOption("<host:port>", required = false),
     Gear.OPTION_CONFIG -> CLIOption("<provide a custom configuration file>", required = false),
@@ -72,14 +79,31 @@ object Services extends AkkaApp with ArgumentsParser {
 
     akkaConf = akkaConf.withValue(Constants.GEARPUMP_SERVICE_SUPERVISOR_PATH,
       ConfigValueFactory.fromAnyRef(argConfig.getString("supervisor")))
+      // Create a random unique secret key for session manager.
+      // All previous stored session token cookies will be invalidated when UI
+      // server is restarted.
+      .withValue(SecurityService.SESSION_MANAGER_KEY,
+        ConfigValueFactory.fromAnyRef(java.util.UUID.randomUUID().toString()))
 
     val masterCluster = akkaConf.getStringList(Constants.GEARPUMP_CLUSTER_MASTERS).toList.flatMap(Util.parseHostList)
 
     implicit val system = ActorSystem("services" , akkaConf)
+    implicit val executionContext = system.dispatcher
+
     import scala.concurrent.duration._
     val master = system.actorOf(MasterProxy.props(masterCluster, 1 day), s"masterproxy${system.name}")
+    val (host, port) = parseHostPort(system.settings.config)
+
 
-    RestServices(master)
+    implicit val mat = ActorMaterializer()
+    val services = new RestServices(master, mat, system)
+
+    val bindFuture = Http().bindAndHandle(Route.handlerFlow(services.route), host, port)
+    Await.result(bindFuture, 15 seconds)
+
+    val displayHost = if(host == "0.0.0.0") "127.0.0.1" else host
+    LOG.info(s"Please browse to http://$displayHost:$port to see the web UI")
+    println(s"Please browse to http://$displayHost:$port to see the web UI")
 
     killFunction = Some{() =>
       LOG.info("Shutting down UI Server")
@@ -89,6 +113,12 @@ object Services extends AkkaApp with ArgumentsParser {
     system.awaitTermination()
   }
 
+  private def parseHostPort(config: Config): (String, Int) = {
+    val port = config.getInt(Constants.GEARPUMP_SERVICE_HTTP)
+    val host = config.getString(Constants.GEARPUMP_SERVICE_HOST)
+    (host, port)
+  }
+
   // TODO: fix this
   // Hack around for YARN module, so that we can kill the UI server when application is shutting down.
   def kill(): Unit = {
diff --git a/services/jvm/src/test/scala/io/gearpump/services/AppMasterServiceSpec.scala b/services/jvm/src/test/scala/io/gearpump/services/AppMasterServiceSpec.scala
index 329ade28d8..b2be7d6dfa 100644
--- a/services/jvm/src/test/scala/io/gearpump/services/AppMasterServiceSpec.scala
+++ b/services/jvm/src/test/scala/io/gearpump/services/AppMasterServiceSpec.scala
@@ -39,8 +39,8 @@ import akka.http.scaladsl.testkit.ScalatestRouteTest
 import scala.concurrent.duration._
 import scala.util.{Success, Try}
 
-class AppMasterServiceSpec extends FlatSpec with ScalatestRouteTest with AppMasterService
-  with Matchers with BeforeAndAfterAll with JarStoreProvider{
+class AppMasterServiceSpec extends FlatSpec with ScalatestRouteTest
+  with Matchers with BeforeAndAfterAll {
 
   private val LOG: Logger = LogUtil.getLogger(getClass)
   def actorRefFactory = system
@@ -50,7 +50,11 @@ class AppMasterServiceSpec extends FlatSpec with ScalatestRouteTest with AppMast
 
   lazy val jarStoreService = JarStoreService.get(system.settings.config)
 
-  override def getJarStoreService: JarStoreService = jarStoreService
+  def jarStore: JarStoreService = jarStoreService
+
+  def master = mockMaster.ref
+
+  def appMasterRoute = new AppMasterService(master, jarStore, system).route
 
   mockAppMaster.setAutoPilot {
     new AutoPilot {
@@ -92,8 +96,6 @@ class AppMasterServiceSpec extends FlatSpec with ScalatestRouteTest with AppMast
     }
   }
 
-  def master = mockMaster.ref
-
   "AppMasterService" should "return a JSON structure for GET request when detail = false" in {
     implicit val customTimeout = RouteTestTimeout(15.seconds)
     Get(s"/api/$REST_VERSION/appmaster/0?detail=false") ~> appMasterRoute ~> check{
diff --git a/services/jvm/src/test/scala/io/gearpump/services/MasterServiceSpec.scala b/services/jvm/src/test/scala/io/gearpump/services/MasterServiceSpec.scala
index 8ed518f8a5..c78a630f8f 100644
--- a/services/jvm/src/test/scala/io/gearpump/services/MasterServiceSpec.scala
+++ b/services/jvm/src/test/scala/io/gearpump/services/MasterServiceSpec.scala
@@ -43,8 +43,8 @@ import scala.concurrent.{Future, ExecutionContext}
 import scala.concurrent.duration._
 import scala.util.{Success, Try}
 
-class MasterServiceSpec extends FlatSpec with ScalatestRouteTest with MasterService with
-  Matchers with BeforeAndAfterAll with JarStoreProvider{
+class MasterServiceSpec extends FlatSpec with ScalatestRouteTest with
+  Matchers with BeforeAndAfterAll {
   import upickle.default.{read, write}
 
   def actorRefFactory = system
@@ -53,7 +53,11 @@ class MasterServiceSpec extends FlatSpec with ScalatestRouteTest with MasterServ
 
   lazy val jarStoreService = JarStoreService.get(system.settings.config)
 
-  override def getJarStoreService: JarStoreService = jarStoreService
+  def master = mockMaster.ref
+
+  def jarStore: JarStoreService = jarStoreService
+
+  def masterRoute = new MasterService(master, jarStore, system).route
 
   mockWorker.setAutoPilot {
     new AutoPilot {
@@ -97,7 +101,6 @@ class MasterServiceSpec extends FlatSpec with ScalatestRouteTest with MasterServ
     }
   }
 
-  def master = mockMaster.ref
 
   it should "return master info when asked" in {
     implicit val customTimeout = RouteTestTimeout(15.seconds)
diff --git a/services/jvm/src/test/scala/io/gearpump/services/SecurityServiceSpec.scala b/services/jvm/src/test/scala/io/gearpump/services/SecurityServiceSpec.scala
new file mode 100644
index 0000000000..3e3170c321
--- /dev/null
+++ b/services/jvm/src/test/scala/io/gearpump/services/SecurityServiceSpec.scala
@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gearpump.services
+
+class SecurityServiceSpec {
+
+}
diff --git a/services/jvm/src/test/scala/io/gearpump/services/WorkerServiceSpec.scala b/services/jvm/src/test/scala/io/gearpump/services/WorkerServiceSpec.scala
index 7ca9f30447..a172a4e326 100644
--- a/services/jvm/src/test/scala/io/gearpump/services/WorkerServiceSpec.scala
+++ b/services/jvm/src/test/scala/io/gearpump/services/WorkerServiceSpec.scala
@@ -26,17 +26,24 @@ import io.gearpump.cluster.AppMasterToMaster.{GetWorkerData, WorkerData}
 import io.gearpump.cluster.ClientToMaster.{QueryHistoryMetrics, QueryWorkerConfig, ResolveWorkerId}
 import io.gearpump.cluster.MasterToClient.{HistoryMetrics, HistoryMetricsItem, ResolveWorkerIdResult, WorkerConfig}
 import io.gearpump.cluster.worker.WorkerSummary
+import io.gearpump.jarstore.JarStoreService
 import org.scalatest.{BeforeAndAfterAll, FlatSpec, Matchers}
 
 import scala.concurrent.duration._
 import scala.util.{Success, Try}
 import akka.http.scaladsl.testkit.{RouteTestTimeout, ScalatestRouteTest}
 
-class WorkerServiceSpec extends FlatSpec with ScalatestRouteTest with WorkerService with Matchers with BeforeAndAfterAll {
+class WorkerServiceSpec extends FlatSpec with ScalatestRouteTest  with Matchers with BeforeAndAfterAll {
   def actorRefFactory = system
 
   val mockWorker = TestProbe()
 
+  def master = mockMaster.ref
+
+  lazy val jarStoreService = JarStoreService.get(system.settings.config)
+
+  def workerRoute = new WorkerService(master, system).route
+
   mockWorker.setAutoPilot {
     new AutoPilot {
       def run(sender: ActorRef, msg: Any) = msg match {
@@ -64,7 +71,6 @@ class WorkerServiceSpec extends FlatSpec with ScalatestRouteTest with WorkerServ
     }
   }
 
-  def master = mockMaster.ref
 
   "ConfigQueryService" should "return config for worker" in {
     implicit val customTimeout = RouteTestTimeout(15.seconds)
diff --git a/streaming/src/test/scala/io/gearpump/streaming/appmaster/AppMasterSpec.scala b/streaming/src/test/scala/io/gearpump/streaming/appmaster/AppMasterSpec.scala
index 95dd5007df..bb705972f9 100644
--- a/streaming/src/test/scala/io/gearpump/streaming/appmaster/AppMasterSpec.scala
+++ b/streaming/src/test/scala/io/gearpump/streaming/appmaster/AppMasterSpec.scala
@@ -34,7 +34,7 @@ import io.gearpump.jarstore.FilePath
 import io.gearpump.partitioner.{Partitioner, HashPartitioner}
 import io.gearpump.streaming.{Processor, StreamApplication}
 import io.gearpump.streaming.task._
-import io.gearpump.util.Graph
+import io.gearpump.util.{Util, Graph}
 import io.gearpump.util.Graph._
 import org.scalatest._