Posted to commits@jackrabbit.apache.org by th...@apache.org on 2014/09/01 15:58:44 UTC

svn commit: r1621788 [2/7] - in /jackrabbit/site/live/oak/docs: ./ META-INF/ architecture/ nodestore/ oak_api/ plugins/ security/ security/accesscontrol/ security/authentication/ security/permission/ security/principal/ security/privilege/ security/user/

Added: jackrabbit/site/live/oak/docs/differences_authentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_authentication.html?rev=1621788&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_authentication.html (added)
+++ jackrabbit/site/live/oak/docs/differences_authentication.html Mon Sep  1 13:58:43 2014
@@ -0,0 +1,594 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Authentication : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>Authentication : Differences wrt Jackrabbit 2.x<a name="Authentication_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>1. Characteristics of the Default Implementation<a name="a1._Characteristics_of_the_Default_Implementation"></a></h4>
+<div class="section">
+<h5>Null Login<a name="Null_Login"></a></h5>
+<p>As of Oak 1.0 <tt>Repository#login()</tt> and <tt>Repository#login(null, wspName)</tt> is no longer treated as guest login. This behavior of Jackrabbit-core is violating the specification, which defines that null-login should be used for those cases where the authentication process is handled outside of the repository (-&gt; see pre-authentication below).</p>
+<p>In order to get a full backwards compatible behavior OAK provides a specific <tt>GuestLoginModule</tt> [0] that can be added to the JAAS (or corresponding OSGI) configuration.</p>
+<p>Example JAAS Configuration:</p>
+
+<div class="source">
+<pre>jackrabbit.oak {
+   org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule  optional;
+   org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
+};
+</pre></div></div>
+<div class="section">
+<h5>Guest Login<a name="Guest_Login"></a></h5>
+<p>With respect to guest login (aka anonymous login) the OAK content repository out of the box contains the following modifications:</p>
+
+<ul>
+  
+<li>null login != guest login</li>
+  
+<li>no anonymous login with uid/pw</li>
+</ul>
+<p>As explained in 1) the null login will not longer fall back to a guest login unless explicitly configured (-&gt; <tt>GuestLoginModule</tt>). The proper way to obtain an guest session as of OAK is as specified by JSR 283:</p>
+
+<div class="source">
+<pre>String wspName = null;
+Session anonymous = repository.login(new GuestCredentials(), wspName);
+</pre></div>
+<p>Similarly, the special treatment that jackrabbit core applied for the guest (anonymous) user has been omitted altogether in OAK. In the default setup the anonymous user will created without any password. Therefore explicitly uid/pw login using the anonymous userId will no longer work. This behavior is now consistent with the default login of any other user which doesn&#x2019;t have a password set.</p></div>
+<div class="section">
+<h5>Pre-Authentication in the LoginContextProvider<a name="Pre-Authentication_in_the_LoginContextProvider"></a></h5>
+<p>Like in Jackrabbit-core the repository internal authentication verification can be skipped by calling <tt>Repository#login()</tt> or <tt>Repository#login(null, wspName)</tt>. In this case the repository implementation expects the verification to be performed prior to the login call.</p>
+<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p>
+<p>Since the <tt>LoginContextProvider</tt> is a configurable with the authentication setup OAK users also have the following options by providing a custom <tt>LoginContextProvider</tt>:</p>
+
+<ul>
+  
+<li>Disable pre-authentication by not trying to retrieve a pre-authenticated <tt>Subject</tt>.</li>
+  
+<li>Add support for extending the pre-authenticated subject by always passing writable subjects to the <tt>JaasLoginContext</tt></li>
+  
+<li>Dropping JAAS altogether by providing a custom implementation of the  <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
+</ul>
+<p>Example how to use the pre-auth:</p>
+
+<div class="source">
+<pre>String userId = &quot;test&quot;;
+/**
+ Retrive valid principals e.g. by calling jackrabbit API
+ - PrincipalManager#getPrincipal and/or #getGroupMembership
+ or from Oak SPI
+ - PrincipalProvider#getPrincipals(String userId)
+ */
+Set&lt;? extends Principal&gt; principals = getPrincipals(userId);
+AuthInfo authInfo = new AuthInfoImpl(userId, Collections.&lt;String, Object&gt;emptyMap(), principals);
+Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.&lt;Object&gt;emptySet());
+Session session;
+try {
+    session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction&lt;Session&gt;() {
+        @Override
+        public Session run() throws Exception {
+            return login(null, null);
+        }
+    }, null);
+} catch (PrivilegedActionException e) {
+    throw new RepositoryException(&quot;failed to retrieve session.&quot;, e);
+}
+</pre></div></div></div>
+<div class="section">
+<h4>2. Impersonation<a name="a2._Impersonation"></a></h4>
+<div class="section">
+<h5>Self-Impersonation (aka Cloning a Session)<a name="Self-Impersonation_aka_Cloning_a_Session"></a></h5>
+<p>As of OAK 1.0 the latest changes made to JSR 333 with respect to <tt>Session#impersonate</tt> have been adopted [3]: Any attempt to impersonate the same session (self-impersonation) will succeed as long as the user is still valid.</p></div>
+<div class="section">
+<h5>Impersonation Credentials<a name="Impersonation_Credentials"></a></h5>
+<p>The OAK implementation of <tt>Session#impersonate</tt> no longer uses <tt>SimpleCredentials</tt> to transport the original <tt>Subject</tt> but rather performs the login with dedicated <tt>ImpersonationCredentials</tt> [4].</p>
+<p>With this change the impersonation feature no longer relies on <tt>SimpleCredentials</tt> being passed to <tt>Session#impersonate</tt> call. Instead the specified credentials are passed to a new instance of <tt>ImpersonationCredentials</tt> delegating the evaluation and validation of the specified <tt>Credentials</tt> to the configured login module(s).</p>
+<p>This modification will not affect applications that used JCR API to impersonate a given session. However the following example which &#x2018;manually&#x2019; builds impersonation credentials the way jackrabbit core was handling it will no longer work to impersonate an existing session:</p>
+
+<div class="source">
+<pre> SessionImpl sImpl = (SessionImpl) mySession;
+ SimpleCredentials jrImpCreds = new SimpleCredentials(&quot;someUserId, new char[0]);
+ creds.setAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE, sImpl.getSubject());
+ Session impersonated = sImpl.getRepository().login(jrImpCreds, sImpl.getWorkspace().getName());
+</pre></div></div></div>
+<div class="section">
+<h4>3. Token based Authentication<a name="a3._Token_based_Authentication"></a></h4>
+<p>The token based authentication has been completely refactor in OAK.</p>
+
+<ul>
+  
+<li>Dedicated API for managing login tokens [5]</li>
+  
+<li>Pluggable configuration of the new token management API</li>
+  
+<li>Complete separation of token based authentication from regular  uid/pw authentication into a separate <tt>LoginModule</tt> [6]</li>
+</ul>
+<p>The default implementation differs from jackrabbit as follows - token node is referenceable with a dedicated node type (rep:Token) - expiration and key properties are mandatory and protected - expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the same configuration parameter.</p>
+<p>The definition of the new built-in node type &#x201c;rep:Token&#x201d;:  [rep:Token] &gt; mix:referenceable  - rep:token.key (STRING) protected mandatory  - rep:token.exp (DATE) protected mandatory  - * (UNDEFINED) protected  - * (UNDEFINED) multiple protected</p>
+<p>Please note the following difference with respect to Jackrabbit core: - the <tt>TokenLoginModule</tt> is responsible for creating new login tokens. Other login modules should not attempt to do so. - token characteristics such as expiration time only need to be configured with the <tt>TokenLoginModule</tt> - Other <tt>LoginModule</tt> implementations consequently no longer need to have the same config options set.</p></div>
+<div class="section">
+<h4>4. External Authentication<a name="a4._External_Authentication"></a></h4>
+<p>While the default setup in OAK is solely relying on repository functionality to ensure proper authentication it quite common to authenticate against different systems (e.g. LDAP). For those setups that wish to combine initial authentication against a third party system with repository functionality, OAK provides some basic implementation and extension points [7] and ship an example setup for LDAP authentication.</p>
+<p>This is aimed to become the replacement for <tt>com.day.crx.security.ldap.LDAPLoginModule</tt> [8], which relies on jackrabbit internals and will no longer work with OAK.</p></div>
+<div class="section">
+<h4>5. API Extensions<a name="a5._API_Extensions"></a></h4>
+<p>The OAK project introduces the following authenticated related service provider interfaces:</p>
+<p>org.apache.jackrabbit.oak.spi.security.authentication:</p>
+
+<ul>
+  
+<li><tt>LoginContextProvider</tt>: Configurable provider of the <tt>LoginContext</tt> (see below)</li>
+  
+<li><tt>LoginContext</tt>: Interface version of the JAAS LoginContext aimed to ease integration with non-JAAS components</li>
+  
+<li><tt>Authentication</tt>: Aimed to validate credentials during the first phase of the (JAAS) login process.</li>
+</ul>
+<p>org.apache.jackrabbit.oak.spi.security.authentication.token:</p>
+
+<ul>
+  
+<li><tt>TokenConfiguration</tt>: Interface to obtain a <tt>TokenProvider</tt> instance.</li>
+  
+<li><tt>TokenProvider</tt>: Interface to manage login tokens.</li>
+  
+<li><tt>TokenInfo</tt>: Information related to a login token and token validity.</li>
+</ul>
+<p>org.apache.jackrabbit.oak.spi.security.authentication.external:</p>
+
+<ul>
+  
+<li>interfaces to ease custom implementation of the external authentication with  optional user/group synchronization to the repository (see [7]).</li>
+</ul></div>
+<div class="section">
+<h4>6. Configuration<a name="a6._Configuration"></a></h4>
+<div class="section">
+<h5>AuthenticationConfiguration [9]:<a name="AuthenticationConfiguration_9:"></a></h5>
+
+<ul>
+  
+<li><tt>getLoginContextProvider</tt> -&gt; configuration of the login context</li>
+</ul></div>
+<div class="section">
+<h5>TokenConfiguration [10]:<a name="TokenConfiguration_10:"></a></h5>
+
+<ul>
+  
+<li><tt>getTokenProvider</tt></li>
+</ul></div>
+<div class="section">
+<h5>Utilities<a name="Utilities"></a></h5>
+<p>There also exists a utility class that allows to obtain different <tt>javax.security.auth.login.Configuration</tt> for the most common setup [11]:</p>
+
+<ul>
+  
+<li>
+<p><tt>ConfigurationUtil#getDefaultConfiguration</tt>: default OAK configuration supporting uid/pw login configures <tt>LoginModuleImpl</tt> only</p></li>
+  
+<li>
+<p><tt>ConfigurationUtil#getJackrabbit2Configuration</tt>: backwards compatible configuration that provides the functionality covered by jackrabbit-core DefaultLoginModule, namely:</p>
+  
+<ul>
+    
+<li><tt>GuestLoginModule</tt>: null login falls back to anonymous</li>
+    
+<li><tt>TokenLoginModule</tt>: covers token base authentication</li>
+    
+<li><tt>LoginModuleImpl</tt>: covering regular uid/pw login</li>
+  </ul></li>
+</ul></div></div>
+<div class="section">
+<h4>7. References<a name="a7._References"></a></h4>
+<p>[0] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.java</a></p>
+<p>[1] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java</a></p>
+<p>[2] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContext.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContext.java</a></p>
+<p>[3] <a class="externalLink" href="https://java.net/jira/browse/JSR_333-27">https://java.net/jira/browse/JSR_333-27</a></p>
+<p>[4] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java</a></p>
+<p>[5] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/</a></p>
+<p>[6] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java</a></p>
+<p>[7] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/</a></p>
+<p>[8] <a class="externalLink" href="http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html">http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html</a></p>
+<p>[9] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java</a></p>
+<p>[10] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenConfiguration.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenConfiguration.java</a></p>
+<p>[11] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ConfigurationUtil.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ConfigurationUtil.java</a></p></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Added: jackrabbit/site/live/oak/docs/differences_permission.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_permission.html?rev=1621788&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_permission.html (added)
+++ jackrabbit/site/live/oak/docs/differences_permission.html Mon Sep  1 13:58:43 2014
@@ -0,0 +1,584 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Permission Evaluation : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>Permission Evaluation : Differences wrt Jackrabbit 2.x<a name="Permission_Evaluation_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>1. Characteristics of the Default Implementation<a name="a1._Characteristics_of_the_Default_Implementation"></a></h4>
+<div class="section">
+<h5>General<a name="General"></a></h5>
+<p>In general the permission evaluation related code in Oak is intended to be more clearly separated from the access control management such as defined by the JCR and Jackrabbit API. While permission evaluation is considered to be an internal feature of the Oak core module, the package <tt>org.apache.jackrabbit.oak.spi.security.authorization.permission</tt> provides some extensions points that allow to plug custom extensions or implementations of the permission evaluation.</p></div>
+<div class="section">
+<h5>JCR API<a name="JCR_API"></a></h5>
+<div class="section">
+<h6><tt>Session#hasPermission</tt> and <tt>Session#checkPermission</tt><a name="SessionhasPermission_and_SessioncheckPermission"></a></h6>
+<p>Since Oak the permission related API calls not only allow to pass the action strings defined by JCR specification (see constants defined in <tt>Session.java</tt>) but also handles the names of the permission defined by Oak (see <tt>Permissions#getString(long permissions)</tt>).</p></div></div>
+<div class="section">
+<h5>Mapping of JCR Actions to Permissions<a name="Mapping_of_JCR_Actions_to_Permissions"></a></h5>
+<p>`ACTION_READ&#x2019;:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.READ_ACCESS_CONTROL</tt></li>
+  
+<li>regular nodes: <tt>Permissions.READ_NODE</tt></li>
+  
+<li>regular properties: <tt>Permissions.READ_PROPERTY</tt></li>
+  
+<li>non-existing items: <tt>Permissions.READ</tt></li>
+</ul>
+<p><tt>ACTION_ADD_NODE</tt>:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
+<li>regular nodes: <tt>Permissions.ADD_NODE</tt></li>
+</ul>
+<p><tt>ACTION_REMOVE</tt>:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
+<li>regular nodes: <tt>Permissions.REMOVE_NODE</tt></li>
+  
+<li>regular properties: <tt>Permissions.REMOVE_PROPERTY</tt></li>
+  
+<li>non-existing nodes: <tt>Permissions.REMOVE</tt></li>
+</ul>
+<p><tt>ACTION_SET_PROPERTY</tt>:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
+<li>regular properties: <tt>Permissions.MODIFY_PROPERTY</tt></li>
+  
+<li>non-existing properties: <tt>Permissions.ADD_PROPERTY</tt></li>
+</ul></div>
+<div class="section">
+<h5>Permissions<a name="Permissions"></a></h5>
+<p>The set of permissions supported by Oak are listed in <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java">Permissions</a>. The following changes have been compared compared to Jackrabbit 2.x:</p>
+
+<ul>
+  
+<li><tt>READ_NODE</tt>: permission to read a node</li>
+  
+<li><tt>READ_PROPERTY</tt>: permission to read a property</li>
+  
+<li><tt>ADD_PROPERTY</tt>: permission to create a new property</li>
+  
+<li><tt>MODIFY_PROPERTY</tt>: permission to change an existing property</li>
+  
+<li><tt>REMOVE</tt>: aggregation of <tt>REMOVE_NODE</tt> and <tt>REMOVE_PROPERTY</tt></li>
+  
+<li><tt>USER_MANAGEMENT</tt>: permission to execute user management related tasks such as e.g. creating or removing user/group, changing user password and editing group membership.</li>
+  
+<li><tt>INDEX_DEFINITION_MANAGEMENT</tt>: permission to create, modify and remove the oak:index node and it&#x2019;s subtree which is expected to contain the index definitions.</li>
+</ul>
+<p>The following permissions are now an aggregation of new permissions:</p>
+
+<ul>
+  
+<li><tt>READ</tt>: aggregates <tt>READ_NODE</tt> and <tt>READ_PROPERTY</tt></li>
+  
+<li><tt>SET_PROPERTY</tt>: aggregates <tt>ADD_PROPERTY</tt>, <tt>MODIFY_PROPERTY</tt> and <tt>REMOVE_PROPERTY</tt></li>
+</ul></div></div>
+<div class="section">
+<h4>2. Permission Evaluation<a name="a2._Permission_Evaluation"></a></h4>
+<div class="section">
+<h5>Reading<a name="Reading"></a></h5>
+<p>Due to the fine grained read permissions Oak read access can be separately granted/denied for nodes and properties. See also the section about extended restriction management in <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-792">OAK-792</a>. Granting the <tt>jcr:read</tt> privilege will result in a backwards compatible read access for nodes and their properties, while specifying <tt>rep:readNodes</tt> or <tt>rep:readProperties</tt> privileges allows separately granting or denying access to nodes and properties (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-910">OAK-910</a> for changes in the privilege definitions). Together with the restrictions this new behavior now allows to individually grant/deny access to properties that match a given name/path/nodetype (and as a possible extension even property value).</p>
+<p>The only break in terms of backwards compatibility is the accessibility of version content underneath <tt>/jcr:system/jcr:versionStore</tt>. As of Oak the access to version content depends on the read permissions present with the versionable node while Jackrabbit 2.x doesn&#x2019;t apply any special rule. These changes are covered by <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-444">OAK-444</a> and address the concerns summarized in <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-2963">JCR-2963</a>.</p></div>
+<div class="section">
+<h5>Property Modification<a name="Property_Modification"></a></h5>
+<p>Since Oak the former <tt>SET_PROPERTY</tt> permission has been split such to allow for more fined grained control on writing JCR properties. In particular Oak clearly distinguishes between creating a new property that didn&#x2019;t exist before, modifying or removing an existing property. This will allow to cover those cases where a given subject is only allowed to create content but doesn&#x2019;t have the ability to modify/delete it later on.</p></div>
+<div class="section">
+<h5>Node Removal<a name="Node_Removal"></a></h5>
+<p>As of Oak <tt>Node#remove()</tt> only requires sufficient permissions to remove the target node. In contrast to Jackrabbit 2.x the validation will not traverse the tree and verify remove permission on all child nodes/properties. In order to obtain backwards compatible behavior with respect to tree removal the permission evaluation can be configured to traverse down the hierarchy upon removal. This config flag is a best effort approach but doesn&#x2019;t guarantee an identical behavior.</p></div>
+<div class="section">
+<h5>Rename<a name="Rename"></a></h5>
+<p>Due to the nature of the diff mechanism in Oak it is not possible to distinguish between <tt>JackrabbitNode#rename</tt> and a move with subsequent reordering. Consequently the permission evaluation will no longer apply the special handling for the renaming as it was present in Jackrabbit 2.x (renaming just required the ability to modify the child collection of the parent node).</p></div>
+<div class="section">
+<h5>Move<a name="Move"></a></h5>
+<p>Due to the nature of the diff mechanism in Oak it is no longer possible to treat move operations the same way as it was implemented in Jackrabbit 2.x. The current permission evaluation attempts to provide a best-effort handling to achieve a similar behavior that it was present in Jackrabbit 2.x.</p>
+<p>The current implementation has the following limitations with respect to multiple move operations within a given set of transient operations:</p>
+
+<ul>
+  
+<li>Move operations that replace an node that has been moved away will not be detected as modification by the diff mechanism and regular permission checks for on the subtree will be performed.</li>
+  
+<li>Moving an ancestor of a node that has been moved will only detect the second move and will enforce regular permissions checks on the child that has been moved in a first step.</li>
+</ul>
+<p>For API consumers and applications running on Jackrabbit Oak this means that combinations of multiple moves can not always be properly resolved. Consequently permissions will be evaluated as if the modifications did not include move (in general being more restrictive): If the move leads to changes that are detected by the diff mechanism, regular permissions will be evaluated for all items that appear to be added, removed or modified, while a regular move operations just requires <tt>REMOVE_NODE</tt> permission on the source, <tt>ADD_NODE</tt> and <tt>NODE_TYPE_MANAGEMENT</tt> permissions at the destination.</p></div>
+<div class="section">
+<h5>User Management<a name="User_Management"></a></h5>
+<p>By default user management operations require the specific user mgt related permission to be granted for the editing subject. This permission (including a corresponding privilege) has been introduced with Oak 1.0. For backwards compatibility with Jackrabbit 2.x this behavior can be turned off by setting the corresponding configuration flag.</p></div>
+<div class="section">
+<h5>Version Management<a name="Version_Management"></a></h5>
+<p>Reading and writing items in the version store does not follow the regular permission evaluation but depends on access rights present on the corresponding versionable node. In case the version information does no longer have a versionable node in this workspace that original path is used to evaluate the effective permissions that would apply to that node if the version was restored. Note, that as in Jackrabbit VERSION_MANAGEMENT permission instead of the regular JCR write permissions is required in order to execute version operations and thus modify the version store. These changes are covered by <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-444">OAK-444</a> and address the concerns summarized in <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-2963">JCR-2963</a>.</p></div>
+<div class="section">
+<h5>Query Index Definitions<a name="Query_Index_Definitions"></a></h5>
+<p>Writing query index definitions requires the specific index definition management which is enforce on nodes named &#x201c;oak:index&#x201d; and the subtree defined by them. Note that the corresponding items are not protected in the JCR sense. Consequently any other modification in these subtrees like e.g. changing the primary type or adding mixin types is governed by the corresponding privileges.</p></div></div>
+<div class="section">
+<h4>3. Administrative Principals<a name="a3._Administrative_Principals"></a></h4>
+<p>The following principals always have full access to the whole content repository irrespective of the access control content:</p>
+
+<ul>
+  
+<li><tt>SystemPrincipal</tt></li>
+  
+<li>All instances of <tt>AdminPrincipal</tt></li>
+  
+<li>All principals whose name matches the configured administrative principal names (see Configuration section below). This configuration only applies to the permission evaluation and is currently not reflected in other security models nor methods that deal with the administrator (i.e. <tt>User#isAdmin</tt>).</li>
+</ul></div>
+<div class="section">
+<h4>4. Node Types<a name="a4._Node_Types"></a></h4>
+
+<div class="source">
+<pre>[rep:PermissionStore]
+  - rep:accessControlledPath (STRING) protected IGNORE
+  - rep:numPermissions (LONG) protected IGNORE
+  - rep:modCount (LONG) protected IGNORE
+  + * (rep:PermissionStore) = rep:PermissionStore protected IGNORE
+  + * (rep:Permissions) = rep:Permissions protected IGNORE
+
+[rep:Permissions]
+  - * (UNDEFINED) protected IGNORE
+  - * (UNDEFINED) protected multiple IGNORE
+  + * (rep:Permissions) = rep:Permissions protected IGNORE
+
+[rep:VersionablePaths]
+  mixin
+  - * (PATH) protected ABORT
+</pre></div></div>
+<div class="section">
+<h4>5. API Extensions<a name="a5._API_Extensions"></a></h4>
+<p>org.apache.jackrabbit.oak.spi.security.authorization.permission</p>
+
+<ul>
+  
+<li><tt>PermissionProvider</tt>: Main entry point for Oak internal permission evaluation.</li>
+  
+<li><tt>Permissions</tt>: The permissions defined, respected and evaluated by the repository.</li>
+  
+<li><tt>PermissionConstants</tt>: Constants used throughout the permission evaluation.</li>
+</ul></div>
+<div class="section">
+<h4>6. Configuration<a name="a6._Configuration"></a></h4>
+<p>Configuration Parameters supported by the default implementation</p>
+
+<ul>
+  
+<li><tt>PARAM_PERMISSIONS_JR2</tt>: Enables backwards compatible behavior for the permissions listed in the parameter value. Currently the following values are allowed: <tt>USER_MANAGEMENT</tt> and <tt>REMOVE_NODE</tt>. The parameter value must contain the permission names separated by &#x2018;,&#x2019;.</li>
+  
+<li><tt>PARAM_READ_PATHS</tt>: default set of paths that are always readable to all principals irrespective of other permissions defined at that path or inherited from other nodes.</li>
+  
+<li><tt>PARAM_ADMINISTRATIVE_PRINCIPALS</tt>: The names of the additional principals that have full permission and for which the permission evaluation can be skipped altogether.</li>
+</ul>
+<p>Differences to Jackrabbit 2.x The <tt>omit-default-permission</tt> configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak. Since there are no permissions installed by default this flag has become superfluous.</p>
+<!-- hidden references --></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Added: jackrabbit/site/live/oak/docs/differences_principal.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_principal.html?rev=1621788&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_principal.html (added)
+++ jackrabbit/site/live/oak/docs/differences_principal.html Mon Sep  1 13:58:43 2014
@@ -0,0 +1,449 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Principal Management : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>Principal Management : Differences wrt Jackrabbit 2.x<a name="Principal_Management_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>1. Characteristics of the Principal Management Implementation<a name="a1._Characteristics_of_the_Principal_Management_Implementation"></a></h4>
+<p>The default implementation of the principal management API basically corresponds to the default in Jackrabbit 2.x and is based on the user management implementation. Note however, that as of OAK only a single principal provider is exposed on the SPI level (used to be multiple principal providers with the LoginModule configuration in Jackrabbit 2.x). See the configuration section below for details.</p></div>
+<div class="section">
+<h4>2. API Extensions<a name="a2._API_Extensions"></a></h4>
+
+<ul>
+  
+<li><tt>PrincipalProvider</tt> [0]: SPI level access to principals known to the repository which is also used by the default implementation of the <tt>PrincipalManager</tt> interface. This interface replaces the internal PrincipalProvider interface present in Jackrabbit 2.x. Note, that principals from different sources can be supported by using <tt>CompositePrincipalProvider</tt> [1] or a similar implementation that proxies different sources.</li>
+</ul>
+<div class="section">
+<h5>Special Principals<a name="Special_Principals"></a></h5>
+
+<ul>
+  
+<li><tt>AdminPrincipal</tt>: Marker interface to identify the principal associated with administrative user(s) [2].</li>
+  
+<li><tt>EveryonePrincipal</tt>: built-in group principal implementation that has every other valid principal as member [3].</li>
+  
+<li><tt>SystemPrincipal</tt>: built-in principal implementation to mark system internal subjects [4].</li>
+</ul></div></div>
+<div class="section">
+<h4>3. Configuration<a name="a3._Configuration"></a></h4>
+<div class="section">
+<h5>PrincipalConfiguration [5]:<a name="PrincipalConfiguration_5:"></a></h5>
+
+<ul>
+  
+<li><tt>getPrincipalManager</tt> -&gt; returns a new instance of o.a.j.api.security.principal.PrincipalManager [6] (see also <tt>JackrabbitSession#getPrincipalManager()</tt></li>
+  
+<li><tt>getPrincipalProvider</tt> -&gt; returns a new instance of principal provider. Note, that in contrast to Jackrabbit 2.x the system may only have one single principal provider implementation configured. In order to combine principals from different sources a implementation that properly handles the different sources is required; the <tt>CompositePrincipalProvider</tt> [1] is an example that combines multiple implementations.</li>
+</ul></div></div>
+<div class="section">
+<h4>4. References<a name="a4._References"></a></h4>
+<p>[0] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalProvider.java</a></p>
+<p>[1] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/CompositePrincipalProvider.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/CompositePrincipalProvider.java</a></p>
+<p>[2] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/AdminPrincipal.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/AdminPrincipal.java</a></p>
+<p>[3] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.java</a></p>
+<p>[4] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/SystemPrincipal.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/SystemPrincipal.java</a></p>
+<p>[5] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalConfiguration.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/principal/PrincipalConfiguration.java</a></p>
+<p>[6] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/principal/PrincipalManager.java">http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/principal/PrincipalManager.java</a></p></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file