Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/08/30 11:48:46 UTC

svn commit: r1839663 [15/22] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/document/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication...

Modified: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Pre-Authenticated Login</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
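Review bot: The regenerated page is stamped by an older renderer and an earlier date than the file it replaces: the header comment becomes `Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21` and `Date-Revision-yyyymmdd` goes from `20180829` back to `20180221`. The header hunks of token/default.html and tokenmanagement.html show the same regression, and later hunks drop the Jackrabbit API, Direct Binary Access and MongoDB DocumentStore navigation entries, which suggests the site was published from a stale build rather than from current sources. For security documentation this risks silently reverting published guidance, so it is worth confirming the build inputs and, if the rollback is unintended, regenerating from the current sources.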
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,39 +239,42 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Pre-Authenticated_Login"></a>Pre-Authenticated Login</h2>
 <p>Oak provides two different mechanisms to create pre-authentication that doesn&#x2019;t involve the repositories internal authentication mechanism for credentials validation.</p>
-<ul>
 
+<ul>
+  
 <li><a href="#withloginchain">Pre-Authentication combined with Login Module Chain</a></li>
+  
 <li><a href="#withoutrepository">Pre-Authentication without Repository Involvement</a></li>
 </ul>
-<a name="withloginchain"></a>
-### Pre-Authentication combined with Login Module Chain
-
+<p><a name="withloginchain"></a></p>
+<div class="section">
+<h3><a name="Pre-Authentication_combined_with_Login_Module_Chain"></a>Pre-Authentication combined with Login Module Chain</h3>
 <p>This first variant allows to support 3rd party login modules that wish to provide the login context with pre authenticated login names, but still want to rely on the rest of the Oak&#x2019;s login module chain. For example an external SSO login module can extract the userid from a servlet request and use it to authenticate against the repository. But instead of re-implementing the user lookup and subject population (and possible external user synchronization) it just informs any subsequent login modules that the credential validation was already successful.</p>
 <p>The key to understand this mechanism is the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html">PreAuthenticatedLogin</a> marker class, which is pushed to the shared state of the login context and which indicates to any subsequent LoginModule that the credentials present in the state already have been verified and thus can be trusted.</p>
 <p>This setup is particularly recommended in a OSGi setup that includes Apache Sling on top of the Oak repository but still requires user information to be synchronized into the repository.</p>
 <div class="section">
-<div class="section">
 <h4><a name="How_it_works"></a>How it works</h4>
 <p>The basic steps of the pre-authentication in combination with regular JAAS login module chain are outlined as follows:</p>
-<ol style="list-style-type: decimal">
 
+<ol style="list-style-type: decimal">
+  
 <li>verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling Authentication Handler)</li>
+  
 <li>pass a custom, non-public Credentials implementation to the repository login</li>
-<li>create a custom login module that only supports these dedicated credentials and pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information required and processed by subsequent login modules (e.g. credentials and user name).</li>
-<li>make sure the subsequent login modules in the JAAS configuration are capable to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and will properly populate the subject and optionally synchronize user information or create login tokens.</li>
+  
+<li>create a custom login module that only supports these dedicated credentials and  pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information  required and processed by subsequent login modules (e.g. credentials and  user name).</li>
+  
+<li>make sure the subsequent login modules in the JAAS configuration are capable  to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and  will properly populate the subject and optionally synchronize user information  or create login tokens.</li>
 </ol>
 <div class="section">
 <h5><a name="Example"></a>Example</h5>
 <p>Example implementation of <tt>LoginModule#login</tt> that pushes the <tt>PreAuthenticatedLogin</tt> marker to the shared state:</p>
 
-<div>
-<div>
-<pre class="source">public class PreAuthLoginModule extends AbstractLoginModule {
+<div class="source">
+<div class="source"><pre class="prettyprint">public class PreAuthLoginModule extends AbstractLoginModule {
 
 [...]
 
@@ -303,11 +294,11 @@
         }
 
         [...]
-        
+
         // subsequent login modules need to succeed and process the 'PreAuthenticatedLogin'
         return false;
     }
-    
+
     @Overwrite
     public boolean commit() {
         // this module leaves subject population to the subsequent modules 
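Review bot: The sample's `commit()` is annotated `@Overwrite`, which is not a Java annotation; `@Override` is presumably meant, and a reader who copies the login module example gets a compile error. Since this page is generated, the fix belongs in the markdown source: `@Override` above `public boolean commit() {`. The class body starts and ends outside this hunk, so the annotation on `login()` could not be checked here.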
@@ -316,27 +307,29 @@
     }
 }
 </pre></div></div>
-<a name="withoutrepository"></a>
-### Pre-Authentication without Repository Involvement
-
+<p><a name="withoutrepository"></a></p></div></div></div>
+<div class="section">
+<h3><a name="Pre-Authentication_without_Repository_Involvement"></a>Pre-Authentication without Repository Involvement</h3>
 <p>Like in Jackrabbit-core the repository internal authentication verification can be skipped by calling <tt>Repository#login()</tt> or <tt>Repository#login(null, wspName)</tt>. In this case the repository implementation expects the verification to be performed prior to the login call.</p>
-<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p></div></div>
+<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p>
 <div class="section">
 <h4><a name="Options_to_modify_the_default_behavior"></a>Options to modify the default behavior</h4>
 <p>Since the <tt>LoginContextProvider</tt> is a configurable with the authentication setup OAK users also have the following options by providing a custom <tt>LoginContextProvider</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>Disable pre-authentication by not trying to retrieve a pre-authenticated <tt>Subject</tt>.</li>
+  
 <li>Add support for extending the pre-authenticated subject by always passing writable subjects to the <tt>JaasLoginContext</tt></li>
-<li>Dropping JAAS altogether by providing a custom implementation of the <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
+  
+<li>Dropping JAAS altogether by providing a custom implementation of the  <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
 </ul>
 <div class="section">
 <h5><a name="Example"></a>Example</h5>
 <p>Example how to use this type of pre-authentication:</p>
 
-<div>
-<div>
-<pre class="source">String userId = &quot;test&quot;;
+<div class="source">
+<div class="source"><pre class="prettyprint">String userId = &quot;test&quot;;
 /**
  * Retrive valid principals e.g. by using Jackrabbit or Oak API:
  * - PrincipalManager#getPrincipal and/or #getGroupMembership

Modified: jackrabbit/site/live/oak/docs/security/authentication/token/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/token/default.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/token/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/token/default.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Token Management : The Default Implementation</title>
     <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,8 +239,7 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Token_Management_:_The_Default_Implementation"></a>Token Management : The Default Implementation</h2>
 <div class="section">
 <h3><a name="General_Notes"></a>General Notes</h3>
@@ -264,17 +251,15 @@
 <p>The creation of a new token is triggered by valid and supported <tt>Credentials</tt> passed to the login module chain that contain an additional, empty <tt>.token</tt> attribute.</p>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will obtain these <tt>Credentials</tt> from the shared state during the commit phase (i.e. phase 2 of the JAAS authentication) and will pass them to the configured <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a> implementation the following sequence:</p>
 
-<div>
-<div>
-<pre class="source">Credentials shared = getSharedCredentials();
+<div class="source">
+<div class="source"><pre class="prettyprint">Credentials shared = getSharedCredentials();
 if (shared != null &amp;&amp; tokenProvider.doCreateToken(shared)) {
     [...]
     TokenInfo ti = tokenProvider.createToken(shared);
     [...]
 }
 </pre></div></div>
-
-<p>In case of success these steps will have generated a new token and stored it&#x2019;s hash along with all mandatory and informative attributes to the new content node  representing the token.</p>
+<p>In case of success these steps will have generated a new token and stored it&#x2019;s hash along with all mandatory and informative attributes to the new content node representing the token.</p>
 <div class="section">
 <h5><a name="Supported_Credentials_for_Token_Creation"></a>Supported Credentials for Token Creation</h5>
 <p>By default the implementation deals with shared <tt>SimpleCredentials</tt>.</p>
@@ -284,9 +269,11 @@ if (shared != null &amp;&amp; tokenProvi
 <h4><a name="Token_Validation"></a>Token Validation</h4>
 <p>Once a token has been created it can be used for subsequent repository logins with <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java">TokenCredentials</a>. This time the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will attempt to perform the login phase (i.e. phase 1 of the JAAS authentication).</p>
 <p>This includes resolving the login token (<tt>TokenProvider.getTokenInfo</tt>) and asserting it&#x2019;s validity in case it exists. The validation consists of following steps:</p>
-<ul>
 
+<ul>
+  
 <li>check that the token has not expired (<tt>TokenInfo.isExpired</tt>)</li>
+  
 <li>verify that all mandatory attributes are present and match the expectations (<tt>TokenInfo.matches</tt>)</li>
 </ul>
 <p>Only if these steps have been successfully completed the login of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will succeed.</p></div>
@@ -296,21 +283,21 @@ if (shared != null &amp;&amp; tokenProvi
 <div class="section">
 <h4><a name="Resetting_Expiration_Time"></a>Resetting Expiration Time</h4>
 <p>The default <tt>TokenProvider</tt> implementation will automatically reset the expiration time of a given token upon successful authentication.</p>
-<p>This behavior can be disabled by setting the <tt>tokenRefresh</tt> configuration parameter to <tt>false</tt> (see <tt>PARAM_TOKEN_REFRESH</tt> below). In this case expiration time will not be reset and an attempt to do so using the API (e.g. calling <tt>TokenInfo.resetExpiration(long loginTime)</tt>) will return <tt>false</tt> indicating that the expiration time has not been reset. The token will consequently expire and the user will need to login again using the configured login mechanism (e.g. using the credentials support for token creation).</p></div>
+<p>This behavior can be disabled by setting the <tt>tokenRefresh</tt> configuration parameter to <tt>false</tt> (see <tt>PARAM_TOKEN_REFRESH</tt> below). In this case expiration time will not be reset and an attempt to do so using the API (e.g. calling <tt>
+TokenInfo.resetExpiration(long loginTime)</tt>) will return <tt>false</tt> indicating that the expiration time has not been reset. The token will consequently expire and the user will need to login again using the configured login mechanism (e.g. using the credentials support for token creation).</p></div>
 <div class="section">
 <h4><a name="Token_Cleanup"></a>Token Cleanup</h4>
 <p>Automatic token cleanup can be enabled by setting the <tt>tokenCleanupThreshold</tt> parameter to a value larger than <tt>0</tt> (<tt>0</tt> means disabled). This will trigger a cleanup call if the number of tokens under a user exceeds this value. (As an implementation detail a throttling method was introduced to only allow the call to go through 1/8 times).</p>
 <p>This is available with Oak 1.7.12 on, see also [OAK-6818]for additional information.</p>
-<a name="representation"></a>
-### Representation in the Repository
-</div>
+<p><a name="representation"></a></p></div></div>
+<div class="section">
+<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
 <div class="section">
 <h4><a name="Content_Structure"></a>Content Structure</h4>
 <p>The login tokens issued for a given user are all located underneath a node named <tt>.tokens</tt> that will be created by the <tt>TokenProvider</tt> once the first token is created. The default implementation creates a distinct node for each login token as described below</p>
 
-<div>
-<div>
-<pre class="source">testUser {
+<div class="source">
+<div class="source"><pre class="prettyprint">testUser {
     &quot;jcr:primaryType&quot;: &quot;rep:User&quot;,
     ...
     &quot;.tokens&quot; {
@@ -328,33 +315,32 @@ if (shared != null &amp;&amp; tokenProvi
         }
     }
 }
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h4><a name="Token_Nodes"></a>Token Nodes</h4>
 <p>As of Oak 1.0 the login token are represented in the repository as follows:</p>
-<ul>
 
+<ul>
+  
 <li>the token node is referenceable with the dedicated node type <tt>rep:Token</tt> (used to be unstructured in Jackrabbit 2.x)</li>
+  
 <li>expiration and key properties are defined to be mandatory and protected</li>
-<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the configuration parameter with the same name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
+  
+<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the  login attributes and falls back to the configuration parameter with the same  name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
 </ul>
 <p>The definition of the new built-in node type <tt>rep:Token</tt>:</p>
 
-<div>
-<div>
-<pre class="source">[rep:Token] &gt; mix:referenceable
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:Token] &gt; mix:referenceable
 - rep:token.key (STRING) protected mandatory
 - rep:token.exp (DATE) protected mandatory
 - * (UNDEFINED) protected
 - * (UNDEFINED) multiple protected
 </pre></div></div>
-
 <p>The following example illustrates the token nodes resulting from this node type definition:</p>
 
-<div>
-<div>
-<pre class="source">testUser {
+<div class="source">
+<div class="source"><pre class="prettyprint">testUser {
         &quot;jcr:primaryType&quot;: &quot;rep:User&quot;,
         ...
         &quot;.tokens&quot; {
@@ -379,119 +365,210 @@ if (shared != null &amp;&amp; tokenProvi
     }
 }
 </pre></div></div>
-<a name="validation"></a>
-### Validation
-
+<p><a name="validation"></a></p></div></div>
+<div class="section">
+<h3><a name="Validation"></a>Validation</h3>
 <p>The consistency of this content structure both on creation and modification is asserted by a dedicated <tt>TokenValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
-<table border="0" class="table table-striped">
-<thead>
 
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<th> Code              </th>
-<th> Message                                                  </th></tr>
-</thead><tbody>
-
+      
+<th>Code </th>
+      
+<th>Message </th>
+    </tr>
+  </thead>
+  <tbody>
+    
 <tr class="b">
-<td> 0060              </td>
-<td> Attempt to create reserved token property in other ctx   </td></tr>
+      
+<td>0060 </td>
+      
+<td>Attempt to create reserved token property in other ctx </td>
+    </tr>
+    
 <tr class="a">
-<td> 0061              </td>
-<td> Attempt to change existing token key                     </td></tr>
+      
+<td>0061 </td>
+      
+<td>Attempt to change existing token key </td>
+    </tr>
+    
 <tr class="b">
-<td> 0062              </td>
-<td> Change primary type of existing node to rep:Token        </td></tr>
+      
+<td>0062 </td>
+      
+<td>Change primary type of existing node to rep:Token </td>
+    </tr>
+    
 <tr class="a">
-<td> 0063              </td>
-<td> Creation/Manipulation of tokens without using provider   </td></tr>
+      
+<td>0063 </td>
+      
+<td>Creation/Manipulation of tokens without using provider </td>
+    </tr>
+    
 <tr class="b">
-<td> 0064              </td>
-<td> Create a token outside of configured scope               </td></tr>
+      
+<td>0064 </td>
+      
+<td>Create a token outside of configured scope </td>
+    </tr>
+    
 <tr class="a">
-<td> 0065              </td>
-<td> Invalid location of token node                           </td></tr>
+      
+<td>0065 </td>
+      
+<td>Invalid location of token node </td>
+    </tr>
+    
 <tr class="b">
-<td> 0066              </td>
-<td> Invalid token key                                        </td></tr>
+      
+<td>0066 </td>
+      
+<td>Invalid token key </td>
+    </tr>
+    
 <tr class="a">
-<td> 0067              </td>
-<td> Mandatory token expiration missing                       </td></tr>
+      
+<td>0067 </td>
+      
+<td>Mandatory token expiration missing </td>
+    </tr>
+    
 <tr class="b">
-<td> 0068              </td>
-<td> Invalid location of .tokens node                         </td></tr>
+      
+<td>0068 </td>
+      
+<td>Invalid location of .tokens node </td>
+    </tr>
+    
 <tr class="a">
-<td> 0069              </td>
-<td> Change type of .tokens parent node                       </td></tr>
-</tbody>
+      
+<td>0069 </td>
+      
+<td>Change type of .tokens parent node </td>
+    </tr>
+  </tbody>
 </table>
-<a name="configuration"></a>
-### Configuration
-
-<p>The default Oak <tt>TokenConfiguration</tt> allows to define the following configuration options for the <tt>TokenProvider</tt>:</p></div>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
+<p>The default Oak <tt>TokenConfiguration</tt> allows to define the following configuration options for the <tt>TokenProvider</tt>:</p>
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
-<table border="0" class="table table-striped">
-<thead>
 
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<th> Parameter                           </th>
-<th> Type    </th>
-<th> Default                  </th></tr>
-</thead><tbody>
-
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
 <tr class="b">
-<td> PARAM_TOKEN_EXPIRATION              </td>
-<td> long    </td>
-<td> 2 * 3600 * 1000 (2 hours)</td></tr>
-<tr class="a">
-<td> PARAM_TOKEN_LENGTH                  </td>
-<td> int     </td>
-<td> 8                        </td></tr>
+      
+<td>PARAM_TOKEN_EXPIRATION </td>
+      
+<td>long </td>
+      
+<td>2 * 3600 * 1000 (2 hours)</td>
+    </tr>
+    
+<tr class="a">
+      
+<td>PARAM_TOKEN_LENGTH </td>
+      
+<td>int </td>
+      
+<td>8 </td>
+    </tr>
+    
 <tr class="b">
-<td> PARAM_TOKEN_REFRESH                 </td>
-<td> boolean </td>
-<td> true                     </td></tr>
-<tr class="a">
-<td> PARAM_PASSWORD_HASH_ALGORITHM       </td>
-<td> String  </td>
-<td> SHA-256                  </td></tr>
+      
+<td>PARAM_TOKEN_REFRESH </td>
+      
+<td>boolean </td>
+      
+<td>true </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>PARAM_PASSWORD_HASH_ALGORITHM </td>
+      
+<td>String </td>
+      
+<td>SHA-256 </td>
+    </tr>
+    
 <tr class="b">
-<td> PARAM_PASSWORD_HASH_ITERATIONS      </td>
-<td> int     </td>
-<td> 1000                     </td></tr>
-<tr class="a">
-<td> PARAM_PASSWORD_SALT_SIZE            </td>
-<td> int     </td>
-<td> 8                        </td></tr>
+      
+<td>PARAM_PASSWORD_HASH_ITERATIONS </td>
+      
+<td>int </td>
+      
+<td>1000 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>PARAM_PASSWORD_SALT_SIZE </td>
+      
+<td>int </td>
+      
+<td>8 </td>
+    </tr>
+    
 <tr class="b">
-<td> PARAM_TOKEN_CLEANUP_THRESHOLD       </td>
-<td> long    </td>
-<td> 0 (no cleanup)           </td></tr>
+      
+<td>PARAM_TOKEN_CLEANUP_THRESHOLD </td>
+      
+<td>long </td>
+      
+<td>0 (no cleanup) </td>
+    </tr>
+    
 <tr class="a">
+      
+<td> </td>
+      
 <td> </td>
+      
 <td> </td>
-<td> </td></tr>
-</tbody>
+    </tr>
+  </tbody>
 </table>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
 <p>In an OSGi-based setup the default <tt>TokenConfiguration</tt> you can bind a custom implementation of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface. Doing so allows to support any type of custom credentials, which do not reveal the ID of the user logging into repository.</p>
 <p>In particular when chaining the <tt>TokenLoginModule</tt> and the <tt>ExternalLoginModule</tt> the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> can be used to authenticate and synchronize users provided by third party systems during phase 1 (login) and generate a login token during phase 2 (commit). See section <a href="../externalloginmodule.html">Authentication with the External Login Module</a> for additional details. For this to work the same <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> must be configured with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> and the <tt>TokenConfiguration</tt> and <tt>CredentialsSupport.getUserId</tt> must reveal the ID of the synced user (i.e. <tt>Ex
 ternalUser.getId</tt>).</p>
 <p>In general the following steps are required in order to plug a different <tt>CredentialsSupport</tt> into the default <tt>TokenConfiguration</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>implement the <tt>CredentialsSupport</tt> interface (e.g. as extension to the <tt>ExternalIdentityProvider</tt>)</li>
+  
 <li>make sure the implementation is an OSGi service and deploy it to the Oak repository.</li>
 </ul>
 <div class="section">
+<div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Example_CredentialsSupport"></a>Example CredentialsSupport</h6>
 <p>In an OSGi-based setup it&#x2019;s sufficient to make the service available to the repository in order to enable a custom <tt>CredentialsSupport</tt>.</p>
 
-<div>
-<div>
-<pre class="source">@Component
+<div class="source">
+<div class="source"><pre class="prettyprint">@Component
 @Service(value = {CredentialsSupport.class})
 /**
  * Custom implementation of the {@code CredentialsSupport} interface.
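Review bot: The re-rendered Configuration Parameters table still ends with an all-empty row (three `<td> </td>` cells under `<tr class="a">`), and it lists security-relevant defaults without units or context: `PARAM_TOKEN_LENGTH` is `8` and `PARAM_PASSWORD_SALT_SIZE` is `8`, with no indication of whether these are bytes or characters. Both come from the markdown source rather than this generated file, so the fix is to drop the trailing empty table row there and state the unit next to each size. A sentence on whether the defaults are intended for production use, in particular `PARAM_PASSWORD_HASH_ITERATIONS` at `1000`, would help readers decide whether to override them.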
@@ -527,14 +604,14 @@ final class MyCredentialsSupport impleme
        // TODO: optional implementation
        return false;
     }
-    
+
     [...]
 }
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h6><a name="Example_CredentialsSupport_in_Combination_with_External_Authentication"></a>Example CredentialsSupport in Combination with External Authentication</h6>
-<p>See section <a href="../externalloginmodule.html#pluggability">Authentication with the External Login Module</a> for an example.</p><!-- references --></div></div></div></div></div>
+<p>See section <a href="../externalloginmodule.html#pluggability">Authentication with the External Login Module</a> for an example.</p>
+<!-- references --></div></div></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Token Authentication and Token Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
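Review bot: The new side of this header looks older than the side it replaces: the generator stamp goes from `Doxia Site Renderer 1.8.1 at 2018-08-29` to `1.7.4 at 2018-02-21`, and `Date-Revision-yyyymmdd` from `20180829` to `20180221`, in a commit dated 2018-08-30. The same change appears in the header hunks of usersync.html and authorization.html, and the navigation hunks of all three files drop the Jackrabbit API, Direct Binary Access and MongoDB DocumentStore entries. That pattern is consistent with publishing from a stale checkout or an older toolchain, though the page does not say which. It is worth confirming that the security pages were regenerated from the current sources, so that no later documentation change is silently rolled back on the live site.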
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,16 +239,18 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Token_Authentication_and_Token_Management"></a>Token Authentication and Token Management</h2>
 <div class="section">
 <h3><a name="General"></a>General</h3>
 <p>The token based authentication has been completely refactor in Oak and has the following general characteristics.</p>
-<ul>
 
+<ul>
+  
 <li>Dedicated API for managing login tokens defined in the package <tt>org.apache.jackrabbit.oak.spi.security.authentication.token</tt>.</li>
+  
 <li>Pluggable configuration of the new token management API</li>
+  
 <li>Complete separation of token based authentication into a separate <tt>LoginModule</tt>.</li>
 </ul></div>
 <div class="section">
@@ -271,66 +261,80 @@
 <h4><a name="TokenLoginModule"></a>TokenLoginModule</h4>
 <p>The <tt>TokenLoginModule</tt>designed to support and issue <tt>TokenCredentials</tt>. The authentication phases behave as follows:</p>
 <p><i>Phase 1: Login</i></p>
-<ul>
 
+<ul>
+  
 <li>if no <tt>TokenProvider</tt> is available <b>returns <tt>false</tt></b></li>
+  
 <li>if a <tt>TokenProvider</tt> has been configured it retrieves JCR credentials from the [CallbackHandler] using the [CredentialsCallback]</li>
-<li>in case of <tt>TokenCredentials</tt> validates these credentials: if it succeeds it pushes the users ID to the shared state and returns <tt>true</tt>; otherwise throws <tt>LoginException</tt></li>
+  
+<li>in case of <tt>TokenCredentials</tt> validates these credentials: if it succeeds  it pushes the users ID to the shared state and returns <tt>true</tt>; otherwise throws <tt>LoginException</tt></li>
+  
 <li>for other credentials the method returns <tt>false</tt></li>
 </ul>
 <p><i>Phase 1: Commit</i></p>
-<ul>
 
+<ul>
+  
 <li>if phase 1 succeeded the subject is populated and the method returns <tt>true</tt></li>
-<li>in case phase 1 did not succeed this method will test if the shared state contain credentials that ask for a new token being created; if this succeeds it will create a new instance of <tt>TokenCredentials</tt>, push the public attributes to the shared stated and update the subject with the new credentials; finally the commit call <b>returns <tt>false</tt></b></li>
+  
+<li>in case phase 1 did not succeed this method will test if the shared state contain  credentials that ask for a new token being created; if this succeeds it will  create a new instance of <tt>TokenCredentials</tt>, push the public attributes to the  shared stated and update the subject with the new credentials;  finally the commit call <b>returns <tt>false</tt></b></li>
 </ul>
 <div class="section">
 <h5><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h5>
-<p>jackrabbit.oak { org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient; org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required; };</p>
-<a name="api_extensions"></a>
-### Token Management API
-
+<p>jackrabbit.oak {  org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;  org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;  };</p>
+<p><a name="api_extensions"></a></p></div></div></div>
+<div class="section">
+<h3><a name="Token_Management_API"></a>Token Management API</h3>
 <p>Oak 1.0 defines the following interfaces used to manage login tokens:</p>
-<ul>
 
+<ul>
+  
 <li>[TokenConfiguration]: Interface to obtain a <tt>TokenProvider</tt> instance (see section <a href="#configuration">configuration</a> below).</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a>: Interface to read and manage login tokens.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenInfo.html">TokenInfo</a>: Information associated with a given login token and token validity.</li>
 </ul>
 <p>In addition Oak comes with a default implementation of the provider interface that is able to aggregate multiple <tt>TokenProvider</tt>s:</p>
-<ul>
 
+<ul>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenConfiguration.html">CompositeTokenConfiguration</a>: Extension of the <tt>CompositeConfiguration</tt> to combined different token management implementations.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenProvider.html">CompositeTokenProvider</a>: Aggregation of the <tt>TokenProvider</tt> implementations defined by the configurations contained the <tt>CompositeTokenConfiguration</tt></li>
 </ul>
 <p>See section <a href="#pluggability">Pluggability</a> for an example.</p>
-<a name="default_implementation"></a>
-### Characteristics of the Default Implementation
-
-<p>The characteristics of the default token management implementation is described in section <a href="token/default.html">Token Management : The Default Implementation</a>.</p>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="default_implementation"></a></p></div>
+<div class="section">
+<h3><a name="Characteristics_of_the_Default_Implementation"></a>Characteristics of the Default Implementation</h3>
+<p>The characteristics of the default token management implementation is described in section <a href="token/default.html">Token Management : The Default Implementation</a>. </p>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <p>The configuration options of the default implementation are described in the <a href="token/default.html#configuration">Configuration</a> section.</p>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
 <p>The default security setup as present with Oak 1.0 is able to deal with custom token management implementations and will collect multiple implementations within <tt>CompositeTokenConfiguration</tt> present with the <tt>SecurityProvider</tt>. The <tt>CompositeTokenConfiguration</tt> itself will combine the different <tt>TokenProvider</tt> implementations using the <tt>CompositeTokenProvider</tt>.</p>
 <p>In an OSGi setup the following steps are required in order to add a custom token provider implementation:</p>
-<ul>
 
+<ul>
+  
 <li>implement <tt>TokenProvider</tt> interface</li>
+  
 <li>expose the custom provider by your custom <tt>TokenConfiguration</tt> service</li>
+  
 <li>make the configuration available to the Oak repository.</li>
-</ul></div>
+</ul>
+<div class="section">
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Example_TokenConfiguration"></a>Example TokenConfiguration</h6>
 
-<div>
-<div>
-<pre class="source">@Component()
+<div class="source">
+<div class="source"><pre class="prettyprint">@Component()
 @Service({TokenConfiguration.class, SecurityConfiguration.class})
 public class MyTokenConfiguration extends ConfigurationBase implements TokenConfiguration {
 
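Review bot: The second phase heading on the new side still reads `Phase 1: Commit`, although the list under it describes the commit step and its first item refers back to "if phase 1 succeeded"; it should read `<p><i>Phase 2: Commit</i></p>`, which also matches the preauthentication page's "phase 1 (login) … phase 2 (commit)". The example JAAS configuration is likewise emitted as a single `<p>`, so the `sufficient` and `required` control flags of the two login modules run together on one line; marking it as a code block would render it in a `<pre>` like the other examples. Both lines are carried over rather than introduced by this hunk, so the fix belongs in the document this HTML is generated from (presumably Markdown, given the raw `###` headings on the old side), not in this file. The example class that closes the hunk continues outside it.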

Modified: jackrabbit/site/live/oak/docs/security/authentication/usersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/usersync.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/usersync.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/usersync.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; User and Group Synchronization</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,59 +239,76 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="User_and_Group_Synchronization"></a>User and Group Synchronization</h2>
 <div class="section">
 <h3><a name="General"></a>General</h3>
 <p>The synchronization of users and groups is triggered by the <a href="externalloginmodule.html">ExternalLoginModule</a>, after a user is successfully authenticated against the IDP or if it&#x2019;s no longer present on the IDP.</p></div>
 <div class="section">
 <h3><a name="Synchronization_API"></a>Synchronization API</h3>
-<ul>
 
+<ul>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncManager.html">SyncManager</a>: factory for all configured <tt>SyncHandler</tt> implementations.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a>: responsible for synchronizing users/groups from an <tt>ExternalIdentityProvider</tt> into the repository.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a>: executes the synchronization</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncedIdentity.html">SyncedIdentity</a>: represents a synchronized identity</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.html">SyncResult</a>: the result of a sync operation</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncException.html">SyncException</a>: marker for sync related errors</li>
 </ul>
 <div class="section">
 <h4><a name="JMX_Synchronization_Tool"></a>JMX Synchronization Tool</h4>
 <p>In addition to the synchronization API Oak 1.0 defines utilities to manage synchronized external identities within JMX (<tt>SynchronizationMBean</tt>) which allows for the following tasks:</p>
-<ul>
 
+<ul>
+  
 <li><tt>syncUsers(String[] userIds, boolean purge)</tt></li>
+  
 <li><tt>syncAllUsers(boolean purge)</tt></li>
+  
 <li><tt>syncExternalUsers(String[] externalIds)</tt></li>
+  
 <li><tt>syncAllExternalUsers()</tt></li>
+  
 <li><tt>listOrphanedUsers()</tt></li>
+  
 <li><tt>purgeOrphanedUsers()</tt></li>
 </ul></div></div>
 <div class="section">
 <h3><a name="Default_Implementation"></a>Default Implementation</h3>
-<p>Oak 1.0 provides a default implementation of the user synchronization API that allow to plug additional <tt>SyncHandler</tt> implementations.</p>
+<p>Oak 1.0 provides a default implementation of the user synchronization API that allow to plug additional <tt>SyncHandler</tt> implementations. </p>
 <p>Default implementation is described in section <a href="external/defaultusersync.html">User and Group Synchronization : The Default Implementation</a>.</p></div>
 <div class="section">
 <h3><a name="Pluggability"></a>Pluggability</h3>
 <p>There are two ways to replace/change the user synchronization behavior</p>
-<ol style="list-style-type: decimal">
 
+<ol style="list-style-type: decimal">
+  
 <li>Write custom <tt>SyncManager</tt></li>
+  
 <li>Write custom <tt>SyncHandler</tt></li>
 </ol>
 <p>The following steps are required in order to replace the default <tt>SyncManager</tt> implementation or plug a new implementation of the <tt>SyncHandler</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>write your custom implementation of the interface</li>
+  
 <li>make the manager/handler available to the authentication setup or sync manager
+  
 <ul>
-
+    
 <li>OSGi setup: making the implementation an OSGi service</li>
+    
 <li>non-OSGi setup: configure the manager/handler during manual <a href="../../construct.html">Repository Construction</a>.</li>
+  </ul></li>
 </ul>
-</li>
-</ul><!-- references --></div></div>
+<!-- references --></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authorization.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization.html (original)
+++ jackrabbit/site/live/oak/docs/security/authorization.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Authorization</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,47 +239,54 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Authorization"></a>Authorization</h2>
 <div class="section">
 <h3><a name="General_Notes"></a>General Notes</h3>
 <p>One of main goals for Oak security, was to clearly separates between access control management (such as defined by the JCR and Jackrabbit API) and the internal permission evaluation.</p>
 <p>While access control management is defined to be an optional feature added in JCR 2.0, permission evaluation was mandated since the very first version of JCR even though it remained an implementation detail.</p>
 <p>The documentation follows this separations and handles access control and permission evaluation separately:</p>
-<ul>
 
+<ul>
+  
 <li><a href="accesscontrol.html">Access Control Management</a></li>
+  
 <li><a href="permission.html">Permissions</a></li>
 </ul>
 <p>Despite the fact that there is a distinction between the public facing access control management and the internal permission evaluation, these two topics remain connected to one another and a given authorization model is expected to define and handle both in a consistent manner. Consequently the main entry point for authorization related operations is a single <tt>AuthorizationConfiguration</tt> (see section <a href="#configuration">configuration</a> below).</p>
-<a name="api_extensions"></a>
-### API Extensions
-
+<p><a name="api_extensions"></a></p></div>
+<div class="section">
+<h3><a name="API_Extensions"></a>API Extensions</h3>
 <p>The API extensions provided by Oak are covered in the following sections:</p>
-<ul>
 
+<ul>
+  
 <li><a href="accesscontrol.html#api_extensions">Access Control Management</a></li>
+  
 <li><a href="permission.html#api_extensions">Permissions</a></li>
+  
 <li><a href="authorization/restriction.html#api_extensions">Restriction Management</a></li>
 </ul>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <p>The configuration of the authorization related parts is handled by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>. This class provides the following methods:</p>
-<ul>
 
+<ul>
+  
 <li><tt>getAccessControlManager</tt>: get a new ac manager instance (see <a href="accesscontrol.html">Access Control Management</a>).</li>
+  
 <li><tt>getPermissionProvider</tt>: get a new permission provider instance (see <a href="permission.html">Permissions</a>).</li>
+  
 <li><tt>getRestrictionProvider</tt>: get a new instance of the restriction provider (see <a href="authorization/restriction.html">Restriction Management</a>.</li>
 </ul>
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
 <p>The supported configuration options of the default implementation are described separately for <a href="accesscontrol/default.html#configuration">access control management</a> and <a href="permission/default.html#configuration">permission evalution</a> .</p>
-<a name="pluggability"></a>
-### Pluggability
-
-<p>There are multiple options for plugging authorization related custom implementations:</p></div>
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
+<p>There are multiple options for plugging authorization related custom implementations:</p>
 <div class="section">
 <h4><a name="Aggregation_of_Different_Authorization_Models"></a>Aggregation of Different Authorization Models</h4>
 <div class="section">
@@ -301,21 +296,26 @@
 <div class="section">
 <h5><a name="Previous_Versions"></a>Previous Versions</h5>
 <p>In previous versions of Oak aggregation of multiple authorization models was not supported and it was only possible to replace the existing <tt>AuthorizationConfiguration</tt>. This would completely replace the default way of handling authorization in the repository.</p>
-<p>In OSGi-base setup this is achieved by making the configuration implementation a service such that it takes precendece over the default.</p>
+<p>In OSGi-base setup this is achieved by making the configuration implementation a service such that it takes precendece over the default. </p>
 <p>In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</p></div></div>
 <div class="section">
 <h4><a name="Extending_the_Restriction_Provider"></a>Extending the Restriction Provider</h4>
 <p>In all versions of Oak it is possible to plug custom implementation(s) for the restriction management that allows to narrow the effect of permissions to items matching a given, defined behavior. Details can be found in section <a href="authorization/restriction.html#pluggability">RestrictionManagement</a>.</p>
-<a name="further_reading"></a>
-### Further Reading
+<p><a name="further_reading"></a></p></div></div>
+<div class="section">
+<h3><a name="Further_Reading"></a>Further Reading</h3>
 
 <ul>
-
+  
 <li><a href="accesscontrol.html">Access Control Management</a></li>
+  
 <li><a href="permission.html">Permission Evalution</a></li>
+  
 <li><a href="authorization/restriction.html">Restriction Management</a></li>
+  
 <li><a href="authorization/composite.html">Combining Multiple Authorization Models</a></li>
-</ul><!-- hidden references --></div></div></div>
+</ul>
+<!-- hidden references --></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authorization/composite.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization/composite.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization/composite.html (original)
+++ jackrabbit/site/live/oak/docs/security/authorization/composite.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-04-18 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180418" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Combining Multiple Authorization Models</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
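Review bot: The new side of this hunk carries an older build stamp than the side it replaces. The generator comment moves from Doxia Site Renderer 1.8.1 at 2018-08-29 to 1.7.4 at 2018-04-18, and `Date-Revision-yyyymmdd` drops from `20180829` to `20180418`, on a commit dated 2018-08-30. The later hunks of this file also drop the Jackrabbit API, Direct Binary Access and MongoDB DocumentStore navigation entries, which looks more like output published from a stale build directory than an intended removal. If the goal was only to get the `<h3>` section headings rendered again, regenerating the site from a clean, current checkout would fix the headings without rolling back the navigation. This is worth confirming because the page documents a security-sensitive extension point.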
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-04-18<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,21 +239,22 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Combining_Multiple_Authorization_Models"></a>Combining Multiple Authorization Models</h2>
 <div class="section">
 <h3><a name="General_Notes"></a>General Notes</h3>
 <p>Since Oak 1.4 it is possible to combine multiple authorization models within the default security setup.</p>
 <p>The main entry point for the aggregation of multiple authorization models is the <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.java">CompositeAuthorizationConfiguration</a>, which is in charge of generating composite variants of the <tt>AccessControlManager</tt>, <tt>PermissionProvider</tt> and <tt>RestrictionProvider</tt> if multiple authorization modules have been configured (see section <a href="#details">Implementation Details</a> below.</p>
 <p><i>Please note:</i> Despite the fact that Oak supports the aggregation of multiple authorization models, this extension is only recommended for experts that have in-depth knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so might otherwise result in severe security issues and heavily impact overall performance.</p>
-<a name="api_extensions"></a>
-### API Extensions
-
+<p><a name="api_extensions"></a></p></div>
+<div class="section">
+<h3><a name="API_Extensions"></a>API Extensions</h3>
 <p>There are two interfaces required to make a given authorization model deployable in an aggregated setup:</p>
-<ul>
 
+<ul>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.html">PolicyOwner</a>: Extension to the <tt>AccessControlManager</tt>, that allows a given implementation to claim responsibility for handling certain <tt>AccessControlPolicy</tt> implementations.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.html">AggregatedPermissionProvider</a>: Subclass of <tt>PermissionProvider</tt> which is mandated for permission evaluation once multiple providers are configured.</li>
 </ul>
 <div class="section">
@@ -277,18 +266,21 @@
 <div class="section">
 <h5><a name="Example"></a>Example</h5>
 <p>The permission provider shipped with the <a href="cug.html#details">oak-authorization-cug</a> module has a very limited scope: it only evaluates read-access to regular items at the configured supported paths. This means e.g. that the implementation is not able to determine if write access is granted to a given set of <tt>Principal</tt>s and indicates this fact by just returning the subset of supported read permissions upon <tt>supportedPermissions(Tree, PropertyState, long)</tt>. The aggregated permission provider will consequently not consult this implementation for the evaluation of write permissions and move on to other providers in the aggregate.</p>
-<a name="details"></a>
-### Implementation Details
-
+<p><a name="details"></a></p></div></div></div>
+<div class="section">
+<h3><a name="Implementation_Details"></a>Implementation Details</h3>
 <p>As soon as multiple authorization models are configured with the security setup, the <tt>CompositeAuthorizationConfiguration</tt> will return a dedicated <tt>JackrabbitAccessControlManager</tt> and <tt>PermissionProvider</tt> that are wrapping the objects provided by the aggregated implementations.</p>
-<p>Note: as long as a single authorization model is configured (default setup) the <tt>CompositeAuthorizationConfiguration</tt> will omit any extra wrapping.</p></div></div>
+<p>Note: as long as a single authorization model is configured (default setup) the <tt>CompositeAuthorizationConfiguration</tt> will omit any extra wrapping.</p>
 <div class="section">
 <h4><a name="Access_Control"></a>Access Control</h4>
 <p>Once multiple modules are deployed a <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAccessControlManager.java">CompositeAccessControlManager</a> with the following characteristics will be returned:</p>
-<ul>
 
+<ul>
+  
 <li>API calls reading information will return the combined result of the wrapped implementations.</li>
+  
 <li>Methods defined solely by <tt>JackrabbitAccessControlManager</tt> additionally test for the delegatees to implement that extension.</li>
+  
 <li>API calls writing back policies will look for the responsible <tt>PolicyOwner</tt> and specifically delegate the call. If no owner can be found an <tt>AccessControlException</tt> is thrown.</li>
 </ul>
 <p>Hence, a given authorization model is free to implement JCR <tt>AccessControlManager</tt> or the Jackrabbit extension.</p>
@@ -297,12 +289,16 @@
 <h4><a name="Permission_Evaluation"></a>Permission Evaluation</h4>
 <p>Only models implementing the <tt>AggregatedPermissionProvider</tt> extensions will be respected for aggregation into the <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.java">CompositePermissionProvider</a>. This allows individual models to cover only a subset of permissions and|or a subset of paths within the repository.</p>
 <p>The composite wrapper subsequently applies the following logic to evaluate the effective permissions:</p>
-<ul>
 
-<li>each delegatee is in ask to evaluate the subset of supported permissions if it claims responsible for the given item/path,</li>
+<ul>
+  
+<li>each delegatee is in ask to evaluate the subset of supported permissions if it  claims responsible for the given item/path,</li>
+  
 <li>a delegatee that doesn&#x2019;t handle any of the permissions in question it is ignored,</li>
+  
 <li>a delegatee that doesn&#x2019;t claim responsible for the item/path is ignored,</li>
-<li>a given set of permissions is ultimately granted for a given item/path, if <i>all</i> permissions have been successfully processed and none of the delegatees involved denied access.</li>
+  
+<li>a given set of permissions is ultimately granted for a given item/path, if <i>all</i>  permissions have been successfully processed and none of the delegatees involved  denied access.</li>
 </ul>
 <p>This implies that evaluation of permissions across multiple implementations is strictly additive: as soon as one provider denies access (either by an explicit deny or by a missing explicit allow) permissions are denied.</p>
 <p>Similarly, if a given combination of permission providers fails to process the complete set of permissions (e.g. one permission is not covered by any of the modules) the access will be denied as none of the provider was in charge of proper evaluation.</p>
@@ -310,30 +306,34 @@
 <div class="section">
 <h4><a name="Restriction_Management"></a>Restriction Management</h4>
 <p>Support for multiple restriction providers has already been been present with the default authorization implementation since Oak 1.0. The mechanism described in section <a href="restriction.html">Restriction Management</a> is not affected by the new functionality.</p>
-<p>The <tt>CompositeAuthorizationConfiguration</tt> is in charge of collecting the <tt>RestrictionProvider</tt>s from the aggregated modules and expose the complete set of restrictions in order to meet the API contract.</p>
+<p>The <tt>CompositeAuthorizationConfiguration</tt> is in charge of collecting the <tt>RestrictionProvider</tt>s from the aggregated modules and expose the complete set of restrictions in order to meet the API contract. </p>
 <p>Nevertheless, each authorization model is responsible for exposing, validating and evaluating the subset of restrictions it can handle through the access control API extensions and the permission evaluation, respectively. A given model may decide to provide no support for restrictions. Examples include modules that deal with different types of <tt>AccessControlPolicy</tt> where restriction management doesn&#x2019;t apply (see for example <a href="cug.html#details">oak-authorization-cug</a>).</p>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <p>By default the <tt>CompositeAuthorizationConfiguration</tt> aggregates results by applying an <tt>AND</tt> operation to the current set of providers. This can be changed via configuration to an <tt>OR</tt>. See section <a href="../../introduction.html#configuration">Introduction to Oak Security</a> for further details.</p>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
 <p>The following steps are required to plug an additional authorization model into the Oak repository:</p>
-<ul>
 
+<ul>
+  
 <li>Implement your custom <tt>AuthorizationConfiguration</tt></li>
+  
 <li>Deploy the bundle containing the implementation</li>
+  
 <li>Bind your <tt>AuthorizationConfiguration</tt> to the <tt>SecurityProvider</tt>:
+  
 <ul>
-
-<li>in an OSGi setup this is achieved by adding the configuration to the <tt>requiredServicePids</tt> property of the <tt>SecurityProviderRegistration</tt> <i>(&#x201c;Apache Jackrabbit Oak SecurityProvider&#x201d;)</i> i.e. forcing the recreation of the <tt>SecurityProvider</tt>.</li>
-<li>in a non-OSGi setup this requires adding the configuration to the <tt>SecurityProvider</tt> (e.g. <i>SecurityProviderBuilder.newBuilder().with(params).build()</i>) and subsequently creating the JCR/Oak repository object.</li>
-</ul>
-</li>
+    
+<li>in an OSGi setup this is achieved by adding the configuration to the  <tt>requiredServicePids</tt> property of the <tt>SecurityProviderRegistration</tt> <i>(&#x201c;Apache Jackrabbit Oak SecurityProvider&#x201d;)</i>  i.e. forcing the recreation of the <tt>SecurityProvider</tt>.</li>
+    
+<li>in a non-OSGi setup this requires adding the configuration  to the <tt>SecurityProvider</tt> (e.g. <i>SecurityProviderBuilder.newBuilder().with(params).build()</i>)  and subsequently creating the JCR/Oak repository object.</li>
+  </ul></li>
 </ul>
-<p><b>Important Note</b><br />
-Despite the fact that Oak supports the aggregation of multiple authorization models, this extension is only recommended for experts that have in-depth knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so might otherwise result in severe security issues and heavily impact overall performance.</p><!-- hidden references --></div></div></div>
+<p><b>Important Note</b><br />Despite the fact that Oak supports the aggregation of multiple authorization models, this extension is only recommended for experts that have in-depth knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so might otherwise result in severe security issues and heavily impact overall performance.</p>
+<!-- hidden references --></div></div>
         </div>
       </div>
     </div>
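Review bot: The Configuration paragraph in this hunk says the default `AND` aggregation can be switched to `OR`, but the Permission Evaluation section earlier in the file still states without qualification that a single denying provider denies access. A reader who enables `OR` could rely on a deny that presumably no longer applies. The source page should say which composition those rules describe, for example `The evaluation rules above describe the default AND composition; with OR they do not hold as stated.` The `../../introduction.html#configuration` link also appears to resolve outside the `security/` directory this page lives under, so it should be checked against the published tree. Both fixes belong in the markdown source, since this HTML is generated.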