You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by mr...@apache.org on 2018/08/22 09:33:51 UTC
svn commit: r1838623 [15/22] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/
security/accesscontrol/ security/authentication...
Modified: jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20180822" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication with the External Login Module</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,40 +251,33 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Authentication_with_the_External_Login_Module"></a>Authentication with the External Login Module</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>The purpose of the external login module is to provide a base implementation that allows easy integration of 3rd party authentication and identity systems, such as <a href="ldap.html">LDAP</a>. The general mode of the external login module is to use the external system as authentication source and as a provider for users and groups that may also be synchronized into the repository.</p>
<p>what it does:</p>
-
<ul>
-
+
<li>facilitate the use of a 3rd party system for authentication</li>
-
<li>simplify populating the oak user manager with identities from a 3rd party system</li>
</ul>
<p>what it does not:</p>
-
<ul>
-
+
<li>provide a transparent oak user manager</li>
-
<li>provide a transparent oak principal provider.</li>
-
<li>offer services for background synchronization of users and groups</li>
</ul>
-<p><a name="details"></a></p></div>
-<div class="section">
-<h3><a name="Implementation_Details"></a>Implementation Details</h3>
-<p>The external identity and login handling is split into 3 parts:</p>
+<a name="details"></a>
+### Implementation Details
+The external identity and login handling is split into 3 parts:
<ul>
-
+
<li><b>External Login Module</b>: LoginModule implementation that represents the connection between JAAS login mechanism, the external identity provider and the synchronization handler.</li>
-
<li><b>External Identity Provider</b> (IDP): This is a service implementing the <tt>ExternalIdentityProvider</tt> interface and is responsible to retrieve and authenticate identities towards an external system (e.g. LDAP).</li>
-
<li><b>User and Group Synchronization</b>: This is a service implementing the <tt>SyncHandler</tt> interface and is responsible to actually managing the external identities within the Oak user management. A very trivial implementation might just create users and groups for external ones on demand.</li>
</ul>
<p>This modularization allows to reuse the same external login module for different combinations of IDPs and synchronization handlers. Although in practice, systems usually have 1 of each.</p>
@@ -292,41 +297,31 @@
<h5><a name="Authentication_in_Detail"></a>Authentication in Detail</h5>
<p>The details of the external authentication are as follows:</p>
<p><i>Phase 1: Login</i></p>
-
<ul>
-
+
<li>if the user exists in the repository and any of the following conditions is met <b>return <tt>false</tt></b>
-
<ul>
-
+
<li>user is not an externally synced <i>or</i></li>
-
<li>user belongs to a different IDP than configured for the <tt>ExternalLoginModule</tt> <i>or</i></li>
-
<li><a href="preauthentication.html"><tt>PreAuthenticatedLogin</tt></a> is present on the shared state <i>and</i> the external user doesn’t require an updating sync (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3508">OAK-3508</a>)</li>
- </ul></li>
-
+</ul>
+</li>
<li>if the user exists in the 3rd party system but the credentials don’t match it <b>throws <tt>LoginException</tt></b></li>
-
<li>if the user exists in the 3rd party system and the credentials match
-
<ul>
-
+
<li>put the credentials in the shared and private state</li>
-
<li>possibly sync the user</li>
-
<li>and <b>returns <tt>true</tt></b></li>
- </ul></li>
-
+</ul>
+</li>
<li>if the user does not exist in the 3rd party system, checks if it needs to remove the user and then it <b>returns <tt>false</tt></b></li>
</ul>
<p><i>Phase 2: Commit</i></p>
-
<ul>
-
+
<li>if there is no credentials in the private state, it <b>returns <tt>false</tt></b></li>
-
<li>if there are credentials in the private state propagate the subject and <b>return <tt>true</tt></b></li>
</ul>
<p>See section <a href="external/externallogin_examples.html">Example Configurations</a> for some common setup scenarios.</p></div></div>
@@ -338,106 +333,58 @@
<h4><a name="User_and_Group_Synchronization"></a>User and Group Synchronization</h4>
<p>The synchronization of users and groups is triggered by the external login module, after a user is successfully authenticated against the IDP or if it’s no longer present on the IDP.</p>
<p>See section <a href="usersync.html">User Synchronization</a> for further details and a description of the default implementation.</p>
-<p><a name="configuration"></a></p></div></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
+<a name="configuration"></a>
+### Configuration
+</div>
<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
<p>The external authentication module comes with the following configuration parameters for the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.html">ExternalLoginModuleFactory</a>/[ExternalLoginModule].</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th>
+<th> Description </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td><tt>PARAM_IDP_NAME</tt> </td>
-
-<td>String </td>
-
-<td>- </td>
-
-<td>Name of the external IDP to be retrieved from the <tt>ExternalIdentityProviderManager</tt> </td>
- </tr>
-
+<td> <tt>PARAM_IDP_NAME</tt> </td>
+<td> String </td>
+<td> - </td>
+<td> Name of the external IDP to be retrieved from the <tt>ExternalIdentityProviderManager</tt> </td></tr>
<tr class="a">
-
-<td><tt>PARAM_SYNC_HANDLER_NAME</tt> </td>
-
-<td>String </td>
-
-<td>- </td>
-
-<td>Name of the sync handler to be retrieved from the <tt>SyncManager</tt> </td>
- </tr>
-
+<td> <tt>PARAM_SYNC_HANDLER_NAME</tt> </td>
+<td> String </td>
+<td> - </td>
+<td> Name of the sync handler to be retrieved from the <tt>SyncManager</tt> </td></tr>
<tr class="b">
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
- </tr>
-
+<td> </td>
+<td> </td>
+<td> </td>
+<td> </td></tr>
<tr class="a">
-
-<td><i>Optional (OSGi-setup)</i> </td>
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
- </tr>
-
+<td> <i>Optional (OSGi-setup)</i> </td>
+<td> </td>
+<td> </td>
+<td> </td></tr>
<tr class="b">
-
-<td><tt>JAAS_RANKING</tt> </td>
-
-<td>int </td>
-
-<td>50 </td>
-
-<td>Ranking of the <tt>ExternalLoginModule</tt> in the JAAS configuration, see <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td>
- </tr>
-
+<td> <tt>JAAS_RANKING</tt> </td>
+<td> int </td>
+<td> 50 </td>
+<td> Ranking of the <tt>ExternalLoginModule</tt> in the JAAS configuration, see <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td></tr>
<tr class="a">
-
-<td><tt>JAAS_CONTROL_FLAG</tt> </td>
-
-<td>String </td>
-
-<td>SUFFICIENT </td>
-
-<td>See <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">LoginModuleControlFlag</a> for supported values. </td>
- </tr>
-
+<td> <tt>JAAS_CONTROL_FLAG</tt> </td>
+<td> String </td>
+<td> SUFFICIENT </td>
+<td> See <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">LoginModuleControlFlag</a> for supported values. </td></tr>
<tr class="b">
-
-<td><tt>JAAS_REALM_NAME</tt> </td>
-
-<td>String </td>
-
-<td>- </td>
-
-<td>See <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td>
- </tr>
- </tbody>
+<td> <tt>JAAS_REALM_NAME</tt> </td>
+<td> String </td>
+<td> - </td>
+<td> See <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td></tr>
+</tbody>
</table>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
@@ -445,8 +392,9 @@
<h6><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h6>
<p>The following JAAS configuration shows how the <tt>ExternalLoginModule</tt> could be used in a setup that not solely uses third party login (Note: JAAS configuration equivalents of the parameters defined by <tt>org.apache.felix.jaas.LoginModuleFactory</tt> are omitted):</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">jackrabbit.oak {
+<div>
+<div>
+<pre class="source">jackrabbit.oak {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
@@ -454,25 +402,22 @@
idp.name="ldap";
};
</pre></div></div>
-<p><a name="pluggability"></a></p></div></div></div></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
-<p>The design of the <tt>ExternalLoginModule</tt> allows for customization of the key features associated with third party authentication. In an OSGi-based setup these are covered by references within the <tt>ExternalLoginModuleFactory</tt>:</p>
+<a name="pluggability"></a>
+### Pluggability
+<p>The design of the <tt>ExternalLoginModule</tt> allows for customization of the key features associated with third party authentication. In an OSGi-based setup these are covered by references within the <tt>ExternalLoginModuleFactory</tt>:</p>
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>: Mandatory, unary reference for the <tt>ExternalIdentityProvider</tt> lookup; see <a href="identitymanagement.html">External Identity Management</a> for details.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncManager.html">SyncManager</a>: Mandatory, unary reference for the <tt>SyncHandler</tt> lookup; see <a href="usersync.html">User/Group Synchronization</a> for details.</li>
</ul>
<p>The default implementations (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalIDPManagerImpl.html">ExternalIDPManagerImpl</a> and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/SyncManagerImpl.html">SyncManagerImpl</a>) extend <tt>AbstractServiceTracker</tt> and will automatically keep track of new <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a> services, respectively.</p>
-<p>Since Oak 1.5.1 support for different or multiple types of <tt>Credentials</tt> can easily be plugged by providing an <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> that additionally implements <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>. This is an optional extension point for each IDP; if missing the <tt>ExternalLoginModule</tt> will fall back to a default implementation and assume the IDP only supports <tt>SimpleCredentials</tt>. See details below.</p>
+<p>Since Oak 1.5.1 support for different or multiple types of <tt>Credentials</tt> can easily be plugged by providing an <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> that additionally implements <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>. This is an optional extension point for each IDP; if missing the <tt>ExternalLoginModule</tt> will fall back to a default implementation and assume the IDP only supports <tt>SimpleCredentials</tt>. See details below.</p></div></div></div>
<div class="section">
<h4><a name="Supported_Credentials"></a>Supported Credentials</h4>
<p>The following steps are required in order to change or extend the set credential classes supported by the <tt>ExternalLoginModule</tt>:</p>
-
<ul>
-
+
<li>Extend your <tt>ExternalIdentityProvider</tt> to additionally implement the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface.</li>
</ul>
<p>Don’t forget to make sure that <tt>ExternalIdentityProvider.authenticate(Credentials)</tt> handles the same set of supported credentials!</p>
@@ -481,8 +426,9 @@
<div class="section">
<h6><a name="Example_CredentialsSupport"></a>Example CredentialsSupport</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint"> @Component()
+<div>
+<div>
+<pre class="source"> @Component()
@Service(ExternalIdentityProvider.class, CredentialsSupport.class)
public class MyIdentityProvider implements ExternalIdentityProvider, CredentialsSupport {
@@ -511,9 +457,9 @@
// our credentials never contain additional attributes
return ImmutableMap.of();
}
-
+
//-------------------------------------< ExternalIdentityProvider >---
-
+
@CheckForNull
@Override
public ExternalUser authenticate(@Nonnull Credentials credentials) {
@@ -530,7 +476,7 @@
}
[...]
-
+
//----------------------------------------------< SCR Integration >---
@Activate
private void activate() {
Modified: jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20180822" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – External Identity Management</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,31 +251,26 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="External_Identity_Management"></a>External Identity Management</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
<p>Jackrabbit Oak provides interfaces and some base classes to ease custom implementation of the external authentication with optional user/group synchronization to the repository.</p></div>
<div class="section">
<h3><a name="Identity_Management_API"></a>Identity Management API</h3>
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>: factory for the <tt>ExternalIdentityProvider</tt></li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>: used to authenticate against the third party system. Additionally provides method to obtain information about external user/group accounts such as needed for the <a href="usersync.html">synchronization</a> into the repository.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentity.html">ExternalIdentity</a>: base interface for an external user/group
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalUser.html">ExternalUser</a></li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalGroup.html">ExternalGroup</a></li>
- </ul></li>
-
+</ul>
+</li>
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>: reference to an external user/group consisting of id and provider name.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/PrincipalNameResolver.html">PrincipalNameResolver</a>: optimized lookup of principal name from <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>; see section <a href="external/dynamic.html">Dynamic Membership</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5210">OAK-5210</a> for details)</li>
</ul></div>
<div class="section">
@@ -275,13 +282,10 @@
<div class="section">
<h4><a name="Custom_External_Identity_Management"></a>Custom External Identity Management</h4>
<p>In order to plug a custom implementation of the external identity management the following steps are required:</p>
-
<ul>
-
-<li>Write your own implementation <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> including your implementations of the external identities. <i>Note:</i> If you are running Oak in an OSGi based setup, make sure the provider gets registered as OSGi service in which case it will be automatically tracked by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>.</li>
-
-<li>Deploy the bundle containing your implementation such that the IDP gets tracked by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>. In an non-OSGi environment you have to register it manually</li>
-
+
+<li>Write your own implementation <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> including your implementations of the external identities. <i>Note:</i> If you are running Oak in an OSGi based setup, make sure the provider gets registered as OSGi service in which case it will be automatically tracked by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>.</li>
+<li>Deploy the bundle containing your implementation such that the IDP gets tracked by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>. In an non-OSGi environment you have to register it manually</li>
<li>Link your identity provider to the <tt>ExternalLoginModule</tt> by configuring the IDP name accordingly (see section <a href="externalloginmodule.html#configuration">Configuration</a>)</li>
</ul>
<div class="section">
@@ -289,9 +293,8 @@
<p>See <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authentication/external/CustomExternalIdentityProvider.java">CustomExternalIdentityProvider</a> in the <tt>oak-exercise</tt> module for a very simplistic implementation for an OSGi-based Oak setup.</p></div></div>
<div class="section">
<h4><a name="Custom_ExternalIdentityProviderManager"></a>Custom ExternalIdentityProviderManager</h4>
-<p>Since <tt>oak-auth-external</tt> provides a default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> a custom identity management doesn’t need provide a separate implementation of this interface. </p>
-<p>If you wish to provider your own <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> in an OSGi environment, please make sure it gets properly referenced by the <tt>ExternalLoginModuleFactory</tt>.</p>
-<!-- references --></div></div></div>
+<p>Since <tt>oak-auth-external</tt> provides a default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> a custom identity management doesn’t need provide a separate implementation of this interface.</p>
+<p>If you wish to provider your own <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> in an OSGi environment, please make sure it gets properly referenced by the <tt>ExternalLoginModuleFactory</tt>.</p><!-- references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/ldap.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/ldap.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/ldap.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/ldap.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-17
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180817" />
+ <meta name="Date-Revision-yyyymmdd" content="20180822" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – LDAP Integration</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-17<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,6 +161,7 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
@@ -172,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
Modified: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20180822" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Pre-Authenticated Login</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,42 +251,39 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Pre-Authenticated_Login"></a>Pre-Authenticated Login</h2>
<p>Oak provides two different mechanisms to create pre-authentication that doesn’t involve the repositories internal authentication mechanism for credentials validation.</p>
-
<ul>
-
+
<li><a href="#withloginchain">Pre-Authentication combined with Login Module Chain</a></li>
-
<li><a href="#withoutrepository">Pre-Authentication without Repository Involvement</a></li>
</ul>
-<p><a name="withloginchain"></a></p>
-<div class="section">
-<h3><a name="Pre-Authentication_combined_with_Login_Module_Chain"></a>Pre-Authentication combined with Login Module Chain</h3>
+<a name="withloginchain"></a>
+### Pre-Authentication combined with Login Module Chain
+
<p>This first variant allows to support 3rd party login modules that wish to provide the login context with pre authenticated login names, but still want to rely on the rest of the Oak’s login module chain. For example an external SSO login module can extract the userid from a servlet request and use it to authenticate against the repository. But instead of re-implementing the user lookup and subject population (and possible external user synchronization) it just informs any subsequent login modules that the credential validation was already successful.</p>
<p>The key to understand this mechanism is the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html">PreAuthenticatedLogin</a> marker class, which is pushed to the shared state of the login context and which indicates to any subsequent LoginModule that the credentials present in the state already have been verified and thus can be trusted.</p>
<p>This setup is particularly recommended in a OSGi setup that includes Apache Sling on top of the Oak repository but still requires user information to be synchronized into the repository.</p>
<div class="section">
+<div class="section">
<h4><a name="How_it_works"></a>How it works</h4>
<p>The basic steps of the pre-authentication in combination with regular JAAS login module chain are outlined as follows:</p>
-
<ol style="list-style-type: decimal">
-
+
<li>verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling Authentication Handler)</li>
-
<li>pass a custom, non-public Credentials implementation to the repository login</li>
-
-<li>create a custom login module that only supports these dedicated credentials and pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information required and processed by subsequent login modules (e.g. credentials and user name).</li>
-
-<li>make sure the subsequent login modules in the JAAS configuration are capable to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and will properly populate the subject and optionally synchronize user information or create login tokens.</li>
+<li>create a custom login module that only supports these dedicated credentials and pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information required and processed by subsequent login modules (e.g. credentials and user name).</li>
+<li>make sure the subsequent login modules in the JAAS configuration are capable to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and will properly populate the subject and optionally synchronize user information or create login tokens.</li>
</ol>
<div class="section">
<h5><a name="Example"></a>Example</h5>
<p>Example implementation of <tt>LoginModule#login</tt> that pushes the <tt>PreAuthenticatedLogin</tt> marker to the shared state:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">public class PreAuthLoginModule extends AbstractLoginModule {
+<div>
+<div>
+<pre class="source">public class PreAuthLoginModule extends AbstractLoginModule {
[...]
@@ -294,11 +303,11 @@
}
[...]
-
+
// subsequent login modules need to succeed and process the 'PreAuthenticatedLogin'
return false;
}
-
+
@Overwrite
public boolean commit() {
// this module leaves subject population to the subsequent modules
@@ -307,29 +316,27 @@
}
}
</pre></div></div>
-<p><a name="withoutrepository"></a></p></div></div></div>
-<div class="section">
-<h3><a name="Pre-Authentication_without_Repository_Involvement"></a>Pre-Authentication without Repository Involvement</h3>
+<a name="withoutrepository"></a>
+### Pre-Authentication without Repository Involvement
+
<p>Like in Jackrabbit-core the repository internal authentication verification can be skipped by calling <tt>Repository#login()</tt> or <tt>Repository#login(null, wspName)</tt>. In this case the repository implementation expects the verification to be performed prior to the login call.</p>
-<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p>
+<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p></div></div>
<div class="section">
<h4><a name="Options_to_modify_the_default_behavior"></a>Options to modify the default behavior</h4>
<p>Since the <tt>LoginContextProvider</tt> is a configurable with the authentication setup OAK users also have the following options by providing a custom <tt>LoginContextProvider</tt>:</p>
-
<ul>
-
+
<li>Disable pre-authentication by not trying to retrieve a pre-authenticated <tt>Subject</tt>.</li>
-
<li>Add support for extending the pre-authenticated subject by always passing writable subjects to the <tt>JaasLoginContext</tt></li>
-
-<li>Dropping JAAS altogether by providing a custom implementation of the <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
+<li>Dropping JAAS altogether by providing a custom implementation of the <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
</ul>
<div class="section">
<h5><a name="Example"></a>Example</h5>
<p>Example how to use this type of pre-authentication:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">String userId = "test";
+<div>
+<div>
+<pre class="source">String userId = "test";
/**
* Retrive valid principals e.g. by using Jackrabbit or Oak API:
* - PrincipalManager#getPrincipal and/or #getGroupMembership
Modified: jackrabbit/site/live/oak/docs/security/authentication/token/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/token/default.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/token/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/token/default.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20180822" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Token Management : The Default Implementation</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,7 +251,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Token_Management_:_The_Default_Implementation"></a>Token Management : The Default Implementation</h2>
<div class="section">
<h3><a name="General_Notes"></a>General Notes</h3>
@@ -251,15 +264,17 @@
<p>The creation of a new token is triggered by valid and supported <tt>Credentials</tt> passed to the login module chain that contain an additional, empty <tt>.token</tt> attribute.</p>
<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will obtain these <tt>Credentials</tt> from the shared state during the commit phase (i.e. phase 2 of the JAAS authentication) and will pass them to the configured <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a> implementation the following sequence:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">Credentials shared = getSharedCredentials();
+<div>
+<div>
+<pre class="source">Credentials shared = getSharedCredentials();
if (shared != null && tokenProvider.doCreateToken(shared)) {
[...]
TokenInfo ti = tokenProvider.createToken(shared);
[...]
}
</pre></div></div>
-<p>In case of success these steps will have generated a new token and stored it’s hash along with all mandatory and informative attributes to the new content node representing the token.</p>
+
+<p>In case of success these steps will have generated a new token and stored it’s hash along with all mandatory and informative attributes to the new content node representing the token.</p>
<div class="section">
<h5><a name="Supported_Credentials_for_Token_Creation"></a>Supported Credentials for Token Creation</h5>
<p>By default the implementation deals with shared <tt>SimpleCredentials</tt>.</p>
@@ -269,11 +284,9 @@ if (shared != null && tokenProvi
<h4><a name="Token_Validation"></a>Token Validation</h4>
<p>Once a token has been created it can be used for subsequent repository logins with <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java">TokenCredentials</a>. This time the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will attempt to perform the login phase (i.e. phase 1 of the JAAS authentication).</p>
<p>This includes resolving the login token (<tt>TokenProvider.getTokenInfo</tt>) and asserting it’s validity in case it exists. The validation consists of following steps:</p>
-
<ul>
-
+
<li>check that the token has not expired (<tt>TokenInfo.isExpired</tt>)</li>
-
<li>verify that all mandatory attributes are present and match the expectations (<tt>TokenInfo.matches</tt>)</li>
</ul>
<p>Only if these steps have been successfully completed the login of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will succeed.</p></div>
@@ -283,21 +296,21 @@ if (shared != null && tokenProvi
<div class="section">
<h4><a name="Resetting_Expiration_Time"></a>Resetting Expiration Time</h4>
<p>The default <tt>TokenProvider</tt> implementation will automatically reset the expiration time of a given token upon successful authentication.</p>
-<p>This behavior can be disabled by setting the <tt>tokenRefresh</tt> configuration parameter to <tt>false</tt> (see <tt>PARAM_TOKEN_REFRESH</tt> below). In this case expiration time will not be reset and an attempt to do so using the API (e.g. calling <tt>
-TokenInfo.resetExpiration(long loginTime)</tt>) will return <tt>false</tt> indicating that the expiration time has not been reset. The token will consequently expire and the user will need to login again using the configured login mechanism (e.g. using the credentials support for token creation).</p></div>
+<p>This behavior can be disabled by setting the <tt>tokenRefresh</tt> configuration parameter to <tt>false</tt> (see <tt>PARAM_TOKEN_REFRESH</tt> below). In this case expiration time will not be reset and an attempt to do so using the API (e.g. calling <tt>TokenInfo.resetExpiration(long loginTime)</tt>) will return <tt>false</tt> indicating that the expiration time has not been reset. The token will consequently expire and the user will need to login again using the configured login mechanism (e.g. using the credentials support for token creation).</p></div>
<div class="section">
<h4><a name="Token_Cleanup"></a>Token Cleanup</h4>
<p>Automatic token cleanup can be enabled by setting the <tt>tokenCleanupThreshold</tt> parameter to a value larger than <tt>0</tt> (<tt>0</tt> means disabled). This will trigger a cleanup call if the number of tokens under a user exceeds this value. (As an implementation detail a throttling method was introduced to only allow the call to go through 1/8 times).</p>
<p>This is available with Oak 1.7.12 on, see also [OAK-6818]for additional information.</p>
-<p><a name="representation"></a></p></div></div>
-<div class="section">
-<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
+<a name="representation"></a>
+### Representation in the Repository
+</div>
<div class="section">
<h4><a name="Content_Structure"></a>Content Structure</h4>
<p>The login tokens issued for a given user are all located underneath a node named <tt>.tokens</tt> that will be created by the <tt>TokenProvider</tt> once the first token is created. The default implementation creates a distinct node for each login token as described below</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">testUser {
+<div>
+<div>
+<pre class="source">testUser {
"jcr:primaryType": "rep:User",
...
".tokens" {
@@ -315,32 +328,33 @@ TokenInfo.resetExpiration(long loginTime
}
}
}
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h4><a name="Token_Nodes"></a>Token Nodes</h4>
<p>As of Oak 1.0 the login token are represented in the repository as follows:</p>
-
<ul>
-
+
<li>the token node is referenceable with the dedicated node type <tt>rep:Token</tt> (used to be unstructured in Jackrabbit 2.x)</li>
-
<li>expiration and key properties are defined to be mandatory and protected</li>
-
-<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the configuration parameter with the same name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
+<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the configuration parameter with the same name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
</ul>
<p>The definition of the new built-in node type <tt>rep:Token</tt>:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:Token] > mix:referenceable
+<div>
+<div>
+<pre class="source">[rep:Token] > mix:referenceable
- rep:token.key (STRING) protected mandatory
- rep:token.exp (DATE) protected mandatory
- * (UNDEFINED) protected
- * (UNDEFINED) multiple protected
</pre></div></div>
+
<p>The following example illustrates the token nodes resulting from this node type definition:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">testUser {
+<div>
+<div>
+<pre class="source">testUser {
"jcr:primaryType": "rep:User",
...
".tokens" {
@@ -365,210 +379,119 @@ TokenInfo.resetExpiration(long loginTime
}
}
</pre></div></div>
-<p><a name="validation"></a></p></div></div>
-<div class="section">
-<h3><a name="Validation"></a>Validation</h3>
-<p>The consistency of this content structure both on creation and modification is asserted by a dedicated <tt>TokenValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
+<a name="validation"></a>
+### Validation
+<p>The consistency of this content structure both on creation and modification is asserted by a dedicated <tt>TokenValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Code </th>
-
-<th>Message </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Code </th>
+<th> Message </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td>0060 </td>
-
-<td>Attempt to create reserved token property in other ctx </td>
- </tr>
-
+<td> 0060 </td>
+<td> Attempt to create reserved token property in other ctx </td></tr>
<tr class="a">
-
-<td>0061 </td>
-
-<td>Attempt to change existing token key </td>
- </tr>
-
+<td> 0061 </td>
+<td> Attempt to change existing token key </td></tr>
<tr class="b">
-
-<td>0062 </td>
-
-<td>Change primary type of existing node to rep:Token </td>
- </tr>
-
+<td> 0062 </td>
+<td> Change primary type of existing node to rep:Token </td></tr>
<tr class="a">
-
-<td>0063 </td>
-
-<td>Creation/Manipulation of tokens without using provider </td>
- </tr>
-
+<td> 0063 </td>
+<td> Creation/Manipulation of tokens without using provider </td></tr>
<tr class="b">
-
-<td>0064 </td>
-
-<td>Create a token outside of configured scope </td>
- </tr>
-
+<td> 0064 </td>
+<td> Create a token outside of configured scope </td></tr>
<tr class="a">
-
-<td>0065 </td>
-
-<td>Invalid location of token node </td>
- </tr>
-
+<td> 0065 </td>
+<td> Invalid location of token node </td></tr>
<tr class="b">
-
-<td>0066 </td>
-
-<td>Invalid token key </td>
- </tr>
-
+<td> 0066 </td>
+<td> Invalid token key </td></tr>
<tr class="a">
-
-<td>0067 </td>
-
-<td>Mandatory token expiration missing </td>
- </tr>
-
+<td> 0067 </td>
+<td> Mandatory token expiration missing </td></tr>
<tr class="b">
-
-<td>0068 </td>
-
-<td>Invalid location of .tokens node </td>
- </tr>
-
+<td> 0068 </td>
+<td> Invalid location of .tokens node </td></tr>
<tr class="a">
-
-<td>0069 </td>
-
-<td>Change type of .tokens parent node </td>
- </tr>
- </tbody>
+<td> 0069 </td>
+<td> Change type of .tokens parent node </td></tr>
+</tbody>
</table>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
-<p>The default Oak <tt>TokenConfiguration</tt> allows to define the following configuration options for the <tt>TokenProvider</tt>:</p>
+<a name="configuration"></a>
+### Configuration
+
+<p>The default Oak <tt>TokenConfiguration</tt> allows to define the following configuration options for the <tt>TokenProvider</tt>:</p></div>
<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td>PARAM_TOKEN_EXPIRATION </td>
-
-<td>long </td>
-
-<td>2 * 3600 * 1000 (2 hours)</td>
- </tr>
-
-<tr class="a">
-
-<td>PARAM_TOKEN_LENGTH </td>
-
-<td>int </td>
-
-<td>8 </td>
- </tr>
-
+<td> PARAM_TOKEN_EXPIRATION </td>
+<td> long </td>
+<td> 2 * 3600 * 1000 (2 hours)</td></tr>
+<tr class="a">
+<td> PARAM_TOKEN_LENGTH </td>
+<td> int </td>
+<td> 8 </td></tr>
<tr class="b">
-
-<td>PARAM_TOKEN_REFRESH </td>
-
-<td>boolean </td>
-
-<td>true </td>
- </tr>
-
-<tr class="a">
-
-<td>PARAM_PASSWORD_HASH_ALGORITHM </td>
-
-<td>String </td>
-
-<td>SHA-256 </td>
- </tr>
-
+<td> PARAM_TOKEN_REFRESH </td>
+<td> boolean </td>
+<td> true </td></tr>
+<tr class="a">
+<td> PARAM_PASSWORD_HASH_ALGORITHM </td>
+<td> String </td>
+<td> SHA-256 </td></tr>
<tr class="b">
-
-<td>PARAM_PASSWORD_HASH_ITERATIONS </td>
-
-<td>int </td>
-
-<td>1000 </td>
- </tr>
-
-<tr class="a">
-
-<td>PARAM_PASSWORD_SALT_SIZE </td>
-
-<td>int </td>
-
-<td>8 </td>
- </tr>
-
+<td> PARAM_PASSWORD_HASH_ITERATIONS </td>
+<td> int </td>
+<td> 1000 </td></tr>
+<tr class="a">
+<td> PARAM_PASSWORD_SALT_SIZE </td>
+<td> int </td>
+<td> 8 </td></tr>
<tr class="b">
-
-<td>PARAM_TOKEN_CLEANUP_THRESHOLD </td>
-
-<td>long </td>
-
-<td>0 (no cleanup) </td>
- </tr>
-
+<td> PARAM_TOKEN_CLEANUP_THRESHOLD </td>
+<td> long </td>
+<td> 0 (no cleanup) </td></tr>
<tr class="a">
-
-<td> </td>
-
<td> </td>
-
<td> </td>
- </tr>
- </tbody>
+<td> </td></tr>
+</tbody>
</table>
-<p><a name="pluggability"></a></p></div></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
+<a name="pluggability"></a>
+### Pluggability
+
<p>In an OSGi-based setup the default <tt>TokenConfiguration</tt> you can bind a custom implementation of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface. Doing so allows to support any type of custom credentials, which do not reveal the ID of the user logging into repository.</p>
<p>In particular when chaining the <tt>TokenLoginModule</tt> and the <tt>ExternalLoginModule</tt> the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> can be used to authenticate and synchronize users provided by third party systems during phase 1 (login) and generate a login token during phase 2 (commit). See section <a href="../externalloginmodule.html">Authentication with the External Login Module</a> for additional details. For this to work the same <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> must be configured with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> and the <tt>TokenConfiguration</tt> and <tt>CredentialsSupport.getUserId</tt> must reveal the ID of the synced user (i.e. <tt>Ex
ternalUser.getId</tt>).</p>
<p>In general the following steps are required in order to plug a different <tt>CredentialsSupport</tt> into the default <tt>TokenConfiguration</tt>:</p>
-
<ul>
-
+
<li>implement the <tt>CredentialsSupport</tt> interface (e.g. as extension to the <tt>ExternalIdentityProvider</tt>)</li>
-
<li>make sure the implementation is an OSGi service and deploy it to the Oak repository.</li>
</ul>
<div class="section">
-<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Example_CredentialsSupport"></a>Example CredentialsSupport</h6>
<p>In an OSGi-based setup it’s sufficient to make the service available to the repository in order to enable a custom <tt>CredentialsSupport</tt>.</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">@Component
+<div>
+<div>
+<pre class="source">@Component
@Service(value = {CredentialsSupport.class})
/**
* Custom implementation of the {@code CredentialsSupport} interface.
@@ -604,14 +527,14 @@ final class MyCredentialsSupport impleme
// TODO: optional implementation
return false;
}
-
+
[...]
}
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h6><a name="Example_CredentialsSupport_in_Combination_with_External_Authentication"></a>Example CredentialsSupport in Combination with External Authentication</h6>
-<p>See section <a href="../externalloginmodule.html#pluggability">Authentication with the External Login Module</a> for an example.</p>
-<!-- references --></div></div></div></div></div>
+<p>See section <a href="../externalloginmodule.html#pluggability">Authentication with the External Login Module</a> for an example.</p><!-- references --></div></div></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20180822" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Token Authentication and Token Management</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,18 +251,16 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Token_Authentication_and_Token_Management"></a>Token Authentication and Token Management</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
<p>The token based authentication has been completely refactor in Oak and has the following general characteristics.</p>
-
<ul>
-
+
<li>Dedicated API for managing login tokens defined in the package <tt>org.apache.jackrabbit.oak.spi.security.authentication.token</tt>.</li>
-
<li>Pluggable configuration of the new token management API</li>
-
<li>Complete separation of token based authentication into a separate <tt>LoginModule</tt>.</li>
</ul></div>
<div class="section">
@@ -261,80 +271,66 @@
<h4><a name="TokenLoginModule"></a>TokenLoginModule</h4>
<p>The <tt>TokenLoginModule</tt>designed to support and issue <tt>TokenCredentials</tt>. The authentication phases behave as follows:</p>
<p><i>Phase 1: Login</i></p>
-
<ul>
-
+
<li>if no <tt>TokenProvider</tt> is available <b>returns <tt>false</tt></b></li>
-
<li>if a <tt>TokenProvider</tt> has been configured it retrieves JCR credentials from the [CallbackHandler] using the [CredentialsCallback]</li>
-
-<li>in case of <tt>TokenCredentials</tt> validates these credentials: if it succeeds it pushes the users ID to the shared state and returns <tt>true</tt>; otherwise throws <tt>LoginException</tt></li>
-
+<li>in case of <tt>TokenCredentials</tt> validates these credentials: if it succeeds it pushes the users ID to the shared state and returns <tt>true</tt>; otherwise throws <tt>LoginException</tt></li>
<li>for other credentials the method returns <tt>false</tt></li>
</ul>
<p><i>Phase 1: Commit</i></p>
-
<ul>
-
+
<li>if phase 1 succeeded the subject is populated and the method returns <tt>true</tt></li>
-
-<li>in case phase 1 did not succeed this method will test if the shared state contain credentials that ask for a new token being created; if this succeeds it will create a new instance of <tt>TokenCredentials</tt>, push the public attributes to the shared stated and update the subject with the new credentials; finally the commit call <b>returns <tt>false</tt></b></li>
+<li>in case phase 1 did not succeed this method will test if the shared state contain credentials that ask for a new token being created; if this succeeds it will create a new instance of <tt>TokenCredentials</tt>, push the public attributes to the shared stated and update the subject with the new credentials; finally the commit call <b>returns <tt>false</tt></b></li>
</ul>
<div class="section">
<h5><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h5>
-<p>jackrabbit.oak { org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient; org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required; };</p>
-<p><a name="api_extensions"></a></p></div></div></div>
-<div class="section">
-<h3><a name="Token_Management_API"></a>Token Management API</h3>
-<p>Oak 1.0 defines the following interfaces used to manage login tokens:</p>
+<p>jackrabbit.oak { org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient; org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required; };</p>
+<a name="api_extensions"></a>
+### Token Management API
+<p>Oak 1.0 defines the following interfaces used to manage login tokens:</p>
<ul>
-
+
<li>[TokenConfiguration]: Interface to obtain a <tt>TokenProvider</tt> instance (see section <a href="#configuration">configuration</a> below).</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a>: Interface to read and manage login tokens.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenInfo.html">TokenInfo</a>: Information associated with a given login token and token validity.</li>
</ul>
<p>In addition Oak comes with a default implementation of the provider interface that is able to aggregate multiple <tt>TokenProvider</tt>s:</p>
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenConfiguration.html">CompositeTokenConfiguration</a>: Extension of the <tt>CompositeConfiguration</tt> to combined different token management implementations.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenProvider.html">CompositeTokenProvider</a>: Aggregation of the <tt>TokenProvider</tt> implementations defined by the configurations contained the <tt>CompositeTokenConfiguration</tt></li>
</ul>
<p>See section <a href="#pluggability">Pluggability</a> for an example.</p>
-<p><a name="default_implementation"></a></p></div>
-<div class="section">
-<h3><a name="Characteristics_of_the_Default_Implementation"></a>Characteristics of the Default Implementation</h3>
-<p>The characteristics of the default token management implementation is described in section <a href="token/default.html">Token Management : The Default Implementation</a>. </p>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
+<a name="default_implementation"></a>
+### Characteristics of the Default Implementation
+
+<p>The characteristics of the default token management implementation is described in section <a href="token/default.html">Token Management : The Default Implementation</a>.</p>
+<a name="configuration"></a>
+### Configuration
+
<p>The configuration options of the default implementation are described in the <a href="token/default.html#configuration">Configuration</a> section.</p>
-<p><a name="pluggability"></a></p></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
+<a name="pluggability"></a>
+### Pluggability
+
<p>The default security setup as present with Oak 1.0 is able to deal with custom token management implementations and will collect multiple implementations within <tt>CompositeTokenConfiguration</tt> present with the <tt>SecurityProvider</tt>. The <tt>CompositeTokenConfiguration</tt> itself will combine the different <tt>TokenProvider</tt> implementations using the <tt>CompositeTokenProvider</tt>.</p>
<p>In an OSGi setup the following steps are required in order to add a custom token provider implementation:</p>
-
<ul>
-
+
<li>implement <tt>TokenProvider</tt> interface</li>
-
<li>expose the custom provider by your custom <tt>TokenConfiguration</tt> service</li>
-
<li>make the configuration available to the Oak repository.</li>
-</ul>
-<div class="section">
+</ul></div>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Example_TokenConfiguration"></a>Example TokenConfiguration</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">@Component()
+<div>
+<div>
+<pre class="source">@Component()
@Service({TokenConfiguration.class, SecurityConfiguration.class})
public class MyTokenConfiguration extends ConfigurationBase implements TokenConfiguration {