You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/08/21 10:31:38 UTC
svn commit: r1838538 [33/35] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak-mongo-js/fonts/ oak-mongo-js/scripts/
oak-mongo-js/scripts/prettify/ oak-mongo...
Modified: jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Privilege Management : Mapping API Calls to Privileges</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,8 +239,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<div class="section">
<h3><a name="Privilege_Management_:_Mapping_API_Calls_to_Privileges"></a>Privilege Management : Mapping API Calls to Privileges</h3>
<p>The following table allows to identify which API calls require which type of privilege(s)</p>
@@ -251,660 +247,1333 @@
<h4><a name="Transient_Operations"></a>Transient Operations</h4>
<div class="section">
<h5><a name="Read"></a>Read</h5>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>Session.itemExists</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Session.getItem</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Session.nodeExists</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="a">
-<td> <tt>Session.nodeExists</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="b">
-<td> <tt>Session.getNode</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="a">
-<td> <tt>Session.getRootNode</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="b">
-<td> <tt>Session.getNodeByUUID</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Session.getNodeByIdentifier</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Session.getNode</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="a">
-<td> <tt>Session.propertyExists</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Session.getProperty</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Item.getParent</tt> </td>
-<td> <tt>rep:readNodes</tt> on parent </td></tr>
-<tr class="b">
-<td> <tt>Item.getAncestor</tt> </td>
-<td> <tt>rep:readNodes</tt> on ancestor </td></tr>
-<tr class="a">
-<td> <tt>Node.hasNode</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.hasNodes</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.getNode</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.getNodes</tt> </td>
-<td> <tt>rep:readNodes</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.hasProperty</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.hasProperties</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.getProperty</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.getProperties</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.getUUID</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.getIdentifier</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.getReferences</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.getWeakReferences</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.getPrimaryItem</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.getPrimaryNodeType</tt> </td>
-<td> <tt>rep:readProperties</tt> on jcr:primaryType </td></tr>
-<tr class="a">
-<td> <tt>Node.getMixinNodeTypes</tt> </td>
-<td> <tt>rep:readProperties</tt> on jcr:mixinTypes </td></tr>
-<tr class="b">
-<td> <tt>Property.getValue</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Property.getValues</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Property.get*</tt> </td>
-<td> <tt>rep:readProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Property.getNode</tt> </td>
-<td> <tt>rep:readProperties</tt>, <tt>rep:readNodes</tt> on ref-target </td></tr>
-<tr class="b">
-<td> <tt>Session.exportSystemView</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>Session.exportDocumentView</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Session.itemExists</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.getItem</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Session.nodeExists</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.nodeExists</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Session.getNode</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.getRootNode</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Session.getNodeByUUID</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.getNodeByIdentifier</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Session.getNode</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.propertyExists</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Session.getProperty</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Item.getParent</tt> </td>
+
+<td><tt>rep:readNodes</tt> on parent </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Item.getAncestor</tt> </td>
+
+<td><tt>rep:readNodes</tt> on ancestor </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.hasNode</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.hasNodes</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.getNode</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.getNodes</tt> </td>
+
+<td><tt>rep:readNodes</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.hasProperty</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.hasProperties</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.getProperty</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.getProperties</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.getUUID</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.getIdentifier</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.getReferences</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.getWeakReferences</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.getPrimaryItem</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.getPrimaryNodeType</tt> </td>
+
+<td><tt>rep:readProperties</tt> on jcr:primaryType </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.getMixinNodeTypes</tt> </td>
+
+<td><tt>rep:readProperties</tt> on jcr:mixinTypes </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Property.getValue</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Property.getValues</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Property.get*</tt> </td>
+
+<td><tt>rep:readProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Property.getNode</tt> </td>
+
+<td><tt>rep:readProperties</tt>, <tt>rep:readNodes</tt> on ref-target </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Session.exportSystemView</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.exportDocumentView</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Writing_Properties"></a>Writing Properties</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>Node.setProperty</tt> (new) </td>
-<td> <tt>rep:addProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.setProperty</tt> (existing) </td>
-<td> <tt>rep:alterProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Property.setValue</tt> </td>
-<td> <tt>rep:alterProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Property.remove</tt> </td>
-<td> <tt>rep:removeProperties</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.setProperty(String, null)</tt> </td>
-<td> <tt>rep:removeProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>JackrabbitSession.removeItem</tt> (item is a property) </td>
-<td> <tt>rep:removeProperties</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Node.setProperty</tt> (new) </td>
+
+<td><tt>rep:addProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.setProperty</tt> (existing) </td>
+
+<td><tt>rep:alterProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Property.setValue</tt> </td>
+
+<td><tt>rep:alterProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Property.remove</tt> </td>
+
+<td><tt>rep:removeProperties</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.setProperty(String, null)</tt> </td>
+
+<td><tt>rep:removeProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>JackrabbitSession.removeItem</tt> (item is a property) </td>
+
+<td><tt>rep:removeProperties</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Writing_Nodes"></a>Writing Nodes</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>Node.addNode(String)</tt> </td>
-<td> <tt>jcr:addChildNodes</tt> (on parent) </td></tr>
-<tr class="a">
-<td> <tt>Node.remove</tt> </td>
-<td> <tt>jcr:removeChildNodes</tt> (on parent), <tt>jcr:removeNode</tt> </td></tr>
-<tr class="b">
-<td> <tt>JackrabbitSession.removeItem</tt> (if item is a node) </td>
-<td> <tt>jcr:removeChildNodes</tt> (on parent), <tt>jcr:removeNode</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.addNode(String, String)</tt> </td>
-<td> <tt>jcr:addChildNodes</tt> (on parent), <tt>jcr:nodeTypeManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.setPrimaryType</tt> </td>
-<td> <tt>jcr:nodeTypeManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.addMixin</tt> </td>
-<td> <tt>jcr:nodeTypeManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>Node.removeMixin</tt> </td>
-<td> <tt>jcr:nodeTypeManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>Node.orderBefore</tt> </td>
-<td> <tt>jcr:addChildNodes</tt> and <tt>jcr:removeChildNodes</tt> (on parent) </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Node.addNode(String)</tt> </td>
+
+<td><tt>jcr:addChildNodes</tt> (on parent) </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.remove</tt> </td>
+
+<td><tt>jcr:removeChildNodes</tt> (on parent), <tt>jcr:removeNode</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>JackrabbitSession.removeItem</tt> (if item is a node) </td>
+
+<td><tt>jcr:removeChildNodes</tt> (on parent), <tt>jcr:removeNode</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.addNode(String, String)</tt> </td>
+
+<td><tt>jcr:addChildNodes</tt> (on parent), <tt>jcr:nodeTypeManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.setPrimaryType</tt> </td>
+
+<td><tt>jcr:nodeTypeManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.addMixin</tt> </td>
+
+<td><tt>jcr:nodeTypeManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.removeMixin</tt> </td>
+
+<td><tt>jcr:nodeTypeManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.orderBefore</tt> </td>
+
+<td><tt>jcr:addChildNodes</tt> and <tt>jcr:removeChildNodes</tt> (on parent) </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Writing_Index_Definition"></a>Writing Index Definition</h5>
<p>While covered by regular JCR API write operations the target items require a dedicated privilege despite the fact that the item definitions are not protected (see Oak JIRA for corresponding discussions).</p>
<p>All items located within a path that contains <tt>oak:index</tt> will be considered part of the special index definition.</p>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>Node.addNode(String, String)</tt> </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
-<tr class="a">
-<td> <tt>Node.addNode(String)</tt> </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
-<tr class="b">
-<td> <tt>Node.orderBefore</tt> </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
-<tr class="a">
-<td> <tt>Node.setProperty</tt> </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
-<tr class="b">
-<td> <tt>Property.setValue</tt> </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>Item.remove</tt> (i.e. Node and Property) </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
-<tr class="b">
-<td> <tt>JackrabbitSession.removeItem</tt> </td>
-<td> <tt>rep:indexDefinitionManagement</tt></td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Node.addNode(String, String)</tt> </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.addNode(String)</tt> </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Node.orderBefore</tt> </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Node.setProperty</tt> </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Property.setValue</tt> </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Item.remove</tt> (i.e. Node and Property) </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>JackrabbitSession.removeItem</tt> </td>
+
+<td><tt>rep:indexDefinitionManagement</tt></td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Move_and_Import"></a>Move and Import</h5>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>Session.move</tt> </td>
-<td> <tt>jcr:removeChildNodes</tt> (source parent) and <tt>jcr:addChildNodes</tt> (target parent) </td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>Session.importXml</tt> </td>
-<td> same privileges as if items would be created using regular API calls </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Session.move</tt> </td>
+
+<td><tt>jcr:removeChildNodes</tt> (source parent) and <tt>jcr:addChildNodes</tt> (target parent) </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Session.importXml</tt> </td>
+
+<td>same privileges as if items would be created using regular API calls </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Access_Control_Management"></a>Access Control Management</h5>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>AccessControlManager.getApplicablePolicies</tt> </td>
-<td> <tt>jcr:readAccessControl</tt> </td></tr>
-<tr class="a">
-<td> <tt>AccessControlManager.getPolicies</tt> </td>
-<td> <tt>jcr:readAccessControl</tt> </td></tr>
-<tr class="b">
-<td> <tt>AccessControlManager.getEffectivePolicies</tt> </td>
-<td> <tt>jcr:readAccessControl</tt> </td></tr>
-<tr class="a">
-<td> <tt>AccessControlManager.setPolicy</tt> </td>
-<td> <tt>jcr:modifyAccessControl</tt> </td></tr>
-<tr class="b">
-<td> <tt>AccessControlManager.removePolicy</tt> </td>
-<td> <tt>jcr:modifyAccessControl</tt> </td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>PrivilegeManager.registerPrivilege</tt> </td>
-<td> <tt>rep:privilegeManagent</tt> at ‘null’ path </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>AccessControlManager.getApplicablePolicies</tt> </td>
+
+<td><tt>jcr:readAccessControl</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>AccessControlManager.getPolicies</tt> </td>
+
+<td><tt>jcr:readAccessControl</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>AccessControlManager.getEffectivePolicies</tt> </td>
+
+<td><tt>jcr:readAccessControl</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>AccessControlManager.setPolicy</tt> </td>
+
+<td><tt>jcr:modifyAccessControl</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>AccessControlManager.removePolicy</tt> </td>
+
+<td><tt>jcr:modifyAccessControl</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>PrivilegeManager.registerPrivilege</tt> </td>
+
+<td><tt>rep:privilegeManagent</tt> at ‘null’ path </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="User_Management"></a>User Management</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>UserManager.getAuthorizable</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>UserManager.findAuthorizable</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>UserManager.createUser</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>UserManager.createSystemUser</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>UserManager.createGroup</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>User.isDisabled</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>User.getDisabledReason</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>User.disable</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>User.changePassword</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>User.getCredentials</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>User.getImpersonation</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Impersonation.getImpersonators</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Impersonation.allows</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Impersonation.grantImpersonation</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>Impersonation.revokeImpersonation</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>Group.getDeclaredMembers</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Group.getMembers</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Group.isDeclaredMember</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Group.isMember</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Group.addMember</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>Group.removeMember</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>Authorizable.getID</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Authorizable.getPrincipal</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>Authorizable.getPath</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>Authorizable.declaredMemberOf</tt> </td>
-<td> <tt>jcr:read</tt> (on groups listing this user/group as member) </td></tr>
-<tr class="a">
-<td> <tt>Authorizable.memberOf</tt> </td>
-<td> <tt>jcr:read</tt> (on groups listing this user/group as member) </td></tr>
-<tr class="b">
-<td> <tt>Authorizable.remove</tt> </td>
-<td> <tt>rep:userManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>Authorizable.getPropertyNames</tt> </td>
-<td> <tt>jcr:read</tt> or <tt>rep:readProperties</tt> (no relPath) </td></tr>
-<tr class="b">
-<td> <tt>Authorizable.hasProperty</tt> </td>
-<td> <tt>jcr:read</tt> or <tt>rep:readProperties</tt> (no relPath) </td></tr>
-<tr class="a">
-<td> <tt>Authorizable.getProperty</tt> </td>
-<td> <tt>jcr:read</tt> or <tt>rep:readProperties</tt> (no relPath) </td>
-<td> </td></tr>
-<tr class="b">
-<td> <tt>Authorizable.setProperty</tt> (no relPath) </td>
-<td> <tt>rep:addProperties</tt> and/or <tt>rep:alterProperties</tt> </td></tr>
-<tr class="a">
-<td> <tt>Authorizable.setProperty</tt> (with relPath </td>
-<td> <tt>rep:addProperties</tt> and/or <tt>rep:alterProperties</tt>, <tt>jcr:addChildNodes</tt> </td></tr>
-<tr class="b">
-<td> <tt>Authorizable.removeProperty</tt> </td>
-<td> <tt>rep:removeProperties</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>UserManager.getAuthorizable</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>UserManager.findAuthorizable</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>UserManager.createUser</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>UserManager.createSystemUser</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>UserManager.createGroup</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>User.isDisabled</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>User.getDisabledReason</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>User.disable</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>User.changePassword</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>User.getCredentials</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>User.getImpersonation</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Impersonation.getImpersonators</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Impersonation.allows</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Impersonation.grantImpersonation</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Impersonation.revokeImpersonation</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Group.getDeclaredMembers</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Group.getMembers</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Group.isDeclaredMember</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Group.isMember</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Group.addMember</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Group.removeMember</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Authorizable.getID</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Authorizable.getPrincipal</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Authorizable.getPath</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Authorizable.declaredMemberOf</tt> </td>
+
+<td><tt>jcr:read</tt> (on groups listing this user/group as member) </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Authorizable.memberOf</tt> </td>
+
+<td><tt>jcr:read</tt> (on groups listing this user/group as member) </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Authorizable.remove</tt> </td>
+
+<td><tt>rep:userManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Authorizable.getPropertyNames</tt> </td>
+
+<td><tt>jcr:read</tt> or <tt>rep:readProperties</tt> (no relPath) </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Authorizable.hasProperty</tt> </td>
+
+<td><tt>jcr:read</tt> or <tt>rep:readProperties</tt> (no relPath) </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Authorizable.getProperty</tt> </td>
+
+<td><tt>jcr:read</tt> or <tt>rep:readProperties</tt> (no relPath) </td>
+
+<td> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Authorizable.setProperty</tt> (no relPath) </td>
+
+<td><tt>rep:addProperties</tt> and/or <tt>rep:alterProperties</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Authorizable.setProperty</tt> (with relPath </td>
+
+<td><tt>rep:addProperties</tt> and/or <tt>rep:alterProperties</tt>, <tt>jcr:addChildNodes</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Authorizable.removeProperty</tt> </td>
+
+<td><tt>rep:removeProperties</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="LifeCycle_Management"></a>LifeCycle Management</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>Node.followLifecycleTransition</tt> </td>
-<td> <tt>jcr:lifecycleManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Node.followLifecycleTransition</tt> </td>
+
+<td><tt>jcr:lifecycleManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Retention_Management"></a>Retention Management</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>RetentionManager.getHolds</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>RetentionManager.getRetentionPolicy</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>RetentionManager.addHold</tt> </td>
-<td> <tt>jcr:retentionManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>RetentionManager.removeHold</tt> </td>
-<td> <tt>jcr:retentionManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>RetentionManager.setRetentionPolicy</tt> </td>
-<td> <tt>jcr:retentionManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>RetentionManager.removeRetentionPolicy</tt> </td>
-<td> <tt>jcr:retentionManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>RetentionManager.getHolds</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>RetentionManager.getRetentionPolicy</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>RetentionManager.addHold</tt> </td>
+
+<td><tt>jcr:retentionManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>RetentionManager.removeHold</tt> </td>
+
+<td><tt>jcr:retentionManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>RetentionManager.setRetentionPolicy</tt> </td>
+
+<td><tt>jcr:retentionManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>RetentionManager.removeRetentionPolicy</tt> </td>
+
+<td><tt>jcr:retentionManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div></div>
<div class="section">
<h4><a name="Workspace_Operations"></a>Workspace Operations</h4>
<div class="section">
<h5><a name="Move_Copy_and_Import"></a>Move, Copy and Import</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>Workspace.move</tt> </td>
-<td> <tt>jcr:removeChildNodes</tt> (source parent) and <tt>jcr:addChildNodes</tt> (target parent) </td></tr>
-<tr class="a">
-<td> <tt>Workspace.copy</tt> </td>
-<td> same privileges as if items would be created using regular API calls </td></tr>
-<tr class="b">
-<td> <tt>Workspace.importXml</tt> </td>
-<td> same privileges as if items would be created using regular API calls </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Workspace.move</tt> </td>
+
+<td><tt>jcr:removeChildNodes</tt> (source parent) and <tt>jcr:addChildNodes</tt> (target parent) </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Workspace.copy</tt> </td>
+
+<td>same privileges as if items would be created using regular API calls </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>Workspace.importXml</tt> </td>
+
+<td>same privileges as if items would be created using regular API calls </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Version_Management"></a>Version Management</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>VersionManager.isCheckedOut</tt> </td>
-<td> <tt>rep:readNodes</tt> on versionable node and <tt>rep:readProperties</tt> on its property <tt>jcr:isCheckedOut</tt> </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.getVersionHistory</tt> </td>
-<td> <tt>rep:readNodes</tt> on versionable node and <tt>rep:readProperties</tt> on its property <tt>jcr:versionHistory</tt> </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.getBaseVersion</tt> </td>
-<td> <tt>rep:readNodes</tt> on versionable node and <tt>rep:readProperties</tt> on its property <tt>jcr:baseVersion</tt> </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.checkin</tt> </td>
-<td> <tt>jcr:versionManagement</tt> on versionable node </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.checkout</tt> </td>
-<td> <tt>jcr:versionManagement</tt> on versionable node </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.checkpoint</tt> </td>
-<td> <tt>jcr:versionManagement</tt> on versionable node </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.restore</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.restoreByLabel</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.merge</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.cancelMerge</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.doneMerge</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.createConfiguration</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.setActivity</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="a">
-<td> <tt>VersionManager.createActivity</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="b">
-<td> <tt>VersionManager.removeActivity</tt> </td>
-<td> <i>TODO</i> </td></tr>
-<tr class="a">
-<td> <tt>VersionHistory.*</tt> (read) </td>
-<td> <tt>rep:readNodes</tt> on versionable node </td></tr>
-<tr class="b">
-<td> <tt>VersionHistory.removeVersion</tt> </td>
-<td> <tt>jcr:versionManagement</tt> on versionable node </td></tr>
-<tr class="a">
-<td> <tt>Version.*</tt> (read) </td>
-<td> <tt>rep:readNodes</tt> on versionable node </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>VersionManager.isCheckedOut</tt> </td>
+
+<td><tt>rep:readNodes</tt> on versionable node and <tt>rep:readProperties</tt> on its property <tt>jcr:isCheckedOut</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.getVersionHistory</tt> </td>
+
+<td><tt>rep:readNodes</tt> on versionable node and <tt>rep:readProperties</tt> on its property <tt>jcr:versionHistory</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.getBaseVersion</tt> </td>
+
+<td><tt>rep:readNodes</tt> on versionable node and <tt>rep:readProperties</tt> on its property <tt>jcr:baseVersion</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.checkin</tt> </td>
+
+<td><tt>jcr:versionManagement</tt> on versionable node </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.checkout</tt> </td>
+
+<td><tt>jcr:versionManagement</tt> on versionable node </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.checkpoint</tt> </td>
+
+<td><tt>jcr:versionManagement</tt> on versionable node </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.restore</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.restoreByLabel</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.merge</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.cancelMerge</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.doneMerge</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.createConfiguration</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.setActivity</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionManager.createActivity</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionManager.removeActivity</tt> </td>
+
+<td><i>TODO</i> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>VersionHistory.*</tt> (read) </td>
+
+<td><tt>rep:readNodes</tt> on versionable node </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>VersionHistory.removeVersion</tt> </td>
+
+<td><tt>jcr:versionManagement</tt> on versionable node </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Version.*</tt> (read) </td>
+
+<td><tt>rep:readNodes</tt> on versionable node </td>
+ </tr>
+ </tbody>
</table>
<p>NOTE: since Oak 1.0 read/write access to version storage is defined by accessibility of the versionable node and <i>not</i> to the version store items.</p></div>
<div class="section">
<h5><a name="Lock_Management"></a>Lock Management</h5>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>LockManager.getLock</tt> = <tt>Node.getLock</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>LockManager.isLocked</tt> = <tt>Node.isLocked</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>LockManager.holdsLock</tt> = <tt>Node.holdsLock</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>LockManager.lock</tt> = <tt>Node.lock</tt> </td>
-<td> <tt>jcr:lockManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>LockManager.unlock</tt> = <tt>Node.unlock</tt> </td>
-<td> <tt>jcr:lockManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>LockManager.getLock</tt> = <tt>Node.getLock</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>LockManager.isLocked</tt> = <tt>Node.isLocked</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>LockManager.holdsLock</tt> = <tt>Node.holdsLock</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>LockManager.lock</tt> = <tt>Node.lock</tt> </td>
+
+<td><tt>jcr:lockManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>LockManager.unlock</tt> = <tt>Node.unlock</tt> </td>
+
+<td><tt>jcr:lockManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div></div>
<div class="section">
<h4><a name="Repository_Operations"></a>Repository Operations</h4>
<p>Note: privileges for repository operations need to be granted|denied on the <i>null</i> path.</p>
<div class="section">
<h5><a name="Namespace_Management"></a>Namespace Management</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>NamespaceRegistry.getPrefix</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>NamespaceRegistry.getPrefixes</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>NamespaceRegistry.getURI</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>NamespaceRegistry.getURIs</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>NamespaceRegistry.registerNamespace</tt> </td>
-<td> <tt>jcr:namespaceManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>NamespaceRegistry.unregisterNamespace</tt> </td>
-<td> <tt>jcr:namespaceManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>NamespaceRegistry.getPrefix</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NamespaceRegistry.getPrefixes</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NamespaceRegistry.getURI</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NamespaceRegistry.getURIs</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NamespaceRegistry.registerNamespace</tt> </td>
+
+<td><tt>jcr:namespaceManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NamespaceRegistry.unregisterNamespace</tt> </td>
+
+<td><tt>jcr:namespaceManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="NodeType_Management"></a>NodeType Management</h5>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> <tt>NodeTypeManager.hasNodeType</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>NodeTypeManager.getNodeType</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>NodeTypeManager.getAllNodeTypes</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>NodeTypeManager.getPrimaryNodeTypes</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>NodeTypeManager.getMixinNodeTypes</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="a">
-<td> <tt>NodeTypeManager.createNodeTypeTemplate</tt> </td>
-<td> NA </td></tr>
-<tr class="b">
-<td> <tt>NodeTypeManager.createNodeDefinitionTemplate</tt> </td>
-<td> NA </td></tr>
-<tr class="a">
-<td> <tt>NodeTypeManager.createPropertyDefinitionTemplate</tt> </td>
-<td> NA </td></tr>
-<tr class="b">
-<td> <tt>NodeTypeManager.registerNodeType</tt> </td>
-<td> <tt>jcr:nodeTypeDefinitionManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>NodeTypeManager.registerNodeTypes</tt> </td>
-<td> <tt>jcr:nodeTypeDefinitionManagement</tt> </td></tr>
-<tr class="b">
-<td> <tt>NodeTypeManager.unregisterNodeType</tt> </td>
-<td> <tt>jcr:nodeTypeDefinitionManagement</tt> </td></tr>
-<tr class="a">
-<td> <tt>NodeTypeManager.unregisterNodeTypes</tt> </td>
-<td> <tt>jcr:nodeTypeDefinitionManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>NodeTypeManager.hasNodeType</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NodeTypeManager.getNodeType</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NodeTypeManager.getAllNodeTypes</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NodeTypeManager.getPrimaryNodeTypes</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NodeTypeManager.getMixinNodeTypes</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NodeTypeManager.createNodeTypeTemplate</tt> </td>
+
+<td>NA </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NodeTypeManager.createNodeDefinitionTemplate</tt> </td>
+
+<td>NA </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NodeTypeManager.createPropertyDefinitionTemplate</tt> </td>
+
+<td>NA </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NodeTypeManager.registerNodeType</tt> </td>
+
+<td><tt>jcr:nodeTypeDefinitionManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NodeTypeManager.registerNodeTypes</tt> </td>
+
+<td><tt>jcr:nodeTypeDefinitionManagement</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>NodeTypeManager.unregisterNodeType</tt> </td>
+
+<td><tt>jcr:nodeTypeDefinitionManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>NodeTypeManager.unregisterNodeTypes</tt> </td>
+
+<td><tt>jcr:nodeTypeDefinitionManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Privilege_Management"></a>Privilege Management</h5>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>PrivilegeManager.getRegisteredPrivileges</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>PrivilegeManager.getPrivilege</tt> </td>
-<td> <tt>jcr:read</tt> </td></tr>
-<tr class="b">
-<td> <tt>PrivilegeManager.registerPrivilege</tt> </td>
-<td> <tt>rep:privilegeManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>PrivilegeManager.getRegisteredPrivileges</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>PrivilegeManager.getPrivilege</tt> </td>
+
+<td><tt>jcr:read</tt> </td>
+ </tr>
+
+<tr class="b">
+
+<td><tt>PrivilegeManager.registerPrivilege</tt> </td>
+
+<td><tt>rep:privilegeManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="Workspace_Management"></a>Workspace Management</h5>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> API Call </th>
-<th> Privilege(s) </th></tr>
-</thead><tbody>
-<tr class="b">
-<td> <tt>Workspace.createWorkspace</tt> </td>
-<td> <tt>jcr:workspaceManagement</tt> </td></tr>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<td> <tt>Workspace.deleteWorkspace</tt> </td>
-<td> <tt>jcr:workspaceManagement</tt> </td></tr>
-</tbody>
+
+<th>API Call </th>
+
+<th>Privilege(s) </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>Workspace.createWorkspace</tt> </td>
+
+<td><tt>jcr:workspaceManagement</tt> </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>Workspace.deleteWorkspace</tt> </td>
+
+<td><tt>jcr:workspaceManagement</tt> </td>
+ </tr>
+ </tbody>
</table></div></div></div></div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user.html (original)
+++ jackrabbit/site/live/oak/docs/security/user.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,103 +239,125 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="User_Management"></a>User Management</h2>
-<a name="jcr_api"></a>
-### JCR API
-
+<p><a name="jcr_api"></a></p>
+<div class="section">
+<h3><a name="JCR_API"></a>JCR API</h3>
<p>JCR itself doesn’t come with a dedicated user management API. The only method related and ultimately used for user management tasks is <tt>Session.getUserID()</tt>. Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.</p>
-<a name="jackrabbit_api"></a>
-### Jackrabbit API
-
+<p><a name="jackrabbit_api"></a></p></div>
+<div class="section">
+<h3><a name="Jackrabbit_API"></a>Jackrabbit API</h3>
<p>The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user’ package space:</p>
-<ul>
+<ul>
+
<li><tt>UserManager</tt></li>
+
<li><tt>Authorizable</tt>
+
<ul>
-
+
<li><tt>User</tt></li>
+
<li><tt>Group</tt></li>
-</ul>
-</li>
+ </ul></li>
+
<li><tt>Impersonation</tt></li>
+
<li><tt>QueryBuilder</tt>
+
<ul>
-
+
<li><tt>Query</tt></li>
+ </ul></li>
</ul>
-</li>
-</ul>
-<a name="api_extensions"></a>
-### API Extensions
-
+<p><a name="api_extensions"></a></p></div>
+<div class="section">
+<h3><a name="API_Extensions"></a>API Extensions</h3>
<p>The Oak project introduces the following user management related public interfaces and classes:</p>
-<ul>
+<ul>
+
<li><tt>AuthorizableType</tt>: ease handling with the different authorizable types.</li>
+
<li><tt>AuthorizableAction</tt> and <tt>AuthorizableActionProvider</tt>: see <a href="user/authorizableaction.html">Authorizable Actions</a> for details.</li>
-<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
+
+<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
+
<li><tt>GroupAction</tt> (via <tt>AuthorizableActionProvider</tt>): see <a href="user/groupaction.html">Group Actions</a> for details.</li>
+
<li><tt>UserAuthenticationFactory</tt>: see sections <a href="user/default.html#pluggability">pluggability</a> and <a href="authentication/default.html#user_authentication">user authentication</a> for additional details.</li>
</ul>
-<a name="utilities"></a>
-### Utilities
-
+<p><a name="utilities"></a></p></div>
+<div class="section">
+<h3><a name="Utilities"></a>Utilities</h3>
<p><tt>org.apache.jackrabbit.oak.spi.security.user.*</tt></p>
-<ul>
+<ul>
+
<li><tt>UserConstants</tt> : Constants (NOTE: OAK names/paths)</li>
+
<li><tt>UserIdCredentials</tt> : Simple credentials implementation that might be used for `User.getCredentials’ without exposing pw information.</li>
</ul>
<p><tt>org.apache.jackrabbit.oak.spi.security.user.util.*</tt></p>
-<ul>
-<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.</li>
+<ul>
+
+<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.</li>
+
<li><tt>UserUtil</tt> : Utilities related to general user management tasks.</li>
</ul>
-<a name="default_implementation"></a>
-### Oak User Management Implementation
-
+<p><a name="default_implementation"></a></p></div>
+<div class="section">
+<h3><a name="Oak_User_Management_Implementation"></a>Oak User Management Implementation</h3>
<p>The behavior of the default user management implementation is described in section <a href="user/default.html">User Management: The Default Implementation</a>.</p>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
<p>The Oak user management comes with a dedicated entry point called <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a>. This class is responsible for passing configuration options to the implementation and provides the following two methods:</p>
-<ul>
+<ul>
+
<li><tt>getUserManager(Root, NamePathMapper)</tt>: get a new <tt>UserManager</tt> instance</li>
+
<li><tt>getUserPrincipalProvider(Root, NamePathMapper)</tt>: optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).</li>
</ul>
<div class="section">
-<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
<p>The supported configuration options of the default implementation are described in the corresponding <a href="user/default.html#configuration">section</a>.</p>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
<p>The default security setup as present with Oak 1.0 is able to have the default user management implementation replaced as follows:</p>
<p>The complete user management implementation can be changed by plugging a different <tt>UserConfiguration</tt> implementations. In OSGi-base setup this is achieved by making the configuration a service which must take precedence over the default. In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</p>
<p>Alternatively the default user management implementation can be extended and adjusted using various means. See the corresponding <a href="user/default.html#pluggability">section</a> for further details.</p>
-<a name="further_reading"></a>
-### Further Reading
+<p><a name="further_reading"></a></p></div>
+<div class="section">
+<h3><a name="Further_Reading"></a>Further Reading</h3>
<ul>
-
+
<li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+
<li><a href="user/default.html">User Management : The Default Implementation</a>
+
<ul>
-
+
<li><a href="user/membership.html">Group Membership</a></li>
+
<li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
+
<li><a href="user/authorizablenodename.html">Authorizable Node Name</a></li>
+
<li><a href="user/expiry.html">Password Expiry and Force Initial Password Change</a></li>
+
<li><a href="user/history.html">Password History</a></li>
-</ul>
-</li>
+ </ul></li>
+
<li><a href="user/query.html">Searching Users and Groups</a></li>
-</ul><!-- hidden references --></div></div></div>
+</ul>
+<!-- hidden references --></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/authorizableaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizableaction.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizableaction.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizableaction.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-04-18
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180418" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authorizable Actions</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-04-18<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,25 +239,29 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<h2><a name="Authorizable_Actions"></a>Authorizable Actions</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>Oak 1.0 comes with a extension to the Jackrabbit user management API that allows to perform additional actions or validations upon common user management tasks such as</p>
-<ul>
+<ul>
+
<li>create authorizables</li>
+
<li>remove authorizables</li>
+
<li>change a user’s password</li>
</ul>
<p>Similar functionality has been present in Jackrabbit 2.x as internal interface. Compared to the Jackrabbit interface the new <tt>AuthorizableAction</tt> has been slightly adjusted to match Oak requirements operate directly on the Oak API, which eases the handling of implementation specific tasks such as writing protected items.</p></div>
<div class="section">
<h3><a name="AuthorizableAction_API"></a>AuthorizableAction API</h3>
<p>The following public interfaces are provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user.action</tt>:</p>
-<ul>
+<ul>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.html">AuthorizableAction</a></li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableActionProvider.html">AuthorizableActionProvider</a></li>
</ul>
<p>The <tt>AuthorizableAction</tt> interface itself allows to perform validations or write additional application specific content while executing user management related write operations. Therefore these actions are executed as part of the transient user management modifications. This contrasts to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s which in turn are only triggered once modifications are persisted.</p>
@@ -269,27 +270,36 @@
<div class="section">
<h3><a name="Default_Implementations"></a>Default Implementations</h3>
<p>Oak 1.0 provides the following base implementations:</p>
-<ul>
+<ul>
+
<li><tt>AbstractAuthorizableAction</tt>: abstract base implementation that doesn’t perform any action.</li>
+
<li><tt>DefaultAuthorizableActionProvider</tt>: default action provider service that allows to enable the built-in actions provided with oak.</li>
+
<li><tt>CompositeActionProvider</tt>: Allows to aggregate multiple provider implementations.</li>
</ul>
<div class="section">
<h4><a name="Changes_wrt_Jackrabbit_2.x"></a>Changes wrt Jackrabbit 2.x</h4>
-<ul>
+<ul>
+
<li>actions no longer operate on JCR API but rather on the Oak API direct.</li>
+
<li>provider interface simplifies pluggability</li>
</ul></div>
<div class="section">
<h4><a name="Built-in_AuthorizableAction_Implementations"></a>Built-in AuthorizableAction Implementations</h4>
<p>The following implementations of the <tt>AuthorizableAction</tt> interface are provided:</p>
-<ul>
+<ul>
+
<li><tt>AccessControlAction</tt>: set up permission for new authorizables</li>
+
<li><tt>PasswordValidationAction</tt>: simplistic password verification upon user creation and password modification</li>
+
<li><tt>PasswordChangeAction</tt>: verifies that the new password is different from the old one</li>
+
<li><tt>ClearMembershipAction</tt>: clear group membership upon removal of an authorizable.</li>
</ul>
<p>As in Jackrabbit 2.x the actions are executed with the editing session and the target operation will fail if any of the configured actions fails (e.g. due to insufficient permissions by the editing Oak ContentSession).</p></div></div>
@@ -297,9 +307,11 @@
<h3><a name="Pluggability"></a>Pluggability</h3>
<p>The default security setup as present with Oak 1.0 is able to provide custom <tt>AuthorizableActionProvider</tt> implementations and will automatically combine the different implementations using the <tt>CompositeActionProvider</tt>.</p>
<p>In an OSGi setup the following steps are required in order to add an action provider implementation:</p>
-<ul>
+<ul>
+
<li>implement <tt>AuthorizableActionProvider</tt> interface exposing your custom action(s).</li>
+
<li>make the provider implementation an OSGi service and make it available to the Oak repository.</li>
</ul>
<div class="section">
@@ -308,9 +320,8 @@
<div class="section">
<h6><a name="Example_Action_Provider"></a>Example Action Provider</h6>
-<div>
-<div>
-<pre class="source">@Component()
+<div class="source">
+<div class="source"><pre class="prettyprint">@Component()
@Service(AuthorizableActionProvider.class)
public class MyAuthorizableActionProvider implements AuthorizableActionProvider {
@@ -349,15 +360,13 @@ public class MyAuthorizableActionProvide
config = ConfigurationParameters.of(properties);
}
}
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h6><a name="Example_Action"></a>Example Action</h6>
<p>This example action generates additional child nodes upon user/group creation that will later be used to store various target-specific profile information:</p>
-<div>
-<div>
-<pre class="source">class ProfileAction extends AbstractAuthorizableAction {
+<div class="source">
+<div class="source"><pre class="prettyprint">class ProfileAction extends AbstractAuthorizableAction {
private final String publicName;
private final String privateName;
@@ -394,14 +403,12 @@ public class MyAuthorizableActionProvide
}
}
}
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h6><a name="Example_Non-OSGI_Setup"></a>Example Non-OSGI Setup</h6>
-<div>
-<div>
-<pre class="source">Map<String, Object> userParams = new HashMap<String, Object>();
+<div class="source">
+<div class="source"><pre class="prettyprint">Map<String, Object> userParams = new HashMap<String, Object>();
userParams.put(UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER, new MyAuthorizableActionProvider());
ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams)));
SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build();
Modified: jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-04-18
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180418" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authorizable Node Name Generation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-04-18<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,48 +239,55 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<h2><a name="Authorizable_Node_Name_Generation"></a>Authorizable Node Name Generation</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>Oak 1.0 comes with a extension to the Jackrabbit user management API that allows to change the way how the name of an authorizable node is being generated.</p>
<p>As in Jackrabbit 2.x the target ID is used as name-hint by default. In order to prevent exposing identifier related information in the path of the authorizable node, it it’s desirable to change this default behavior by plugging a different implementation of the <tt>AuthorizableNodeName</tt> interface.</p>
-<ul>
-<li><tt>AuthorizableNodeName</tt> : Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository.</li>
+<ul>
+
+<li><tt>AuthorizableNodeName</tt> : Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository.</li>
</ul>
<p>In the default implementation the corresponding configuration parameter is <tt>PARAM_AUTHORIZABLE_NODE_NAME</tt>. The default name generator can be replace by installing an OSGi service that implementations the <tt>AuthorizableNodeName</tt> interface. In a non-OSGi setup the user configuration must be initialized with configuration parameters that provide the custom generator implementation.</p></div>
<div class="section">
<h3><a name="AuthorizableNodeName_API"></a>AuthorizableNodeName API</h3>
<p>The following public interfaces are provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user</tt>:</p>
-<ul>
+<ul>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/AuthorizableNodeName.html">AuthorizableNodeName</a></li>
</ul>
<p>The <tt>AuthorizableNodeName</tt> interface itself defines single method that allows to generate a valid JCR name for a given authorizable ID.</p>
<div class="section">
<h4><a name="Changes_wrt_Jackrabbit_2.x"></a>Changes wrt Jackrabbit 2.x</h4>
-<ul>
-<li>The generation of the node name is a configuration option of the default user management implementation.</li>
-<li>In an OSGi-based setup the default can be changed at runtime by plugging a different implementation. E.g. the <tt>RandomAuthorizableNodeName</tt> component can easily be enabled by providing the required configuration.</li>
+<ul>
+
+<li>The generation of the node name is a configuration option of the default user management implementation.</li>
+
+<li>In an OSGi-based setup the default can be changed at runtime by plugging a different implementation. E.g. the <tt>RandomAuthorizableNodeName</tt> component can easily be enabled by providing the required configuration.</li>
</ul></div>
<div class="section">
<h4><a name="Built-in_AuthorizableAction_Implementations"></a>Built-in AuthorizableAction Implementations</h4>
<p>Oak 1.0 provides the following base implementations:</p>
-<ul>
-<li><tt>AuthorizableNodeName.Default</tt>: Backwards compatible implementation that uses the authorizable ID as name hint.</li>
+<ul>
+
+<li><tt>AuthorizableNodeName.Default</tt>: Backwards compatible implementation that uses the authorizable ID as name hint.</li>
+
<li><tt>RandomAuthorizableNodeName</tt>: Generating a random JCR name (see <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.html">RandomAuthorizableNodeName</a>.java).</li>
</ul></div></div>
<div class="section">
<h3><a name="Pluggability"></a>Pluggability</h3>
<p>The default security setup as present with Oak 1.0 can be run with a custom <tt>RandomAuthorizableNodeName</tt> implementations.</p>
<p>In an OSGi setup the following steps are required in order to add a different implementation:</p>
-<ul>
+<ul>
+
<li>implement <tt>AuthorizableNodeName</tt> interface.</li>
+
<li>make the implementation an OSGi service and make it available to the Oak repository.</li>
</ul>
<div class="section">
@@ -293,9 +297,8 @@
<h6><a name="Example_AuthorizableNodeName"></a>Example AuthorizableNodeName</h6>
<p>In an OSGi-based setup it’s sufficient to make the service available to the repository in order to enable this custom node name generator.</p>
-<div>
-<div>
-<pre class="source">@Component
+<div class="source">
+<div class="source"><pre class="prettyprint">@Component
@Service(value = {AuthorizableNodeName.class})
/**
* Custom implementation of the {@code AuthorizableNodeName} interface
@@ -310,12 +313,10 @@ final class UUIDNodeName implements Auth
}
}
</pre></div></div>
-
<p>In a non-OSGi setup this custom name generator can be plugged by making it available to the user configuration as follows:</p>
-<div>
-<div>
-<pre class="source">Map<String, Object> userParams = new HashMap<String, Object>();
+<div class="source">
+<div class="source"><pre class="prettyprint">Map<String, Object> userParams = new HashMap<String, Object>();
userParams.put(UserConstants.PARAM_AUTHORIZABLE_NODE_NAME, new UUIDNodeName());
ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams)));
SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build();