Posted to commits@jackrabbit.apache.org by th...@apache.org on 2014/09/24 14:24:02 UTC

svn commit: r1627294 [6/7] - in /jackrabbit/site/live/oak/docs: ./ META-INF/ architecture/ coldstandby/ nodestore/ oak_api/ plugins/ security/ security/accesscontrol/ security/authentication/ security/permission/ security/principal/ security/privilege/...

Added: jackrabbit/site/live/oak/docs/security/external_login_module.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/external_login_module.html?rev=1627294&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/external_login_module.html (added)
+++ jackrabbit/site/live/oak/docs/security/external_login_module.html Wed Sep 24 12:23:59 2014
@@ -0,0 +1,918 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - The Oak Security Layer</title>
+    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../css/site.css" />
+    <link rel="stylesheet" href="../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="../from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><h1>The Oak Security Layer</h1>
+<div class="section">
+<h2>Authentication / Login Modules<a name="Authentication__Login_Modules"></a></h2>
+<div class="section">
+<h3>Types of login modules<a name="Types_of_login_modules"></a></h3>
+<p>In order to understand how login modules work and how Oak can help providing extension points we need to look at how JAAS authentication works in general and discuss where the actual credential-verification is performed.</p>
+<div class="section">
+<h4>Brief recap of the JAAS authentication<a name="Brief_recap_of_the_JAAS_authentication"></a></h4>
+<p>The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html">javax.security.auth.spi.LoginModule</a>:</p>
+<p>The authentication process within the <tt>LoginModule</tt> proceeds in two distinct phases. </p>
+<p>1.</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>In the first phase, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method gets invoked by the <tt>LoginContext</tt>&#x2019;s <tt>login</tt> method.</li>
+  
+<li>The <tt>login</tt> method for the <tt>LoginModule</tt> then performs the actual authentication (prompt for and verify a  password for example) and saves its authentication status as private state information.</li>
+  
+<li>Once finished, the <tt>LoginModule</tt>&#x2019;s login method either returns <tt>true</tt> (if it succeeded) or <tt>false</tt> (if it should  be ignored), or throws a <tt>LoginException</tt> to specify a failure. In the failure case, the <tt>LoginModule</tt> must not  retry the authentication or introduce delays. The responsibility of such tasks belongs to the application.  If the application attempts to retry the authentication, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method will be called again.</li>
+</ol>
+<p>2.</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>In the second phase, if the <tt>LoginContext</tt>&#x2019;s overall authentication succeeded (the relevant REQUIRED, REQUISITE,  SUFFICIENT and OPTIONAL LoginModules succeeded), then the <tt>commit</tt> method for the <tt>LoginModule</tt> gets invoked.</li>
+  
+<li>The <tt>commit</tt> method for a <tt>LoginModule</tt> checks its privately saved state to see if its own authentication  succeeded.</li>
+  
+<li>If the overall <tt>LoginContext</tt> authentication succeeded and the <tt>LoginModule</tt>&#x2019;s own authentication succeeded, then  the <tt>commit</tt> method associates the relevant Principals (authenticated identities) and Credentials (authentication  data such as cryptographic keys) with the Subject located within the <tt>LoginModule</tt>.</li>
+  
+<li>If the <tt>LoginContext</tt>&#x2019;s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL  LoginModules did not succeed), then the <tt>abort</tt> method for each <tt>LoginModule</tt> gets invoked. In this case, the  <tt>LoginModule</tt> removes/destroys any authentication state originally saved.</li>
+</ol></div>
+<div class="section">
+<h4>Login module execution order<a name="Login_module_execution_order"></a></h4>
+<p>Very simply put, all the login modules that participate in JAAS authentication are configured in a list and can have flags indicating how to treat their behaviors on the <tt>login()</tt> calls.</p>
+<p>JAAS defines the following module flags:<br />(The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html">javax.security.auth.login.Configuration</a>)</p>
+
+<dl>
+<dt><b>Required</b></dt>
+<dd>The LoginModule is required to succeed.<br /> If it succeeds or fails, authentication still continues to proceed down the LoginModule list.</dd>
+<dt><b>Requisite</b></dt>
+<dd>The LoginModule is required to succeed.<br /> If it succeeds, authentication continues down the LoginModule list.  If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule  list).</dd>
+<dt><b>Sufficient</b></dt>
+<dd>The LoginModule is not required to succeed.<br /> If it does succeed, control immediately returns to the application (authentication does not proceed down the  LoginModule list).  If it fails, authentication continues down the LoginModule list.</dd>
+<dt><b>Optional</b></dt>
+<dd>The LoginModule is not required to succeed.<br /> If it succeeds or fails, authentication still continues to proceed down the LoginModule list.</dd>
+</dl>
+<p>The overall authentication succeeds <b>only</b> if <b>all</b> Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.</p></div></div>
+<div class="section">
+<h3>Pre Authenticated Logins<a name="Pre_Authenticated_Logins"></a></h3>
+<p>Pre authenticated logins allows to support 3rd party login modules that wish to provide the login context with pre authenticated login names, but still want to rely on the rest of the oak&#x2019;s login module chain. For example an external SSO login module can extract the userid from a servlet request and use it to authenticate against the repository. But instead of re-implementing the user lookup and subject population (and possible external user synchronization) it just sets a respective <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html">org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin</a> on the shared state.</p></div></div>
+<div class="section">
+<h2>Default Login Module<a name="Default_Login_Module"></a></h2>
+<div class="section">
+<h3>Behavior of the Default Login Module<a name="Behavior_of_the_Default_Login_Module"></a></h3>
+<p>The behavior of the default login module is relatively simple, so it is explained first:</p>
+<p>upon login():</p>
+
+<ul>
+  
+<li>if a user does not exist in the repository (i.e. cannot be provided by the user manager) it <b>returns <tt>false</tt></b>.</li>
+  
+<li>if an authorizable with the respective userId exists but is a group or a disabled users, it <b>throws <tt>LoginException</tt></b></li>
+  
+<li>if a user exists in the repository and the credentials don&#x2019;t match, it <b>throws <tt>LoginException</tt></b></li>
+  
+<li>if a user exists in the repository and the credentials match, it <b>returns <tt>true</tt></b>
+  
+<ul>
+    
+<li>also, it adds the credentials to the shared state</li>
+    
+<li>also, it adds the login name to the shared state</li>
+    
+<li>also, it calculates the principals and adds them to the private state</li>
+    
+<li>also, it adds the credentials to the private state</li>
+  </ul></li>
+</ul>
+<p>upon commit():</p>
+
+<ul>
+  
+<li>if the private state contains the credentials and principals, it adds them (both) to the subject and <b>returns <tt>true</tt></b></li>
+  
+<li>if the private state does not contain credentials and principals, it clears the state and <b>returns <tt>false</tt></b></li>
+</ul></div></div>
+<div class="section">
+<h2>External Login Module<a name="External_Login_Module"></a></h2>
+<div class="section">
+<h3>Overview<a name="Overview"></a></h3>
+<p>The purpose of the external login module is to provide a base implementation that allows easy integration of 3rd party authentication and identity systems, such as LDAP. The general mode of the external login module is to use the external system as authentication source and as a provider for users and groups.</p>
+<p>what it does:</p>
+
+<ul>
+  
+<li>facilitate the use of a 3rd party system for authentication</li>
+  
+<li>simplify populating the oak user manager with identities from a 3rd party system</li>
+</ul>
+<p>what it does not:</p>
+
+<ul>
+  
+<li>provide a transparent oak user manager</li>
+  
+<li>provide a transparent oak principal provider.</li>
+  
+<li>offer services for background synchronization of users and groups</li>
+</ul></div>
+<div class="section">
+<h3>Structure<a name="Structure"></a></h3>
+<p>The external identity and login handling is split into 3 parts:</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>An external identity provider (IDP). This is a service implementing the <tt>ExternalIdentityProvider</tt> interface and is responsible to retrieve and authenticate identities towards an external system (e.g. LDAP).</li>
+  
+<li>An synchronization handler. This is a service implementing the <tt>SyncHandler</tt> interface and is responsible to actually managing the external identities within the Oak user management. A very trivial implementation might just create users and groups for external ones on demand.</li>
+  
+<li>The external login module (ExtLM). This is the connection between JAAS login mechanism, the external identity provider and the synchronization handler.</li>
+</ol>
+<p>This modularization allows to reuse the same external login module for different combinations of IDPs and synchronization handlers. Although in practice, systems usually have 1 of each. </p>
+<p>An example where multiple such entities come into play would be the case to use several LDAP servers for authentication. Here we would configure 2 LDAP IDPs, 1 Sync handler and 2 ExtLMs.</p>
+<div class="section">
+<h4>Authentication and subject population<a name="Authentication_and_subject_population"></a></h4>
+<p>The goal of the external login module is to provide a very simple way of using <i>&#x201c;the users stored in an external system for authentication and authorization in the Oak content repository&#x201d;</i>. So the easiest way of doing this is to import the users on-demand when they log in. </p></div></div>
+<div class="section">
+<h3>Behavior of the External Login Module<a name="Behavior_of_the_External_Login_Module"></a></h3>
+<div class="section">
+<h4>General<a name="General"></a></h4>
+<p>The external login module has 2 main tasks. one is to authenticate credentials against a 3rd party system, the other is to coordinate syncing of the respective users and groups with the JCR repository (via the UserManager).</p>
+<p>If a user needs re-authentication (for example, if the cache validity expired or if the user is not yet present in the local system at all), the login module must check the credentials with the external system during the <tt>login()</tt> method. </p>
+<p><b>ExternalLoginModule</b></p>
+<p>Note:</p>
+
+<ul>
+  
+<li>users (and groups) that are synced from the 3rd party system contain a <tt>rep:externalId</tt> property. This allows to identify the external users and distinguish them from others.</li>
+  
+<li>to reduce expensive syncing, the synced users and groups have sync timestamp <tt>rep:lastSynced</tt> and are considered valid for a configurable time. if they expire, they need to be validated against the 3rd party system again.</li>
+</ul>
+<p>upon login():</p>
+
+<ul>
+  
+<li>if the user exists in the repository and is not an externally synced, <b>return <tt>false</tt></b></li>
+  
+<li>if the user exists in the 3rd party system but the credentials don&#x2019;t match it <b>throws <tt>LoginException</tt></b></li>
+  
+<li>if the user exists in the 3rd party system and the credentials match
+  
+<ul>
+    
+<li>put the credentials in the shared and private state</li>
+    
+<li>possibly sync the user</li>
+    
+<li>and <b>returns <tt>true</tt></b></li>
+  </ul></li>
+  
+<li>if the user does not exist in the 3rd party system, checks if it needs to remove the user and then it <b>returns <tt>false</tt></b></li>
+</ul>
+<p>upon commit():</p>
+
+<ul>
+  
+<li>if there is no credentials in the private state, it <b>returns <tt>false</tt></b></li>
+  
+<li>if there are credentials in the private state propagate the subject and <b>return <tt>true</tt></b></li>
+</ul></div></div></div>
+<div class="section">
+<h2>User and Group Synchronization<a name="User_and_Group_Synchronization"></a></h2>
+<p>The synchronization of users and groups is triggered by the external login module, after a user is successfully authenticated against the IDP or if it&#x2019;s no longer present on the IDP.</p>
+<div class="section">
+<h3>Configuration of the DefaultSyncHandler<a name="Configuration_of_the_DefaultSyncHandler"></a></h3>
+<p>Oak provides a default synchronization handler that is configured via <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html">org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfig</a>. The handler is configured either via OSGi or during manual <a href="../construct.html">Repository Construction</a>.</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Name </th>
+      
+<th>Property </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>Sync Handler Name </td>
+      
+<td><tt>handler.name</tt> </td>
+      
+<td>Name of this sync configuration. This is used to reference this handler by the login modules. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User auto membership </td>
+      
+<td><tt>user.autoMembership</tt> </td>
+      
+<td>List of groups that a synced user is added to automatically </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User Expiration Time </td>
+      
+<td><tt>user.expirationTime</tt> </td>
+      
+<td>Duration until a synced user gets expired (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User Membership Expiration </td>
+      
+<td><tt>user.membershipExpTime</tt> </td>
+      
+<td>Time after which membership expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User membership nesting depth </td>
+      
+<td><tt>user.membershipNestingDepth</tt> </td>
+      
+<td>Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User Path Prefix </td>
+      
+<td><tt>user.pathPrefix</tt> </td>
+      
+<td>The path prefix used when creating new users. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User property mapping </td>
+      
+<td><tt>user.propertyMapping</tt> </td>
+      
+<td>List mapping definition of local properties from external ones. eg: &#x2018;profile/email=mail&#x2019;.Use double quotes for fixed values. eg: &#x2019;profile/nt:primaryType=&#x201c;nt:unstructured&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group auto membership </td>
+      
+<td><tt>group.autoMembership</tt> </td>
+      
+<td>List of groups that a synced group is added to automatically </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group Expiration Time </td>
+      
+<td><tt>group.expirationTime</tt> </td>
+      
+<td>Duration until a synced group expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group Path Prefix </td>
+      
+<td><tt>group.pathPrefix</tt> </td>
+      
+<td>The path prefix used when creating new groups. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group property mapping </td>
+      
+<td><tt>group.propertyMapping</tt> </td>
+      
+<td>List mapping definition of local properties from external ones. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table></div></div>
+<div class="section">
+<h2>LDAP Identity Provider<a name="LDAP_Identity_Provider"></a></h2>
+<p>Oak comes with a default implementation of an LDAP identity provider.</p>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The LDAP IPDs are configured through the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.html">org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig</a> which is populated either via OSGi or during manual <a href="../construct.html">Repository Construction</a>.</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Name </th>
+      
+<th>Property </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>LDAP Provider Name </td>
+      
+<td><tt>provider.name</tt> </td>
+      
+<td>Name of this LDAP provider configuration. This is used to reference this provider by the login modules. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Bind DN </td>
+      
+<td><tt>bind.dn</tt> </td>
+      
+<td>DN of the user for authentication. Leave empty for anonymous bind. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Bind Password </td>
+      
+<td><tt>bind.password</tt> </td>
+      
+<td>Password of the user for authentication. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>LDAP Server Hostname </td>
+      
+<td><tt>host.name</tt> </td>
+      
+<td>Hostname of the LDAP server </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Disable certificate checking </td>
+      
+<td><tt>host.noCertCheck</tt> </td>
+      
+<td>Indicates if server certificate validation should be disabled. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>LDAP Server Port </td>
+      
+<td><tt>host.port</tt> </td>
+      
+<td>Port of the LDAP server </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Use SSL </td>
+      
+<td><tt>host.ssl</tt> </td>
+      
+<td>Indicates if an SSL (LDAPs) connection should be used. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Use TLS </td>
+      
+<td><tt>host.tls</tt> </td>
+      
+<td>Indicates if TLS should be started on connections. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Search Timeout </td>
+      
+<td><tt>searchTimeout</tt> </td>
+      
+<td>Time in until a search times out (eg: &#x2018;1s&#x2019; or &#x2018;1m 30s&#x2019;). </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User base DN </td>
+      
+<td><tt>user.baseDN</tt> </td>
+      
+<td>The base DN for user searches. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User extra filter </td>
+      
+<td><tt>user.extraFilter</tt> </td>
+      
+<td>Extra LDAP filter to use when searching for users. The final filter is formatted like: <tt>(&amp;(&lt;idAttr&gt;=&lt;userId&gt;)(objectclass=&lt;objectclass&gt;)&lt;extraFilter&gt;)</tt> </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User id attribute </td>
+      
+<td><tt>user.idAttribute</tt> </td>
+      
+<td>Name of the attribute that contains the user id. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User DN paths </td>
+      
+<td><tt>user.makeDnPath</tt> </td>
+      
+<td>Controls if the DN should be used for calculating a portion of the intermediate path. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User object classes </td>
+      
+<td><tt>user.objectclass</tt> </td>
+      
+<td>The list of object classes an user entry must contain. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group base DN </td>
+      
+<td><tt>group.baseDN</tt> </td>
+      
+<td>The base DN for group searches. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group extra filter </td>
+      
+<td><tt>group.extraFilter</tt> </td>
+      
+<td>Extra LDAP filter to use when searching for groups. The final filter is formatted like: <tt>(&amp;(&lt;nameAttr&gt;=&lt;groupName&gt;)(objectclass=&lt;objectclass&gt;)&lt;extraFilter&gt;)</tt> </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group DN paths </td>
+      
+<td><tt>group.makeDnPath</tt> </td>
+      
+<td>Controls if the DN should be used for calculating a portion of the intermediate path. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group member attribute </td>
+      
+<td><tt>group.memberAttribute</tt> </td>
+      
+<td>Group attribute that contains the member(s) of a group. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group name attribute </td>
+      
+<td><tt>group.nameAttribute</tt> </td>
+      
+<td>Name of the attribute that contains the group name. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group object classes </td>
+      
+<td><tt>group.objectclass</tt> </td>
+      
+<td>The list of object classes a group entry must contain. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table>
+<!-- references --></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Modified: jackrabbit/site/live/oak/docs/security/overview.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/overview.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/overview.html (original)
+++ jackrabbit/site/live/oak/docs/security/overview.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - The Oak Security Layer</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permissions</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/differences.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/differences.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permissions : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission/evaluation.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/evaluation.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/evaluation.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/evaluation.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permission Evaluation in Detail</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Added: jackrabbit/site/live/oak/docs/security/permission_eval.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission_eval.html?rev=1627294&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission_eval.html (added)
+++ jackrabbit/site/live/oak/docs/security/permission_eval.html Wed Sep 24 12:23:59 2014
@@ -0,0 +1,435 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-02-11
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140211" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - The Oak Security Layer</title>
+    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../css/site.css" />
+    <link rel="stylesheet" href="../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="../from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../nodestate.html"  title="Understanding the node state model">Understanding the node state model</a>
+</li>
+                  
+                      <li>      <a href="../microkernel.html"  title="Microkernel">Microkernel</a>
+</li>
+                  
+                      <li>      <a href="../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-02-11</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.16-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestate.html" title="Understanding the node state model">
+          <i class="none"></i>
+        Understanding the node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../microkernel.html" title="Microkernel">
+          <i class="none"></i>
+        Microkernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><h1>The Oak Security Layer</h1>
+<div class="section">
+<h2>Internals of Permission Evaluation<a name="Internals_of_Permission_Evaluation"></a></h2>
+<div class="section">
+<h3>What happens on <tt>session.getNode(&quot;/foo&quot;).getProperty(&quot;jar:title&quot;).getString()</tt> in respect to access control?<a name="What_happens_on_session.getNodefoo.getPropertyjar:title.getString_in_respect_to_access_control"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p><tt>SessionImpl.getNode()</tt> internally calls <tt>SessionDelegate.getNode()</tt>  which calls <tt>Root.getTree()</tt> which calls <tt>Tree.getTree()</tt> on the root tree.  This creates a bunch of linked <tt>MutableTree</tt> objects.</p></li>
+  
+<li>
+<p>The session delegate then checks if the tree really exists, by calling <tt>Tree.exists()</tt>  which then calls <tt>NodeBuilder.exists()</tt>.</p></li>
+  
+<li>
+<p>If the session performing the operation is an <i>admin</i> session, then the node builder from  the persistence layer is directly used. In all other cases, the original node builder  is wrapped by a <tt>SecureNodeBuilder</tt>. The <tt>SecureNodeBuilder</tt> performs access control  checks before delegating the calls to the delegated builder.</p></li>
+  
+<li>
+<p>For non <i>admin</i> sessions the <tt>SecureNodeBuilder</tt> fetches its <i>tree permissions</i> via  <tt>getTreePermissions()</tt> (See <a href="#getTreePermissions">below</a> of how this works) and then  calls <tt>TreePermission.canRead()</tt>. This method (signature with no arguments) checks the  <tt>READ_NODE</tt> permission for normal trees (as in this example) or the <tt>READ_ACCESS_CONTROL</tt>  permission on <i>AC trees</i> [^1] and stores the result in the <tt>ReadStatus</tt>.</p>
+<p>For that an iterator of the <i>permission entries</i> is <a href="#getEntrtyIterator">retrieved</a> which  provides all the relevant permission entries needed to be evaluated for this tree (and  <i>subject</i>). </p></li>
+  
+<li>
+<p>The <i>permission entries</i> are analyzed if they include the respective permission and if so,  the read status is set accordingly. Note that the sequence of the permission entries from  the iterator is already in the correct order for this kind of evaluation. this is ensured  by the way how they are stored in the <a href="#permissionStore">permission store</a> and how they  are feed into the iterator.</p>
+<p>The iteration also detects if the evaluated permission entries cover <i>this</i> node and all  its properties. If this is the case, subsequent calls that evaluate the property read  permissions would then not need to do the same iteration again. In order to detect this,  the iteration checks if a non-matching permission entry or privilege was skipped  and eventually sets the respective flag in the <tt>ReadStatus</tt>. This flag indicates if the  present permission entries are sufficient to tell if the session is allowed to read  <i>this</i> node and all its properties. If there are more entries present than the ones needed  for evaluating the <tt>READ_NODE</tt> permission, then it&#x2019;s ambiguous to determine if all  properties can be read. </p></li>
+  
+<li>
+<p>Once the <tt>ReadStatus</tt> is calculated (or was calculated earlier) the <tt>canRead()</tt> method  returns <tt>ReadStatus.allowsThis()</tt> which specifies if <i>this</i> node is allowed to be read.</p></li>
+  
+<li>
+<p>next up: getProperty() (WIP)</p></li>
+</ol>
+<p>[^1]: AC trees are usually the <tt>rep:policy</tt> subtrees of access controlled nodes.</p></div>
+<div class="section">
+<h3>A Shortcut for evaluating read access: <i>readable tree configuration</i><a name="A_Shortcut_for_evaluating_read_access:_readable_tree_configuration"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;.</li>
+</ol></div>
+<div class="section">
+<h3><a name="getTreePermissions"></a> How does the <tt>SecureNodeBuilder</tt> obtain his <i>tree permissions</i> ?<a name="How_does_the_SecureNodeBuilder_obtain_his_tree_permissions_"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;</li>
+</ol></div>
+<div class="section">
+<h3><a name="getEntryIterator"></a> How does the <tt>TreePermission</tt> obtain the permission entry iterator?<a name="How_does_the_TreePermission_obtain_the_permission_entry_iterator"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;</li>
+</ol></div>
+<div class="section">
+<h3><a name="permissionStore"></a> How are the access control entries preprocessed and stored in the permission store?<a name="How_are_the_access_control_entries_preprocessed_and_stored_in_the_permission_store"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;.</li>
+</ol></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Modified: jackrabbit/site/live/oak/docs/security/principal.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/principal.html (original)
+++ jackrabbit/site/live/oak/docs/security/principal.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Principal Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/principal/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal/differences.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/principal/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/principal/differences.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Principal Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/privilege.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/privilege/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/differences.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/differences.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user.html (original)
+++ jackrabbit/site/live/oak/docs/security/user.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - User Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user/authorizableaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizableaction.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizableaction.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizableaction.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authorizable Actions</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/differences.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/differences.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - User Management : Differences to Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user/membership.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/membership.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/membership.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/membership.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Group Membership</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user/query.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/query.html?rev=1627294&r1=1627293&r2=1627294&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/query.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/query.html Wed Sep 24 12:23:59 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-09-22
+ | Generated by Apache Maven Doxia at 2014-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140922" />
+    <meta name="Date-Revision-yyyymmdd" content="20140924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Searching Users and Groups</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -182,7 +182,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-09-22</li>
+                  <li id="publishDate">Last Published: 2014-09-24</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.1-SNAPSHOT</li>