Posted to commits@jackrabbit.apache.org by ju...@apache.org on 2013/11/22 16:05:54 UTC

svn commit: r1544566 [3/3] - in /jackrabbit/site/live/oak/docs: ./ css/ js/ security/

Modified: jackrabbit/site/live/oak/docs/mongomk.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/mongomk.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/mongomk.html (original)
+++ jackrabbit/site/live/oak/docs/mongomk.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/nodestate.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/nodestate.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/nodestate.html (original)
+++ jackrabbit/site/live/oak/docs/nodestate.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/overview.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/overview.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/overview.html (original)
+++ jackrabbit/site/live/oak/docs/overview.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/participating.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/participating.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/participating.html (original)
+++ jackrabbit/site/live/oak/docs/participating.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/query.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/query.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/query.html (original)
+++ jackrabbit/site/live/oak/docs/query.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission_eval.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission_eval.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission_eval.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission_eval.html Fri Nov 22 15:05:54 2013
@@ -1,435 +1,435 @@
-<!DOCTYPE html>
-<!--
- | Generated by Apache Maven Doxia at 2013-11-20
- | Rendered using Apache Maven Fluido Skin 1.3.0
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
-    <meta http-equiv="Content-Language" content="en" />
-    <title>Jackrabbit Oak - </title>
-    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
-    <link rel="stylesheet" href="../css/site.css" />
-    <link rel="stylesheet" href="../css/print.css" media="print" />
-
-      
-    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
-
-    
-            </head>
-        <body class="topBarEnabled">
-          
-    
-    
-            
-    
-    
-    <a href="http://github.com/apache/jackrabbit-oak">
-      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
-        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
-        alt="Fork me on GitHub">
-    </a>
-  
-                
-                    
-                
-
-    <div id="topbar" class="navbar navbar-fixed-top ">
-      <div class="navbar-inner">
-                <div class="container-fluid">
-        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
-          <span class="icon-bar"></span>
-          <span class="icon-bar"></span>
-          <span class="icon-bar"></span>
-        </a>
-                
-                                <ul class="nav">
-                          <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
-</li>
-                  
-                      <li>      <a href="../license.html"  title="License">License</a>
-</li>
-                  
-                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
-</li>
-                  
-                      <li>      <a href="../from_here.html"  title="From here">From here</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../overview.html"  title="Overview">Overview</a>
-</li>
-                  
-                      <li>      <a href="../nodestate.html"  title="Understanding the node state model">Understanding the node state model</a>
-</li>
-                  
-                      <li>      <a href="../microkernel.html"  title="Microkernel">Microkernel</a>
-</li>
-                  
-                      <li>      <a href="../query.html"  title="Query">Query</a>
-</li>
-                  
-                      <li>      <a href="../blobstore.html"  title="BlobStore">BlobStore</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
-</li>
-                  
-                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
-</li>
-                  
-                      <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
-</li>
-                  
-                      <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
-</li>
-                  
-                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../dev_getting_started.html"  title="Getting Started">Getting Started</a>
-</li>
-                  
-                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
-</li>
-                  
-                      <li>      <a href="../apidocs/index.html"  title="API docs">API docs</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
-</li>
-                  
-                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
-</li>
-                          </ul>
-      </li>
-                  </ul>
-          
-          
-          
-                   
-                      </div>
-          
-        </div>
-      </div>
-    </div>
-    
-        <div class="container-fluid">
-          <div id="banner">
-        <div class="pull-left">
-                                <div id="bannerLeft">
-                <h2>Oak Documentation</h2>
-                </div>
-                      </div>
-        <div class="pull-right">  </div>
-        <div class="clear"><hr/></div>
-      </div>
-
-      <div id="breadcrumbs">
-        <ul class="breadcrumb">
-                
-                    
-                  <li id="publishDate">Last Published: 2013-11-20</li>
-                  <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
-                      
-                
-                    
-      
-                            </ul>
-      </div>
-
-            
-      <div class="row-fluid">
-        <div id="leftColumn" class="span3">
-          <div class="well sidebar-nav">
-                
-                    
-                <ul class="nav nav-list">
-                    <li class="nav-header">Overview</li>
-                                
-      <li>
-    
-                          <a href="../index.html" title="Jackrabbit Oak">
-          <i class="none"></i>
-        Jackrabbit Oak</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../license.html" title="License">
-          <i class="none"></i>
-        License</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../downloads.html" title="Downloads">
-          <i class="none"></i>
-        Downloads</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../from_here.html" title="From here">
-          <i class="none"></i>
-        From here</a>
-            </li>
-                              <li class="nav-header">Concepts and architecture</li>
-                                
-      <li>
-    
-                          <a href="../overview.html" title="Overview">
-          <i class="none"></i>
-        Overview</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../nodestate.html" title="Understanding the node state model">
-          <i class="none"></i>
-        Understanding the node state model</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../microkernel.html" title="Microkernel">
-          <i class="none"></i>
-        Microkernel</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../query.html" title="Query">
-          <i class="none"></i>
-        Query</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../blobstore.html" title="BlobStore">
-          <i class="none"></i>
-        BlobStore</a>
-            </li>
-                              <li class="nav-header">Using Oak</li>
-                                
-      <li>
-    
-                          <a href="../use_getting_started.html" title="Getting Started">
-          <i class="none"></i>
-        Getting Started</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../differences.html" title="Differences to Jackrabbit 2">
-          <i class="none"></i>
-        Differences to Jackrabbit 2</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../known_issues.html" title="Known Issues">
-          <i class="none"></i>
-        Known Issues</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../dos_and_donts.html" title="Dos and don'ts">
-          <i class="none"></i>
-        Dos and don'ts</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../when_things_go_wrong.html" title="When things go wrong">
-          <i class="none"></i>
-        When things go wrong</a>
-            </li>
-                              <li class="nav-header">Developing Oak</li>
-                                
-      <li>
-    
-                          <a href="../dev_getting_started.html" title="Getting Started">
-          <i class="none"></i>
-        Getting Started</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../participating.html" title="Participating">
-          <i class="none"></i>
-        Participating</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../apidocs/index.html" title="API docs">
-          <i class="none"></i>
-        API docs</a>
-            </li>
-                              <li class="nav-header">Links</li>
-                                
-      <li>
-    
-                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
-          <i class="none"></i>
-        Apache Jackrabbit Oak</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
-          <i class="none"></i>
-        Apache Jackrabbit</a>
-            </li>
-            </ul>
-                
-                    
-                
-          <hr class="divider" />
-
-           <div id="poweredBy">
-                   
-    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
-
-    
-    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
-
-                   <div class="clear"></div>
-                            <div class="clear"></div>
-                            <div class="clear"></div>
-                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
-        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
-      </a>
-                  </div>
-          </div>
-        </div>
-        
-                
-        <div id="bodyColumn"  class="span9" >
-                                  
-            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
-   contributor license agreements.  See the NOTICE file distributed with
-   this work for additional information regarding copyright ownership.
-   The ASF licenses this file to You under the Apache License, Version 2.0
-   (the "License"); you may not use this file except in compliance with
-   the License.  You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License. --><h1>The Oak Security Layer</h1>
-<div class="section">
-<h2>Internals of Permission Evaluation<a name="Internals_of_Permission_Evaluation"></a></h2>
-<div class="section">
-<h3>What happens on <tt>session.getNode(&quot;/foo&quot;).getProperty(&quot;jar:title&quot;).getString()</tt> in respect to access control?<a name="What_happens_on_session.getNodefoo.getPropertyjar:title.getString_in_respect_to_access_control"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>
-<p><tt>SessionImpl.getNode()</tt> internally calls <tt>SessionDelegate.getNode()</tt>  which calls <tt>Root.getTree()</tt> which calls <tt>Tree.getTree()</tt> on the root tree.  This creates a bunch of linked <tt>MutableTree</tt> objects.</p></li>
-  
-<li>
-<p>The session delegate then checks if the tree really exists, by calling <tt>Tree.exists()</tt>  which then calls <tt>NodeBuilder.exists()</tt>.</p></li>
-  
-<li>
-<p>If the session performing the operation is an <i>admin</i> session, then the node builder from  the persistence layer is directly used. In all other cases, the original node builder  is wrapped by a <tt>SecureNodeBuilder</tt>. The <tt>SecureNodeBuilder</tt> performs access control  checks before delegating the calls to the delegated builder.</p></li>
-  
-<li>
-<p>For non <i>admin</i> sessions the <tt>SecureNodeBuilder</tt> fetches its <i>tree permissions</i> via  <tt>getTreePermissions()</tt> (See <a href="#getTreePermissions">below</a> of how this works) and then  calls <tt>TreePermission.canRead()</tt>. This method (signature with no arguments) checks the  <tt>READ_NODE</tt> permission for normal trees (as in this example) or the <tt>READ_ACCESS_CONTROL</tt>  permission on <i>AC trees</i> [^1] and stores the result in the <tt>ReadStatus</tt>.</p>
-<p>For that an iterator of the <i>permission entries</i> is <a href="#getEntrtyIterator">retrieved</a> which  provides all the relevant permission entries needed to be evaluated for this tree (and  <i>subject</i>). </p></li>
-  
-<li>
-<p>The <i>permission entries</i> are analyzed if they include the respective permission and if so,  the read status is set accordingly. Note that the sequence of the permission entries from  the iterator is already in the correct order for this kind of evaluation. this is ensured  by the way how they are stored in the <a href="#permissionStore">permission store</a> and how they  are feed into the iterator.</p>
-<p>The iteration also detects if the evaluated permission entries cover <i>this</i> node and all  its properties. If this is the case, subsequent calls that evaluate the property read  permissions would then not need to do the same iteration again. In order to detect this,  the iteration checks if a non-matching permission entry or privilege was skipped  and eventually sets the respective flag in the <tt>ReadStatus</tt>. This flag indicates if the  present permission entries are sufficient to tell if the session is allowed to read  <i>this</i> node and all its properties. If there are more entries present than the ones needed  for evaluating the <tt>READ_NODE</tt> permission, then it&#x2019;s ambiguous to determine if all  properties can be read. </p></li>
-  
-<li>
-<p>Once the <tt>ReadStatus</tt> is calculated (or was calculated earlier) the <tt>canRead()</tt> method  returns <tt>ReadStatus.allowsThis()</tt> which specifies if <i>this</i> node is allowed to be read.</p></li>
-  
-<li>
-<p>next up: getProperty() (WIP)</p></li>
-</ol>
-<p>[^1]: AC trees are usually the <tt>rep:policy</tt> subtrees of access controlled nodes.</p></div>
-<div class="section">
-<h3>A Shortcut for evaluating read access: <i>readable tree configuration</i><a name="A_Shortcut_for_evaluating_read_access:_readable_tree_configuration"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;.</li>
-</ol></div>
-<div class="section">
-<h3><a name="getTreePermissions"></a> How does the <tt>SecureNodeBuilder</tt> obtain his <i>tree permissions</i> ?<a name="How_does_the_SecureNodeBuilder_obtain_his_tree_permissions_"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;</li>
-</ol></div>
-<div class="section">
-<h3><a name="getEntryIterator"></a> How does the <tt>TreePermission</tt> obtain the permission entry iterator?<a name="How_does_the_TreePermission_obtain_the_permission_entry_iterator"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;</li>
-</ol></div>
-<div class="section">
-<h3><a name="permissionStore"></a> How are the access control entries preprocessed and stored in the permission store?<a name="How_are_the_access_control_entries_preprocessed_and_stored_in_the_permission_store"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;.</li>
-</ol></div></div>
-                  </div>
-            </div>
-          </div>
-
-    <hr/>
-
-    <footer>
-            <div class="container-fluid">
-              <div class="row span12">Copyright &copy;                    2012-2013
-                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
-            All Rights Reserved.      
-                    
-      </div>
-
-        
-        
-          
-    
-    
-    <div id="ohloh" class="pull-right">
-      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
-    </div>
-        </div>
-    </footer>
-  </body>
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2013-11-22
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - </title>
+    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../css/site.css" />
+    <link rel="stylesheet" href="../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="../from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../nodestate.html"  title="Understanding the node state model">Understanding the node state model</a>
+</li>
+                  
+                      <li>      <a href="../microkernel.html"  title="Microkernel">Microkernel</a>
+</li>
+                  
+                      <li>      <a href="../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2013-11-22</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestate.html" title="Understanding the node state model">
+          <i class="none"></i>
+        Understanding the node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../microkernel.html" title="Microkernel">
+          <i class="none"></i>
+        Microkernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><h1>The Oak Security Layer</h1>
+<div class="section">
+<h2>Internals of Permission Evaluation<a name="Internals_of_Permission_Evaluation"></a></h2>
+<div class="section">
+<h3>What happens on <tt>session.getNode(&quot;/foo&quot;).getProperty(&quot;jar:title&quot;).getString()</tt> in respect to access control?<a name="What_happens_on_session.getNodefoo.getPropertyjar:title.getString_in_respect_to_access_control"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p><tt>SessionImpl.getNode()</tt> internally calls <tt>SessionDelegate.getNode()</tt>  which calls <tt>Root.getTree()</tt> which calls <tt>Tree.getTree()</tt> on the root tree.  This creates a bunch of linked <tt>MutableTree</tt> objects.</p></li>
+  
+<li>
+<p>The session delegate then checks if the tree really exists, by calling <tt>Tree.exists()</tt>  which then calls <tt>NodeBuilder.exists()</tt>.</p></li>
+  
+<li>
+<p>If the session performing the operation is an <i>admin</i> session, then the node builder from  the persistence layer is directly used. In all other cases, the original node builder  is wrapped by a <tt>SecureNodeBuilder</tt>. The <tt>SecureNodeBuilder</tt> performs access control  checks before delegating the calls to the delegated builder.</p></li>
+  
+<li>
+<p>For non <i>admin</i> sessions the <tt>SecureNodeBuilder</tt> fetches its <i>tree permissions</i> via  <tt>getTreePermissions()</tt> (See <a href="#getTreePermissions">below</a> of how this works) and then  calls <tt>TreePermission.canRead()</tt>. This method (signature with no arguments) checks the  <tt>READ_NODE</tt> permission for normal trees (as in this example) or the <tt>READ_ACCESS_CONTROL</tt>  permission on <i>AC trees</i> [^1] and stores the result in the <tt>ReadStatus</tt>.</p>
+<p>For that an iterator of the <i>permission entries</i> is <a href="#getEntrtyIterator">retrieved</a> which  provides all the relevant permission entries needed to be evaluated for this tree (and  <i>subject</i>). </p></li>
+  
+<li>
+<p>The <i>permission entries</i> are analyzed if they include the respective permission and if so,  the read status is set accordingly. Note that the sequence of the permission entries from  the iterator is already in the correct order for this kind of evaluation. this is ensured  by the way how they are stored in the <a href="#permissionStore">permission store</a> and how they  are feed into the iterator.</p>
+<p>The iteration also detects if the evaluated permission entries cover <i>this</i> node and all  its properties. If this is the case, subsequent calls that evaluate the property read  permissions would then not need to do the same iteration again. In order to detect this,  the iteration checks if a non-matching permission entry or privilege was skipped  and eventually sets the respective flag in the <tt>ReadStatus</tt>. This flag indicates if the  present permission entries are sufficient to tell if the session is allowed to read  <i>this</i> node and all its properties. If there are more entries present than the ones needed  for evaluating the <tt>READ_NODE</tt> permission, then it&#x2019;s ambiguous to determine if all  properties can be read. </p></li>
+  
+<li>
+<p>Once the <tt>ReadStatus</tt> is calculated (or was calculated earlier) the <tt>canRead()</tt> method  returns <tt>ReadStatus.allowsThis()</tt> which specifies if <i>this</i> node is allowed to be read.</p></li>
+  
+<li>
+<p>next up: getProperty() (WIP)</p></li>
+</ol>
+<p>[^1]: AC trees are usually the <tt>rep:policy</tt> subtrees of access controlled nodes.</p></div>
+<div class="section">
+<h3>A Shortcut for evaluating read access: <i>readable tree configuration</i><a name="A_Shortcut_for_evaluating_read_access:_readable_tree_configuration"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;.</li>
+</ol></div>
+<div class="section">
+<h3><a name="getTreePermissions"></a> How does the <tt>SecureNodeBuilder</tt> obtain his <i>tree permissions</i> ?<a name="How_does_the_SecureNodeBuilder_obtain_his_tree_permissions_"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;</li>
+</ol></div>
+<div class="section">
+<h3><a name="getEntryIterator"></a> How does the <tt>TreePermission</tt> obtain the permission entry iterator?<a name="How_does_the_TreePermission_obtain_the_permission_entry_iterator"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;</li>
+</ol></div>
+<div class="section">
+<h3><a name="permissionStore"></a> How are the access control entries preprocessed and stored in the permission store?<a name="How_are_the_access_control_entries_preprocessed_and_stored_in_the_permission_store"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;.</li>
+</ol></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2013
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
 </html>
\ No newline at end of file

Modified: jackrabbit/site/live/oak/docs/segmentmk.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/segmentmk.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/segmentmk.html (original)
+++ jackrabbit/site/live/oak/docs/segmentmk.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/use_getting_started.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/use_getting_started.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/use_getting_started.html (original)
+++ jackrabbit/site/live/oak/docs/use_getting_started.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/when_things_go_wrong.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/when_things_go_wrong.html?rev=1544566&r1=1544565&r2=1544566&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/when_things_go_wrong.html (original)
+++ jackrabbit/site/live/oak/docs/when_things_go_wrong.html Fri Nov 22 15:05:54 2013
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2013-11-20
+ | Generated by Apache Maven Doxia at 2013-11-22
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131120" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - </title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -154,7 +154,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2013-11-20</li>
+                  <li id="publishDate">Last Published: 2013-11-22</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.12-SNAPSHOT</li>