You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by mr...@apache.org on 2018/07/09 08:53:19 UTC
svn commit: r1835390 [17/23] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/
security/accesscontrol/ security/authentication...
Modified: jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication with External Login Module : Examples</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,144 +240,125 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Authentication_with_External_Login_Module_:_Examples"></a>Authentication with External Login Module : Examples</h2>
-
<ul>
-
+
<li><a href="#standard">Integration with Standard Oak Authentication</a></li>
-
<li><a href="#preauth">Integration with Pre-Authentication and Login Module Chain</a></li>
</ul>
-<p><a name="standard"></a></p>
+<a name="standard"></a>
+### Integration with Standard Oak Authentication
+
<div class="section">
-<h3><a name="Integration_with_Standard_Oak_Authentication"></a>Integration with Standard Oak Authentication</h3>
<div class="section">
<h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
-<div class="source">
-<div class="source"><pre class="prettyprint"> Example {
+<div>
+<div>
+<pre class="source"> Example {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
sync.handlerName="your-synchandler_name"
idp.name="your_idp_name";
};
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4>
<div class="section">
<h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
-
<ul>
-
+
<li>
-<p>The <tt>TokenLoginModule</tt> is in charge of handling repository authentication request with <tt>TokenCredentials</tt>:</p>
-
+
+<p>The <tt>TokenLoginModule</tt> is in charge of handling repository authentication request with <tt>TokenCredentials</tt>:</p>
<ul>
-
+
<li><i>Login Success</i>: If token-login succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list. This means that it will not hit the <tt>ExternalIdentityProvider</tt> and will not re-sync an external user as long as the login token is valid.</li>
-
<li><i>Login Failure</i>: If it fails (e.g. other type of <tt>Credentials</tt>) the authentication will proceed down the <tt>LoginModule</tt> list.</li>
-
<li><i>Commit</i>: If the login failed the login module will test if the <tt>Credentials</tt> passed to the login ask for generation of a new login token. If this login succeeded it will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
- </ul>
+</ul>
<p>NOTE: In this setup the <tt>TokenLoginModule</tt> is expected to only handle subsequent authentication request after having issued a login token. The latter is achieved by providing <tt>Credentials</tt> attributes that force the <tt>TokenLoginModule</tt> to generate a new login token in the <i>commit</i> phase. The application should then use that login toke for subsequent requests.</p>
-<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for details and for a description of the default implementation.</p></li>
-
+<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for details and for a description of the default implementation.</p>
+</li>
<li>
-<p>The <tt>LoginModuleImpl</tt> is in charge of handling authentication request for users managed and created through the repository’s user management API; i.e. users that are not defined by an <tt>ExternalIdentityProvider</tt>. This includes built-in system users like the administrator, the guest-user (aka anonymous) or <tt>SystemUsers</tt>. It also handles impersonation logins.</p>
-
+
+<p>The <tt>LoginModuleImpl</tt> is in charge of handling authentication request for users managed and created through the repository’s user management API; i.e. users that are not defined by an <tt>ExternalIdentityProvider</tt>. This includes built-in system users like the administrator, the guest-user (aka anonymous) or <tt>SystemUsers</tt>. It also handles impersonation logins.</p>
<ul>
-
-<li><i>Login Success</i>: If regular user authentication (or impersonation) succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list i.e. omits unnecessarily trying to authenticate a local user against the external IDP.</li>
-
-<li><i>Login Failure</i>: If the authentication fails (e.g. no local user that could have uid/pw matching the passed <tt>Credentials</tt>), it will continue down the <tt>LoginModule</tt> list.</li>
-
-<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
- </ul>
-<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>local</i> users will end up being handled by this module or fail.</p></li>
-
+
+<li><i>Login Success</i>: If regular user authentication (or impersonation) succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list i.e. omits unnecessarily trying to authenticate a local user against the external IDP.</li>
+<li><i>Login Failure</i>: If the authentication fails (e.g. no local user that could have uid/pw matching the passed <tt>Credentials</tt>), it will continue down the <tt>LoginModule</tt> list.</li>
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+</ul>
+<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>local</i> users will end up being handled by this module or fail.</p>
+</li>
<li>
-<p>The <tt>ExternalLoginModule</tt> is in charge of handling authentication request for users managed by an <tt>ExternalIdentityProvider</tt>.</p>
-
+
+<p>The <tt>ExternalLoginModule</tt> is in charge of handling authentication request for users managed by an <tt>ExternalIdentityProvider</tt>.</p>
<ul>
-
-<li><i>Login Success</i>: If user authentication against the IDP succeeds the module synchronizes the external user into the repository according to the logic defined in the configure <tt>SyncHandler</tt>. If the user has been synced before it might be updated. If and how often a user gets re-synced is an implementation detail of the <tt>SyncHandler</tt>.</li>
-
-<li><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid <tt>Credentials</tt>), the whole login will fail because the <tt>ExternalLoginModule</tt> is configured to be <i>required</i> and the last module in the chain.</li>
-
-<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
- </ul>
-<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>external</i> users will end up being handled by this module (including connection to the IDP) or fail.</p></li>
+
+<li><i>Login Success</i>: If user authentication against the IDP succeeds the module synchronizes the external user into the repository according to the logic defined in the configure <tt>SyncHandler</tt>. If the user has been synced before it might be updated. If and how often a user gets re-synced is an implementation detail of the <tt>SyncHandler</tt>.</li>
+<li><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid <tt>Credentials</tt>), the whole login will fail because the <tt>ExternalLoginModule</tt> is configured to be <i>required</i> and the last module in the chain.</li>
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+</ul>
+<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>external</i> users will end up being handled by this module (including connection to the IDP) or fail.</p>
+</li>
</ul></div>
<div class="section">
<h5><a name="Login_with_Different_Credentials"></a>Login with Different Credentials</h5>
<div class="section">
<h6><a name="GuestCredentials"></a>GuestCredentials</h6>
-
<ul>
-
+
<li><tt>TokenLoginModule</tt> will ignore</li>
-
-<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
-
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="SimpleCredentials"></a>SimpleCredentials</h6>
-
<ul>
-
+
<li><tt>TokenLoginModule</tt> will ignore</li>
-
-<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user. It is not expected to succeed for synced external users,which should not have their password synced. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
-
-<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authenticating an external against the external IDP including sync is successful. If none of the other modules succeeded the <tt>ExternalLoginModule</tt> is required to succeed.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user. It is not expected to succeed for synced external users,which should not have their password synced. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
+<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authenticating an external against the external IDP including sync is successful. If none of the other modules succeeded the <tt>ExternalLoginModule</tt> is required to succeed.</li>
</ul></div>
<div class="section">
<h6><a name="TokenCredentials"></a>TokenCredentials</h6>
-
<ul>
-
-<li><tt>TokenLoginModule</tt> supports <tt>TokenCredentials</tt> and will succeed if the credentials are valid. If it succeeds authentication doesn’t move down the module list. If it fails overall authentication is expected to fail as the subsequent modules are not expected to support <tt>TokenCredentials</tt>.</li>
-
-<li><tt>LoginModuleImpl</tt> does not support <tt>TokenCredentials</tt> and will fail.</li>
-
-<li><tt>ExternalLoginModule</tt> is not expected to support <tt>TokenCredentials</tt> and thus overall authentication is expected to fail if <tt>TokenLoginModule</tt> failed.</li>
+
+<li><tt>TokenLoginModule</tt> supports <tt>TokenCredentials</tt> and will succeed if the credentials are valid. If it succeeds authentication doesn’t move down the module list. If it fails overall authentication is expected to fail as the subsequent modules are not expected to support <tt>TokenCredentials</tt>.</li>
+<li><tt>LoginModuleImpl</tt> does not support <tt>TokenCredentials</tt> and will fail.</li>
+<li><tt>ExternalLoginModule</tt> is not expected to support <tt>TokenCredentials</tt> and thus overall authentication is expected to fail if <tt>TokenLoginModule</tt> failed.</li>
</ul></div>
<div class="section">
<h6><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h6>
-
<ul>
-
+
<li><tt>TokenLoginModule</tt> will ignore</li>
-
-<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
-
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="Other_Credentials"></a>Other Credentials</h6>
-
<ul>
-
+
<li>Overall login success only if the <tt>ExternalLoginModule</tt> supports these credentials</li>
-
<li><tt>TokenLoginModule</tt> will ignore</li>
-
<li><tt>LoginModuleImpl</tt> will ignore</li>
-
-<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
+<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
</ul>
-<p><a name="preauth"></a></p></div></div></div></div>
-<div class="section">
-<h3><a name="Integration_with_Pre-Authentication_and_Login_Module_Chain"></a>Integration with Pre-Authentication and Login Module Chain</h3>
+<a name="preauth"></a>
+### Integration with Pre-Authentication and Login Module Chain
+</div></div></div>
<div class="section">
<h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
-<div class="source">
-<div class="source"><pre class="prettyprint"> Example {
+<div>
+<div>
+<pre class="source"> Example {
your.org.PreAuthenticationLoginModule optional;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl optional;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule sufficient
@@ -385,131 +366,105 @@
idp.name="your_idp_name";
};
</pre></div></div>
+
<p>See <a href="../preauthentication.html#withloginchain">Pre-Authenticated Login</a> for an example <tt>LoginModule</tt> that illustrates how the pre-authentication is being pushed to the shared stated.</p>
<p><i>Note:</i> This configuration has been slightly adjusted from the example in <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3508">OAK-3508</a> marking the pre-auth login to be <i>optional</i>. This highlights the fact that subsequent <tt>LoginModule</tt>s are in charge of respecting the <tt>PreAuthenticatedLogin</tt> marker and properly populating the <tt>Subject</tt> in the second <i>commit</i> phase.</p>
-<p>Also, in the example implementation the login never succeeds (in which case <i>sufficient</i> would actually work as well). However, if it ever succeeded the <tt>PreAuthenticatedLogin</tt> marker would be meaningless and the pre-auth module in fact would have to populate the <tt>Subject</tt> i.e. relying on details defined and handled by other <tt>LoginModule</tt>s. </p></div>
+<p>Also, in the example implementation the login never succeeds (in which case <i>sufficient</i> would actually work as well). However, if it ever succeeded the <tt>PreAuthenticatedLogin</tt> marker would be meaningless and the pre-auth module in fact would have to populate the <tt>Subject</tt> i.e. relying on details defined and handled by other <tt>LoginModule</tt>s.</p></div>
<div class="section">
<h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4>
<div class="section">
<h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
-
<ul>
-
+
<li>
-<p>The custom pre-auth module is in charge of handling custom pre-auth <tt>Credentials</tt> shared between the code performing the authentication outside of the scope of the repository and this module. It’s only task is to create the <tt>PreAuthenticatedLogin</tt> marker and push it to the shared stated to inform subsequent modules, which will always be consulted due to the <i>optional</i> flag.</p>
-
+
+<p>The custom pre-auth module is in charge of handling custom pre-auth <tt>Credentials</tt> shared between the code performing the authentication outside of the scope of the repository and this module. It’s only task is to create the <tt>PreAuthenticatedLogin</tt> marker and push it to the shared stated to inform subsequent modules, which will always be consulted due to the <i>optional</i> flag.</p>
<ul>
-
-<li><i>Login Success</i>: not desired as we want subsequent modules to verify if there is a matching identity for the <tt>PreAuthenticatedLogin</tt> and later on populate the subject.</li>
-
-<li><i>Login Failure</i>: the default passing over the responsibility the other modules in the chain.</li>
-
+
+<li><i>Login Success</i>: not desired as we want subsequent modules to verify if there is a matching identity for the <tt>PreAuthenticatedLogin</tt> and later on populate the subject.</li>
+<li><i>Login Failure</i>: the default passing over the responsibility the other modules in the chain.</li>
<li><i>Commit</i>: Nothing to do.</li>
- </ul></li>
-
+</ul>
+</li>
<li>
-<p>The <tt>LoginModuleImpl</tt> will try to resolve the repository user associated with the <tt>PreAuthenticatedLogin</tt> or perform regular login with the login <tt>Credentials</tt> if no <tt>PreAuthenticatedLogin</tt> is present. </p>
-
+
+<p>The <tt>LoginModuleImpl</tt> will try to resolve the repository user associated with the <tt>PreAuthenticatedLogin</tt> or perform regular login with the login <tt>Credentials</tt> if no <tt>PreAuthenticatedLogin</tt> is present.</p>
<ul>
-
-<li><i>Login Success</i>: If there exists a valid user for the given <tt>PreAuthenticatedLogin</tt> or <tt>Credentials</tt> login will always succeed in case of a pre-auth login. Otherwise credentials are regularly evaluated (e.g. password validation). The authentication will continue down the chain due to the <i>optional</i> flag.</li>
-
-<li><i>Login Failure</i>: If no matching user exists or if the user is not valid (e.g. disabled). In case of regular authentication it will fail if the <tt>Credentials</tt> cannot be validated. Then authentication it will again continue down the <tt>LoginModule</tt> list.</li>
-
+
+<li><i>Login Success</i>: If there exists a valid user for the given <tt>PreAuthenticatedLogin</tt> or <tt>Credentials</tt> login will always succeed in case of a pre-auth login. Otherwise credentials are regularly evaluated (e.g. password validation). The authentication will continue down the chain due to the <i>optional</i> flag.</li>
+<li><i>Login Failure</i>: If no matching user exists or if the user is not valid (e.g. disabled). In case of regular authentication it will fail if the <tt>Credentials</tt> cannot be validated. Then authentication it will again continue down the <tt>LoginModule</tt> list.</li>
<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
- </ul></li>
-
+</ul>
+</li>
<li>
-<p>The <tt>ExternalLoginModule</tt> will try to resolve the <tt>PreAuthenticatedLogin</tt> or alternatively the <tt>Credentials</tt> to a <tt>SyncedIdentity</tt>.</p>
-
+
+<p>The <tt>ExternalLoginModule</tt> will try to resolve the <tt>PreAuthenticatedLogin</tt> or alternatively the <tt>Credentials</tt> to a <tt>SyncedIdentity</tt>.</p>
<ul>
-
-<li>If no <tt>SyncedIdentity</tt> exists the user is retrieved from external IDP and eventually synced into the repository. In case no <tt>PreAuthenticatedLogin</tt> is present retrieving identity additionally includes credentials validation.</li>
-
-<li>If there exists a <tt>SyncedIdentity</tt> the module will validate it. In case of <tt>PreAuthenticatedLogin</tt> it checks if the identity needs to be synced again.</li>
-
-<li><i>Login Success</i>: If there exists a valid external identity on the IDP and it has be synced with the repository.</li>
-
-<li><i>Login Failure</i>: If no matching/valid identity exists on the IDP or if there exists a <tt>SyncedIdentity</tt> that doesn’t belong to the IDP or we have a <tt>PreAuthenticatedLogin</tt> marker and the <tt>SyncedIdentity</tt> doesn’t need a re-sync.</li>
-
-<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
- </ul></li>
+
+<li>If no <tt>SyncedIdentity</tt> exists the user is retrieved from external IDP and eventually synced into the repository. In case no <tt>PreAuthenticatedLogin</tt> is present retrieving identity additionally includes credentials validation.</li>
+<li>If there exists a <tt>SyncedIdentity</tt> the module will validate it. In case of <tt>PreAuthenticatedLogin</tt> it checks if the identity needs to be synced again.</li>
+<li><i>Login Success</i>: If there exists a valid external identity on the IDP and it has be synced with the repository.</li>
+<li><i>Login Failure</i>: If no matching/valid identity exists on the IDP or if there exists a <tt>SyncedIdentity</tt> that doesn’t belong to the IDP or we have a <tt>PreAuthenticatedLogin</tt> marker and the <tt>SyncedIdentity</tt> doesn’t need a re-sync.</li>
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+</ul>
+</li>
</ul></div>
<div class="section">
<h5><a name="Login_with_Different_Credentials"></a>Login with Different Credentials</h5>
<div class="section">
<h6><a name="Custom_Pre-Auth_Credentials"></a>Custom Pre-Auth Credentials</h6>
-
<ul>
-
+
<li>Custom pre-auth module will push <tt>PreAuthenticatedLogin</tt> on the shared state</li>
-
-<li>Overall login suceeds if any of the subsequent modules is able to deal with the <tt>PreAuthenticatedLogin</tt>.</li>
+<li>Overall login suceeds if any of the subsequent modules is able to deal with the <tt>PreAuthenticatedLogin</tt>.</li>
</ul></div>
<div class="section">
<h6><a name="GuestCredentials"></a>GuestCredentials</h6>
-
<ul>
-
+
<li>Custom pre-auth module will ignore</li>
-
<li>Overall login success if the subsequent modules allow for login with <tt>GuestCredentials</tt></li>
-
-<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository.</li>
-
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="SimpleCredentials"></a>SimpleCredentials</h6>
-
<ul>
-
+
<li>Custom pre-auth module will ignore</li>
-
<li>Overall login success if the subsequent modules allow for login with <tt>SimpleCredentials</tt></li>
-
-<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user.</li>
-
-<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authentication against the external IDP including sync is successful.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user.</li>
+<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authentication against the external IDP including sync is successful.</li>
</ul></div>
<div class="section">
<h6><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h6>
-
<ul>
-
+
<li>Custom pre-auth module will ignore</li>
-
<li>Overall login success if the subsequent modules allow for login with <tt>ImpersonationCredentials</tt></li>
-
-<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed.</li>
-
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="Other_Credentials"></a>Other Credentials</h6>
-
<ul>
-
+
<li>Overall login success only if the <tt>ExternalLoginModule</tt> supports these credentials</li>
-
<li>Custom pre-auth module will ignore</li>
-
<li><tt>LoginModuleImpl</tt> will ignore</li>
-
-<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
+<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
</ul></div></div>
<div class="section">
<h5><a name="FAQ"></a>FAQ</h5>
<div class="section">
<h6><a name="Why_are_the_custom_PreAuthCredentials_not_public"></a>Why are the custom ‘PreAuthCredentials’ not public?</h6>
-<p>The custom <tt>Credentials</tt> shared between the code performing the authentication (outside of the repository) and the custom <i>PreAuthenticationLoginModule</i> implementation must neither be public nor shared with other implementations in order to prevent un-authenticated login.</p></div>
+<p>The custom <tt>Credentials</tt> shared between the code performing the authentication (outside of the repository) and the custom <i>PreAuthenticationLoginModule</i> implementation must neither be public nor shared with other implementations in order to prevent un-authenticated login.</p></div>
<div class="section">
<h6><a name="Why_is_the_LoginModuleImpl_not_flagged_SUFFICIENT"></a>Why is the ‘LoginModuleImpl’ not flagged SUFFICIENT?</h6>
<p>If <tt>LoginModuleImpl</tt> was defined to be <i>sufficient</i> external identities would never be synced again if the <tt>PreAuthenticatedLogin</tt> marker is present in the shared state.</p></div>
<div class="section">
<h6><a name="Why_is_the_ExternalLoginModule_not_flagged_REQUIRED"></a>Why is the ‘ExternalLoginModule’ not flagged REQUIRED?</h6>
-<p>If <tt>ExternalLoginModule</tt> was required to succeed, login for <i>local</i> users was no longer possible. It also would mean that pre-authenticated login for a <tt>SyncedIdentity</tt> that doesn’t needs a re-sync would not longer be possible and would ultimately fail the repository authentication.</p>
-<!-- references --></div></div></div></div></div>
+<p>If <tt>ExternalLoginModule</tt> was required to succeed, login for <i>local</i> users was no longer possible. It also would mean that pre-authenticated login for a <tt>SyncedIdentity</tt> that doesn’t needs a re-sync would not longer be possible and would ultimately fail the repository authentication.</p><!-- references --></div></div></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/external/faq.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/faq.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/faq.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/faq.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – External Authentication : FAQ</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,41 +240,27 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="External_Authentication_:_FAQ"></a>External Authentication : FAQ</h2>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Question </th>
-
-<th>Answer </th>
-
-<th>References </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Question </th>
+<th> Answer </th>
+<th> References </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td>Why am I no longer able to change the <tt>rep:externalId</tt>? </td>
-
-<td>Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property <tt>rep:externalId</tt> which is used to link a given synced user/group account to the corresponding entry on the external IDP. </td>
-
-<td>See <a href="defaultusersync.html">documentation</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> </td>
- </tr>
-
+<td> Why am I no longer able to change the <tt>rep:externalId</tt>? </td>
+<td> Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property <tt>rep:externalId</tt> which is used to link a given synced user/group account to the corresponding entry on the external IDP. </td>
+<td> See <a href="defaultusersync.html">documentation</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> </td></tr>
<tr class="a">
-
-<td>Why does a User or Group created with a content package not get synced with the IDP? </td>
-
-<td>Only users/groups with a <tt>rep:externalId</tt> linking them to the external IDP will be respected during the default sync mechanism. </td>
-
-<td>See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5304">OAK-5304</a> </td>
- </tr>
- </tbody>
+<td> Why does a User or Group created with a content package not get synced with the IDP? </td>
+<td> Only users/groups with a <tt>rep:externalId</tt> linking them to the external IDP will be respected during the default sync mechanism. </td>
+<td> See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5304">OAK-5304</a> </td></tr>
+</tbody>
</table></div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication with the External Login Module</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,40 +240,33 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Authentication_with_the_External_Login_Module"></a>Authentication with the External Login Module</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>The purpose of the external login module is to provide a base implementation that allows easy integration of 3rd party authentication and identity systems, such as <a href="ldap.html">LDAP</a>. The general mode of the external login module is to use the external system as authentication source and as a provider for users and groups that may also be synchronized into the repository.</p>
<p>what it does:</p>
-
<ul>
-
+
<li>facilitate the use of a 3rd party system for authentication</li>
-
<li>simplify populating the oak user manager with identities from a 3rd party system</li>
</ul>
<p>what it does not:</p>
-
<ul>
-
+
<li>provide a transparent oak user manager</li>
-
<li>provide a transparent oak principal provider.</li>
-
<li>offer services for background synchronization of users and groups</li>
</ul>
-<p><a name="details"></a></p></div>
-<div class="section">
-<h3><a name="Implementation_Details"></a>Implementation Details</h3>
-<p>The external identity and login handling is split into 3 parts:</p>
+<a name="details"></a>
+### Implementation Details
+The external identity and login handling is split into 3 parts:
<ul>
-
+
<li><b>External Login Module</b>: LoginModule implementation that represents the connection between JAAS login mechanism, the external identity provider and the synchronization handler.</li>
-
<li><b>External Identity Provider</b> (IDP): This is a service implementing the <tt>ExternalIdentityProvider</tt> interface and is responsible to retrieve and authenticate identities towards an external system (e.g. LDAP).</li>
-
<li><b>User and Group Synchronization</b>: This is a service implementing the <tt>SyncHandler</tt> interface and is responsible to actually managing the external identities within the Oak user management. A very trivial implementation might just create users and groups for external ones on demand.</li>
</ul>
<p>This modularization allows to reuse the same external login module for different combinations of IDPs and synchronization handlers. Although in practice, systems usually have 1 of each.</p>
@@ -293,41 +286,31 @@
<h5><a name="Authentication_in_Detail"></a>Authentication in Detail</h5>
<p>The details of the external authentication are as follows:</p>
<p><i>Phase 1: Login</i></p>
-
<ul>
-
+
<li>if the user exists in the repository and any of the following conditions is met <b>return <tt>false</tt></b>
-
<ul>
-
+
<li>user is not an externally synced <i>or</i></li>
-
<li>user belongs to a different IDP than configured for the <tt>ExternalLoginModule</tt> <i>or</i></li>
-
<li><a href="preauthentication.html"><tt>PreAuthenticatedLogin</tt></a> is present on the shared state <i>and</i> the external user doesn’t require an updating sync (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3508">OAK-3508</a>)</li>
- </ul></li>
-
+</ul>
+</li>
<li>if the user exists in the 3rd party system but the credentials don’t match it <b>throws <tt>LoginException</tt></b></li>
-
<li>if the user exists in the 3rd party system and the credentials match
-
<ul>
-
+
<li>put the credentials in the shared and private state</li>
-
<li>possibly sync the user</li>
-
<li>and <b>returns <tt>true</tt></b></li>
- </ul></li>
-
+</ul>
+</li>
<li>if the user does not exist in the 3rd party system, checks if it needs to remove the user and then it <b>returns <tt>false</tt></b></li>
</ul>
<p><i>Phase 2: Commit</i></p>
-
<ul>
-
+
<li>if there is no credentials in the private state, it <b>returns <tt>false</tt></b></li>
-
<li>if there are credentials in the private state propagate the subject and <b>return <tt>true</tt></b></li>
</ul>
<p>See section <a href="external/externallogin_examples.html">Example Configurations</a> for some common setup scenarios.</p></div></div>
@@ -339,106 +322,58 @@
<h4><a name="User_and_Group_Synchronization"></a>User and Group Synchronization</h4>
<p>The synchronization of users and groups is triggered by the external login module, after a user is successfully authenticated against the IDP or if it’s no longer present on the IDP.</p>
<p>See section <a href="usersync.html">User Synchronization</a> for further details and a description of the default implementation.</p>
-<p><a name="configuration"></a></p></div></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
+<a name="configuration"></a>
+### Configuration
+</div>
<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
<p>The external authentication module comes with the following configuration parameters for the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.html">ExternalLoginModuleFactory</a>/[ExternalLoginModule].</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th>
+<th> Description </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td><tt>PARAM_IDP_NAME</tt> </td>
-
-<td>String </td>
-
-<td>- </td>
-
-<td>Name of the external IDP to be retrieved from the <tt>ExternalIdentityProviderManager</tt> </td>
- </tr>
-
+<td> <tt>PARAM_IDP_NAME</tt> </td>
+<td> String </td>
+<td> - </td>
+<td> Name of the external IDP to be retrieved from the <tt>ExternalIdentityProviderManager</tt> </td></tr>
<tr class="a">
-
-<td><tt>PARAM_SYNC_HANDLER_NAME</tt> </td>
-
-<td>String </td>
-
-<td>- </td>
-
-<td>Name of the sync handler to be retrieved from the <tt>SyncManager</tt> </td>
- </tr>
-
+<td> <tt>PARAM_SYNC_HANDLER_NAME</tt> </td>
+<td> String </td>
+<td> - </td>
+<td> Name of the sync handler to be retrieved from the <tt>SyncManager</tt> </td></tr>
<tr class="b">
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
- </tr>
-
+<td> </td>
+<td> </td>
+<td> </td>
+<td> </td></tr>
<tr class="a">
-
-<td><i>Optional (OSGi-setup)</i> </td>
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
- </tr>
-
+<td> <i>Optional (OSGi-setup)</i> </td>
+<td> </td>
+<td> </td>
+<td> </td></tr>
<tr class="b">
-
-<td><tt>JAAS_RANKING</tt> </td>
-
-<td>int </td>
-
-<td>50 </td>
-
-<td>Ranking of the <tt>ExternalLoginModule</tt> in the JAAS configuration, see <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td>
- </tr>
-
+<td> <tt>JAAS_RANKING</tt> </td>
+<td> int </td>
+<td> 50 </td>
+<td> Ranking of the <tt>ExternalLoginModule</tt> in the JAAS configuration, see <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td></tr>
<tr class="a">
-
-<td><tt>JAAS_CONTROL_FLAG</tt> </td>
-
-<td>String </td>
-
-<td>SUFFICIENT </td>
-
-<td>See <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">LoginModuleControlFlag</a> for supported values. </td>
- </tr>
-
+<td> <tt>JAAS_CONTROL_FLAG</tt> </td>
+<td> String </td>
+<td> SUFFICIENT </td>
+<td> See <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">LoginModuleControlFlag</a> for supported values. </td></tr>
<tr class="b">
-
-<td><tt>JAAS_REALM_NAME</tt> </td>
-
-<td>String </td>
-
-<td>- </td>
-
-<td>See <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td>
- </tr>
- </tbody>
+<td> <tt>JAAS_REALM_NAME</tt> </td>
+<td> String </td>
+<td> - </td>
+<td> See <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td></tr>
+</tbody>
</table>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
@@ -446,8 +381,9 @@
<h6><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h6>
<p>The following JAAS configuration shows how the <tt>ExternalLoginModule</tt> could be used in a setup that not solely uses third party login (Note: JAAS configuration equivalents of the parameters defined by <tt>org.apache.felix.jaas.LoginModuleFactory</tt> are omitted):</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">jackrabbit.oak {
+<div>
+<div>
+<pre class="source">jackrabbit.oak {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
@@ -455,25 +391,22 @@
idp.name="ldap";
};
</pre></div></div>
-<p><a name="pluggability"></a></p></div></div></div></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
-<p>The design of the <tt>ExternalLoginModule</tt> allows for customization of the key features associated with third party authentication. In an OSGi-based setup these are covered by references within the <tt>ExternalLoginModuleFactory</tt>:</p>
+<a name="pluggability"></a>
+### Pluggability
+<p>The design of the <tt>ExternalLoginModule</tt> allows for customization of the key features associated with third party authentication. In an OSGi-based setup these are covered by references within the <tt>ExternalLoginModuleFactory</tt>:</p>
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>: Mandatory, unary reference for the <tt>ExternalIdentityProvider</tt> lookup; see <a href="identitymanagement.html">External Identity Management</a> for details.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncManager.html">SyncManager</a>: Mandatory, unary reference for the <tt>SyncHandler</tt> lookup; see <a href="usersync.html">User/Group Synchronization</a> for details.</li>
</ul>
<p>The default implementations (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalIDPManagerImpl.html">ExternalIDPManagerImpl</a> and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/SyncManagerImpl.html">SyncManagerImpl</a>) extend <tt>AbstractServiceTracker</tt> and will automatically keep track of new <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a> services, respectively.</p>
-<p>Since Oak 1.5.1 support for different or multiple types of <tt>Credentials</tt> can easily be plugged by providing an <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> that additionally implements <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>. This is an optional extension point for each IDP; if missing the <tt>ExternalLoginModule</tt> will fall back to a default implementation and assume the IDP only supports <tt>SimpleCredentials</tt>. See details below.</p>
+<p>Since Oak 1.5.1 support for different or multiple types of <tt>Credentials</tt> can easily be plugged by providing an <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> that additionally implements <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>. This is an optional extension point for each IDP; if missing the <tt>ExternalLoginModule</tt> will fall back to a default implementation and assume the IDP only supports <tt>SimpleCredentials</tt>. See details below.</p></div></div></div>
<div class="section">
<h4><a name="Supported_Credentials"></a>Supported Credentials</h4>
<p>The following steps are required in order to change or extend the set credential classes supported by the <tt>ExternalLoginModule</tt>:</p>
-
<ul>
-
+
<li>Extend your <tt>ExternalIdentityProvider</tt> to additionally implement the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface.</li>
</ul>
<p>Don’t forget to make sure that <tt>ExternalIdentityProvider.authenticate(Credentials)</tt> handles the same set of supported credentials!</p>
@@ -482,8 +415,9 @@
<div class="section">
<h6><a name="Example_CredentialsSupport"></a>Example CredentialsSupport</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint"> @Component()
+<div>
+<div>
+<pre class="source"> @Component()
@Service(ExternalIdentityProvider.class, CredentialsSupport.class)
public class MyIdentityProvider implements ExternalIdentityProvider, CredentialsSupport {
@@ -512,9 +446,9 @@
// our credentials never contain additional attributes
return ImmutableMap.of();
}
-
+
//-------------------------------------< ExternalIdentityProvider >---
-
+
@CheckForNull
@Override
public ExternalUser authenticate(@Nonnull Credentials credentials) {
@@ -531,7 +465,7 @@
}
[...]
-
+
//----------------------------------------------< SCR Integration >---
@Activate
private void activate() {
Modified: jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – External Identity Management</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,31 +240,26 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="External_Identity_Management"></a>External Identity Management</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
<p>Jackrabbit Oak provides interfaces and some base classes to ease custom implementation of the external authentication with optional user/group synchronization to the repository.</p></div>
<div class="section">
<h3><a name="Identity_Management_API"></a>Identity Management API</h3>
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>: factory for the <tt>ExternalIdentityProvider</tt></li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>: used to authenticate against the third party system. Additionally provides method to obtain information about external user/group accounts such as needed for the <a href="usersync.html">synchronization</a> into the repository.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentity.html">ExternalIdentity</a>: base interface for an external user/group
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalUser.html">ExternalUser</a></li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalGroup.html">ExternalGroup</a></li>
- </ul></li>
-
+</ul>
+</li>
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>: reference to an external user/group consisting of id and provider name.</li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/PrincipalNameResolver.html">PrincipalNameResolver</a>: optimized lookup of principal name from <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>; see section <a href="external/dynamic.html">Dynamic Membership</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5210">OAK-5210</a> for details)</li>
</ul></div>
<div class="section">
@@ -276,13 +271,10 @@
<div class="section">
<h4><a name="Custom_External_Identity_Management"></a>Custom External Identity Management</h4>
<p>In order to plug a custom implementation of the external identity management the following steps are required:</p>
-
<ul>
-
-<li>Write your own implementation <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> including your implementations of the external identities. <i>Note:</i> If you are running Oak in an OSGi based setup, make sure the provider gets registered as OSGi service in which case it will be automatically tracked by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>.</li>
-
-<li>Deploy the bundle containing your implementation such that the IDP gets tracked by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>. In an non-OSGi environment you have to register it manually</li>
-
+
+<li>Write your own implementation <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> including your implementations of the external identities. <i>Note:</i> If you are running Oak in an OSGi based setup, make sure the provider gets registered as OSGi service in which case it will be automatically tracked by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>.</li>
+<li>Deploy the bundle containing your implementation such that the IDP gets tracked by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>. In an non-OSGi environment you have to register it manually</li>
<li>Link your identity provider to the <tt>ExternalLoginModule</tt> by configuring the IDP name accordingly (see section <a href="externalloginmodule.html#configuration">Configuration</a>)</li>
</ul>
<div class="section">
@@ -290,9 +282,8 @@
<p>See <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authentication/external/CustomExternalIdentityProvider.java">CustomExternalIdentityProvider</a> in the <tt>oak-exercise</tt> module for a very simplistic implementation for an OSGi-based Oak setup.</p></div></div>
<div class="section">
<h4><a name="Custom_ExternalIdentityProviderManager"></a>Custom ExternalIdentityProviderManager</h4>
-<p>Since <tt>oak-auth-external</tt> provides a default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> a custom identity management doesn’t need provide a separate implementation of this interface. </p>
-<p>If you wish to provider your own <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> in an OSGi environment, please make sure it gets properly referenced by the <tt>ExternalLoginModuleFactory</tt>.</p>
-<!-- references --></div></div></div>
+<p>Since <tt>oak-auth-external</tt> provides a default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> a custom identity management doesn’t need provide a separate implementation of this interface.</p>
+<p>If you wish to provider your own <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> in an OSGi environment, please make sure it gets properly referenced by the <tt>ExternalLoginModuleFactory</tt>.</p><!-- references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/ldap.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/ldap.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/ldap.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/ldap.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – LDAP Integration</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,20 +240,18 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="LDAP_Integration"></a>LDAP Integration</h2>
<p>Oak comes with a default implementation of an LDAP identity provider that allows perform external authentication against an existing LDAP in combination with user synchronization.</p>
<p>See section <a href="externalloginmodule.html">External Login Module and User Synchronization</a> for a general overview of the <tt>ExternalLoginModule</tt> and how it can be used in combination with custom identity providers and synchronization handlers.</p>
<div class="section">
<h3><a name="Default_Setup"></a>Default Setup</h3>
<p>Out of the box Oak comes with the following LDAP integration setup:</p>
-
<ul>
-
+
<li><tt>LdapIdentityProvider</tt>: LDAP specific implementation of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> interface.</li>
-
<li><tt>DefaultSyncHandler</tt>: Default implementation of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a> interface.</li>
-
<li><tt>ExternalLoginModule</tt>: Login module implementation that allows for third party authentication as specified by the configured identity provider(s).</li>
</ul></div>
<div class="section">
@@ -272,279 +270,136 @@
<div class="section">
<h4><a name="Configure_LDAP_Integration"></a>Configure LDAP Integration</h4>
<p>The following steps are required in order to configure LDAP integration with the Oak repository:</p>
-
<ul>
-
+
<li>ensure ExternalLoginModule forms part of the systems JAAS Configuration</li>
-
<li>enable the LDAP IdentityProvider and make sure it’s properly configured (see section <i>LDAP Configuration</i> below)</li>
</ul></div>
<div class="section">
<h4><a name="LDAP_Configuration"></a>LDAP Configuration</h4>
<p>The LDAP IPDs are configured through the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.html">org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig</a> which is populated either via OSGi or during manual <a href="../../construct.html">Repository Construction</a>.</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Name </th>
-
-<th>Property </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td>LDAP Provider Name </td>
-
-<td><tt>provider.name</tt> </td>
-
-<td>Name of this LDAP provider configuration. This is used to reference this provider by the login modules. </td>
- </tr>
-
-<tr class="a">
-
-<td>Bind DN </td>
-
-<td><tt>bind.dn</tt> </td>
-
-<td>DN of the user for authentication. Leave empty for anonymous bind. </td>
- </tr>
-
-<tr class="b">
-
-<td>Bind Password </td>
-
-<td><tt>bind.password</tt> </td>
-
-<td>Password of the user for authentication. </td>
- </tr>
-
-<tr class="a">
-
-<td>LDAP Server Hostname </td>
-
-<td><tt>host.name</tt> </td>
-
-<td>Hostname of the LDAP server </td>
- </tr>
-
-<tr class="b">
-
-<td>Disable certificate checking </td>
-
-<td><tt>host.noCertCheck</tt> </td>
-
-<td>Indicates if server certificate validation should be disabled. </td>
- </tr>
-
-<tr class="a">
-
-<td>LDAP Server Port </td>
-
-<td><tt>host.port</tt> </td>
-
-<td>Port of the LDAP server </td>
- </tr>
-
-<tr class="b">
-
-<td>Use SSL </td>
-
-<td><tt>host.ssl</tt> </td>
-
-<td>Indicates if an SSL (LDAPs) connection should be used. </td>
- </tr>
-
-<tr class="a">
-
-<td>Use TLS </td>
-
-<td><tt>host.tls</tt> </td>
-
-<td>Indicates if TLS should be started on connections. </td>
- </tr>
-
-<tr class="b">
-
-<td>Search Timeout </td>
-
-<td><tt>searchTimeout</tt> </td>
-
-<td>Time in until a search times out (eg: ‘1s’ or ‘1m 30s’). </td>
- </tr>
-
-<tr class="a">
-
-<td>Admin pool max active </td>
-
-<td><tt>adminPool.maxActive</tt> </td>
-
-<td>The max active size of the admin connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. </td>
- </tr>
-
-<tr class="b">
-
-<td>Admin pool lookup on validate </td>
-
-<td><tt>adminPool.lookupOnValidate</tt> </td>
-
-<td>Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the admin pool. </td>
- </tr>
-
-<tr class="a">
-
-<td>User pool max active </td>
-
-<td><tt>userPool.maxActive</tt> </td>
-
-<td>The max active size of the user connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. </td>
- </tr>
-
-<tr class="b">
-
-<td>User pool lookup on validate </td>
-
-<td><tt>userPool.lookupOnValidate</tt> </td>
-
-<td>Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the user pool. </td>
- </tr>
-
-<tr class="a">
-
-<td>User base DN </td>
-
-<td><tt>user.baseDN</tt> </td>
-
-<td>The base DN for user searches. </td>
- </tr>
-
-<tr class="b">
-
-<td>User extra filter </td>
-
-<td><tt>user.extraFilter</tt> </td>
-
-<td>Extra LDAP filter to use when searching for users. The final filter is formatted like: <tt>(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)</tt> </td>
- </tr>
-
-<tr class="a">
-
-<td>User id attribute </td>
-
-<td><tt>user.idAttribute</tt> </td>
-
-<td>Name of the attribute that contains the user id. </td>
- </tr>
-
-<tr class="b">
-
-<td>User DN paths </td>
-
-<td><tt>user.makeDnPath</tt> </td>
-
-<td>Controls if the DN should be used for calculating a portion of the intermediate path. </td>
- </tr>
-
-<tr class="a">
-
-<td>User object classes </td>
-
-<td><tt>user.objectclass</tt> </td>
-
-<td>The list of object classes an user entry must contain. </td>
- </tr>
-
-<tr class="b">
-
-<td>Group base DN </td>
-
-<td><tt>group.baseDN</tt> </td>
-
-<td>The base DN for group searches. </td>
- </tr>
-
-<tr class="a">
-
-<td>Group extra filter </td>
-
-<td><tt>group.extraFilter</tt> </td>
-
-<td>Extra LDAP filter to use when searching for groups. The final filter is formatted like: <tt>(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)</tt> </td>
- </tr>
-
-<tr class="b">
-
-<td>Group DN paths </td>
-
-<td><tt>group.makeDnPath</tt> </td>
-
-<td>Controls if the DN should be used for calculating a portion of the intermediate path. </td>
- </tr>
-
-<tr class="a">
-
-<td>Group member attribute </td>
-
-<td><tt>group.memberAttribute</tt> </td>
-
-<td>Group attribute that contains the member(s) of a group. </td>
- </tr>
-
-<tr class="b">
-
-<td>Group name attribute </td>
-
-<td><tt>group.nameAttribute</tt> </td>
-
-<td>Name of the attribute that contains the group name. </td>
- </tr>
-
-<tr class="a">
-
-<td>Group object classes </td>
-
-<td><tt>group.objectclass</tt> </td>
-
-<td>The list of object classes a group entry must contain. </td>
- </tr>
-
-<tr class="b">
-
-<td>Use user id for external ids </td>
-
-<td><tt>useUidForExtId</tt> </td>
-
-<td>If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. </td>
- </tr>
-
-<tr class="a">
-
-<td>Custom Attributes </td>
-
-<td><tt>customattributes</tt> </td>
-
-<td>Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. </td>
- </tr>
-
+<th> Name </th>
+<th> Property </th>
+<th> Description </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> LDAP Provider Name </td>
+<td> <tt>provider.name</tt> </td>
+<td> Name of this LDAP provider configuration. This is used to reference this provider by the login modules. </td></tr>
+<tr class="a">
+<td> Bind DN </td>
+<td> <tt>bind.dn</tt> </td>
+<td> DN of the user for authentication. Leave empty for anonymous bind. </td></tr>
+<tr class="b">
+<td> Bind Password </td>
+<td> <tt>bind.password</tt> </td>
+<td> Password of the user for authentication. </td></tr>
+<tr class="a">
+<td> LDAP Server Hostname </td>
+<td> <tt>host.name</tt> </td>
+<td> Hostname of the LDAP server </td></tr>
+<tr class="b">
+<td> Disable certificate checking </td>
+<td> <tt>host.noCertCheck</tt> </td>
+<td> Indicates if server certificate validation should be disabled. </td></tr>
+<tr class="a">
+<td> LDAP Server Port </td>
+<td> <tt>host.port</tt> </td>
+<td> Port of the LDAP server </td></tr>
+<tr class="b">
+<td> Use SSL </td>
+<td> <tt>host.ssl</tt> </td>
+<td> Indicates if an SSL (LDAPs) connection should be used. </td></tr>
+<tr class="a">
+<td> Use TLS </td>
+<td> <tt>host.tls</tt> </td>
+<td> Indicates if TLS should be started on connections. </td></tr>
+<tr class="b">
+<td> Search Timeout </td>
+<td> <tt>searchTimeout</tt> </td>
+<td> Time in until a search times out (eg: ‘1s’ or ‘1m 30s’). </td></tr>
+<tr class="a">
+<td> Admin pool max active </td>
+<td> <tt>adminPool.maxActive</tt> </td>
+<td> The max active size of the admin connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. </td></tr>
+<tr class="b">
+<td> Admin pool lookup on validate </td>
+<td> <tt>adminPool.lookupOnValidate</tt> </td>
+<td> Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the admin pool. </td></tr>
+<tr class="a">
+<td> User pool max active </td>
+<td> <tt>userPool.maxActive</tt> </td>
+<td> The max active size of the user connection pool. When non-positive, there is no limit to the number of objects that can be managed by the pool at one time. A value of 0 disables this pool. </td></tr>
+<tr class="b">
+<td> User pool lookup on validate </td>
+<td> <tt>userPool.lookupOnValidate</tt> </td>
+<td> Indicates an ROOT DSE lookup is performed to test if the connection is still valid when taking it out of the user pool. </td></tr>
+<tr class="a">
+<td> User base DN </td>
+<td> <tt>user.baseDN</tt> </td>
+<td> The base DN for user searches. </td></tr>
+<tr class="b">
+<td> User extra filter </td>
+<td> <tt>user.extraFilter</tt> </td>
+<td> Extra LDAP filter to use when searching for users. The final filter is formatted like: <tt>(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)</tt> </td></tr>
+<tr class="a">
+<td> User id attribute </td>
+<td> <tt>user.idAttribute</tt> </td>
+<td> Name of the attribute that contains the user id. </td></tr>
+<tr class="b">
+<td> User DN paths </td>
+<td> <tt>user.makeDnPath</tt> </td>
+<td> Controls if the DN should be used for calculating a portion of the intermediate path. </td></tr>
+<tr class="a">
+<td> User object classes </td>
+<td> <tt>user.objectclass</tt> </td>
+<td> The list of object classes an user entry must contain. </td></tr>
+<tr class="b">
+<td> Group base DN </td>
+<td> <tt>group.baseDN</tt> </td>
+<td> The base DN for group searches. </td></tr>
+<tr class="a">
+<td> Group extra filter </td>
+<td> <tt>group.extraFilter</tt> </td>
+<td> Extra LDAP filter to use when searching for groups. The final filter is formatted like: <tt>(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)</tt> </td></tr>
+<tr class="b">
+<td> Group DN paths </td>
+<td> <tt>group.makeDnPath</tt> </td>
+<td> Controls if the DN should be used for calculating a portion of the intermediate path. </td></tr>
+<tr class="a">
+<td> Group member attribute </td>
+<td> <tt>group.memberAttribute</tt> </td>
+<td> Group attribute that contains the member(s) of a group. </td></tr>
+<tr class="b">
+<td> Group name attribute </td>
+<td> <tt>group.nameAttribute</tt> </td>
+<td> Name of the attribute that contains the group name. </td></tr>
+<tr class="a">
+<td> Group object classes </td>
+<td> <tt>group.objectclass</tt> </td>
+<td> The list of object classes a group entry must contain. </td></tr>
+<tr class="b">
+<td> Use user id for external ids </td>
+<td> <tt>useUidForExtId</tt> </td>
+<td> If enabled, the value of the user id (resp. group name) attribute will be used to create external identifiers. Leave disabled to use the DN instead. </td></tr>
+<tr class="a">
+<td> Custom Attributes </td>
+<td> <tt>customattributes</tt> </td>
+<td> Attributes retrieved when looking up LDAP entries. Leave empty to retrieve all attributes. </td></tr>
<tr class="b">
-
-<td> </td>
-
<td> </td>
-
<td> </td>
- </tr>
- </tbody>
+<td> </td></tr>
+</tbody>
</table></div>
<div class="section">
<h4><a name="SyncHandler_and_External_Login_Module"></a>SyncHandler and External Login Module</h4>
-<p>See <a href="externalloginmodule.html">External Login Module and User Synchronization</a> for details about the external login module and configuration options for the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html">DefaultSyncHandler</a>.</p>
-<!-- references --></div></div></div>
+<p>See <a href="externalloginmodule.html">External Login Module and User Synchronization</a> for details about the external login module and configuration options for the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html">DefaultSyncHandler</a>.</p><!-- references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Pre-Authenticated Login</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,42 +240,39 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Pre-Authenticated_Login"></a>Pre-Authenticated Login</h2>
<p>Oak provides two different mechanisms to create pre-authentication that doesn’t involve the repositories internal authentication mechanism for credentials validation.</p>
-
<ul>
-
+
<li><a href="#withloginchain">Pre-Authentication combined with Login Module Chain</a></li>
-
<li><a href="#withoutrepository">Pre-Authentication without Repository Involvement</a></li>
</ul>
-<p><a name="withloginchain"></a></p>
-<div class="section">
-<h3><a name="Pre-Authentication_combined_with_Login_Module_Chain"></a>Pre-Authentication combined with Login Module Chain</h3>
+<a name="withloginchain"></a>
+### Pre-Authentication combined with Login Module Chain
+
<p>This first variant allows to support 3rd party login modules that wish to provide the login context with pre authenticated login names, but still want to rely on the rest of the Oak’s login module chain. For example an external SSO login module can extract the userid from a servlet request and use it to authenticate against the repository. But instead of re-implementing the user lookup and subject population (and possible external user synchronization) it just informs any subsequent login modules that the credential validation was already successful.</p>
<p>The key to understand this mechanism is the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html">PreAuthenticatedLogin</a> marker class, which is pushed to the shared state of the login context and which indicates to any subsequent LoginModule that the credentials present in the state already have been verified and thus can be trusted.</p>
<p>This setup is particularly recommended in a OSGi setup that includes Apache Sling on top of the Oak repository but still requires user information to be synchronized into the repository.</p>
<div class="section">
+<div class="section">
<h4><a name="How_it_works"></a>How it works</h4>
<p>The basic steps of the pre-authentication in combination with regular JAAS login module chain are outlined as follows:</p>
-
<ol style="list-style-type: decimal">
-
+
<li>verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling Authentication Handler)</li>
-
<li>pass a custom, non-public Credentials implementation to the repository login</li>
-
-<li>create a custom login module that only supports these dedicated credentials and pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information required and processed by subsequent login modules (e.g. credentials and user name).</li>
-
-<li>make sure the subsequent login modules in the JAAS configuration are capable to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and will properly populate the subject and optionally synchronize user information or create login tokens.</li>
+<li>create a custom login module that only supports these dedicated credentials and pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information required and processed by subsequent login modules (e.g. credentials and user name).</li>
+<li>make sure the subsequent login modules in the JAAS configuration are capable to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and will properly populate the subject and optionally synchronize user information or create login tokens.</li>
</ol>
<div class="section">
<h5><a name="Example"></a>Example</h5>
<p>Example implementation of <tt>LoginModule#login</tt> that pushes the <tt>PreAuthenticatedLogin</tt> marker to the shared state:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">public class PreAuthLoginModule extends AbstractLoginModule {
+<div>
+<div>
+<pre class="source">public class PreAuthLoginModule extends AbstractLoginModule {
[...]
@@ -295,11 +292,11 @@
}
[...]
-
+
// subsequent login modules need to succeed and process the 'PreAuthenticatedLogin'
return false;
}
-
+
@Overwrite
public boolean commit() {
// this module leaves subject population to the subsequent modules
@@ -308,29 +305,27 @@
}
}
</pre></div></div>
-<p><a name="withoutrepository"></a></p></div></div></div>
-<div class="section">
-<h3><a name="Pre-Authentication_without_Repository_Involvement"></a>Pre-Authentication without Repository Involvement</h3>
+<a name="withoutrepository"></a>
+### Pre-Authentication without Repository Involvement
+
<p>Like in Jackrabbit-core the repository internal authentication verification can be skipped by calling <tt>Repository#login()</tt> or <tt>Repository#login(null, wspName)</tt>. In this case the repository implementation expects the verification to be performed prior to the login call.</p>
-<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p>
+<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p></div></div>
<div class="section">
<h4><a name="Options_to_modify_the_default_behavior"></a>Options to modify the default behavior</h4>
<p>Since the <tt>LoginContextProvider</tt> is a configurable with the authentication setup OAK users also have the following options by providing a custom <tt>LoginContextProvider</tt>:</p>
-
<ul>
-
+
<li>Disable pre-authentication by not trying to retrieve a pre-authenticated <tt>Subject</tt>.</li>
-
<li>Add support for extending the pre-authenticated subject by always passing writable subjects to the <tt>JaasLoginContext</tt></li>
-
-<li>Dropping JAAS altogether by providing a custom implementation of the <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
+<li>Dropping JAAS altogether by providing a custom implementation of the <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
</ul>
<div class="section">
<h5><a name="Example"></a>Example</h5>
<p>Example how to use this type of pre-authentication:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">String userId = "test";
+<div>
+<div>
+<pre class="source">String userId = "test";
/**
* Retrive valid principals e.g. by using Jackrabbit or Oak API:
* - PrincipalManager#getPrincipal and/or #getGroupMembership