Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2014/05/13 12:04:19 UTC
svn commit: r1594180 - in
/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol.md
authentication.md authentication/externalloginmodule.md
authentication/tokenmanagement.md privilege.md user.md
Author: angela
Date: Tue May 13 10:04:19 2014
New Revision: 1594180
URL: http://svn.apache.org/r1594180
Log:
OAK-301 : oak docu
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Tue May 13 10:04:19 2014
@@ -168,6 +168,10 @@ Differences to Jackrabbit 2.x:
- The "omit-default-permission" configuration option present with the Jackrabbit's AccessControlProvider implementations is no longer supported with Oak.
- As of OAK no extra access control content is installed by default which renders that flag superfluous.
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](accesscontrol/differences.html)
+- [Restriction Management](accesscontrol/restriction.html)
<!-- hidden references -->
[1]: http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/
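Review bot: The new "Differences wrt Jackrabbit 2.x" link sits directly below the page's own "Differences to Jackrabbit 2.x" list, so readers get the same topic twice without knowing which is authoritative. Either move the inline items (such as the "omit-default-permission" note) to accesscontrol/differences.html and leave only the link, or state that the linked page is the full list. As a style point, spell out "wrt" as "with respect to" in the link text, here and in the other Further Reading lists.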
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Tue May 13 10:04:19 2014
@@ -353,9 +353,7 @@ _todo_ [Synchronization](authentication/
Oak in addition provides interfaces to ease custom implementation of the external
authentication with optional user/group synchronization to the repository.
-See section [identity management](authentication/identitymanagement.html) and
-[External Login Module and User Synchronization](authentication/externalloginmodule.html) for details.
-
+See section [identity management](authentication/identitymanagement.html) for details.
### Configuration
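Review bot: Dropping the externalloginmodule.html link from the "See section" sentence leaves the paragraph on external authentication with user/group synchronization pointing only at identity management, which is not where the login module itself is described. Keep the in-context reference, for example "See [External Authentication](authentication/externalloginmodule.html) and [identity management](authentication/identitymanagement.html) for details.", even though the page also lists it under Further Reading.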
@@ -367,13 +365,20 @@ There also exists a utility class that a
`javax.security.auth.login.Configuration` for the most common setup [11]:
- `ConfigurationUtil#getDefaultConfiguration`: default OAK configuration supporting uid/pw login configures `LoginModuleImpl` only
-
- `ConfigurationUtil#getJackrabbit2Configuration`: backwards compatible configuration that provides the functionality covered by jackrabbit-core DefaultLoginModule, namely:
-
- `GuestLoginModule`: null login falls back to anonymous
- `TokenLoginModule`: covers token base authentication
- `LoginModuleImpl`: covering regular uid/pw login
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](authentication/differences.html)
+- [Token Authentication and Token Management](authentication/tokenmanagement.html)
+- [External Authentication](authentication/externalloginmodule.html)
+ - [User and Group Synchronization](authentication/usersync.html)
+ - [Identity Management](authentication/identitymanagement.html)
+ - [LDAP Integration](authentication/ldap.html)
+- [Pre-Authentication](authentication/preauthentication.html)
<!-- references -->
[javax.security.auth.spi.LoginModule]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html
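Review bot: Several Further Reading targets (authentication/differences.html, usersync.html, ldap.html, preauthentication.html) do not correspond to any file touched by this revision, so please confirm the pages exist or the site build will ship dead links. The hunk also removes the blank lines around the `getJackrabbit2Configuration` item; check that the three login modules still render as a nested list under it rather than as siblings of the two `ConfigurationUtil` entries.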
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md Tue May 13 10:04:19 2014
@@ -85,7 +85,9 @@ _Phase 2: Commit_
#### External Identity Provider
-_todo_
+The `ExternalLoginModule` is designed to work with a pluggable [ExternalIdentityProvider]
+implementation that is responsible for validating the authentication request and
+provide information about the user that is associated with the specified credentials.
See [External Identity Management](identitymanagement.html) for further information
regarding the identity management API defined by Oak. Section [LDAP](ldap.html)
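Review bot: Grammar in the added sentence: "responsible for validating the authentication request and provide information" mixes verb forms; it should read "and providing information". It would also help to state what the IDP returns when validation fails, since that is the part an implementer of [ExternalIdentityProvider] most needs to get right.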
@@ -100,13 +102,24 @@ present on the IDP.
See section [User Synchronization](usersync.html) for further details and a
description of the default implementation.
-### Example JAAS Configuration
+### Configuration
+
+#### Examples
+
+##### Example JAAS Configuration
The following JAAS configuration shows how the `ExternalLoginModule` could be
used in a setup that not solely uses third party login:
- _todo_
+ jackrabbit.oak {
+ org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
+ org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
+ org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
+ sync.handlerName="default"
+ idp.name="ldap";
+ };
<!-- references -->
+[ExternalIdentityProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html
[DefaultSyncConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html
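Review bot: The options `sync.handlerName="default"` and `idp.name="ldap"` appear in the example without any explanation of what they must match, so a reader copying the block cannot tell which names are fixed and which are site-specific. Add one sentence saying what each option refers to. It is also worth spelling out the control flags: with `TokenLoginModule` and `LoginModuleImpl` both `sufficient`, the `required` `ExternalLoginModule` only decides the outcome when neither of them has authenticated the request. Minor: "#####" under "#### Examples" under "### Configuration" is three heading levels for a single code block.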
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Tue May 13 10:04:19 2014
@@ -40,13 +40,25 @@ extended at runtime (see section Configu
#### TokenLoginModule
-The `TokenLoginModule` itself behaves as follows:
+The `TokenLoginModule`designed to support and issue `TokenCredentials`. The
+authentication phases behave as follows:
*Phase 1: Login*
-_todo_
+
+- if no `TokenProvider` is available **returns `false`**
+- if a `TokenProvider` has been configured it retrieves JCR credentials from the [CallbackHandler] using the [CredentialsCallback]
+- in case of `TokenCredentials` validates these credentials: if it succeeds
+ it pushes the users ID to the shared state and returns `true`; otherwise throws `LoginException`
+- for other credentials the method returns `false`
*Phase 1: Commit*
-_todo_
+
+- if phase 1 succeeded the subject is populated and the method returns `true`
+- in case phase 1 did not succeed this method will test if the shared state contain
+ credentials that ask for a new token being created; if this succeeds it will
+ create a new instance of `TokenCredentials`, push the public attributes to the
+ shared stated and update the subject with the new credentials;
+ finally the commit call **returns `false`**
### Token Management API
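Review bot: The second phase is still headed "*Phase 1: Commit*" while its new bullets refer to "phase 1" as the login step, so the heading should be "Phase 2: Commit" to match the text. The intro line "The `TokenLoginModule`designed to support" is missing a space and the verb "is". Further typos in the added bullets: "users ID" should be "user's ID", "shared state contain" should be "contains", and "shared stated" should be "shared state". The new [CallbackHandler] and [CredentialsCallback] reference links have no definitions in this change; add them to the references block. Finally, say why commit "returns `false`" after creating the token, since that is the behaviour readers will find surprising.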
@@ -162,6 +174,14 @@ _todo_
- [TokenConfiguration]
- [CompositeTokenConfiguration]
+#### Examples
+
+##### Example JAAS Configuration
+
+ jackrabbit.oak {
+ org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
+ org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
+ };
### Pluggability
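Review bot: The JAAS block under "##### Example JAAS Configuration" has no introductory sentence, unlike the matching example in externalloginmodule.md. Add a line explaining the setup it represents and why `TokenLoginModule` is `sufficient` ahead of a `required` `LoginModuleImpl`, so the ordering can be related to the login and commit behaviour described earlier on this page.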
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Tue May 13 10:04:19 2014
@@ -155,6 +155,10 @@ the security risk associated with it.
// NOTE: workspace operation that doesn't require Session#save()
privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
+
+### Further Reading
+
+
<!-- references -->
[PrivilegeConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.html
[PrivilegeConstants]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html
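Review bot: The "### Further Reading" heading is added with no entries beneath it, so the published page will show an empty section. Either add the intended links in this change or leave the heading out until there is something to list.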
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Tue May 13 10:04:19 2014
@@ -242,6 +242,13 @@ The following configuration parameters p
* "autoExpandSize"
* "groupMembershipSplitSize"
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](user/differences.html)
+- [Group Membership](user/membership.html)
+- [Authorizable Actions](user/authorizableaction.html)
+- [Searching Users and Groups](user/query.html)
+
<!-- hidden references -->
[everyone]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html#NAME
[OAK-118]: https://issues.apache.org/jira/browse/OAK-118