Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2014/05/13 12:04:19 UTC

svn commit: r1594180 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol.md authentication.md authentication/externalloginmodule.md authentication/tokenmanagement.md privilege.md user.md

Author: angela
Date: Tue May 13 10:04:19 2014
New Revision: 1594180

URL: http://svn.apache.org/r1594180
Log:
OAK-301 : oak docu

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Tue May 13 10:04:19 2014
@@ -168,6 +168,10 @@ Differences to Jackrabbit 2.x:
 - The "omit-default-permission" configuration option present with the Jackrabbit's AccessControlProvider implementations is no longer supported with Oak.
 - As of OAK no extra access control content is installed by default which renders that flag superfluous.
 
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](accesscontrol/differences.html)
+- [Restriction Management](accesscontrol/restriction.html)
 
 <!-- hidden references -->
 [1]: http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/
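
Review bot: The new "Differences wrt Jackrabbit 2.x" entry links to accesscontrol/differences.html, but the "Differences to Jackrabbit 2.x:" section named in the hunk header and its two "omit-default-permission" bullets stay inline on this page, so the same material now lives in two places. Either move the inline bullets to the linked page or reduce the inline section to a one-line pointer, so the two copies cannot drift apart.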

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Tue May 13 10:04:19 2014
@@ -353,9 +353,7 @@ _todo_ [Synchronization](authentication/
 Oak in addition provides interfaces to ease custom implementation of the external
 authentication with optional user/group synchronization to the repository.
 
-See section [identity management](authentication/identitymanagement.html) and
-[External Login Module and User Synchronization](authentication/externalloginmodule.html) for details.
-
+See section [identity management](authentication/identitymanagement.html) for details.
 
 ### Configuration
 
@@ -367,13 +365,20 @@ There also exists a utility class that a
 `javax.security.auth.login.Configuration` for the most common setup [11]:
 
 - `ConfigurationUtil#getDefaultConfiguration`: default OAK configuration supporting uid/pw login configures `LoginModuleImpl` only
-
 - `ConfigurationUtil#getJackrabbit2Configuration`: backwards compatible configuration that provides the functionality covered by jackrabbit-core DefaultLoginModule, namely:
-
     - `GuestLoginModule`: null login falls back to anonymous
     - `TokenLoginModule`: covers token base authentication
     - `LoginModuleImpl`: covering regular uid/pw login
 
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](authentication/differences.html)
+- [Token Authentication and Token Management](authentication/tokenmanagement.html)
+- [External Authentication](authentication/externalloginmodule.html)
+    - [User and Group Synchronization](authentication/usersync.html)
+    - [Identity Management](authentication/identitymanagement.html)
+    - [LDAP Integration](authentication/ldap.html)
+- [Pre-Authentication](authentication/preauthentication.html)
 
 <!-- references -->
 [javax.security.auth.spi.LoginModule]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html
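
Review bot: The `TokenLoginModule` bullet in the list this hunk reflows still reads "covers token base authentication"; since the list is being touched anyway, change it to "token based authentication". The three `LoginModule` bullets also describe their modules in three different styles ("null login falls back", "covers", "covering"); one verb form would read better.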

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md Tue May 13 10:04:19 2014
@@ -85,7 +85,9 @@ _Phase 2: Commit_
 
 #### External Identity Provider
 
-_todo_
+The `ExternalLoginModule` is designed to work with a pluggable [ExternalIdentityProvider]
+implementation that is responsible for validating the authentication request and
+provide information about the user that is associated with the specified credentials.
 
 See [External Identity Management](identitymanagement.html) for further information
 regarding the identity management API defined by Oak. Section [LDAP](ldap.html)
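
Review bot: The added paragraph mixes verb forms in "responsible for validating the authentication request and provide information about the user"; make the second verb match the first, for example "and for providing information about the user".
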
@@ -100,13 +102,24 @@ present on the IDP.
 See section [User Synchronization](usersync.html) for further details and a
 description of the default implementation.
 
-### Example JAAS Configuration
+### Configuration
+
+#### Examples
+
+##### Example JAAS Configuration
 
 The following JAAS configuration shows how the `ExternalLoginModule` could be
 used in a setup that not solely uses third party login:
 
-    _todo_
+    jackrabbit.oak {
+         org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
+         org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
+         org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
+            sync.handlerName="default"
+            idp.name="ldap";
+     };
 
 <!-- references -->
 
+[ExternalIdentityProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html
 [DefaultSyncConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html
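
Review bot: The added JAAS example sets `sync.handlerName="default"` and `idp.name="ldap"` without saying what the two options refer to; add a sentence that ties them to the sync handler and the identity provider described in the sections above. The control flags deserve a line as well: with `TokenLoginModule` and `LoginModuleImpl` both `sufficient`, a successful token or uid/pw login returns before `ExternalLoginModule` is consulted, and the `required` external module decides the outcome only when neither of the earlier modules succeeded. Style: the closing `};` is indented one space more than the opening `jackrabbit.oak {` line.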

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Tue May 13 10:04:19 2014
@@ -40,13 +40,25 @@ extended at runtime (see section Configu
 
 #### TokenLoginModule
 
-The `TokenLoginModule` itself behaves as follows:
+The `TokenLoginModule`designed to support and issue `TokenCredentials`. The
+authentication phases behave as follows:
 
 *Phase 1: Login*
-_todo_
+
+- if no `TokenProvider` is available **returns `false`**
+- if a `TokenProvider` has been configured it retrieves JCR credentials from the [CallbackHandler] using the [CredentialsCallback]
+- in case of `TokenCredentials` validates these credentials: if it succeeds
+  it pushes the users ID to the shared state and returns `true`; otherwise throws `LoginException`
+- for other credentials the method returns `false`
 
 *Phase 1: Commit*
-_todo_
+
+- if phase 1 succeeded the subject is populated and the method returns `true`
+- in case phase 1 did not succeed this method will test if the shared state contain
+  credentials that ask for a new token being created; if this succeeds it will
+  create a new instance of `TokenCredentials`, push the public attributes to the
+  shared stated and update the subject with the new credentials;
+  finally the commit call **returns `false`**
 
 ### Token Management API
 
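
Review bot: The second phase heading added here reads "*Phase 1: Commit*", the same number as "*Phase 1: Login*" just above; the external login module page in this commit uses "_Phase 2: Commit_", so this should be "*Phase 2: Commit*". The opening sentence is missing a space and a verb ("The `TokenLoginModule`designed to support"), and the bullets have small slips: "the users ID", "shared state contain" and "shared stated".
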
@@ -162,6 +174,14 @@ _todo_
 - [TokenConfiguration]
 - [CompositeTokenConfiguration]
 
+#### Examples
+
+##### Example JAAS Configuration
+
+    jackrabbit.oak {
+         org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
+         org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
+     };
 
 
 ### Pluggability
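
Review bot: The configuration under "Example JAAS Configuration" is added with no introductory sentence, unlike the matching example in externalloginmodule.md. One line on the flags would help: `TokenLoginModule sufficient` lets a valid token log in on its own, and `LoginModuleImpl required` handles the other credentials, for which the token module's login phase returns `false`.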

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Tue May 13 10:04:19 2014
@@ -155,6 +155,10 @@ the security risk associated with it.
     // NOTE: workspace operation that doesn't require Session#save()
     privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
 
+
+### Further Reading
+
+
 <!-- references -->
 [PrivilegeConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.html
 [PrivilegeConstants]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html
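
Review bot: The "### Further Reading" heading added here has no entries under it, so the rendered page gets an empty section directly above the reference definitions. Add the links it is meant to hold, or leave the heading out until there is a page to point to.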

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1594180&r1=1594179&r2=1594180&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Tue May 13 10:04:19 2014
@@ -242,6 +242,13 @@ The following configuration parameters p
 * "autoExpandSize"
 * "groupMembershipSplitSize"
 
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](user/differences.html)
+- [Group Membership](user/membership.html)
+- [Authorizable Actions](user/authorizableaction.html)
+- [Searching Users and Groups](user/query.html)
+
 <!-- hidden references -->
 [everyone]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html#NAME
 [OAK-118]: https://issues.apache.org/jira/browse/OAK-118
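
Review bot: The first entry's link text, "Differences wrt Jackrabbit 2.x", uses an abbreviation in reader-facing documentation; spell it out, for example "Differences to Jackrabbit 2.x".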