You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2018/11/01 09:07:02 UTC
svn commit: r1845417 - in
/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: ./ accesscontrol/
authentication/ authentication/external/ authentication/token/
authorization/ permission/ principal/ privilege/ user/
Author: angela
Date: Thu Nov 1 09:07:01 2018
New Revision: 1845417
URL: http://svn.apache.org/viewvc?rev=1845417&view=rev
Log:
OAK-7871 : Broken headers in security documentation
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Thu Nov 1 09:07:01 2018
@@ -28,7 +28,7 @@ read [Using the Access Control Managemen
a comprehensive list of method calls as well as examples that may be used to
edit the access control content of the repository.
-<a name="jcr_api"/>
+<a name="jcr_api"></a>
### JCR API
Access Control Management is an optional feature defined by [JSR 283] consisting of
@@ -58,7 +58,7 @@ The JCR access control management has th
- *effect*: policies bound to a given node only take effect upon `Session.save()`. Access to properties is defined by the their parent node.
- *scope*: a given policy may not only affect the node it is bound to but may have an effect on accessibility of items elsewhere in the workspace.
-<a name="jackrabbit_api"/>
+<a name="jackrabbit_api"></a>
### Jackrabbit API
The Jackrabbit API defines various access control related extensions to the
@@ -80,7 +80,7 @@ The following interfaces and extensions
- `JackrabbitAccessControlList`
- `JackrabbitAccessControlEntry`
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
Oak defines the following interfaces extending the access control management API:
@@ -102,7 +102,7 @@ Oak 1.0 defines a dedicated restriction
[Restriction Management](authorization/restriction.html) for details and further
information regarding extensibility and pluggability.
-<a name="utilities"/>
+<a name="utilities"></a>
### Utilities
The jcr-commons module present with Jackrabbit provide some access control related
@@ -124,14 +124,14 @@ the complete list of methods.
acMgr.setPolicy(path, acl);
session.save();
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Characteristics of the Default Implementation
The behavior of the default access control implementation is described in sections
[Access Control Management: The Default Implementation](accesscontrol/default.html)
and [Restriction Management](authorization/restriction.html).
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The configuration of the access control management implementation is handled
@@ -146,7 +146,7 @@ methods:
The supported configuration options of the default implementation are described in the corresponding [section](accesscontrol/default.html#configuration).
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Differences wrt Jackrabbit 2.x](accesscontrol/differences.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md Thu Nov 1 09:07:01 2018
@@ -115,7 +115,7 @@ restrictions as mentioned by JSR 283. De
in Oak 1.0 as well as a list of built-in restrictions and extensibility can be
found in section [Restriction Management](../authorization/restriction.html).
-<a name="representation"/>
+<a name="representation"></a>
### Representation in the Repository
All access control policies defined with an Oak repository are stores child of
@@ -199,6 +199,7 @@ the node they are bound to. The node typ
}
}
+<a name="xml_import"></a>
### XML Import
As of OAK 1.0 access control content can be imported both with Session and
@@ -225,7 +226,7 @@ the following entry:
See also ([OAK-1350](https://issues.apache.org/jira/browse/OAK-1350)))
-<a name="validation"/>
+<a name="validation"></a>
### Validation
The consistency of this content structure is asserted by a dedicated `AccessControlValidator`.
@@ -248,7 +249,7 @@ The corresponding errors are all of type
| 0013 | Duplicate ACE found in policy |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
#### Configuration Parameters
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md Thu Nov 1 09:07:01 2018
@@ -18,6 +18,7 @@
Using the Access Control Management API
--------------------------------------------------------------------------------
+<a name="read"></a>
### Reading
#### Privilege Discovery
@@ -98,6 +99,7 @@ and privileges on `AccessControlManager`
- `JackrabbitAccessControlManager`
- `getEffectivePolicies(Set<Principal>)`
+<a name="write"></a>
### Writing
#### Adding Policies
@@ -266,6 +268,7 @@ or alternatively use `AccessControlUtils
}
}
+<a name="repository_level"></a>
### Access Control on Repository Level
##### Examples
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Thu Nov 1 09:07:01 2018
@@ -76,7 +76,7 @@ LoginModule is configured and succeeds,
LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules
are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
-<a name="jcr_api"/>
+<a name="jcr_api"></a>
### JCR API
Within the scope of JCR `Repository.login` is used to authenticate a given user.
@@ -104,7 +104,7 @@ for further details.
In addition JCR defines `Session.impersonate(Credentials)` to impersonate another
user or - as of JSR 333 - clone an existing session.
-<a name="oak_api"/>
+<a name="oak_api"></a>
### Oak API
The Oak API contains the following authentication related methods and interfaces
@@ -113,7 +113,7 @@ The Oak API contains the following authe
- `ContentRepository.login(Credentials, String)`: The Oak counterpart of the JCR login.
- `ContentSession.getAuthInfo()`: exposes the `AuthInfo` associated with the `ContentSession`.
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extension
#### Oak Authentication
@@ -185,7 +185,7 @@ Subclasses are required to implement the
}
}
-<a name="supported_credentials"/>
+<a name="supported_credentials"></a>
#### Supported Credentials
Since Oak 1.5.1 the extensions additionally contain a dedicated interface that
@@ -195,7 +195,7 @@ eases the support for different `Credent
- [CredentialsSupport]: Interface definition exposing the set of supported `Credentials` classes and some common utility methods.
- [SimpleCredentialsSupport]: Default implementation for the widely used `SimpleCredentials`
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Oak Authentication Implementation
A description of the various requirements covered by Oak by default as well
@@ -205,7 +205,7 @@ section [Authentication: Implementation
See section [differences](authentication/differences.html) for comprehensive list
of differences wrt authentication between Jackrabbit 2.x and Oak.
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The configuration of the authentication setup is defined by the [AuthenticationConfiguration].
@@ -223,7 +223,7 @@ There also exists a utility class that a
- `TokenLoginModule`: covers token based authentication
- `LoginModuleImpl`: covering regular uid/pw login
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The default security setup as present with Oak 1.0 is able to provide custom
@@ -238,7 +238,7 @@ implementation on various levels:
by making the modules accessible to the framework and setting their execution
order accordingly. In a Non-OSGi setup this is specified in the [JAAS config].
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Authentication: Implementation Details](authentication/default.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md Thu Nov 1 09:07:01 2018
@@ -39,7 +39,7 @@ dedicated `LoginModule` implementation(s
- [Pre-Authenticated Login](#pre_authenticated)
- [External Login](#external)
-<a name="guest"/>
+<a name="guest"></a>
#### Guest Login
The proper way to obtain an guest session as of Oak is as specified by JSR 283:
@@ -89,7 +89,7 @@ The behavior of the `GuestLoginModule` i
`EveryonePrincipal` the `Subject` in phase 2 of the login process and **returns** `true`
- otherwise it **returns** `false`
-<a name="uid_pw"/>
+<a name="uid_pw"></a>
#### UserId/Password Login
Oak 1.0 comes with 2 different login module implementations that can handle
@@ -126,7 +126,7 @@ This login module implementations behave
* if the private state contains the credentials and principals, it adds them (both) to the subject and **returns `true`**
* if the private state does not contain credentials and principals, it clears the state and **returns `false`**
-<a name="user_authentication"/>
+<a name="user_authentication"></a>
###### User Authentication
The `LoginModuleImpl` uses a configured `Authentication`-implementation for
@@ -142,7 +142,7 @@ will take precedence.
See also section [user management](../user/default.html#pluggability).
-<a name="impersonation"/>
+<a name="impersonation"></a>
#### Impersonation Login
Another flavor of the Oak authentication implementation is covered by
@@ -201,7 +201,7 @@ following steps in order to get JCR impe
with the editing session can be identified by the [AuthInfo] obtained from
from `ImpersonationCredentials.getImpersonatorInfo()`.
-<a name="token"/>
+<a name="token"></a>
#### Token Login
See section [Token Authentication](tokenmanagement.html) for details
@@ -213,7 +213,7 @@ The `TokenLoginModule` is in charge of c
repository logins with `TokenCredentials`. The exact behavior of this login module is
described in section [Token Authentication](tokenmanagement.html).
-<a name="pre_authenticated"/>
+<a name="pre_authenticated"></a>
#### Pre-Authenticated Login
Oak provides two different mechanisms to create pre-authentication that doesn't
@@ -226,7 +226,7 @@ validation.
See section [Pre-Authentication Login](preauthentication.html) for
further details and examples.
-<a name="external"/>
+<a name="external"></a>
#### External Login
While the default setup in Oak is solely relying on repository functionality to
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md Thu Nov 1 09:07:01 2018
@@ -84,7 +84,7 @@ maps the ID of a synchronized user/group
represented by [ExternalIdentityRef].
-<a name="dynamic_membership"/>
+<a name="dynamic_membership"></a>
### Dynamic Group Membership
As of Oak 1.5.3 the default sync handler comes with an addition configuration
@@ -95,7 +95,7 @@ groups are synchronized (see also [OAK-4
The details and effects on other security related modules are described in
section [Dynamic Membership](dynamic.html).
-<a name="xml_import"/>
+<a name="xml_import"></a>
#### XML Import
The protected nature of the `rep:externalPrincipalNames` is also reflected during
@@ -109,7 +109,7 @@ the JMX console. Depending on the _User
the target system the sync will then result in a full sync of group membership or
will re-create the `rep:externalPrincipalNames` property.
-<a name="validation"/>
+<a name="validation"></a>
#### Validation
##### rep:externalPrincipalNames
@@ -143,7 +143,7 @@ validator performs the following checks:
| 0075 | Property 'rep:externalId' may only have a single value of type STRING. |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
#### Configuration of the DefaultSyncHandler
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md Thu Nov 1 09:07:01 2018
@@ -21,7 +21,7 @@ Authentication with External Login Modul
- [Integration with Standard Oak Authentication](#standard)
- [Integration with Pre-Authentication and Login Module Chain](#preauth)
-<a name="standard"/>
+<a name="standard"></a>
### Integration with Standard Oak Authentication
#### Example JAAS Configuration
@@ -143,7 +143,7 @@ Authentication with External Login Modul
`CredentialsSupport` that ensures that authentication against the external
IDP is successful.
-<a name="preauth"/>
+<a name="preauth"></a>
### Integration with Pre-Authentication and Login Module Chain
#### Example JAAS Configuration
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md Thu Nov 1 09:07:01 2018
@@ -36,7 +36,7 @@ What it does not:
* provide a transparent oak principal provider.
* offer services for background synchronization of users and groups
-<a name="details"/>
+<a name="details"></a>
### Implementation Details
The external identity and login handling is split into 3 parts:
@@ -121,7 +121,7 @@ present on the IDP.
See section [User Synchronization](usersync.html) for further details and a
description of the default implementation.
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
@@ -157,7 +157,7 @@ are omitted):
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
};
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md Thu Nov 1 09:07:01 2018
@@ -25,7 +25,7 @@ validation.
- [Pre-Authentication combined with Login Module Chain](#withloginchain)
- [Pre-Authentication without Repository Involvement](#withoutrepository)
-<a name="withloginchain"/>
+<a name="withloginchain"></a>
### Pre-Authentication combined with Login Module Chain
This first variant allows to support 3rd party login modules that wish to provide
@@ -99,7 +99,7 @@ marker to the shared state:
}
}
-<a name="withoutrepository"/>
+<a name="withoutrepository"></a>
### Pre-Authentication without Repository Involvement
Like in Jackrabbit-core the repository internal authentication verification can
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md Thu Nov 1 09:07:01 2018
@@ -106,7 +106,7 @@ throttling method was introduced to only
This is available with Oak 1.7.12 on, see also [OAK-6818]for additional information.
-<a name="representation"/>
+<a name="representation"></a>
### Representation in the Repository
#### Content Structure
@@ -181,7 +181,7 @@ definition:
}
}
-<a name="validation"/>
+<a name="validation"></a>
### Validation
The consistency of this content structure both on creation and modification is
@@ -201,7 +201,7 @@ all of type `Constraint` with the follow
| 0068 | Invalid location of .tokens node |
| 0069 | Change type of .tokens parent node |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The default Oak `TokenConfiguration` allows to define the following configuration
@@ -221,7 +221,7 @@ options for the `TokenProvider`:
| | | |
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
In an OSGi-based setup the default `TokenConfiguration` you can bind a
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Thu Nov 1 09:07:01 2018
@@ -68,7 +68,7 @@ authentication phases behave as follows:
};
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### Token Management API
Oak 1.0 defines the following interfaces used to manage login tokens:
@@ -85,20 +85,20 @@ that is able to aggregate multiple `Toke
See section [Pluggability](#pluggability) for an example.
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Characteristics of the Default Implementation
The characteristics of the default token management implementation is
described in section [Token Management : The Default Implementation](token/default.html).
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The configuration options of the default implementation are described in
the [Configuration](token/default.html#configuration) section.
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The default security setup as present with Oak 1.0 is able to deal with
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md Thu Nov 1 09:07:01 2018
@@ -41,7 +41,7 @@ handle both in a consistent manner. Cons
authorization related operations is a single `AuthorizationConfiguration` (see
section [configuration](#configuration) below).
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
The API extensions provided by Oak are covered in the following sections:
@@ -50,7 +50,7 @@ The API extensions provided by Oak are c
- [Permissions](permission.html#api_extensions)
- [Restriction Management](authorization/restriction.html#api_extensions)
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The configuration of the authorization related parts is handled by the [AuthorizationConfiguration].
@@ -66,7 +66,7 @@ The supported configuration options of t
separately for [access control management](accesscontrol/default.html#configuration)
and [permission evalution](permission/default.html#configuration) .
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
There are multiple options for plugging authorization related custom implementations:
@@ -99,7 +99,7 @@ restriction management that allows to na
items matching a given, defined behavior. Details can be found in section
[RestrictionManagement](authorization/restriction.html#pluggability).
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Access Control Management](accesscontrol.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md Thu Nov 1 09:07:01 2018
@@ -34,7 +34,7 @@ models, this extension is only recommend
knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so
might otherwise result in severe security issues and heavily impact overall performance.
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
There are two interfaces required to make a given authorization model deployable
@@ -70,7 +70,7 @@ this fact by just returning the subset o
will consequently not consult this implementation for the evaluation of write
permissions and move on to other providers in the aggregate.
-<a name="details"/>
+<a name="details"></a>
### Implementation Details
As soon as multiple authorization models are configured with the security setup,
@@ -145,13 +145,13 @@ extensions and the permission evaluation
provide no support for restrictions. Examples include modules that deal with different
types of `AccessControlPolicy` where restriction management doesn't apply (see for example [oak-authorization-cug](cug.html#details)).
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
By default the `CompositeAuthorizationConfiguration` aggregates results by applying an `AND` operation to the current set of providers.
This can be changed via configuration to an `OR`. See section [Introduction to Oak Security](../../introduction.html#configuration) for further details.
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The following steps are required to plug an additional authorization model into
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md Thu Nov 1 09:07:01 2018
@@ -49,7 +49,7 @@ be applied to the repository without tak
effect upon being persisted, i.e. access to items located in a restricted are
will be subject to the permission evaluation associated with the authorization model.
-<a name="jackrabbit_api"/>
+<a name="jackrabbit_api"></a>
### Jackrabbit API
The Jackrabbit API defines an extension of the JCR [AccessControlPolicy] interface
@@ -61,7 +61,7 @@ intended to grant the ability to perform
See [Jackrabbit API](http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrincipalSetPolicy.java)
for details and the methods exposed by the interface.
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
The module comes with the following extension in the
@@ -100,7 +100,7 @@ allows to excluded principals by their n
See also section [Pluggability](#pluggability) below.
-<a name="details"/>
+<a name="details"></a>
### Implementation Details
#### Access Control Management
@@ -183,7 +183,7 @@ _Note:_ the multivalued `rep:principalNa
that CUGs are intended to be used for small principal sets, preferably
`java.security.acl.Group` principals.
-<a name="validation"/>
+<a name="validation"></a>
### Validation
The consistency of this content structure both on creation and modification is
@@ -197,7 +197,7 @@ all of type `AccessControl` with the fol
| 0022 | Access controlled not not of mixin 'rep:CugMixin' |
| 0023 | Wrong name of node with primary type 'rep:CugPolicy' |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The CUG authorization extension is an optional feature that requires mandatory
@@ -237,7 +237,7 @@ _Note:_ This implementation extends the
exclusion list. Alternatively, it is possible to plug a custom `CugExclude` implementation matching
specific needs (see [below](#pluggability)).
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The following section describes how to deploy the CUG authorization model into
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md Thu Nov 1 09:07:01 2018
@@ -51,7 +51,7 @@ facing usage of restrictions i.e. access
In addition Oak provides it's own restriction API that adds support for internal
validation and permission evaluation.
-<a name="jackrabbit_api"/>
+<a name="jackrabbit_api"></a>
### Jackrabbit API
The Jackrabbit API add the following extensions to JCR access control management
@@ -69,7 +69,7 @@ to read and create entries with restrict
- `getRestriction(String restrictionName)`: returns the restriction as JCR value.
- `getRestrictions(String restrictionName)`: returns the restriction as array of JCR values (since Oak 1.0, Jackrabbit API 2.8).
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### Oak Restriction API
The following public interfaces are provided by Oak in the package
@@ -82,7 +82,7 @@ repository internal permission evaluatio
- [RestrictionDefinition]: the static definition of a supported restriction
- [RestrictionPattern]: the processed restriction ready for permission evaluation
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Default Implementation
Oak 1.0 provides the following base implementations:
@@ -158,7 +158,7 @@ Examples without wildcard char:
See also [GlobPattern] for implementation details.
-<a name="representation"/>
+<a name="representation"></a>
### Representation in the Repository
All restrictions defined by default in a Oak repository are stored as properties
@@ -182,7 +182,7 @@ The node type definition used to represe
- * (UNDEFINED) protected multiple
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The default security setup as present with Oak 1.0 is able to provide custom
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md Thu Nov 1 09:07:01 2018
@@ -42,7 +42,7 @@ by a dedicated sub-interfaces of [Securi
- [Principal Management](principal.html)
- [User Management](user.html)
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
The package `org.apache.jackrabbit.oak.spi.security` defines the following interfaces
@@ -180,7 +180,7 @@ of view. Please note the following depen
6. **User Management** is optional and _MAY_ be used for credentials validation during the authentication
step. If present it is _usually_ used as a source for principals exposed by Principal Management.
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The configuration parameters of individual security modules are described in
@@ -232,7 +232,7 @@ implementations. If the ranking paramete
will try to use the [SERVICE_RANKING] to define the order. If neither is available
(or set to `NO_RANKING`) the new entry will be appended to the list.
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
In a default setup Oak allows to plug custom or additional implementations of
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Thu Nov 1 09:07:01 2018
@@ -18,7 +18,7 @@
Permissions
--------------------------------------------------------------------------------
-<a name="jcr_api"/>
+<a name="jcr_api"></a>
### JCR and Jackrabbit API
While access control management is a optional feature, a JCR implementation is
@@ -88,7 +88,7 @@ Important: `absPath` refers to the node
session.save();
}
-<a name="oak_permissions"/>
+<a name="oak_permissions"></a>
### Oak Permissions
#### General Notes
@@ -310,7 +310,7 @@ to be reported to the `EventListener` wi
or excluded according to the modified permissions. See [OAK-4196] for an example.
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
Due to the separation of access control management from permission evaluation,
@@ -328,7 +328,7 @@ defines the following interfaces and cla
- [Permissions]: The permissions defined, respected and evaluated by the repository.
- [PermissionConstants]: Constants used throughout the permission evaluation.
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Characteristics of the Permission Evaluation
As explained above permission evaluation is completely separated from the access
@@ -350,7 +350,7 @@ The behavior of the default permission i
[Permissions: The Default Implementation](permission/default.html) and
[Permission Evaluation in Detail: The Default Implementation](permission/evaluation.html).
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The configuration of the permission evaluation implementation is handled
@@ -364,7 +364,7 @@ methods:
The supported configuration options of the default implementation are described in the corresponding [section](permission/default.html#configuration).
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Permissions vs Privileges](permission/permissionsandprivileges.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md Thu Nov 1 09:07:01 2018
@@ -24,7 +24,7 @@ The default implementation of the `Permi
based on the information stored in a dedicated part of the repository content call
the [permission store](#permissionStore).
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Characteristics of the Permission Evaluation
#### Regular Permission Evaluation
@@ -65,10 +65,10 @@ that deal with the administrator (i.e. `
See section [Multiplexing support in the PermissionStore](multiplexing.html).
-<a name="representation"/>
+<a name="representation"></a>
### Representation in the Repository
-<a name="permissionStore"/>
+<a name="permissionStore"></a>
#### Permission Store
The permission evaluation present with Oak 1.0 keeps a dedicated location where
@@ -155,7 +155,7 @@ implementation (`VersionablePathHook`).
mixin
- * (PATH) protected ABORT
-<a name="validation"/>
+<a name="validation"></a>
### Validation
The consistency of this content structure is asserted by a dedicated `PermissionValidator`.
@@ -167,7 +167,7 @@ The corresponding errors are all of type
| 0021 | Version storage: Node creation without version history |
| 0022 | Version storage: Removal of intermediate node |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
#### Configuration Parameters
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md Thu Nov 1 09:07:01 2018
@@ -18,7 +18,7 @@
Permission Evaluation in Detail
--------------------------------------------------------------------------------
-<a name="permissionentries"/>
+<a name="permissionentries"></a>
### Order and Evaluation of Permission Entries
In order to evaluate the permissions for a given item, the `PermissionProvider`
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md Thu Nov 1 09:07:01 2018
@@ -90,7 +90,7 @@ requires the ability to read access cont
- Restrictions may or may not be respected
- Default implementation close to real permission evaluation (not exactly following the specification)
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Mapping Privileges to Items](../privilege/mappingtoitems.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md Thu Nov 1 09:07:01 2018
@@ -18,7 +18,7 @@
Principal Management
--------------------------------------------------------------------------------
-<a href="jcr_api"/>
+<a href="jcr_api"></a>
### JCR API
JCR itself doesn't come with a dedicated principal management API. Nevertheless
@@ -29,7 +29,7 @@ control management but leaves the discov
Therefore an API for principal management has been defined as part of the
extensions present with Jackrabbit API.
-<a name="jackrabbit_api"/>
+<a name="jackrabbit_api"></a>
### Jackrabbit API
The Jackrabbit API provides support for principal management (i.e. discovery) that
@@ -45,7 +45,7 @@ are missing in JCR. The relevant interfa
See the corresponding [documentation](principal/differences.html).
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
- [PrincipalProvider]: SPI level access to principals known to the repository
@@ -63,7 +63,7 @@ from different source providers.
- [SystemPrincipal]: built-in principal implementation to mark system internal subjects.
- [SystemUserPrincipal]: Marker interface to identify principals associated with special system users.
-<a href="default_implementation"/>
+<a href="default_implementation"></a>
### Oak Principal Management Implementation
The default implementation of the principal management API basically corresponds
@@ -77,7 +77,7 @@ in Jackrabbit 2.x). See the configuratio
See section [Implementations of the PrincipalProvider Interface](principal/principalprovider.html)
for details.
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The [PrincipalConfiguration] is the Oak level entry point to obtain a new
@@ -90,7 +90,7 @@ provider implementation configured. In o
sources a implementation that properly handles the different sources is required;
the [CompositePrincipalProvider] is an example that combines multiple implementations.
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The default security setup as present with Oak 1.0 is able to provide custom
@@ -159,7 +159,7 @@ provider implementation:
...
}
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Differences wrt Jackrabbit 2.x](principal/differences.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md Thu Nov 1 09:07:01 2018
@@ -81,7 +81,7 @@ as must any subsequent call never expose
be accessible in the non-cache scenario where access to principals is protected
by regular permission evalution.
-<a name="validation"/>
+<a name="validation"></a>
##### Validation
The cache is system maintained, protected repository content that can only
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Thu Nov 1 09:07:01 2018
@@ -18,7 +18,7 @@
Privilege Management
--------------------------------------------------------------------------------
-<a name="jcr_api"/>
+<a name="jcr_api"></a>
### JCR API
As of JSR 283 the API contains the following privilege related interfaces and methods:
@@ -27,7 +27,7 @@ As of JSR 283 the API contains the follo
- `AccessControlManager.getSupportedPrivileges(String)` (see also `PrivilegeManager.getRegisteredPrivileges()`)
- `AccessControlManager.privilegeFromName(String)` equivalent to `PrivilegeManager.getPrivilege(String)`
-<a name="jackrabbit_api"/>
+<a name="jackrabbit_api"></a>
### Jackrabbit API
Privilege management is outside of the scope provided by JCR and therefore provided
@@ -59,7 +59,7 @@ by the extensions defined by the Jackrab
// NOTE: workspace operation that doesn't require Session#save()
privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
- [PrivilegeConfiguration] : Oak level entry point to retrieve `PrivilegeManager` and privilege related configuration options.
@@ -67,7 +67,7 @@ by the extensions defined by the Jackrab
- [PrivilegeBitsProvider] : Internal provider to read `PrivilegeBits` from the repository content and map names to internal representation (and vice versa).
- [PrivilegeBits]: Internal representation of JCR privileges.
-<a name="utilities"/>
+<a name="utilities"></a>
### Utilities
The jcr-commons module present with Jackrabbit provide some privilege related
@@ -77,13 +77,13 @@ utility methods:
- `privilegesFromNames(Session session, String... privilegeNames)`
- `privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)`
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Oak Privilege Management Implementation
The behavior of the default privilege management implementation is described in section
[Privilege Management: The Default Implementation](privilege/default.html).
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The [PrivilegeConfiguration] is the Oak level entry point to obtain a new
@@ -91,7 +91,7 @@ The [PrivilegeConfiguration] is the Oak
implementation of the `PrivilegeManager` interface is based on Oak API and can
equally be used for privilege related tasks in the Oak layer.
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
_Please note:_ While it's in theory possible to replace the default privilege
@@ -100,7 +100,7 @@ knowledge and understanding of Jackrabbi
the security risk associated with it. Doing so, will most likely require a re-write
of the default access control and permission evaluation.
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Differences wrt Jackrabbit 2.x](privilege/differences.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md Thu Nov 1 09:07:01 2018
@@ -94,7 +94,7 @@ An overview on how the built-in privileg
can be found in ['Mapping Privileges to Items'](mappingtoitems.html)
and ['Mapping API Calls to Privileges'](mappingtoprivileges.html)
-<a name="representation"/>
+<a name="representation"></a>
### Representation in the Repository
As of Oak 1.0 all privilege definitions are stored in the repository itself
@@ -115,7 +115,7 @@ Note the protection status of all child
as they prevent modification of the privilege definitions using regular JCR
write operations.
-<a name="validation"/>
+<a name="validation"></a>
### Validation
The consistency of this content structure is asserted by a dedicated `PrivilegeValidator`.
@@ -137,7 +137,7 @@ The corresponding errors are all of type
| 0052 | Detected circular aggregation |
| 0053 | Custom aggregate privilege X is already covered. |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
There are no implementation specific configuration options associated with the
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Thu Nov 1 09:07:01 2018
@@ -18,7 +18,7 @@
User Management
--------------------------------------------------------------------------------
-<a name="jcr_api"/>
+<a name="jcr_api"></a>
### JCR API
JCR itself doesn't come with a dedicated user management API. The only method
@@ -26,7 +26,7 @@ related and ultimately used for user man
Therefore an API for user and group management has been defined as part of the
extensions present with Jackrabbit API.
-<a name="jackrabbit_api"/>
+<a name="jackrabbit_api"></a>
### Jackrabbit API
The Jackrabbit API provides the user management related extensions that are
@@ -41,7 +41,7 @@ missing in JCR. The relevant interfaces
- `QueryBuilder`
- `Query`
-<a name="api_extensions"/>
+<a name="api_extensions"></a>
### API Extensions
The Oak project introduces the following user management related public
@@ -54,7 +54,7 @@ interfaces and classes:
- `UserAuthenticationFactory`: see sections [pluggability](user/default.html#pluggability)
and [user authentication](authentication/default.html#user_authentication) for additional details.
-<a name="utilities"/>
+<a name="utilities"></a>
### Utilities
`org.apache.jackrabbit.oak.spi.security.user.*`
@@ -70,13 +70,13 @@ and [user authentication](authentication
function for password generation.
- `UserUtil` : Utilities related to general user management tasks.
-<a name="default_implementation"/>
+<a name="default_implementation"></a>
### Oak User Management Implementation
The behavior of the default user management implementation is described in section
[User Management: The Default Implementation](user/default.html).
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The Oak user management comes with a dedicated entry point called [UserConfiguration].
@@ -90,7 +90,7 @@ and provides the following two methods:
The supported configuration options of the default implementation are described in the corresponding [section](user/default.html#configuration).
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
The default security setup as present with Oak 1.0 is able to have the default
@@ -106,7 +106,7 @@ Alternatively the default user managemen
adjusted using various means. See the corresponding [section](user/default.html#pluggability)
for further details.
-<a name="further_reading"/>
+<a name="further_reading"></a>
### Further Reading
- [Differences wrt Jackrabbit 2.x](user/differences.html)
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md Thu Nov 1 09:07:01 2018
@@ -104,7 +104,7 @@ of the underlaying JCR node but only com
* The `rep:password` property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that `User#changePassword` does not allow to remove the password property.
* Since version 1.1.0 Oak supports the new API to create dedicated system users [JCR-3802](https://issues.apache.org/jira/browse/JCR-3802).
-<a name="query"/>
+<a name="query"></a>
#### Searching
#### XPathQueryBuilder
@@ -149,7 +149,7 @@ history support. By default this feature
See section [Password History](history.html) for details.
-<a name="representation"/>
+<a name="representation"></a>
### Representation in the Repository
The following block lists the built-in node types related to user management tasks:
@@ -201,7 +201,7 @@ The following block lists the built-in n
+ * (rep:Members) = rep:Members protected multiple
- * (WEAKREFERENCE) protected < 'rep:Authorizable'
-<a name="validation"/>
+<a name="validation"></a>
### Validation
The consistency of this content structure is asserted by a dedicated `UserValidator`.
@@ -224,7 +224,7 @@ The corresponding errors are all of type
| 0032 | Attempt to set password with system user |
| 0033 | Attempt to add rep:pwd node to a system user |
-<a name="configuration"/>
+<a name="configuration"></a>
### Configuration
The following user management specific methods are present with the [UserConfiguration]
@@ -268,7 +268,7 @@ detail in section [Caching Results of Pr
It is not related to user management s.str. but affects the implementation
specific `PrincipalProvider` implementation exposed by `UserConfiguration.getUserPrincipalProvider`.
-<a name="pluggability"/>
+<a name="pluggability"></a>
### Pluggability
Within the default user management implementation the following parts can be
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md Thu Nov 1 09:07:01 2018
@@ -61,7 +61,7 @@ invalid transient modifications.
* Group Members: The way many group members are stored with a given Group has been redesigned
in Oak 1.0. See section [Group Membership](membership.html) for a detailed description.
-<a name="query"/>
+<a name="query"></a>
##### QueryBuilder
The user query is expected to work as in Jackrabbit 2.x with the following notable
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md Thu Nov 1 09:07:01 2018
@@ -39,6 +39,7 @@ to obtain a session/login and the passwo
to a next attempt. For specifying the new password, the initial password
has to be provided.
+<a href="configuration"></a>
### Configuration
An administrator may enable password expiry and initial password change
@@ -58,6 +59,7 @@ Note:
- Maximum Password Age (`maxPasswordAge`) will only be enabled when a value greater 0 is set (expiration time in days).
- Change Password On First Login (`initialPasswordChange`): When enabled, forces users to change their password upon first login.
+<a href="how"></a>
### How it works
#### Definition of Expired Password
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md Thu Nov 1 09:07:01 2018
@@ -29,6 +29,7 @@ such as
- add a set of member ids as members of a group
- remove a set of member ids from a group
+<a name="api_extensions"></a>
### GroupAction API
The following public interface is provided by Oak in the package `org.apache.jackrabbit.oak.spi.security.user.action`:
@@ -49,23 +50,26 @@ Any group actions are executed with the
target operation will fail if any of the configured actions fails (e.g. due to
insufficient permissions by the editing Oak ContentSession).
+<a name="default_implementation"></a>
### Default Implementations
Oak 1.5 provides the following base implementation for `GroupAction` implementations to build upon:
- `AbstractGroupAction`: abstract base implementation that doesn't perform any action.
-### Pluggability
-
-Refer to [Authorizable Actions | Pluggability ](authorizableaction.html#Pluggability) for details on how to plug
-a new group action into the system.
-
+<a name="xml_import"></a>
### XML Import
During import the group actions are called in the same fashion as for regular groups as long as the member reference
can be resolved to an existing authorizable. Member IDs of authorizables that do not exist at group import time or
failed member IDs are passed to the group actions if `ImportBehavior.BESTEFFORT` is set for the import.
+<a name="pluggability"></a>
+### Pluggability
+
+Refer to [Authorizable Actions | Pluggability ](authorizableaction.html#Pluggability) for details on how to plug
+a new group action into the system.
+
##### Examples
###### Example Action
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md Thu Nov 1 09:07:01 2018
@@ -24,6 +24,7 @@ Since version 1.3.3 Oak provides functio
of passwords after password changes and to prevent a password to
be set during changing a user's password if found in said history.
+<a href="configuration"></a>
### Configuration
An administrator may enable password history via the
@@ -42,6 +43,7 @@ history and sets feature to remember the
Note, that the current implementation has a limit of at most 1000 passwords
remembered in the history.
+<a href="how"></a>
### How it works
#### Representation in the Repository
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md?rev=1845417&r1=1845416&r2=1845417&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md Thu Nov 1 09:07:01 2018
@@ -18,6 +18,7 @@
Group Membership
--------------------------------------------------------------------------------
+<a href="jcr_api"></a>
### Jackrabbit API
The Jackrabbit API extensions provide various methods to edit and explore the
@@ -37,6 +38,7 @@ member relationship of users and groups:
- `declaredMemberOf() Iterator<Group>`
- `memberOf() Iterator<Group>`
+<a href="default_implementation"></a>
### Characteristics of the Default Implementation
#### Member Representation in the Repository
@@ -199,6 +201,7 @@ The following scenarios may leave the cy
See [OAK-3170] for additional information.
+<a href="configuration"></a>
### Configuration
Note that as of Oak 1.0 the implementation is responsible for defining the