Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/11/09 09:44:20 UTC

svn commit: r1846222 [12/22] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/document/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication...

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/default.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/default.html Fri Nov  9 09:44:19 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180919" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Access Control Management : The Default Implementation</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,8 +239,7 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Access_Control_Management_:_The_Default_Implementation"></a>Access Control Management : The Default Implementation</h2>
 <div class="section">
 <h3><a name="General"></a>General</h3>
@@ -269,32 +256,57 @@
 <div class="section">
 <h4><a name="Access_Control_Policies"></a>Access Control Policies</h4>
 <p>The Oak access control management exposes two types of policies that cover all use case defined by the specification and required by the default setup:</p>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> Name            </th>
-<th> Policy                        </th>
-<th> Description                </th></tr>
-</thead><tbody>
 
-<tr class="b">
-<td> Default ACL     </td>
-<td> <tt>JackrabbitAccessControlList</tt> </td>
-<td> access control on individual nodes </td></tr>
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<td> Repo-Level ACL  </td>
-<td> <tt>JackrabbitAccessControlList</tt> </td>
-<td> repo-level access control for the <tt>null</tt> path </td></tr>
-<tr class="b">
-<td> Read Policy     </td>
-<td> <tt>NamedAccessControlPolicy</tt>    </td>
-<td> trees that are configured to be readable to everyone </td></tr>
+      
+<th>Name </th>
+      
+<th>Policy </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>Default ACL </td>
+      
+<td><tt>JackrabbitAccessControlList</tt> </td>
+      
+<td>access control on individual nodes </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Repo-Level ACL </td>
+      
+<td><tt>JackrabbitAccessControlList</tt> </td>
+      
+<td>repo-level access control for the <tt>null</tt> path </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Read Policy </td>
+      
+<td><tt>NamedAccessControlPolicy</tt> </td>
+      
+<td>trees that are configured to be readable to everyone </td>
+    </tr>
+    
 <tr class="a">
+      
 <td> </td>
+      
 <td> </td>
-<td> </td></tr>
-</tbody>
+      
+<td> </td>
+    </tr>
+  </tbody>
 </table>
 <div class="section">
 <h5><a name="Default_ACL"></a>Default ACL</h5>
@@ -309,33 +321,38 @@
 <h5><a name="Read_Policy"></a>Read Policy</h5>
 <p>These immutable policy has been introduced in Oak 1.0 in order to allow for opening up trees that need to be readable to all sessions irrespective of other effective policies.</p>
 <p>By default these policies are bound to the following trees:</p>
-<ul>
 
+<ul>
+  
 <li><tt>/jcr:system/rep:namespaces</tt>: stores all registered namespaces</li>
+  
 <li><tt>/jcr:system/jcr:nodeTypes</tt>: stores all registered node types</li>
+  
 <li><tt>/jcr:system/rep:privileges</tt>: stores all registered privileges</li>
 </ul>
 <p>The default set can be changed or extended by setting the corresponding configuration option. However, it is important to note that many JCR API calls rely on the accessibility of the namespace, nodetype and privilege information. Removing the corresponding paths from the configuration will most probably have undesired effects.</p></div></div>
 <div class="section">
 <h4><a name="Access_Control_Entries"></a>Access Control Entries</h4>
 <p>The access control entries present in a given list are subject to the following rules applied upon editing but not enforced by <tt>CommitHook</tt>s:</p>
-<ul>
 
+<ul>
+  
 <li><i>uniqueness</i>: a given entry may only appear onces in a list</li>
+  
 <li><i>merging</i>: if an entry exists for a given principal with the same allow-status and restrictions, the existing entry will be updated without being moved in the list.</li>
+  
 <li><i>redundancy</i>: if an new entry makes an existing entry (partially) redundant the existing entry will be updated or removed altogether.</li>
 </ul></div>
 <div class="section">
 <h4><a name="Restrictions"></a>Restrictions</h4>
 <p>Access control entries may be created by limiting their effect by adding restrictions as mentioned by JSR 283. Details about the restriction management in Oak 1.0 as well as a list of built-in restrictions and extensibility can be found in section <a href="../authorization/restriction.html">Restriction Management</a>.</p>
-<a name="representation"></a>
-### Representation in the Repository
-
+<p><a name="representation"></a></p></div></div>
+<div class="section">
+<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
 <p>All access control policies defined with an Oak repository are stores child of the node they are bound to. The node type definition used to represent access control content:</p>
 
-<div>
-<div>
-<pre class="source">[rep:AccessControllable]
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:AccessControllable]
   mixin
   + rep:policy (rep:Policy) protected IGNORE
 
@@ -369,15 +386,14 @@
   - * (UNDEFINED) protected
   - * (UNDEFINED) protected multiple
 </pre></div></div>
-
+<div class="section">
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Regular_ACL_at_content"></a>Regular ACL at /content</h6>
 
-<div>
-<div>
-<pre class="source">&quot;&quot;: {
+<div class="source">
+<div class="source"><pre class="prettyprint">&quot;&quot;: {
     &quot;jcr:primaryType&quot;: &quot;rep:root&quot;,
     &quot;content&quot;: {
         &quot;jcr:primaryType&quot;: &quot;oak:Unstructured&quot;,
@@ -401,14 +417,12 @@
         }
     }
 }
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h6><a name="Repo-Level_Policy"></a>Repo-Level Policy</h6>
 
-<div>
-<div>
-<pre class="source">&quot;&quot;: {
+<div class="source">
+<div class="source"><pre class="prettyprint">&quot;&quot;: {
     &quot;jcr:primaryType&quot;: &quot;rep:root&quot;,
     &quot;jcr:mixinTypes&quot;: &quot;rep:RepoAccessControllable&quot;,
     &quot;rep:repoPolicy&quot;: {
@@ -420,8 +434,7 @@
         }
     }
 }
-</pre></div></div>
-</div></div></div></div>
+</pre></div></div></div></div></div></div>
 <div class="section">
 <h3><a name="XML_Import"></a>XML Import</h3>
 <p>As of OAK 1.0 access control content can be imported both with Session and Workspace import.</p>
@@ -430,104 +443,186 @@
 <p>The different <tt>ImportBehavior</tt> flags are implemented as follows: - <tt>ABORT</tt>: throws an <tt>AccessControlException</tt> if the principal is unknown - <tt>IGNORE</tt>: ignore the entry defining the unknown principal - <tt>BESTEFFORT</tt>: import the access control entry with an unknown principal.</p>
 <p>In order to get the same best effort behavior as present with Jackrabbit 2.x the configuration parameters of the <tt>AuthorizationConfiguration</tt> must contain the following entry:</p>
 
-<div>
-<div>
-<pre class="source">importBehavior = &quot;besteffort&quot;
+<div class="source">
+<div class="source"><pre class="prettyprint">importBehavior = &quot;besteffort&quot;
 </pre></div></div>
-
 <p>See also (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>))</p>
-<a name="validation"></a>
-### Validation
-
+<p><a name="validation"></a></p></div>
+<div class="section">
+<h3><a name="Validation"></a>Validation</h3>
 <p>The consistency of this content structure is asserted by a dedicated <tt>AccessControlValidator</tt>. The corresponding errors are all of type <tt>AccessControl</tt> with the following codes:</p>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> Code              </th>
-<th> Message                                                  </th></tr>
-</thead><tbody>
 
-<tr class="b">
-<td> 0001              </td>
-<td> Generic access control violation                         </td></tr>
-<tr class="a">
-<td> 0002              </td>
-<td> Access control entry node expected                       </td></tr>
-<tr class="b">
-<td> 0003              </td>
-<td> Invalid policy name                                      </td></tr>
-<tr class="a">
-<td> 0004              </td>
-<td> Invalid policy node: Order of children is not stable     </td></tr>
-<tr class="b">
-<td> 0005              </td>
-<td> Access control policy within access control content      </td></tr>
-<tr class="a">
-<td> 0006              </td>
-<td> Isolated policy node                                     </td></tr>
-<tr class="b">
-<td> 0007              </td>
-<td> Isolated access control entry                            </td></tr>
-<tr class="a">
-<td> 0008              </td>
-<td> ACE without principal name                               </td></tr>
-<tr class="b">
-<td> 0009              </td>
-<td> ACE without privileges                                   </td></tr>
-<tr class="a">
-<td> 0010              </td>
-<td> ACE contains invalid privilege name                      </td></tr>
-<tr class="b">
-<td> 0011              </td>
-<td> ACE uses abstract privilege                              </td></tr>
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<td> 0012              </td>
-<td> Repository level policies defined with non-root node     </td></tr>
-<tr class="b">
-<td> 0013              </td>
-<td> Duplicate ACE found in policy                            </td></tr>
-</tbody>
+      
+<th>Code </th>
+      
+<th>Message </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>0001 </td>
+      
+<td>Generic access control violation </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0002 </td>
+      
+<td>Access control entry node expected </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0003 </td>
+      
+<td>Invalid policy name </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0004 </td>
+      
+<td>Invalid policy node: Order of children is not stable </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0005 </td>
+      
+<td>Access control policy within access control content </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0006 </td>
+      
+<td>Isolated policy node </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0007 </td>
+      
+<td>Isolated access control entry </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0008 </td>
+      
+<td>ACE without principal name </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0009 </td>
+      
+<td>ACE without privileges </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0010 </td>
+      
+<td>ACE contains invalid privilege name </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0011 </td>
+      
+<td>ACE uses abstract privilege </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0012 </td>
+      
+<td>Repository level policies defined with non-root node </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0013 </td>
+      
+<td>Duplicate ACE found in policy </td>
+    </tr>
+  </tbody>
 </table>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
 <p>The default implementation supports the following configuration parameters:</p>
-<table border="0" class="table table-striped">
-<thead>
-
-<tr class="a">
-<th> Parameter                    </th>
-<th> Type                </th>
-<th> Default                  </th></tr>
-</thead><tbody>
 
-<tr class="b">
-<td> <tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
-<td> RestrictionProvider </td>
-<td> RestrictionProviderImpl  </td></tr>
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<td> <tt>PARAM_READ_PATHS</tt>           </td>
-<td> Set&lt;String&gt;       </td>
-<td> paths to namespace, nodetype and privilege root nodes  </td></tr>
-<tr class="b">
-<td> <tt>PARAM_IMPORT_BEHAVIOR</tt>      </td>
-<td> String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
-<td> &#x201c;abort&#x201d; </td></tr>
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td><tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
+      
+<td>RestrictionProvider </td>
+      
+<td>RestrictionProviderImpl </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_READ_PATHS</tt> </td>
+      
+<td>Set&lt;String&gt; </td>
+      
+<td>paths to namespace, nodetype and privilege root nodes </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+      
+<td>String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
+      
+<td>&#x201c;abort&#x201d; </td>
+    </tr>
+    
 <tr class="a">
+      
+<td> </td>
+      
 <td> </td>
+      
 <td> </td>
-<td> </td></tr>
-</tbody>
+    </tr>
+  </tbody>
 </table>
 <p>Differences to Jackrabbit 2.x:</p>
-<ul>
 
+<ul>
+  
 <li>The &#x201c;omit-default-permission&#x201d; configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak.</li>
+  
 <li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
-</ul><!-- hidden references --></div></div></div>
+</ul>
+<!-- hidden references --></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html Fri Nov  9 09:44:19 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180919" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Access Control Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,8 +239,7 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  -->
-<div class="section">
+  --><div class="section">
 <div class="section">
 <h3><a name="Access_Control_Management_:_Differences_wrt_Jackrabbit_2.x"></a>Access Control Management : Differences wrt Jackrabbit 2.x</h3>
 <div class="section">
@@ -264,7 +251,7 @@
 <p>As of OAK those methods throw <tt>PathNotFoundException</tt> if the corresponding node is not accessible by the editing session. This is in accordance with the behavior mandated by JSR 283 and a bug in Jackrabbit 2.x.</p></div>
 <div class="section">
 <h6><a name="getEffectivePolicies"></a>getEffectivePolicies</h6>
-<p>In contrast to Jackrabbit 2.x the editing session is used to retrieve the effective policies and the policies returned by these methods are guarantueed to only return information that is otherwise accessible by the session. The corresponding methods in Jackrabbit 2.x use to throw an  exception in this situation.</p></div></div>
+<p>In contrast to Jackrabbit 2.x the editing session is used to retrieve the effective policies and the policies returned by these methods are guarantueed to only return information that is otherwise accessible by the session. The corresponding methods in Jackrabbit 2.x use to throw an exception in this situation.</p></div></div>
 <div class="section">
 <h5><a name="AccessControlPolicy"></a>AccessControlPolicy</h5>
 <p>OAK introduces a new type of policy that enforces regular read-access for everyone on the trees that hold this new <tt>ReadPolicy</tt> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-951">OAK-951</a>). The main usage of this new policy is to ensure backwards compatible behavior of repository level information (node types, namespace, privileges) that are now kept within the content repository. In Jackrabbit 2.x this information was stored in the file system without the ability to apply or enforce regular access control such as present with items in the repository.</p>
@@ -282,28 +269,34 @@
 <div class="section">
 <h5><a name="Restrictions"></a>Restrictions</h5>
 <p>The implementation of additional restrictions associated with an ACE has been slighly modified/extended.</p>
-<p>See section <a href="../authorization/restriction.html">Restriction Management</a> for details.</p></div>
+<p>See section <a href="../authorization/restriction.html">Restriction Management</a> for details. </p></div>
 <div class="section">
 <h5><a name="XML_Import"></a>XML Import</h5>
-<ul>
 
+<ul>
+  
 <li>respects <tt>ImportBehavior</tt> for handling of principals instead of just performing best effort import</li>
+  
 <li>supports both <tt>Workspace</tt> and <tt>Session</tt> import</li>
 </ul></div></div>
 <div class="section">
 <h4><a name="Configuration"></a>Configuration</h4>
-<ul>
 
+<ul>
+  
 <li>The &#x201c;omit-default-permission&#x201d; configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak.</li>
+  
 <li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
 </ul></div>
 <div class="section">
 <h4><a name="Important_Note"></a>Important Note</h4>
 <p>The following modification is most likely to have an effect on existing applications:</p>
-<ul>
 
-<li><tt>AccessControlManager#hasPrivilege()</tt> and <tt>AccessControlManager#getPrivileges()</tt> will throw a <tt>PathNotFoundException</tt> if the node for the specified path is not accessible. The Jackrabbit 2 implementation is wrong and we fixed that in OAK (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-886">OAK-886</a>). If the new behaviour turns out to be a problem with existing applications we might consider adding backward compatible behaviour.</li>
-</ul><!-- hidden references --></div></div></div>
+<ul>
+  
+<li><tt>AccessControlManager#hasPrivilege()</tt> and <tt>AccessControlManager#getPrivileges()</tt> will throw a  <tt>PathNotFoundException</tt> if the node for the specified path is not accessible. The Jackrabbit 2  implementation is wrong and we fixed that in OAK (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-886">OAK-886</a>).  If the new behaviour turns out to be a problem with existing applications we might consider  adding backward compatible behaviour.</li>
+</ul>
+<!-- hidden references --></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html Fri Nov  9 09:44:19 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180919" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Using the Access Control Management API</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,34 +239,37 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  -->
-<div class="section">
+  --><div class="section">
 <h2><a name="Using_the_Access_Control_Management_API"></a>Using the Access Control Management API</h2>
 <div class="section">
 <h3><a name="Reading"></a>Reading</h3>
 <div class="section">
 <h4><a name="Privilege_Discovery"></a>Privilege Discovery</h4>
 <p>Discover/test privileges for the editing session:</p>
-<ul>
 
+<ul>
+  
 <li><tt>AccessControlManager</tt>
+  
 <ul>
-
+    
 <li><tt>hasPrivileges(String, Privilege[])</tt></li>
+    
 <li><tt>getPrivileges(String)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <p>Discover/test privileges for a set of principal that may differ from those associated with the reading subject. Note that this method requires editing session to be able to have <tt>READ_ACCESS_CONTROL</tt> permission on the node associated with the specified path.</p>
-<ul>
 
+<ul>
+  
 <li><tt>JackrabbitAccessControlManager</tt>
+  
 <ul>
-
+    
 <li><tt>hasPrivileges(String, Set&lt;Principal&gt;, Privilege[])</tt></li>
+    
 <li><tt>getPrivileges(String, Set&lt;Principal&gt;, Privilege[])</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h5><a name="Note"></a>Note</h5>
@@ -286,121 +277,123 @@
 <p>See section <a href="../permission/permissionsandprivileges.html">Permissions vs Privileges</a> for an comprehensive overview on the differences between testing permissions on <tt>Session</tt> and privileges on <tt>AccessControlManager</tt>.</p></div></div>
 <div class="section">
 <h4><a name="Reading_Policies"></a>Reading Policies</h4>
-<ul>
 
+<ul>
+  
 <li>
-
 <p><tt>AccessControlManager</tt></p>
+  
 <ul>
-
+    
 <li><tt>getApplicablePolicies(String)</tt></li>
+    
 <li><tt>getPolicies(String)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>JackrabbitAccessControlManager</tt></p>
+  
 <ul>
-
+    
 <li><tt>getApplicablePolicies(Principal)</tt></li>
+    
 <li><tt>getPolicies(Principal)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Read_policies_bound_to_a_node"></a>Read policies bound to a node</h6>
 
-<div>
-<div>
-<pre class="source">AccessControlManager acMgr = session.getAccessControlManager();
+<div class="source">
+<div class="source"><pre class="prettyprint">AccessControlManager acMgr = session.getAccessControlManager();
 AccessControlPolicy[] policies = acMgr.getPolicies(&quot;/content&quot;);
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h6><a name="Read_policies_that_have_not_yet_been_bound_to_the_node"></a>Read policies that have not yet been bound to the node</h6>
 
-<div>
-<div>
-<pre class="source">AccessControlManager acMgr = session.getAccessControlManager();
+<div class="source">
+<div class="source"><pre class="prettyprint">AccessControlManager acMgr = session.getAccessControlManager();
 AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
-</pre></div></div>
-</div></div></div>
+</pre></div></div></div></div></div>
 <div class="section">
 <h4><a name="Reading_Policy_Content"></a>Reading Policy Content</h4>
-<ul>
 
+<ul>
+  
 <li>
-
 <p><tt>AccessControlList</tt></p>
+  
 <ul>
-
+    
 <li><tt>getAccessControlEntries()</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>JackrabbitAccessControlList</tt></p>
+  
 <ul>
-
+    
 <li><tt>getRestrictionNames()</tt></li>
+    
 <li><tt>getRestrictionType(String)</tt></li>
+    
 <li><tt>isEmpty()</tt></li>
+    
 <li><tt>size()</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>PrincipalSetPolicy</tt></p>
+  
 <ul>
-
+    
 <li><tt>getPrincipals()</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul></div>
 <div class="section">
 <h4><a name="Reading_Effective_Policies"></a>Reading Effective Policies</h4>
-<ul>
-
-<li>
 
-<p><tt>AccessControlManager</tt></p>
 <ul>
-
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
 <li><tt>getEffectivePolicies(String)</tt></li>
+  </ul></li>
 </ul>
-</li>
-<li>
 
-<p><tt>JackrabbitAccessControlManager</tt></p>
 <ul>
-
+  
+<li><tt>JackrabbitAccessControlManager</tt>
+  
+<ul>
+    
 <li><tt>getEffectivePolicies(Set&lt;Principal&gt;)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul></div></div>
 <div class="section">
 <h3><a name="Writing"></a>Writing</h3>
 <div class="section">
 <h4><a name="Adding_Policies"></a>Adding Policies</h4>
-<ul>
 
+<ul>
+  
 <li><tt>AccessControlManager</tt>
+  
 <ul>
-
+    
 <li><tt>setPolicy(String, AccessControlPolicy)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Bind_a_policy_to_a_node"></a>Bind a policy to a node</h6>
 
-<div>
-<div>
-<pre class="source">AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
+<div class="source">
+<div class="source"><pre class="prettyprint">AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
 while (it.hasNext()) {
     AccessControlPolicy policy = it.nextPolicy();
     if (policy instanceof NamedAccessControlPolicy &amp;&amp; &quot;myPolicy&quot;.equals((NamedAccessControlPolicy) policy).getName()) {
@@ -408,124 +401,137 @@ while (it.hasNext()) {
         session.save();
     }
 }
-</pre></div></div>
-</div></div></div>
+</pre></div></div></div></div></div>
 <div class="section">
 <h4><a name="Modifying_Policies"></a>Modifying Policies</h4>
 <p>Modification of policies is specific to the policy type. JCR/Jackrabbit API only define a single mutable type of policies: the access control list. Depending on the access control implementation there may be other mutable policies.</p>
-<ul>
 
+<ul>
+  
 <li>
-
 <p><tt>AccessControlList</tt></p>
+  
 <ul>
-
+    
 <li><tt>addAccessControlEntry(Principal, Privilege[])</tt></li>
+    
 <li><tt>removeAccessControlEntry(AccessControlEntry)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>JackrabbitAccessControlList</tt></p>
+  
 <ul>
-
+    
 <li><tt>addAccessControlEntry(Principal, Privilege[], boolean)</tt></li>
+    
 <li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;)</tt></li>
+    
 <li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;, Map&lt;String, Value[]&gt;)</tt></li>
+    
 <li><tt>orderBefore(AccessControlEntry, AccessControlEntry)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>PrincipalSetPolicy</tt></p>
+  
 <ul>
-
+    
 <li><tt>addPrincipals(Principal...)</tt></li>
+    
 <li><tt>removePrincipals(Principal...)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>AccessControlUtils</tt></p>
+  
 <ul>
-
+    
 <li><tt>getAccessControlList(Session, String)</tt></li>
+    
 <li><tt>getAccessControlList(AccessControlManager, String)</tt></li>
+    
 <li><tt>addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
+    
 <li><tt>addAccessControlEntry(Session, String, Principal, Privilege[], boolean)</tt></li>
+    
 <li><tt>grantAllToEveryone(Session, String)</tt></li>
+    
 <li><tt>denyAllToEveryone(Session, String)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h5><a name="Retrieve_Principals"></a>Retrieve Principals</h5>
 <p>The default and recommended ways to obtain <tt>Principal</tt>s for access control management is through the principal management API:</p>
-<ul>
 
+<ul>
+  
 <li><tt>PrincipalManager</tt> (see section <a href="../principal.html">Principal Management</a>)
+  
 <ul>
-
+    
 <li><tt>getPrincipal(String)</tt></li>
+    
 <li><tt>getPrivilege(String)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <p>One way of representing principals in the repository is by the means of user management: If user management is supported in a given Oak repository (see <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java">OPTION_USER_MANAGEMENT_SUPPORTED</a> repository descriptor), principals associated with a given user/group can be obtained by calling:</p>
-<ul>
 
+<ul>
+  
 <li><tt>Authorizable</tt> (see section <a href="../user.html">User Management</a>)
+  
 <ul>
-
+    
 <li><tt>getPrincipal()</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <p>Note however, that this will only work for principals backed by a user/group. Principals provided by a different principal management implementation won&#x2019;t be accessible through user management.</p></div>
 <div class="section">
 <h5><a name="Retrieve_Privileges"></a>Retrieve Privileges</h5>
-<ul>
 
+<ul>
+  
 <li>
-
 <p><tt>PrivilegeManager</tt> (see section <a href="../privilege.html">Privilege Management</a>)</p>
+  
 <ul>
-
+    
 <li><tt>getRegisteredPrivileges()</tt></li>
+    
 <li><tt>getPrivilege(String)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>AccessControlManager</tt></p>
+  
 <ul>
-
+    
 <li><tt>getSupportedPrivileges(String)</tt></li>
+    
 <li><tt>privilegeFromName(String)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
 <p><tt>AccessControlUtils</tt></p>
+  
 <ul>
-
+    
 <li><tt>privilegesFromNames(Session session, String... privilegeNames)</tt></li>
+    
 <li><tt>privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)</tt></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li>
-
-<p><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</p>
-</li>
+<p><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</p></li>
 </ul></div>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Modify_an_AccessControlList"></a>Modify an AccessControlList</h6>
 
-<div>
-<div>
-<pre class="source">JackrabbitAccessControlList acl = null;
+<div class="source">
+<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = null;
 // try if there is an acl that has been set before
 for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;)) {
     if (policy instanceof JackrabbitAccessControlList) {
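Review bot: Under "Retrieve Principals" the `PrincipalManager` list includes `getPrivilege(String)`, which this same page attributes to `PrivilegeManager` in the "Retrieve Privileges" section that follows; it reads like a copy/paste slip. I would drop that item and keep `<li><tt>getPrincipal(String)</tt></li>`, so the list only names the lookup used to resolve a principal before adding an access control entry. The page is generated output, so the edit presumably has to be made in the source document it is rendered from.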
@@ -542,14 +548,12 @@ if (acl != null) {
     acMgr.setPolicy(acl.getPath(), acl);
     session.save();
 }
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h6><a name="Create_or_Modify_an_AccessControlList"></a>Create or Modify an AccessControlList</h6>
 
-<div>
-<div>
-<pre class="source">JackrabbitAccessControlList acl = null;
+<div class="source">
+<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = null;
 // try if there is an acl that has been set before
 for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;)) {
     if (policy instanceof JackrabbitAccessControlList) {
@@ -578,12 +582,10 @@ if (acl != null) {
     session.save();
 }
 </pre></div></div>
-
 <p>or alternatively use <tt>AccessControlUtils</tt>:</p>
 
-<div>
-<div>
-<pre class="source">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, &quot;/content&quot;);
+<div class="source">
+<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, &quot;/content&quot;);
 if (acl != null) {
     PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
     Principal principal = principalManager.getPrincipal(&quot;jackrabbit&quot;);
@@ -593,34 +595,32 @@ if (acl != null) {
     acMgr.setPolicy(acl.getPath(), acl);
     session.save();
 }
-</pre></div></div>
-</div></div></div>
+</pre></div></div></div></div></div>
 <div class="section">
 <h4><a name="Removing_Policies"></a>Removing Policies</h4>
-<ul>
 
+<ul>
+  
 <li><tt>AccessControlManager</tt>
+  
 <ul>
-
+    
 <li><tt>removePolicy(String, AccessControlPolicy)</tt></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Remove_a_policy"></a>Remove a policy</h6>
 
-<div>
-<div>
-<pre class="source">for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;);
+<div class="source">
+<div class="source"><pre class="prettyprint">for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;);
     if (policy instanceof NamedAccessControlPolicy &amp;&amp; &quot;myPolicy&quot;.equals((NamedAccessControlPolicy) policy).getName()) {
         acMgr.removePolicy(&quot;/content&quot;, policy);
         session.save();
     }
 }
-</pre></div></div>
-</div></div></div></div>
+</pre></div></div></div></div></div></div>
 <div class="section">
 <h3><a name="Access_Control_on_Repository_Level"></a>Access Control on Repository Level</h3>
 <div class="section">
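Review bot: The "Remove a policy" sample in this hunk does not compile: the `for` header ends in `;` with no closing parenthesis or opening brace, and `"myPolicy".equals((NamedAccessControlPolicy) policy).getName()` calls `getName()` on the boolean returned by `equals`. The two lines should read `for (AccessControlPolicy policy : acMgr.getPolicies("/content")) {` and `if (policy instanceof NamedAccessControlPolicy && "myPolicy".equals(((NamedAccessControlPolicy) policy).getName())) {`, entity-escaped like the rest of the page. The same misplaced parenthesis appears in the "Bind a policy to a node" sample at the end of the `@@ -286,121 +277,123 @@` hunk. Since this page is generated output, the correction presumably belongs in the source document it is rendered from.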
@@ -629,9 +629,8 @@ if (acl != null) {
 <div class="section">
 <h6><a name="Allow_a_Principal_to_Register_Namespaces"></a>Allow a Principal to Register Namespaces</h6>
 
-<div>
-<div>
-<pre class="source">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
+<div class="source">
+<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
 if (acl != null) {
     PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
     Principal principal = principalManager.getPrincipal(&quot;dinosaur&quot;);

Modified: jackrabbit/site/live/oak/docs/security/authentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication.html Fri Nov  9 09:44:19 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180919" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Authentication</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
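Review bot: The generator stamp moves backwards in this hunk: `Doxia Site Renderer 1.8.1 at 2018-09-19` becomes `1.7.4 at 2018-02-21`, and `Date-Revision-yyyymmdd` goes from `20180919` to `20180221`, which suggests the site was rebuilt from an older checkout or toolchain. The navigation hunks that follow fit that reading, since the Jackrabbit API, Direct Binary Access and MongoDB DocumentStore entries disappear from both menus. The content hunks do replace raw `### JCR API` style headings with proper `<h3>` elements, so the rebuild may be deliberate. If it is not, the security pages should be regenerated so the header again reads `Generated by Apache Maven Doxia Site Renderer 1.8.1` with a current date.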
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,8 +239,7 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Authentication"></a>Authentication</h2>
 <div class="section">
 <h3><a name="JAAS_Authentication_and_Login_Modules"></a>JAAS Authentication and Login Modules</h3>
@@ -263,74 +250,97 @@
 <h5><a name="Brief_recap_of_the_JAAS_authentication"></a>Brief recap of the JAAS authentication</h5>
 <p>The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html">javax.security.auth.spi.LoginModule</a>. The authentication process within the <tt>LoginModule</tt> proceeds in two distinct phases, login and commit phase:</p>
 <p><i>Phase 1: Login</i></p>
-<ol style="list-style-type: decimal">
 
+<ol style="list-style-type: decimal">
+  
 <li>In the first phase, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method gets invoked by the <tt>LoginContext</tt>&#x2019;s <tt>login</tt> method.</li>
-<li>The <tt>login</tt> method for the <tt>LoginModule</tt> then performs the actual authentication (prompt for and verify a password for example) and saves its authentication status as private state information.</li>
-<li>Once finished, the <tt>LoginModule</tt>&#x2019;s login method either returns <tt>true</tt> (if it succeeded) or <tt>false</tt> (if it should be ignored), or throws a <tt>LoginException</tt> to specify a failure. In the failure case, the <tt>LoginModule</tt> must not retry the authentication or introduce delays. The responsibility of such tasks belongs to the application. If the application attempts to retry the authentication, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method will be called again.</li>
+  
+<li>The <tt>login</tt> method for the <tt>LoginModule</tt> then performs the actual authentication (prompt for and verify a  password for example) and saves its authentication status as private state information.</li>
+  
+<li>Once finished, the <tt>LoginModule</tt>&#x2019;s login method either returns <tt>true</tt> (if it succeeded) or <tt>false</tt> (if it should  be ignored), or throws a <tt>LoginException</tt> to specify a failure. In the failure case, the <tt>LoginModule</tt> must not  retry the authentication or introduce delays. The responsibility of such tasks belongs to the application.  If the application attempts to retry the authentication, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method will be called again.</li>
 </ol>
 <p><i>Phase 2: Commit</i></p>
-<ol style="list-style-type: decimal">
 
-<li>In the second phase, if the <tt>LoginContext</tt>&#x2019;s overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded), then the <tt>commit</tt> method for the <tt>LoginModule</tt> gets invoked.</li>
-<li>The <tt>commit</tt> method for a <tt>LoginModule</tt> checks its privately saved state to see if its own authentication succeeded.</li>
-<li>If the overall <tt>LoginContext</tt> authentication succeeded and the <tt>LoginModule</tt>&#x2019;s own authentication succeeded, then the <tt>commit</tt> method associates the relevant Principals (authenticated identities) and Credentials (authentication data such as cryptographic keys) with the Subject located within the <tt>LoginModule</tt>.</li>
-<li>If the <tt>LoginContext</tt>&#x2019;s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed), then the <tt>abort</tt> method for each <tt>LoginModule</tt> gets invoked. In this case, the <tt>LoginModule</tt> removes/destroys any authentication state originally saved.</li>
+<ol style="list-style-type: decimal">
+  
+<li>In the second phase, if the <tt>LoginContext</tt>&#x2019;s overall authentication succeeded (the relevant REQUIRED, REQUISITE,  SUFFICIENT and OPTIONAL LoginModules succeeded), then the <tt>commit</tt> method for the <tt>LoginModule</tt> gets invoked.</li>
+  
+<li>The <tt>commit</tt> method for a <tt>LoginModule</tt> checks its privately saved state to see if its own authentication  succeeded.</li>
+  
+<li>If the overall <tt>LoginContext</tt> authentication succeeded and the <tt>LoginModule</tt>&#x2019;s own authentication succeeded, then  the <tt>commit</tt> method associates the relevant Principals (authenticated identities) and Credentials (authentication  data such as cryptographic keys) with the Subject located within the <tt>LoginModule</tt>.</li>
+  
+<li>If the <tt>LoginContext</tt>&#x2019;s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL  LoginModules did not succeed), then the <tt>abort</tt> method for each <tt>LoginModule</tt> gets invoked. In this case, the  <tt>LoginModule</tt> removes/destroys any authentication state originally saved.</li>
 </ol></div>
 <div class="section">
 <h5><a name="Login_module_execution_order"></a>Login module execution order</h5>
 <p>Very simply put, all the login modules that participate in JAAS authentication are configured in a list and can have flags indicating how to treat their behaviors on the <tt>login()</tt> calls.</p>
-<p>JAAS defines the following module flags:<br />
-(The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html">javax.security.auth.login.Configuration</a>)</p>
-<ul>
+<p>JAAS defines the following module flags:<br />(The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html">javax.security.auth.login.Configuration</a>)</p>
 
-<li><b>Required</b>:  The LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.</li>
-<li><b>Requisite</b>: The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).</li>
-<li><b>Sufficient</b>: The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.</li>
-<li><b>Optional</b>: The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.</li>
+<ul>
+  
+<li><b>Required</b>: The LoginModule is required to succeed. If it succeeds or fails,  authentication still continues to proceed down the LoginModule list.</li>
+  
+<li><b>Requisite</b>: The LoginModule is required to succeed. If it succeeds, authentication  continues down the LoginModule list. If it fails, control immediately returns  to the application (authentication does not proceed down the LoginModule list).</li>
+  
+<li><b>Sufficient</b>: The LoginModule is not required to succeed. If it does succeed,  control immediately returns to the application (authentication does not proceed  down the LoginModule list). If it fails, authentication continues down the LoginModule list.</li>
+  
+<li><b>Optional</b>: The LoginModule is not required to succeed. If it succeeds or  fails, authentication still continues to proceed down the LoginModule list.</li>
 </ul>
 <p>The overall authentication succeeds <b>only</b> if <b>all</b> Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.</p>
-<a name="jcr_api"></a>
-### JCR API
-
+<p><a name="jcr_api"></a></p></div></div></div>
+<div class="section">
+<h3><a name="JCR_API"></a>JCR API</h3>
 <p>Within the scope of JCR <tt>Repository.login</tt> is used to authenticate a given user. This method either takes a <tt>Credentials</tt> argument if the validation is performed by the repository itself or <tt>null</tt> in case the user has be pre-authenticated by an external system.</p>
 <p>Furthermore JCR defines two types of <tt>Credentials</tt> implementations:</p>
-<ul>
 
+<ul>
+  
 <li><a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/GuestCredentials.html">javax.jcr.GuestCredentials</a>: used to obtain a &#x201c;guest&#x201d;, &#x201c;public&#x201d; or &#x201c;anonymous&#x201d; session.</li>
+  
 <li><a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html">javax.jcr.SimpleCredentials</a>: used to login a user with a userId and password.</li>
 </ul>
 <p>The following variants exist for the repository login itself:</p>
-<ul>
 
+<ul>
+  
 <li><tt>Repository.login()</tt>: equivalent to passing <tt>null</tt> credentials and the default workspace name.</li>
+  
 <li><tt>Repository.login(Credentials credentials)</tt>: login with credentials to the default workspace.</li>
+  
 <li><tt>Repository.login(String workspace)</tt>: login with <tt>null</tt> credentials to the workspace with the specified name.</li>
+  
 <li><tt>Repository.login(Credentials credentials, String workspaceName)</tt></li>
-<li><tt>JackrabbitRepository.login(Credentials credentials, String workspaceName, Map&lt;String, Object&gt; attributes)</tt>: in addition allows to pass implementation specific session attributes.</li>
+  
+<li><tt>JackrabbitRepository.login(Credentials credentials, String workspaceName, Map&lt;String, Object&gt; attributes)</tt>:  in addition allows to pass implementation specific session attributes.</li>
 </ul>
 <p>See <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/Repository.html">javax.jcr.Repository</a> and <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java">org.apache.jackrabbit.api.JackrabbitRepository</a> for further details.</p>
-<p>In addition JCR defines <tt>Session.impersonate(Credentials)</tt> to impersonate another user or - as of JSR 333 -  clone an existing session.</p>
-<a name="oak_api"></a>
-### Oak API
-
+<p>In addition JCR defines <tt>Session.impersonate(Credentials)</tt> to impersonate another user or - as of JSR 333 - clone an existing session.</p>
+<p><a name="oak_api"></a></p></div>
+<div class="section">
+<h3><a name="Oak_API"></a>Oak API</h3>
 <p>The Oak API contains the following authentication related methods and interfaces</p>
-<ul>
 
+<ul>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a>: Immutable object created upon successful login providing information about the authenticated <tt>Subject.</tt></li>
+  
 <li><tt>ContentRepository.login(Credentials, String)</tt>: The Oak counterpart of the JCR login.</li>
+  
 <li><tt>ContentSession.getAuthInfo()</tt>: exposes the <tt>AuthInfo</tt> associated with the <tt>ContentSession</tt>.</li>
 </ul>
-<a name="api_extensions"></a>
-### API Extension
-</div></div>
+<p><a name="api_extensions"></a></p></div>
+<div class="section">
+<h3><a name="API_Extension"></a>API Extension</h3>
 <div class="section">
 <h4><a name="Oak_Authentication"></a>Oak Authentication</h4>
 <p>In the the package <tt>org.apache.jackrabbit.oak.spi.security.authentication</tt> Oak 1.0 defines some extensions points that allow for further customization of the authentication.</p>
-<ul>
 
+<ul>
+  
 <li><tt>LoginContextProvider</tt>: Configurable provider of the <tt>LoginContext</tt> (see below)</li>
+  
 <li><tt>LoginContext</tt>: Interface version of the JAAS LoginContext aimed to ease integration with non-JAAS components</li>
+  
 <li><tt>Authentication</tt>: Aimed to validate credentials during the first phase of the (JAAS) login process.</li>
 </ul>
 <p>In addition this package contains various utilities and base implementations. Most notably an abstract login module implementation (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.html">AbstractLoginModule</a>) as described below and a default implementation of the AuthInfo interface (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.html">AuthInfoImpl</a>).</p>
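Review bot: Two sentences on the new side of this hunk still carry typos: "in case the user has be pre-authenticated by an external system" should read `has been pre-authenticated`, and "In the the package" should read `In the package`. The first sits in the sentence that explains when `null` credentials are passed to `Repository.login`, so it is worth getting right. The next hunk (`@@ -338,18 +348,20 @@`) has "a abstract" and "accesss" in the Abstract Login Module paragraph. As the file is generated, these would presumably be fixed in the source document.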
@@ -338,18 +348,20 @@
 <h5><a name="Abstract_Login_Module"></a>Abstract Login Module</h5>
 <p>This package also contains a abstract <tt>LoginModule</tt> implementation (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.html">AbstractLoginModule</a>) providing common functionality. In particular it contains Oak specific methods that allow subclasses to retrieve the <tt>SecurityProvider</tt>, a <tt>Root</tt> and accesss to various security related interfaces (e.g. <tt>PrincipalManager</tt>).</p>
 <p>Subclasses are required to implement the following methods:</p>
-<ul>
 
+<ul>
+  
 <li><tt>getSupportedCredentials()</tt>: return a set of supported credential classes. See also section <a href="#supported_credentials">Supported Credentials</a></li>
+  
 <li><tt>login()</tt>: The login method defined by <tt>LoginModule</tt></li>
+  
 <li><tt>commit()</tt>: The commit method defined by <tt>LoginModule</tt></li>
 </ul>
 <div class="section">
 <h6><a name="Example:_Extending_AbstractLoginModule"></a>Example: Extending AbstractLoginModule</h6>
 
-<div>
-<div>
-<pre class="source">public class TestLoginModule extends AbstractLoginModule {
+<div class="source">
+<div class="source"><pre class="prettyprint">public class TestLoginModule extends AbstractLoginModule {
 
     private Credentials credentials;
     private String userId;
@@ -390,70 +402,87 @@
     }
 }
 </pre></div></div>
-<a name="supported_credentials"></a>
-#### Supported Credentials
-
+<p><a name="supported_credentials"></a></p></div></div></div>
+<div class="section">
+<h4><a name="Supported_Credentials"></a>Supported Credentials</h4>
 <p>Since Oak 1.5.1 the extensions additionally contain a dedicated interface that eases the support for different <tt>Credentials</tt> in the package space <tt>org.apache.jackrabbit.oak.spi.security.authentication.credentials</tt>:</p>
-<ul>
 
+<ul>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>: Interface definition exposing the set of supported <tt>Credentials</tt> classes and some common utility methods.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/SimpleCredentialsSupport.html">SimpleCredentialsSupport</a>: Default implementation for the widely used <tt>SimpleCredentials</tt></li>
 </ul>
-<a name="default_implementation"></a>
-### Oak Authentication Implementation
-
+<p><a name="default_implementation"></a></p></div></div>
+<div class="section">
+<h3><a name="Oak_Authentication_Implementation"></a>Oak Authentication Implementation</h3>
 <p>A description of the various requirements covered by Oak by default as well as the characteristics of the corresponding implementations can be found in section <a href="authentication/default.html">Authentication: Implementation Details</a>.</p>
 <p>See section <a href="authentication/differences.html">differences</a> for comprehensive list of differences wrt authentication between Jackrabbit 2.x and Oak.</p>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <p>The configuration of the authentication setup is defined by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.html">AuthenticationConfiguration</a>. This interface provides the following method:</p>
-<ul>
 
+<ul>
+  
 <li><tt>getLoginContextProvider()</tt>: provides the login contexts for the desired authentication mechanism.</li>
-</ul></div></div></div>
+</ul>
 <div class="section">
 <h4><a name="JAAS_Configuration_Utilities"></a>JAAS Configuration Utilities</h4>
 <p>There also exists a utility class that allows to obtain different <tt>javax.security.auth.login.Configuration</tt> for the most common setup [11]:</p>
-<ul>
 
+<ul>
+  
 <li><tt>ConfigurationUtil#getDefaultConfiguration</tt>: default OAK configuration supporting uid/pw login configures <tt>LoginModuleImpl</tt> only</li>
+  
 <li><tt>ConfigurationUtil#getJackrabbit2Configuration</tt>: backwards compatible configuration that provides the functionality covered by jackrabbit-core DefaultLoginModule, namely:
+  
 <ul>
-
+    
 <li><tt>GuestLoginModule</tt>: null login falls back to anonymous</li>
+    
 <li><tt>TokenLoginModule</tt>: covers token based authentication</li>
+    
 <li><tt>LoginModuleImpl</tt>: covering regular uid/pw login</li>
+  </ul></li>
 </ul>
-</li>
-</ul>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
 <p>The default security setup as present with Oak 1.0 is able to provide custom implementation on various levels:</p>
-<ol style="list-style-type: decimal">
 
-<li>The complete authentication setup can be changed by plugging a different <tt>AuthenticationConfiguration</tt> implementations. In OSGi-base setup this is achieved by making the configuration a service. In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
-<li>Within the default authentication setup you replace or extend the set of login modules and their individual settings. In an OSGi-base setup is achieved by making the modules accessible to the framework and setting their execution order accordingly. In a Non-OSGi setup this is specified in the <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS config</a>.</li>
+<ol style="list-style-type: decimal">
+  
+<li>The complete authentication setup can be changed by plugging a different  <tt>AuthenticationConfiguration</tt> implementations. In OSGi-base setup this is  achieved by making the configuration a service. In a non-OSGi-base setup the  custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
+  
+<li>Within the default authentication setup you replace or extend the set of  login modules and their individual settings. In an OSGi-base setup is achieved  by making the modules accessible to the framework and setting their execution  order accordingly. In a Non-OSGi setup this is specified in the <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS config</a>.</li>
 </ol>
-<a name="further_reading"></a>
-### Further Reading
+<p><a name="further_reading"></a></p></div>
+<div class="section">
+<h3><a name="Further_Reading"></a>Further Reading</h3>
 
 <ul>
-
+  
 <li><a href="authentication/default.html">Authentication: Implementation Details</a></li>
+  
 <li><a href="authentication/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="authentication/tokenmanagement.html">Token Authentication and Token Management</a></li>
+  
 <li><a href="authentication/externalloginmodule.html">External Authentication</a>
+  
 <ul>
-
+    
 <li><a href="authentication/usersync.html">User and Group Synchronization</a></li>
+    
 <li><a href="authentication/identitymanagement.html">Identity Management</a></li>
+    
 <li><a href="authentication/ldap.html">LDAP Integration</a></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li><a href="authentication/preauthentication.html">Pre-Authentication</a></li>
-</ul><!-- references --></div></div></div>
+</ul>
+<!-- references --></div></div>
         </div>
       </div>
     </div>