You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/08/21 10:31:38 UTC
svn commit: r1838538 [34/35] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak-mongo-js/fonts/ oak-mongo-js/scripts/
oak-mongo-js/scripts/prettify/ oak-mongo...
Modified: jackrabbit/site/live/oak/docs/security/user/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/default.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/default.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management : The Default Implementation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,19 +239,22 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="User_Management_:_The_Default_Implementation"></a>User Management : The Default Implementation</h2>
<div class="section">
<h3><a name="General_Notes"></a>General Notes</h3>
<p>The default user management implementation stores user/group information in the content repository. In contrast to Jackrabbit 2.x, which by default used a single, dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace.</p>
<p>Consequently the <tt>UserManager</tt> associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x <tt>UserPerWorkspaceUserManager</tt>).</p>
-<ul>
-<li>The Oak implementation is build on the Oak API. This allows for double usage as extension to the JCR API as well as within the Oak layer (aka SPI).</li>
-<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing <tt>Session</tt> from which the class has been obtained.</li>
+<ul>
+
+<li>The Oak implementation is build on the Oak API. This allows for double usage as extension to the JCR API as well as within the Oak layer (aka SPI).</li>
+
+<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing <tt>Session</tt> from which the class has been obtained.</li>
+
<li>Changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
-<li>In case of any failure during user management related write operations the API consumer is in charge of specifically revert pending or invalid transient modifications or calling <tt>Session#refresh(false)</tt>.</li>
+
+<li>In case of any failure during user management related write operations the API consumer is in charge of specifically revert pending or invalid transient modifications or calling <tt>Session#refresh(false)</tt>.</li>
</ul></div>
<div class="section">
<h3><a name="Differences_wrt_Jackrabbit_2.x"></a>Differences wrt Jackrabbit 2.x</h3>
@@ -272,11 +272,9 @@
<p>In contrast to Jackrabbit 2.x the anonymous (or guest) user is optional. Creation will be skipped if the value of the <tt>PARAM_ANONYMOUS_ID</tt> configuration parameter is <tt>null</tt> or empty.</p>
<p>Note, that the anonymous user will always be created without specifying a password in order to prevent regular login with <tt>SimpleCredentials</tt>. The proper way to obtain a guest session is:</p>
-<div>
-<div>
-<pre class="source">Repository#login(new GuestCredentials(), wspName);
+<div class="source">
+<div class="source"><pre class="prettyprint">Repository#login(new GuestCredentials(), wspName);
</pre></div></div>
-
<p>See section <a href="../authentication.html">Authentication</a> for further information about guest login.</p></div></div>
<div class="section">
<h4><a name="Everyone_Group"></a>Everyone Group</h4>
@@ -288,13 +286,19 @@
<h4><a name="Reading_Authorizables"></a>Reading Authorizables</h4>
<div class="section">
<h5><a name="Handling_of_the_Authorizable_ID"></a>Handling of the Authorizable ID</h5>
-<ul>
+<ul>
+
<li>As of Oak 1.0 the node type definition of <tt>rep:Authorizable</tt> defines a new property <tt>rep:authorizableId</tt> which is intended to store the ID of a user or group.</li>
+
<li>This property is protected and system maintained and cannot be changed after creation through user management API calls.</li>
+
<li>The default implementation comes with a dedicated property index for <tt>rep:authorizableId</tt> which asserts the uniqueness of that ID.</li>
+
<li>For backwards compatibility with Jackrabbit 2.x the ID specified during creation is also reflected in the <tt>jcr:uuid</tt> (protected and mandatory), which is used for the lookup.</li>
+
<li><tt>Authorizable#getID</tt> returns the string value contained in <tt>rep:authorizableID</tt> and for backwards compatibility falls back on the node name in case the <tt>rep:authorizableId</tt> property is missing.</li>
+
<li>The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface (see configuration section below). By default it uses the ID as name hint and includes a conversion to a valid JCR node name.</li>
</ul></div>
<div class="section">
@@ -302,14 +306,16 @@
<p>The implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for user and groups slightly differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</p></div></div>
<div class="section">
<h4><a name="Creating_Authorizables"></a>Creating Authorizables</h4>
-<ul>
+<ul>
+
<li>The <tt>rep:password</tt> property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that <tt>User#changePassword</tt> does not allow to remove the password property.</li>
+
<li>Since version 1.1.0 Oak supports the new API to create dedicated system users <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3802">JCR-3802</a>.</li>
</ul>
-<a name="query"></a>
-#### Searching
-</div>
+<p><a name="query"></a></p></div>
+<div class="section">
+<h4><a name="Searching"></a>Searching</h4></div>
<div class="section">
<h4><a name="XPathQueryBuilder"></a>XPathQueryBuilder</h4>
<p>Oak 1.0 comes with a default XPATH based implementation of the <tt>QueryBuilder</tt> interface which is passed to the query upon calling <tt>UserManager#findAuthorizables(Query)</tt>.</p></div>
@@ -319,18 +325,22 @@
<div class="section">
<h4><a name="Autosave_Behavior"></a>Autosave Behavior</h4>
<p>Due to the nature of the UserManager (see above) we decided to drop the auto-save behavior in the default implementation present with OAK. Consequently,</p>
-<ul>
+<ul>
+
<li><tt>UserManager#autoSave(boolean)</tt> throws <tt>UnsupportedRepositoryOperationException</tt></li>
+
<li><tt>UserManager#isAutoSave()</tt> always returns <tt>false</tt></li>
</ul>
<p>See also <tt>PARAM_SUPPORT_AUTOSAVE</tt> below; while this should not be needed if application code has been written against the Jackrabbit API (and thus testing if auto-save mode is enabled or not) this configuration option can be used as last resort.</p></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
<p>As of Oak 1.0 user and group nodes can be imported both with Session and Workspace import. Other differences compared to Jackrabbit 2.x:</p>
-<ul>
+<ul>
+
<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
+
<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
</ul></div>
<div class="section">
@@ -341,14 +351,13 @@
<h4><a name="Password_History"></a>Password History</h4>
<p>Since Oak 1.3.3 the default user management implementation provides password history support. By default this feature is disabled.</p>
<p>See section <a href="history.html">Password History</a> for details.</p>
-<a name="representation"></a>
-### Representation in the Repository
-
+<p><a name="representation"></a></p></div></div>
+<div class="section">
+<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
<p>The following block lists the built-in node types related to user management tasks:</p>
-<div>
-<div>
-<pre class="source">[rep:Authorizable] > mix:referenceable, nt:hierarchyNode
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:Authorizable] > mix:referenceable, nt:hierarchyNode
abstract
+ * (nt:base) = nt:unstructured VERSION
- rep:principalName (STRING) protected mandatory
@@ -366,7 +375,7 @@
[rep:Impersonatable]
mixin
- rep:impersonators (STRING) protected multiple
-
+
/* @since oak 1.1.0 */
[rep:Password]
- * (UNDEFINED) protected
@@ -388,196 +397,363 @@
/* @since oak 1.0 */
[rep:MemberReferencesList]
+ * (rep:MemberReferences) = rep:MemberReferences protected COPY
-
+
/* @deprecated since oak 1.0 */
[rep:Members]
orderable
+ * (rep:Members) = rep:Members protected multiple
- * (WEAKREFERENCE) protected < 'rep:Authorizable'
</pre></div></div>
-<a name="validation"></a>
-### Validation
-
+<p><a name="validation"></a></p></div>
+<div class="section">
+<h3><a name="Validation"></a>Validation</h3>
<p>The consistency of this content structure is asserted by a dedicated <tt>UserValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Code </th>
-<th> Message </th></tr>
-</thead><tbody>
-
+
+<th>Code </th>
+
+<th>Message </th>
+ </tr>
+ </thead>
+ <tbody>
+
<tr class="b">
-<td> 0020 </td>
-<td> Admin user cannot be disabled </td></tr>
+
+<td>0020 </td>
+
+<td>Admin user cannot be disabled </td>
+ </tr>
+
<tr class="a">
-<td> 0021 </td>
-<td> Invalid jcr:uuid for authorizable (creation) </td></tr>
+
+<td>0021 </td>
+
+<td>Invalid jcr:uuid for authorizable (creation) </td>
+ </tr>
+
<tr class="b">
-<td> 0022 </td>
-<td> Changing Id, principal name after creation </td></tr>
+
+<td>0022 </td>
+
+<td>Changing Id, principal name after creation </td>
+ </tr>
+
<tr class="a">
-<td> 0023 </td>
-<td> Invalid jcr:uuid for authorizable (mod) </td></tr>
+
+<td>0023 </td>
+
+<td>Invalid jcr:uuid for authorizable (mod) </td>
+ </tr>
+
<tr class="b">
-<td> 0024 </td>
-<td> Password may not be plain text </td></tr>
+
+<td>0024 </td>
+
+<td>Password may not be plain text </td>
+ </tr>
+
<tr class="a">
-<td> 0025 </td>
-<td> Attempt to remove id, principalname or pw </td></tr>
+
+<td>0025 </td>
+
+<td>Attempt to remove id, principalname or pw </td>
+ </tr>
+
<tr class="b">
-<td> 0026 </td>
-<td> Mandatory property rep:principalName missing </td></tr>
+
+<td>0026 </td>
+
+<td>Mandatory property rep:principalName missing </td>
+ </tr>
+
<tr class="a">
-<td> 0027 </td>
-<td> The admin user cannot be removed </td></tr>
+
+<td>0027 </td>
+
+<td>The admin user cannot be removed </td>
+ </tr>
+
<tr class="b">
-<td> 0028 </td>
-<td> Attempt to create outside of configured scope </td></tr>
+
+<td>0028 </td>
+
+<td>Attempt to create outside of configured scope </td>
+ </tr>
+
<tr class="a">
-<td> 0029 </td>
-<td> Intermediate folders not rep:AuthorizableFolder </td></tr>
+
+<td>0029 </td>
+
+<td>Intermediate folders not rep:AuthorizableFolder </td>
+ </tr>
+
<tr class="b">
-<td> 0030 </td>
-<td> Missing uuid for group (check for cyclic membership) </td></tr>
+
+<td>0030 </td>
+
+<td>Missing uuid for group (check for cyclic membership) </td>
+ </tr>
+
<tr class="a">
-<td> <s>0031</s> </td>
-<td> <s>Cyclic group membership</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6072">OAK-6072</a>) </td></tr>
+
+<td><s>0031</s> </td>
+
+<td><s>Cyclic group membership</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6072">OAK-6072</a>) </td>
+ </tr>
+
<tr class="b">
-<td> 0032 </td>
-<td> Attempt to set password with system user </td></tr>
+
+<td>0032 </td>
+
+<td>Attempt to set password with system user </td>
+ </tr>
+
<tr class="a">
-<td> 0033 </td>
-<td> Attempt to add rep:pwd node to a system user </td></tr>
-</tbody>
+
+<td>0033 </td>
+
+<td>Attempt to add rep:pwd node to a system user </td>
+ </tr>
+ </tbody>
</table>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
<p>The following user management specific methods are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a> as of OAK 1.0:</p>
-<ul>
+<ul>
+
<li>getUserManager: Obtain a new user manager instance</li>
-</ul></div>
+</ul>
<div class="section">
<h4><a name="Configuration_Parameters_supported_by_the_default_implementation"></a>Configuration Parameters supported by the default implementation</h4>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Parameter </th>
-<th> Type </th>
-<th> Default </th></tr>
-</thead><tbody>
-
+
+<th>Parameter </th>
+
+<th>Type </th>
+
+<th>Default </th>
+ </tr>
+ </thead>
+ <tbody>
+
<tr class="b">
-<td> <tt>PARAM_ADMIN_ID</tt> </td>
-<td> String </td>
-<td> “admin” </td></tr>
+
+<td><tt>PARAM_ADMIN_ID</tt> </td>
+
+<td>String </td>
+
+<td>“admin” </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_OMIT_ADMIN_PW</tt> </td>
-<td> boolean </td>
-<td> false </td></tr>
+
+<td><tt>PARAM_OMIT_ADMIN_PW</tt> </td>
+
+<td>boolean </td>
+
+<td>false </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_ANONYMOUS_ID</tt> </td>
-<td> String </td>
-<td> “anonymous” (nullable) </td></tr>
+
+<td><tt>PARAM_ANONYMOUS_ID</tt> </td>
+
+<td>String </td>
+
+<td>“anonymous” (nullable) </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_USER_PATH</tt> </td>
-<td> String </td>
-<td> “/rep:security/rep:authorizables/rep:users” </td></tr>
+
+<td><tt>PARAM_USER_PATH</tt> </td>
+
+<td>String </td>
+
+<td>“/rep:security/rep:authorizables/rep:users” </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_GROUP_PATH</tt> </td>
-<td> String </td>
-<td> “/rep:security/rep:authorizables/rep:groups” </td></tr>
+
+<td><tt>PARAM_GROUP_PATH</tt> </td>
+
+<td>String </td>
+
+<td>“/rep:security/rep:authorizables/rep:groups” </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_DEFAULT_DEPTH</tt> </td>
-<td> int </td>
-<td> 2 </td></tr>
+
+<td><tt>PARAM_DEFAULT_DEPTH</tt> </td>
+
+<td>int </td>
+
+<td>2 </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
-<td> String </td>
-<td> “SHA-256” </td></tr>
+
+<td><tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
+
+<td>String </td>
+
+<td>“SHA-256” </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
-<td> int </td>
-<td> 1000 </td></tr>
+
+<td><tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
+
+<td>int </td>
+
+<td>1000 </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
-<td> int </td>
-<td> 8 </td></tr>
+
+<td><tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
+
+<td>int </td>
+
+<td>8 </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
-<td> AuthorizableNodeName </td>
-<td> AuthorizableNodeName#DEFAULT </td></tr>
+
+<td><tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
+
+<td>AuthorizableNodeName </td>
+
+<td>AuthorizableNodeName#DEFAULT </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
-<td> AuthorizableActionProvider </td>
-<td> DefaultAuthorizableActionProvider </td></tr>
+
+<td><tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
+
+<td>AuthorizableActionProvider </td>
+
+<td>DefaultAuthorizableActionProvider </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
-<td> boolean </td>
-<td> false </td></tr>
+
+<td><tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
+
+<td>boolean </td>
+
+<td>false </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
-<td> String (“abort”, “ignore”, “besteffort”) </td>
-<td> “ignore” </td></tr>
+
+<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+
+<td>String (“abort”, “ignore”, “besteffort”) </td>
+
+<td>“ignore” </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
-<td> int </td>
-<td> 0 </td></tr>
+
+<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+
+<td>int </td>
+
+<td>0 </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
-<td> boolean </td>
-<td> false </td></tr>
+
+<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+
+<td>boolean </td>
+
+<td>false </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
-<td> int (upper limit: 1000) </td>
-<td> 0 </td></tr>
+
+<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+
+<td>int (upper limit: 1000) </td>
+
+<td>0 </td>
+ </tr>
+
<tr class="b">
-<td> <tt>PARAM_CACHE_EXPIRATION</tt> </td>
-<td> long </td>
-<td> 0 </td></tr>
+
+<td><tt>PARAM_CACHE_EXPIRATION</tt> </td>
+
+<td>long </td>
+
+<td>0 </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_ENABLE_RFC7613_USERCASE_MAPPED_PROFILE</tt></td>
-<td> boolean </td>
-<td> false </td></tr>
+
+<td><tt>PARAM_ENABLE_RFC7613_USERCASE_MAPPED_PROFILE</tt></td>
+
+<td>boolean </td>
+
+<td>false </td>
+ </tr>
+
<tr class="b">
+
+<td> </td>
+
<td> </td>
+
<td> </td>
-<td> </td></tr>
-</tbody>
+ </tr>
+ </tbody>
</table>
<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
-<ul>
+<ul>
+
<li><tt>compatibleJR16</tt></li>
+
<li><tt>autoExpandTree</tt></li>
+
<li><tt>autoExpandSize</tt></li>
+
<li><tt>groupMembershipSplitSize</tt></li>
</ul>
<p>The optional <tt>cacheExpiration</tt> configuration option listed above is discussed in detail in section <a href="../principal/cache.html">Caching Results of Principal Resolution</a>. It is not related to user management s.str. but affects the implementation specific <tt>PrincipalProvider</tt> implementation exposed by <tt>UserConfiguration.getUserPrincipalProvider</tt>.</p>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
<p>Within the default user management implementation the following parts can be modified or extended at runtime by providing corresponding OSGi services or passing appropriate configuration parameters exposing the custom implementations:</p>
-<ul>
+<ul>
+
<li><tt>AuthorizableActionProvider</tt>: Defines the authorizable actions, see <a href="authorizableaction.html">Authorizable Actions</a>.</li>
-<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository. See <a href="authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
+
+<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository. See <a href="authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
+
<li><tt>UserAuthenticationFactory</tt>: see below</li>
-</ul></div>
+</ul>
<div class="section">
<h4><a name="UserAuthenticationFactory_:_Authenticating_Users"></a>UserAuthenticationFactory : Authenticating Users</h4>
-<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation.</p>
+<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation. </p>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Example_UserAuthenticationFactory"></a>Example UserAuthenticationFactory</h6>
-<div>
-<div>
-<pre class="source">@Component()
+<div class="source">
+<div class="source"><pre class="prettyprint">@Component()
@Service(UserAuthenticationFactory.class)
public class MyUserAuthenticationFactory implements UserAuthenticationFactory {
Modified: jackrabbit/site/live/oak/docs/security/user/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/differences.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/differences.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management : Differences to Jackrabbit 2.x</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,80 +239,99 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<div class="section">
<h3><a name="User_Management_:_Differences_to_Jackrabbit_2.x"></a>User Management : Differences to Jackrabbit 2.x</h3>
<p>The default user management implementation present has the following characteristics that differ from the default behavior in Jackrabbit 2.x</p>
<div class="section">
<h4><a name="General"></a>General</h4>
-<ul>
+<ul>
+
<li>changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
+
<li>In case of a failure <tt>Session#refresh</tt> is no longer called in order to prevent reverting other changes unrelated to the user management operation. Consequently it’s the responsibility of the API consumer to specifically revert pending or invalid transient modifications.</li>
</ul></div>
<div class="section">
<h4><a name="Differences_by_Interface"></a>Differences by Interface</h4>
<div class="section">
<h5><a name="UserManager"></a>UserManager</h5>
-<ul>
+<ul>
+
<li>stores user/group information in the workspace associated with the editing Session</li>
-<li>the autosave feature is no longer supported by default; configuration option <tt>PARAM_SUPPORT_AUTOSAVE</tt> can be used to obtain backwards compatible behavior</li>
-<li>calling <tt>getAuthorizable</tt> with empty id or <tt>null</tt> id/principal will not throw a runtime exception but silently returns <tt>null</tt></li>
+
+<li>the autosave feature is no longer supported by default; configuration option <tt>PARAM_SUPPORT_AUTOSAVE</tt> can be used to obtain backwards compatible behavior</li>
+
+<li>calling <tt>getAuthorizable</tt> with empty id or <tt>null</tt> id/principal will not throw a runtime exception but silently returns <tt>null</tt></li>
</ul></div>
<div class="section">
<h5><a name="Authorizable"></a>Authorizable</h5>
-<ul>
-<li>Equality and HashCode : the implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for authorizables differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</li>
-<li>Authorizable ID: the ID of authorizables is stored separately in a <tt>rep:authorizableId</tt> property. This value is returned upon <tt>Authorizable#getID</tt>. For backwards compatibility it falls back on the node name in case the ID property is missing.</li>
-<li>Node Name: The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface. Default: ID as name hint. See section <a href="authorizablenodename.html">Authorizable Node Name Generation</a> for details.</li>
+<ul>
+
+<li>Equality and HashCode : the implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for authorizables differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</li>
+
+<li>Authorizable ID: the ID of authorizables is stored separately in a <tt>rep:authorizableId</tt> property. This value is returned upon <tt>Authorizable#getID</tt>. For backwards compatibility it falls back on the node name in case the ID property is missing.</li>
+
+<li>Node Name: The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface. Default: ID as name hint. See section <a href="authorizablenodename.html">Authorizable Node Name Generation</a> for details.</li>
</ul></div>
<div class="section">
<h5><a name="User"></a>User</h5>
-<ul>
+<ul>
+
<li>Creation: The password is no longer mandatory upon user creation.</li>
</ul></div>
<div class="section">
<h5><a name="Group"></a>Group</h5>
-<ul>
-<li>Creation: <tt>createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
-<li>Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section <a href="membership.html">Group Membership</a> for a detailed description.</li>
+<ul>
+
+<li>Creation: <tt>createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
+
+<li>Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section <a href="membership.html">Group Membership</a> for a detailed description.</li>
</ul>
-<a name="query"></a>
-##### QueryBuilder
-
+<p><a name="query"></a></p></div>
+<div class="section">
+<h5><a name="QueryBuilder"></a>QueryBuilder</h5>
<p>The user query is expected to work as in Jackrabbit 2.x with the following notable bug fixes:</p>
-<ul>
-<li><tt>QueryBuilder#setScope(String groupID, boolean declaredOnly)</tt> now also works properly for the everyone group (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-949">OAK-949</a>)</li>
-<li><tt>QueryBuilder#impersonates(String principalName)</tt> works properly for the admin principal which are specially treated in the implementation of the <tt>Impersonation</tt> interface (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1183">OAK-1183</a>).</li>
+<ul>
+
+<li><tt>QueryBuilder#setScope(String groupID, boolean declaredOnly)</tt> now also works properly for the everyone group (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-949">OAK-949</a>)</li>
+
+<li><tt>QueryBuilder#impersonates(String principalName)</tt> works properly for the admin principal which are specially treated in the implementation of the <tt>Impersonation</tt> interface (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1183">OAK-1183</a>).</li>
</ul></div></div>
<div class="section">
<h4><a name="Additional_Functionality"></a>Additional Functionality</h4>
<div class="section">
<h5><a name="XML_Import"></a>XML Import</h5>
-<ul>
-<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
+<ul>
+
+<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
+
<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
+
<li>Oak also supports workspace import for authorizables</li>
</ul></div>
<div class="section">
<h5><a name="Built-in_Users"></a>Built-in Users</h5>
-<ul>
+<ul>
+
<li>admin user can be initialized without password (<tt>PARAM_OMIT_ADMIN_PW</tt> config option)</li>
+
<li>anonymous user is optional (missing <tt>PARAM_ANONYMOUS_ID</tt> config option)</li>
+
<li>anonymous user is always initialized without password.</li>
</ul></div>
<div class="section">
<h5><a name="Group_representing_the_Everyone_Principal"></a>Group representing the Everyone Principal</h5>
-<ul>
+<ul>
+
<li>the implementation of the optional special group representing the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html">everyone</a> principal is consistent throughout all group membership related methods.</li>
</ul></div>
<div class="section">
@@ -325,44 +341,56 @@
<div class="section">
<h4><a name="Node_Type_Definitions"></a>Node Type Definitions</h4>
<p>The built-in node types related to user management tasks have been modified as follows.</p>
-<ul>
+<ul>
+
<li><i>rep:Authorizable</i>
+
<ul>
-
+
<li>new protected property <tt>rep:authorizableId</tt></li>
-</ul>
-</li>
+ </ul></li>
+
<li><i>rep:Group</i>
+
<ul>
-
+
<li>extends from <tt>rep:MemberReferences</tt> which provides the multivalued property <tt>rep:members</tt></li>
+
<li>the child node definition <tt>rep:members</tt> has been deprecated and is no longer used</li>
+
<li>new child node definition <tt>rep:membersList</tt></li>
-</ul>
-</li>
+ </ul></li>
</ul>
<p>The following node type definitions have been added:</p>
-<ul>
+<ul>
+
<li><i>rep:MemberReferences</i> : provides the multivalued <tt>rep:members</tt> property.</li>
+
<li><i>rep:MemberReferencesList</i></li>
</ul>
<p>The following node type definition has been deprecated and will no longer be used:</p>
-<ul>
+<ul>
+
<li><i>rep:Members</i></li>
</ul></div>
<div class="section">
<h4><a name="Configuration"></a>Configuration</h4>
<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
-<ul>
+<ul>
+
<li>“compatibleJR16”</li>
+
<li>“autoExpandTree”</li>
+
<li>“autoExpandSize”</li>
+
<li>“groupMembershipSplitSize”</li>
-</ul><!-- hidden references --></div></div></div>
+</ul>
+<!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/expiry.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/expiry.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/expiry.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/expiry.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Password Expiry and Force Initial Password Change</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,8 +239,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="Password_Expiry_and_Force_Initial_Password_Change"></a>Password Expiry and Force Initial Password Change</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -258,11 +254,52 @@
<h3><a name="Configuration"></a>Configuration</h3>
<p>An administrator may enable password expiry and initial password change via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default both features are disabled.</p>
<p>The following configuration options are supported:</p>
-<p>| Parameter | Type | Default | Description | |————————————- |——– -|————————| | <tt>PARAM_PASSWORD_MAX_AGE</tt> | int | 0 | Number of days until the password expires. | | <tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> | boolean | false | boolean flag to enable initial pw change. |</p>
+
+<table border="0" class="table table-striped">
+ <thead>
+
+<tr class="a">
+
+<th>Parameter </th>
+
+<th>Type </th>
+
+<th>Default </th>
+
+<th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+
+<td>int </td>
+
+<td>0 </td>
+
+<td>Number of days until the password expires. </td>
+ </tr>
+
+<tr class="a">
+
+<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+
+<td>boolean </td>
+
+<td>false </td>
+
+<td>boolean flag to enable initial pw change. </td>
+ </tr>
+ </tbody>
+</table>
<p>Note:</p>
-<ul>
+<ul>
+
<li>Maximum Password Age (<tt>maxPasswordAge</tt>) will only be enabled when a value greater 0 is set (expiration time in days).</li>
+
<li>Change Password On First Login (<tt>initialPasswordChange</tt>): When enabled, forces users to change their password upon first login.</li>
</ul></div>
<div class="section">
@@ -270,10 +307,12 @@
<div class="section">
<h4><a name="Definition_of_Expired_Password"></a>Definition of Expired Password</h4>
<p>An expired password is defined as follows:</p>
-<ul>
-<li>The current date-time is after or on the date-time + maxPasswordAge specified in a <tt>rep:passwordLastModified</tt> property</li>
-<li>OR: Expiry and/or Enforce Password Change is enabled, but no <tt>rep:passwordLastModified</tt> property exists</li>
+<ul>
+
+<li>The current date-time is after or on the date-time + maxPasswordAge specified in a <tt>rep:passwordLastModified</tt> property</li>
+
+<li>OR: Expiry and/or Enforce Password Change is enabled, but no <tt>rep:passwordLastModified</tt> property exists</li>
</ul>
<p>For the above, a password node <tt>rep:pw</tt> and a property <tt>rep:passwordLastModified</tt>, governed by a new <tt>rep:Password</tt> node type and located in the user’s home, have been introduced, leaving open future enhancements to password management (such as password policies, history, et al):</p></div>
<div class="section">
@@ -281,23 +320,19 @@
<div class="section">
<h5><a name="Node_Type_rep:Password"></a>Node Type rep:Password</h5>
-<div>
-<div>
-<pre class="source">[rep:Password]
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:Password]
- * (UNDEFINED) protected
- * (UNDEFINED) protected multiple
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h5><a name="Node_rep:pwd_and_Property_rep:passwordLastModified"></a>Node rep:pwd and Property rep:passwordLastModified</h5>
-<div>
-<div>
-<pre class="source">[rep:User] > rep:Authorizable, rep:Impersonatable
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:User] > rep:Authorizable, rep:Impersonatable
+ rep:pwd (rep:Password) = rep:Password protected
...
</pre></div></div>
-
<p>The <tt>rep:pw</tt> node and the <tt>rep:passwordLastModified</tt> property are defined protected in order to guard against the user modifying (overcoming) her password expiry. The new sub-node also has the advantage of allowing repository consumers to e.g. register specific commit hooks / actions on such a node.</p>
<p>In the future the <tt>rep:password</tt> property on the user node may be migrated to the <tt>rep:pw</tt> sub-node.</p></div></div>
<div class="section">
@@ -322,16 +357,19 @@
<p>This method of changing password via the normal login call only works if a user’s password is in fact expired and cannot be used for regular password changes (attribute is ignored, use <tt>User#changePassword</tt> directly instead).</p>
<p>Should the <a href="history.html">Password History feature</a> be enabled, and - for the above password change - a password already in the history be used, the change will fail and the login still throw a <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/CredentialExpiredException.html">CredentialExpiredException</a>. In order for consumers of the exception to become aware that the credentials are still considered expired, and that the password was not changed due to the new password having been found in the password history, the credentials object is fitted with an additional attribute with name <tt>PasswordHistoryException</tt>.</p>
<p>This attribute may contain the following two values:</p>
-<ul>
+<ul>
+
<li><i>“New password was found in password history.”</i> or</li>
+
<li><i>"“New password is identical to the current password.”</i></li>
</ul></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
<p>When users are imported via the Oak JCR XML importer, the expiry relevant nodes and property are supported. If the XML specifies a <tt>rep:pw</tt> node and optionally a <tt>rep:passwordLastModified</tt> property, these are imported, irrespective of the password expiry or force initial password change being enabled in the configuration. If they’re enabled, the imported property will be used in the normal login process as described above. If not enabled, the imported property will have no effect.</p>
<p>On the other hand, if the imported user already exists, potentially existing <tt>rep:passwordLastModified</tt> properties will be overwritten with the value from the import. If password expiry is enabled, this may cause passwords to expire earlier or later than anticipated, governed by the new value. Also, an import may create such a property where none previously existed, thus effectively cancelling the need to change the password on first login - if the feature is enabled.</p>
-<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p><!-- hidden references --></div></div></div>
+<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p>
+<!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/groupaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/groupaction.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/groupaction.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/groupaction.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Group Actions</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,24 +239,28 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<h2><a name="Group_Actions"></a>Group Actions</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>Oak 1.6 comes with an extension to the Jackrabbit user management API that allows to perform additional actions or validations upon group member management tasks such as</p>
-<ul>
+<ul>
+
<li>add an authorizable to a group</li>
+
<li>remove an authorizable from a group</li>
+
<li>add a set of member ids as members of a group</li>
+
<li>remove a set of member ids from a group</li>
</ul></div>
<div class="section">
<h3><a name="GroupAction_API"></a>GroupAction API</h3>
<p>The following public interface is provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user.action</tt>:</p>
-<ul>
+<ul>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/GroupAction.html">GroupAction</a></li>
</ul>
<p>The <tt>GroupAction</tt> interface extends from <tt>AuthorizableAction</tt> and itself allows to perform validations or write additional application specific content while executing group member management related write operations. Therefore these actions are executed as part of the transient user management modifications. This contrasts to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s which in turn are only triggered once modifications are persisted.</p>
@@ -268,8 +269,9 @@
<div class="section">
<h3><a name="Default_Implementations"></a>Default Implementations</h3>
<p>Oak 1.5 provides the following base implementation for <tt>GroupAction</tt> implementations to build upon:</p>
-<ul>
+<ul>
+
<li><tt>AbstractGroupAction</tt>: abstract base implementation that doesn’t perform any action.</li>
</ul></div>
<div class="section">
@@ -277,7 +279,7 @@
<p>Refer to <a href="authorizableaction.html#Pluggability">Authorizable Actions | Pluggability </a> for details on how to plug a new group action into the system.</p></div>
<div class="section">
<h3><a name="XML_Import"></a>XML Import</h3>
-<p>During import the group actions are called in the same fashion as for regular groups as long as the member reference can be resolved to an existing authorizable. Member IDs of authorizables that do not exist at group import time or failed member IDs are passed to the group actions if <tt>ImportBehavior.BESTEFFORT</tt> is set for the import.</p>
+<p>During import the group actions are called in the same fashion as for regular groups as long as the member reference can be resolved to an existing authorizable. Member IDs of authorizables that do not exist at group import time or failed member IDs are passed to the group actions if <tt>ImportBehavior.BESTEFFORT</tt> is set for the import.</p>
<div class="section">
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
@@ -285,9 +287,8 @@
<h6><a name="Example_Action"></a>Example Action</h6>
<p>This example action creates or removes asset home directories for members added to or removed from a specific group:</p>
-<div>
-<div>
-<pre class="source">public class CreateHomeForMemberGroupAction extends AbstractGroupAction {
+<div class="source">
+<div class="source"><pre class="prettyprint">public class CreateHomeForMemberGroupAction extends AbstractGroupAction {
private static final String GROUP_ID = "asset-editors";
private static final String ASSET_ROOT = "/content/assets";
Modified: jackrabbit/site/live/oak/docs/security/user/history.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/history.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/history.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/history.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Password History</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,8 +239,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="Password_History"></a>Password History</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -252,27 +248,45 @@
<h3><a name="Configuration"></a>Configuration</h3>
<p>An administrator may enable password history via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default the history is disabled (<tt>passwordHistorySize</tt> set to 0).</p>
<p>The following configuration option is supported:</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Parameter </th>
-<th> Type </th>
-<th> Default </th>
-<th> Description </th></tr>
-</thead><tbody>
-
+
+<th>Parameter </th>
+
+<th>Type </th>
+
+<th>Default </th>
+
+<th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+
<tr class="b">
-<td> <tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
-<td> int </td>
-<td> 0 </td>
-<td> Number of passwords to be stored in the history </td></tr>
+
+<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+
+<td>int </td>
+
+<td>0 </td>
+
+<td>Number of passwords to be stored in the history </td>
+ </tr>
+
<tr class="a">
-<td> </td>
-<td> </td>
-<td> </td>
-<td> </td></tr>
-</tbody>
+
+<td> </td>
+
+<td> </td>
+
+<td> </td>
+
+<td> </td>
+ </tr>
+ </tbody>
</table>
<p>Setting the configuration option to a value greater than 0 enables password history and sets feature to remember the specified number of passwords for a user. Note, that the current implementation has a limit of at most 1000 passwords remembered in the history.</p></div>
<div class="section">
@@ -282,28 +296,26 @@
<p>History password hashes are recorded in a multi-value property <tt>rep:pwdHistory</tt> on the user’s <tt>rep:pwd</tt> node, which mandates the specific node type <tt>rep:Password</tt></p>
<p>The <tt>rep:pwdHistory</tt> property is defined protected in order to guard against the user modifying (overcoming) her password history limitations.</p>
-<div>
-<div>
-<pre class="source">[rep:User] > rep:Authorizable, rep:Impersonatable
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:User] > rep:Authorizable, rep:Impersonatable
+ rep:pwd (rep:Password) = rep:Password protected
- rep:password (STRING) protected
...
-
+
[rep:Password]
- * (UNDEFINED) protected
- * (UNDEFINED) protected multiple
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h4><a name="Recording_of_Passwords"></a>Recording of Passwords</h4>
<p>If the feature is enabled, during a user changing her password, the old password hash is recorded in the password history.</p>
<p>The old password hash is only recorded if a password was set (non-empty). Therefore setting a password for a user for the first time (i.e. during creation or if the user doesn’t have a password set before) does not result in a history record, as there is no old password.</p>
<p>The old password hash is copied to the password history <i>after</i> the provided new password has been validated but <i>before</i> the new password hash is written to the user’s <tt>rep:password</tt> property.</p>
<p>The history operates as a FIFO list. A new password history record exceeding the configured max history size, results in the oldest recorded password from being removed from the history.</p>
-<p>Also, if the configuration parameter for the history size is changed to a non-zero but smaller value than before, upon the next password change the oldest records exceeding the new history size are removed.</p></div>
+<p>Also, if the configuration parameter for the history size is changed to a non-zero but smaller value than before, upon the next password change the oldest records exceeding the new history size are removed. </p></div>
<div class="section">
<h4><a name="Evaluation_of_Password_History"></a>Evaluation of Password History</h4>
-<p>Upon a user changing her password and if the password history feature is enabled (configured password history size > 0), implementation checks if the current password or any of the password hashes recorded in the history matches the new password.</p>
+<p>Upon a user changing her password and if the password history feature is enabled (configured password history size > 0), implementation checks if the current password or any of the password hashes recorded in the history matches the new password.</p>
<p>If any record is a match, a <tt>ConstraintViolationException</tt> is thrown and the user’s password is <i>NOT</i> changed.</p></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
Modified: jackrabbit/site/live/oak/docs/security/user/membership.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/membership.html?rev=1838538&r1=1838537&r2=1838538&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/membership.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/membership.html Tue Aug 21 10:31:37 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-10
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180810" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Group Membership</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -137,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-08-10<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -156,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -242,38 +239,45 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<h2><a name="Group_Membership"></a>Group Membership</h2>
<div class="section">
<h3><a name="Jackrabbit_API"></a>Jackrabbit API</h3>
<p>The Jackrabbit API extensions provide various methods to edit and explore the member relationship of users and groups:</p>
-<ul>
+<ul>
+
<li>
-
<p><a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/Group.java">org.apache.jackrabbit.api.security.user.Group</a></p>
+
<ul>
-
+
<li><tt>getDeclaredMembers() Iterator<Authorizable></tt></li>
+
<li><tt>getMembers() Iterator<Authorizable></tt></li>
+
<li><tt>isDeclaredMember(Authorizable) boolean</tt></li>
+
<li><tt>isMember(Authorizable boolean</tt></li>
+
<li><tt>addMember(Authorizable) boolean</tt></li>
+
<li><tt>removeMember(Authorizable) boolen</tt></li>
+
<li><tt>addMembers(String...) Set<String></tt></li>
+
<li><tt>removeMembers(String...) Set<String></tt></li>
-</ul>
-</li>
+ </ul></li>
+
<li>
-
<p><a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/Authorizable.java">org.apache.jackrabbit.api.security.user.Authorizable</a></p>
+
<ul>
-
+
<li><tt>declaredMemberOf() Iterator<Group></tt></li>
+
<li><tt>memberOf() Iterator<Group></tt></li>
-</ul>
-</li>
+ </ul></li>
</ul></div>
<div class="section">
<h3><a name="Characteristics_of_the_Default_Implementation"></a>Characteristics of the Default Implementation</h3>
@@ -288,9 +292,8 @@
<div class="section">
<h5><a name="Relevant_new_and_modified_node_types"></a>Relevant new and modified node types</h5>
-<div>
-<div>
-<pre class="source">[rep:Group] > rep:Authorizable, rep:MemberReferences
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:Group] > rep:Authorizable, rep:MemberReferences
+ rep:members (rep:Members) = rep:Members multiple protected VERSION /* @deprecated */
+ rep:membersList (rep:MemberReferencesList) = rep:MemberReferencesList protected COPY
@@ -299,17 +302,15 @@
[rep:MemberReferencesList]
+ * (rep:MemberReferences) = rep:MemberReferences protected COPY
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Example_Group_with_few_members"></a>Example Group with few members</h6>
<p><i>(irrelevant properties excluded)</i></p>
-<div>
-<div>
-<pre class="source">{
+<div class="source">
+<div class="source"><pre class="prettyprint">{
"jcr:primaryType": "rep:Group",
"rep:principalName": "contributor",
"rep:members": [
@@ -322,15 +323,13 @@
"65c3084e-abfc-3719-8223-72c6cb9a3d6f"
]
}
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h6><a name="Example_Group_with_many_members"></a>Example Group with many members</h6>
<p><i>(irrelevant properties excluded)</i></p>
-<div>
-<div>
-<pre class="source">{
+<div class="source">
+<div class="source"><pre class="prettyprint">{
"jcr:primaryType": "rep:Group",
"rep:principalName": "employees",
"rep:membersList": {
@@ -355,7 +354,6 @@
}
}
</pre></div></div>
-
<p><i>Note</i>: The exact threshold value that determines the storage strategy is an implementation detail and might even vary depending on the underlying persistence layer. In Oak 1.0 the threshold value is set to 100.</p></div></div></div>
<div class="section">
<h4><a name="Upgrading_Groups_from_Jackrabbit_2.x_to_Oak_content_structure"></a>Upgrading Groups from Jackrabbit 2.x to Oak content structure</h4>
@@ -366,20 +364,27 @@
<div class="section">
<h4><a name="Add_and_Remove_Group_Members_by_Id"></a>Add and Remove Group Members by Id</h4>
<p>Since Oak 1.3.4 the default user management implementation also allows to modify group membership by specifying the member id(s) (see <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3880">JCR-3880</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3170">OAK-3170</a>). The following details are worth mentioning:</p>
-<ul>
+<ul>
+
<li>a <tt>null</tt> or empty String id will immediately fail the operation with <tt>ConstraintViolationException</tt>; changes already made will not be reverted,</li>
+
<li>an attempt to make the same group member of itself will list that id in the return value but will not fail the operation,</li>
+
<li>duplicate ids in the parameter list will be silently ignored,</li>
-<li><s>cyclic membership validation is postponed to the validator called upon </s><tt><s>Root.commit</s></tt><s> and will only fail at that point; the cyclic membership then needs to be manually resolved by the application</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3170">OAK-3170</a> and below)</li>
-<li>whether or not a non-existing (or not accessible) authorizable can be added or removed depends on the configured <tt>ImportBehavior</tt>:
+
+<li><s>cyclic membership validation is postponed to the validator called upon </s><tt><s>Root.commit</s></tt><s> and will only fail at that point; the cyclic membership then needs to be manually resolved by the application</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3170">OAK-3170</a> and below)</li>
+
+<li>whether or not a non-existing (or not accessible) authorizable can be added or removed depends on the configured <tt>ImportBehavior</tt>:
+
<ul>
-
-<li>ABORT: each id is resolved to the corresponding authorizable; if it doesn’t exist <tt>ConstraintViolationException</tt> is thrown immediately; changes already made will not be reverted.</li>
-<li>BESTEFFORT: the specified ids are not resolved to the corresponding authorizables and are silently added|removed to|from the set of members; ids that were not successfully added|removed are listed in the return value.</li>
-<li>IGNORE: each id is resolved to the corresponding authorizable; if it doesn’t exist it will be returned as <i>failed</i> in the return value.</li>
-</ul>
-</li>
+
+<li>ABORT: each id is resolved to the corresponding authorizable; if it doesn’t exist <tt>ConstraintViolationException</tt> is thrown immediately; changes already made will not be reverted.</li>
+
+<li>BESTEFFORT: the specified ids are not resolved to the corresponding authorizables and are silently added|removed to|from the set of members; ids that were not successfully added|removed are listed in the return value.</li>
+
+<li>IGNORE: each id is resolved to the corresponding authorizable; if it doesn’t exist it will be returned as <i>failed</i> in the return value.</li>
+ </ul></li>
</ul></div>
<div class="section">
<h4><a name="Invalid_Membership"></a>Invalid Membership</h4>
@@ -397,10 +402,11 @@
<h5><a name="Cyclic_Membership"></a>Cyclic Membership</h5>
<p>Since Oak 1.7.0 the explicit check for cyclic group membership has been moved from the <tt>Validator</tt> to the <tt>Group</tt> implementation. As before cyclic membership might not be spotted and the membership resolution will log the cycle upon collection of all members/groups.</p>
<p>The following scenarios may leave the cycle unnoticed upon adding members: - <tt>Group.addMember(Authorizable)</tt> when the editing <tt>Session</tt> cannot read all groups included in the cycle. - <tt>Group.addMembers(String...)</tt> with <tt>ImportBehavior.BESTEFFORT</tt> where the member ID is not resolved.</p>
-<p>See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3170">OAK-3170</a> for additional information.</p></div></div></div>
+<p>See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3170">OAK-3170</a> for additional information. </p></div></div></div>
<div class="section">
<h3><a name="Configuration"></a>Configuration</h3>
-<p>Note that as of Oak 1.0 the implementation is responsible for defining the content structure and will expand the multi-valued <tt>rep:members</tt> property accordingly. Consequently, the following configuration option <tt>groupMembershipSplitSize</tt> present with Jackrabbit 2.x is not supported anymore.</p><!-- hidden references --></div></div>
+<p>Note that as of Oak 1.0 the implementation is responsible for defining the content structure and will expand the multi-valued <tt>rep:members</tt> property accordingly. Consequently, the following configuration option <tt>groupMembershipSplitSize</tt> present with Jackrabbit 2.x is not supported anymore.</p>
+<!-- hidden references --></div></div>
</div>
</div>
</div>