Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2014/05/15 16:36:09 UTC

svn commit: r1594929 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol.md accesscontrol/editing.md authentication.md privilege.md

Author: angela
Date: Thu May 15 14:36:09 2014
New Revision: 1594929

URL: http://svn.apache.org/r1594929
Log:
OAK-301 : oak docu

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1594929&r1=1594928&r2=1594929&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Thu May 15 14:36:09 2014
@@ -287,22 +287,18 @@ See also ([OAK-1350](https://issues.apac
 
 ### API Extensions
 
-_todo_
-
-org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol [1]
+Oak provides some access control related base classes in `org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol`
+that may be used for a custom implementation:
 
-- `AbstractAccessControlList`
-- `ImmutableACL`
-- `ACE`
+- `AbstractAccessControlList`: abstract base implementation of the `JackrabbitAccessControlList` interface
+    - `ImmutableACL`: immutable subclass of `AbstractAccessControlList`
+    - `ACE`: abstract subclass that implements common methods of a mutable access control list.
 
 #### Restriction Management
 
-- `RestrictionProvider`:
-- `RestrictionDefinition`
-- `RestrictionPattern`
-- `Restriction`
-
-See [Restriction Management](accesscontrol/restriction.html) for details.
+Oak 1.0 defines a dedicated restriction management API. See
+[Restriction Management](accesscontrol/restriction.html) for details and further
+information regarding extensibility and pluggability.
 
 ### Utilities
 
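Review bot: the `ACE` bullet is described as an "abstract subclass that implements common methods of a mutable access control list" and is nested under `AbstractAccessControlList` beside `ImmutableACL`, but the name denotes an access control entry, not a list. Move `ACE` out of the sub-list and describe it as the abstract entry base class; if the "mutable access control list" wording was meant for another class, name that class explicitly. The removed `[1]` reference is also not replaced by a link, so consider linking the package name to its apidocs.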

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md?rev=1594929&r1=1594928&r2=1594929&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md Thu May 15 14:36:09 2014
@@ -18,6 +18,8 @@
 Using the Access Control Management API
 --------------------------------------------------------------------------------
 
+_todo_: add examples
+
 ### Reading
 
 #### Privilege Discovery
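Review bot: the added `_todo_: add examples` line sits directly under the page title, so it becomes the first rendered text of "Using the Access Control Management API". Track the missing examples in the OAK-301 issue or keep the marker next to the subsection that still lacks an example, rather than at the top of the published page.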

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1594929&r1=1594928&r2=1594929&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Thu May 15 14:36:09 2014
@@ -328,17 +328,72 @@ section [External Authentication](authen
 
 #### Oak Authentication
 
+In the the package `org.apache.jackrabbit.oak.spi.security.authentication` Oak 1.0
+defines some extensions points that allow for further customization of the authentication.
+
+- `LoginContextProvider`: Configurable provider of the `LoginContext` (see below)
+- `LoginContext`: Interface version of the JAAS LoginContext aimed to ease integration with non-JAAS components
+- `Authentication`: Aimed to validate credentials during the first phase of the (JAAS) login process.
 _todo_
 
 ##### Abstract Login Module
 
-_todo_
+This package also contains a abstract `LoginModule` implementation ([AbstractLoginModule])
+providing common functionality. In particular it contains Oak specific methods that allow
+subclasses to retrieve the `SecurityProvider`, a `Root` and accesss to various
+security related interfaces (e.g. `PrincipalManager`).
+
+Subclasses are required to implement the following methods:
+
+- `getSupportedCredentials(): return a set of supported credential classes.
+- `login()`: The login method defined by `LoginModule`
+- `commit()`: The commit method defined by `LoginModule`
+
+###### Example: Extending AbstractLoginModule
+
+    public class TestLoginModule extends AbstractLoginModule {
+
+        private Credentials credentials;
+        private String userId;
+        private Set<? extends Principal> principals;
+
+        @Nonnull
+        @Override
+        protected Set<Class> getSupportedCredentials() {
+            return ImmutableSet.of(TestCredentials.class);
+        }
+
+        @Override
+        public boolean login() throws LoginException {
+            credentials = getCredentials();
+            if (validCredentials(credentials)) {
+                this.credentials = credentials;
+                this.userId = getUserId(credentials);
+                this.principals = getPrincipals(userId);
+                return true;
+            }
+            return false;
+        }
+
+        @Override
+        public boolean commit() throws LoginException {
+            if (credentials != null) {
+                if (!subject.isReadOnly()) {
+                    subject.getPublicCredentials().add(credentials);
+                    if (principals != null) {
+                        subject.getPrincipals().addAll(principals);
+                    }
+                    AuthInfo authInfo = new AuthInfoImpl(userId, Collections.EMPTY_MAP, principals);
+                    setAuthInfo(authInfo, subject);
+                }
+                return true;
+            }
+            return false;
+        }
+    }
+
 
-org.apache.jackrabbit.oak.spi.security.authentication:
 
-- `LoginContextProvider`: Configurable provider of the `LoginContext` (see below)
-- `LoginContext`: Interface version of the JAAS LoginContext aimed to ease integration with non-JAAS components
-- `Authentication`: Aimed to validate credentials during the first phase of the (JAAS) login process.
 
 #### Token Management
 
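Review bot: in the `TestLoginModule` example, `login()` assigns the `credentials` field from `getCredentials()` before `validCredentials(credentials)` runs, so the field stays non-null when validation fails and `login()` returns false. `commit()` only tests `credentials != null`, so if it is invoked after such a failed login it adds the unvalidated credentials to the subject and builds an `AuthInfoImpl` with a null `userId`. Read the credentials into a local variable and set the fields only inside the `if`, which also removes the no-op `this.credentials = credentials;`. Separately, the `getSupportedCredentials()` bullet is missing its closing backtick, "In the the package", "a abstract" and "accesss" need correcting, and the `_todo_` left directly under the new list of extension points looks stale now that the list has been filled in.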
@@ -356,7 +411,6 @@ _todo_ [Synchronization](authentication/
 
 Oak in addition provides interfaces to ease custom implementation of the external
 authentication with optional user/group synchronization to the repository.
-
 See section [identity management](authentication/identitymanagement.html) for details.
 
 ### Configuration
@@ -374,6 +428,10 @@ There also exists a utility class that a
     - `TokenLoginModule`: covers token base authentication
     - `LoginModuleImpl`: covering regular uid/pw login
 
+### Pluggability
+
+_todo_
+
 ### Further Reading
 
 - [Differences wrt Jackrabbit 2.x](authentication/differences.html)
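Review bot: the new `### Pluggability` heading has only `_todo_` as its body, which publishes an empty section in the authentication documentation. Either hold the heading back until there is content, or add a one-line pointer to the existing Configuration section so readers are not left at a stub.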
@@ -397,4 +455,4 @@ There also exists a utility class that a
 [LoginModuleImpl]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html
 [com.day.crx.security.ldap.LDAPLoginModule]: http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html
 [AuthenticationConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.html
-[TokenConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenConfiguration.html
\ No newline at end of file
+[AbstractLoginModoule]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.html
\ No newline at end of file
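Review bot: the added link definition is labelled `[AbstractLoginModoule]`, while the text added in the "Abstract Login Module" section of this same file references `[AbstractLoginModule]`, so that reference will not resolve and renders as literal brackets. Correct the label to `[AbstractLoginModule]`. The change also replaces the `[TokenConfiguration]` definition instead of appending to it; if the page still references `[TokenConfiguration]` anywhere, keep that line and add the new definition after it.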

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1594929&r1=1594928&r2=1594929&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Thu May 15 14:36:09 2014
@@ -154,6 +154,15 @@ write operations.
 - [PrivilegeBitsProvider] : Internal provider to read `PrivilegeBits` from the repository content and map names to internal representation (and vice versa).
 - [PrivilegeBits]: Internal representation of JCR privileges.
 
+### Utilities
+
+The jcr-commons module present with Jackrabbit provide some privilege related
+utility methods:
+
+- `AccessControlUtils`
+    - `privilegesFromNames(Session session, String... privilegeNames)`
+    - `privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)`
+
 
 ### Configuration
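Review bot: in the new Utilities paragraph, "The jcr-commons module present with Jackrabbit provide" has a subject/verb mismatch; "The jcr-commons module shipped with Jackrabbit provides" reads correctly. `AccessControlUtils` is also listed without its package or an apidocs link, unlike the bracketed `[PrivilegeBitsProvider]` and `[PrivilegeBits]` entries just above, so a reader cannot tell which class is meant; add the fully qualified name or a link definition.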