Posted to commits@jackrabbit.apache.org by an...@apache.org on 2016/05/18 06:44:11 UTC

svn commit: r1744354 [2/3] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/segment/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication/ security/authorization/ security/p...

Added: jackrabbit/site/live/oak/docs/security/authentication/defaultusersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/defaultusersync.html?rev=1744354&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/defaultusersync.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/defaultusersync.html Wed May 18 06:44:10 2016
@@ -0,0 +1,824 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-05-18
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20160518" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - User and Group Synchronization : The Default Implementation</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                                                                <a class="brand" href="../../"  title="Oak logo">
+
+                                
+                                                                                                                    <img src="../../oak_logo.png" alt="Oak logo" />
+                
+                </a>
+                    
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../architecture/overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../architecture/nodestate.html"  title="The Node State Model">The Node State Model</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://www.day.com/specs/jcr/2.0/index.html"  title="JCR API">JCR API</a>
+</li>
+                  
+                      <li>      <a href="../../oak_api/overview.html"  title="Oak API">Oak API</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../features/atomic-counter.html"  title="Atomic Counter">Atomic Counter</a>
+</li>
+                  
+                      <li>      <a href="../../plugins/blobstore.html"  title="Blob Storage">Blob Storage</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/documentmk.html"  title="DocumentNodeStore">DocumentNodeStore</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/overview.html"  title="Node Storage">Node Storage</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/persistent-cache.html"  title="Persistent Cache">Persistent Cache</a>
+</li>
+                  
+                      <li>      <a href="../../query/query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/segment/overview.html"  title="Segment Node Store">Segment Node Store</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository Construction">Repository Construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../command_line.html"  title="Command Line Tools">Command Line Tools</a>
+</li>
+                  
+                      <li>      <a href="../../migration.html"  title="Migration">Migration</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and Don'ts">Dos and Don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../coldstandby/coldstandby.html"  title="Cold Standby">Cold Standby</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../developing-with-git.html"  title="Developing with Git">Developing with Git</a>
+</li>
+                  
+                      <li>      <a href="../../diagnostic-builds.html"  title="Cutting diagnostic builds">Cutting diagnostic builds</a>
+</li>
+                  
+                      <li>      <a href="../../attribution.html"  title="Attribution">Attribution</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2016-05-18</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and Architecture</li>
+                                
+      <li>
+    
+                          <a href="../../architecture/overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../architecture/nodestate.html" title="The Node State Model">
+          <i class="none"></i>
+        The Node State Model</a>
+            </li>
+                              <li class="nav-header">Main APIs</li>
+                                
+      <li>
+    
+                          <a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API">
+          <i class="none"></i>
+        JCR API</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../oak_api/overview.html" title="Oak API">
+          <i class="none"></i>
+        Oak API</a>
+            </li>
+                              <li class="nav-header">Features and Plugins</li>
+                                
+      <li>
+    
+                          <a href="../../features/atomic-counter.html" title="Atomic Counter">
+          <i class="none"></i>
+        Atomic Counter</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../plugins/blobstore.html" title="Blob Storage">
+          <i class="none"></i>
+        Blob Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/documentmk.html" title="DocumentNodeStore">
+          <i class="none"></i>
+        DocumentNodeStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/overview.html" title="Node Storage">
+          <i class="none"></i>
+        Node Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/persistent-cache.html" title="Persistent Cache">
+          <i class="none"></i>
+        Persistent Cache</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query/query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/segment/overview.html" title="Segment Node Store">
+          <i class="none"></i>
+        Segment Node Store</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository Construction">
+          <i class="none"></i>
+        Repository Construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../command_line.html" title="Command Line Tools">
+          <i class="none"></i>
+        Command Line Tools</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../migration.html" title="Migration">
+          <i class="none"></i>
+        Migration</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and Don'ts">
+          <i class="none"></i>
+        Dos and Don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../coldstandby/coldstandby.html" title="Cold Standby">
+          <i class="none"></i>
+        Cold Standby</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../developing-with-git.html" title="Developing with Git">
+          <i class="none"></i>
+        Developing with Git</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../diagnostic-builds.html" title="Cutting diagnostic builds">
+          <i class="none"></i>
+        Cutting diagnostic builds</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../attribution.html" title="Attribution">
+          <i class="none"></i>
+        Attribution</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak/docs/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>User and Group Synchronization : The Default Implementation<a name="User_and_Group_Synchronization_:_The_Default_Implementation"></a></h2>
+<div class="section">
+<h3>Default Implementation of Sync API<a name="Default_Implementation_of_Sync_API"></a></h3>
+<div class="section">
+<h4>SyncManager<a name="SyncManager"></a></h4>
+<p>The default implementation (<tt>SyncManagerImpl</tt>) is intended for use in an OSGi-base repository setup: it tracks all <tt>SyncHandler</tt> registered via OSGi.</p>
+<p>It can be used in non-OSGi environments by passing a <tt>org.apache.jackrabbit.oak.spi.whiteboard.Whiteboard</tt> to the constructor.</p></div>
+<div class="section">
+<h4>SyncHandler<a name="SyncHandler"></a></h4>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html">DefaultSyncHandler</a> comes with a set of configuration options that allow to specify the synchronization behavior (see below). Depending on the configuration it chooses between two different <tt>SyncContext</tt> implementations.</p></div>
+<div class="section">
+<h4>SyncContext<a name="SyncContext"></a></h4>
+<p>Oak provides the following implementations of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> interface:</p>
+
+<ul>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a>: base implementation that synchronizes external user and group accounts into the repository</li>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/DynamicSyncContext.html">DynamicSyncContext</a>: derived implementation that provides special handling for external groups.</li>
+</ul>
+<div class="section">
+<h5>DefaultSyncContext<a name="DefaultSyncContext"></a></h5>
+<p>All users/groups synchronized by this context will get the following properties set. These properties allow to run separate task for periodical update and make sure the authorizables can later on be identified as external users.</p>
+
+<ul>
+  
+<li><tt>rep:externalId</tt> : This allows to identify the external users, know the associated IDP and distinguish them from others.</li>
+  
+<li><tt>rep:lastSynced</tt> : Sync timestamp to mark the external user/group valid for the configurable time (to reduce expensive syncing). Once expired, they will be validated against the 3rd party system again.</li>
+</ul>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> is exported as part of the &#x2018;basic&#x2019; package space and may be used to provide custom implementations.</p></div>
+<div class="section">
+<h5>DynamicSyncContext<a name="DynamicSyncContext"></a></h5>
+<p>Extending from the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> this implementation that provides special handling for external groups in case the <a href="#dynamic_membership">Dynamic Group Membership</a> option is enabled in the <a href="#configuration">Configuration</a>.</p>
+<p>In addition to the properties mentioned above this implementation will additionally create a multivalued STRING property that caches the group principal names of the external user accounts:</p>
+
+<ul>
+  
+<li><tt>rep:externalPrincipalNames</tt> : Optional system-maintained property related to <a href="#dynamic_membership">Dynamic Group Membership</a></li>
+</ul></div></div>
+<div class="section">
+<h4>SyncResult<a name="SyncResult"></a></h4>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncResultImpl.html">DefaultSyncResultImpl</a> is exported as part of the &#x2018;basic&#x2019; package space providing a simple <tt>SyncResult</tt> implementation based on a status and a <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncedIdentity.html">DefaultSyncedIdentity</a>.</p></div>
+<div class="section">
+<h4>SyncedIdentity<a name="SyncedIdentity"></a></h4>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncedIdentity.html">DefaultSyncedIdentity</a> is exported as part of the &#x2018;basic&#x2019; package space. It maps the ID of a synchronized user/group account to the external identity references represented by <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>.</p>
+<p><a name="dynamic_membership"></a></p></div></div>
+<div class="section">
+<h3>Dynamic Group Membership<a name="Dynamic_Group_Membership"></a></h3>
+<p>As of Oak 1.5.3 the default sync handler comes with an addition configuration option that allows to enable dynamic group membership resolution for external users. Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external groups are synchronized (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4101">OAK-4101</a>). </p>
+<p>The key benefits of dynamic membership resolution are:</p>
+
+<ul>
+  
+<li>avoiding duplicate user management effort wrt to membership handling both in the external IDP and the repository</li>
+  
+<li>ease principal resolution upon repository login</li>
+</ul>
+<div class="section">
+<h4>SyncContext with Dynamic Membership<a name="SyncContext_with_Dynamic_Membership"></a></h4>
+<p>With the default <tt>SyncHandler</tt> this configuration option will show the following effects:</p>
+
+<ul>
+  
+<li>If enabled the handler will use an alternative <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> to synchronize external groups.</li>
+  
+<li>Instead of synchronizing groups into the user management, this <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/DynamicSyncContext.html">DynamicSyncContext</a>  will additionally set the property <tt>rep:externalPrincipalNames</tt> on the synchronized external user</li>
+  
+<li><tt>rep:externalPrincipalNames</tt> is a system maintained multivalued property of type  &#x2018;STRING&#x2019; storing the names of the <tt>java.security.acl.Group</tt>-principals a given  external user is member of (both declared and inherited according to the configured  membership nesting depth)</li>
+  
+<li>External groups will no longer be synchronised into the repository&#x2019;s user management  but will only be available as <tt>Principal</tt>s (see section <i>User Management</i> below).</li>
+</ul></div>
+<div class="section">
+<h4>Effect of Dynamic Membership on other Security Modules<a name="Effect_of_Dynamic_Membership_on_other_Security_Modules"></a></h4>
+<div class="section">
+<h5>Principal Management<a name="Principal_Management"></a></h5>
+<p>The dynamic (principal) membership features comes with a dedicated <tt>PrincipalConfiguration</tt> implementation (i.e. <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.html">ExternalPrincipalConfiguration</a>) that is in charge of securing<br />the <tt>rep:externalPrincipalNames</tt> properties (see also section <a href="#validation">Validation</a> and <a href="#configuration">Configuration</a> below). </p>
+<p>Additionally the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.html">ExternalPrincipalConfiguration</a> provides a <tt>PrincipalProvider</tt> implementation which makes external (group) principals available to the repository&#x2019;s authentication and authorization using the <tt>rep:externalPrincipalNames</tt> as a persistent cache to avoid expensive lookup on the IDP. This also makes external <tt>Principal</tt>s retrievable and searchable through the Jackrabbit principal management API (see section <a href="../principal.html">Principal Management</a> for a comprehensive description).</p>
+<p>Please note the following implementation detail wrt accessibility of group principals: A given external principal will be accessible though the principal management API if it can be read from any of the <tt>rep:externalPrincipalNames</tt> properties present using a dedicated query.</p></div>
+<div class="section">
+<h5>User Management<a name="User_Management"></a></h5>
+<p>As described above the dynamic membership option will effectively disable the synchronization of the complete external group account information into the repository&#x2019;s user management feature but limit the synchronized information to the principal names and the membership relation between a given <tt>java.security.acl.Group</tt> principal and external user accounts.</p>
+<p>The user management API will consequently no longer be knowledgeable of external group identities (exception: groups that have been synchronized before enabling the feature will remain untouched and will be synchronized according to the sync configuration).</p>
+<p>While this behavior does not affect default authentication and authorization modules (see below) it will have an impact on applications that rely on full synchronization of external identities. Those application won&#x2019;t be able to benefit from the dynamic membership feature until dynamic groups can be created with the Jackrabbit <a href="../user.html">User Management API</a> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-2687">OAK-2687</a>).</p></div>
+<div class="section">
+<h5>Authentication<a name="Authentication"></a></h5>
+<p>The authentication setup provided by Oak is not affected by the dynamic membership handling as long as the configured <tt>LoginModule</tt> implementations rely on the <tt>PrincipalProvider</tt> for principal resolution and the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.html">ExternalPrincipalConfiguration</a> is properly registered with the <tt>SecurityProvider</tt> (see section <a href="#configuration">Configuration</a> below).</p></div>
+<div class="section">
+<h5>Authorization<a name="Authorization"></a></h5>
+<p>The authorization modules shipped with Oak only depend on <tt>Principal</tt>s (and not on user management functionality) and are therefore not affected by the dynamic membership configuration.</p>
+<p><a name="xml_import"></a></p></div></div>
+<div class="section">
+<h4>XML Import<a name="XML_Import"></a></h4>
+<p>The protected nature of the <tt>rep:externalPrincipalNames</tt> is also reflected during XML import of user accounts:</p>
+<p>External users with a <tt>rep:externalPrincipalNames</tt> property will get regularly imported. However, any non-system driven import will omit the <tt>rep:externalPrincipalNames</tt> and additional remove the <tt>rep:lastSynced</tt> property in order to force a re-sync of the external user by the system upon the next login or when triggered through the JMX console. Depending on the <i>User Dynamic Membership</i> configuration value on the target system the sync will then result in a full sync of group membership or will re-create the <tt>rep:externalPrincipalNames</tt> property.</p>
+<p><a name="validation"></a></p></div>
+<div class="section">
+<h4>Validation<a name="Validation"></a></h4>
+<p>As of Oak 1.5.3 a dedicated <tt>Validator</tt> implementation asserts that the protected, system-maintained property <tt>rep:externalPrincipalNames</tt> is only written by the internal system session. </p>
+<p>This prevents users to unintentionally or maliciously manipulating the information linking to the external identity provider in particular their external identity and the set of external group principals associated with their account.</p>
+<p>Additionally the validator asserts the consistency of the properties defined with external user/group accounts.</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Code </th>
+      
+<th>Message </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>0070 </td>
+      
+<td>Attempt to create, modify or remove the system property rep:externalPrincipalNames </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0071 </td>
+      
+<td>Attempt to write rep:externalPrincipalNames with a type other than Type.STRINGS </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0072 </td>
+      
+<td>Property rep:externalPrincipalNames requires rep:externalId to be present on the Node. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0073 </td>
+      
+<td>Property rep:externalId cannot be removed if rep:externalPrincipalNames is present. </td>
+    </tr>
+  </tbody>
+</table>
+<p><a name="configuration"></a></p></div></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<div class="section">
+<h4>Configuration of the DefaultSyncHandler<a name="Configuration_of_the_DefaultSyncHandler"></a></h4>
+<p>The default <tt>SyncHandler</tt> implementations are configured via <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a>:</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Name </th>
+      
+<th>Property </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>Sync Handler Name </td>
+      
+<td><tt>handler.name</tt> </td>
+      
+<td>Name of this sync configuration. This is used to reference this handler by the login modules. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User auto membership </td>
+      
+<td><tt>user.autoMembership</tt> </td>
+      
+<td>List of groups that a synced user is added to automatically </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User Expiration Time </td>
+      
+<td><tt>user.expirationTime</tt> </td>
+      
+<td>Duration until a synced user gets expired (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User Membership Expiration </td>
+      
+<td><tt>user.membershipExpTime</tt> </td>
+      
+<td>Time after which membership expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User membership nesting depth </td>
+      
+<td><tt>user.membershipNestingDepth</tt> </td>
+      
+<td>Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User Dynamic Membership </td>
+      
+<td><tt>user.dynamicMembership</tt> </td>
+      
+<td>Enabling dynamic membership for external users. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User Path Prefix </td>
+      
+<td><tt>user.pathPrefix</tt> </td>
+      
+<td>The path prefix used when creating new users. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User property mapping </td>
+      
+<td><tt>user.propertyMapping</tt> </td>
+      
+<td>List mapping definition of local properties from external ones. eg: &#x2018;profile/email=mail&#x2019;.Use double quotes for fixed values. eg: &#x2019;profile/nt:primaryType=&#x201c;nt:unstructured&#x201d; </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group auto membership </td>
+      
+<td><tt>group.autoMembership</tt> </td>
+      
+<td>List of groups that a synced group is added to automatically </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group Expiration Time </td>
+      
+<td><tt>group.expirationTime</tt> </td>
+      
+<td>Duration until a synced group expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group Path Prefix </td>
+      
+<td><tt>group.pathPrefix</tt> </td>
+      
+<td>The path prefix used when creating new groups. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group property mapping </td>
+      
+<td><tt>group.propertyMapping</tt> </td>
+      
+<td>List mapping definition of local properties from external ones. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td> </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table></div>
+<div class="section">
+<h4>Configuration of the ExternalPrincipalConfiguration<a name="Configuration_of_the_ExternalPrincipalConfiguration"></a></h4>
+<p>Please note that the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalPrincipalConfiguration.html">ExternalPrincipalConfiguration</a> comes with a dedicated <tt>RepositoryInitializer</tt>, which requires the repository to be (re)initialized once the module <tt>oak-auth-external</tt> is installed.</p>
+<p>The recommended way to assert a proper init, is to add &#x2018;org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration&#x2019; as additional value to the <tt>requiredServicePids</tt> configuration option of the <tt>SecurityProviderRegistration</tt> <i>(&#x201c;Apache Jackrabbit Oak SecurityProvider&#x201d;)</i>.</p>
+<p>See section <a href="../introduction.html">Introduction to Oak Security</a> for further details on the <tt>SecurityProviderRegistration</tt>.</p>
+<!-- references --></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2016
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+                
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Propchange: jackrabbit/site/live/oak/docs/security/authentication/defaultusersync.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/security/authentication/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/differences.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/differences.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authentication : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authentication with the External Login Module</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 
@@ -550,14 +550,7 @@
 <h5>General<a name="General"></a></h5>
 <p>The external login module has 2 main tasks. One is to authenticate credentials against a 3rd party system, the other is to coordinate syncing of the respective users and groups with the JCR repository (via the UserManager).</p>
 <p>If a user needs re-authentication (for example, if the cache validity expired or if the user is not yet present in the local system at all), the login module must check the credentials with the external system during the <tt>login()</tt> method.</p>
-<p>Note:</p>
-
-<ul>
-  
-<li>users (and groups) that are synced from the 3rd party system contain a <tt>rep:externalId</tt> property. This allows to identify the external users and distinguish them from others.</li>
-  
-<li>to reduce expensive syncing, the synced users and groups have sync timestamp <tt>rep:lastSynced</tt> and are considered valid for a configurable time. if they expire, they need to be validated against the 3rd party system again.</li>
-</ul></div>
+<p>The details of the default user/group synchronization mechanism are described in section <a href="defaultusersync.html">User and Group Synchronization : The Default Implementation</a></p></div>
 <div class="section">
 <h5>Supported Credentials<a name="Supported_Credentials"></a></h5>
 <p>As of Oak 1.5.1 the <tt>ExternalLoginModule</tt> can deal for any kind of <tt>Credentials</tt> implementations. By default (i.e. unless configured otherwise) the module supports <tt>SimpleCredentials</tt> and thus behaves backwards compatible to previous versions.</p>

Modified: jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - External Identity Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/ldap.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/ldap.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/ldap.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/ldap.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - LDAP Integration</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Pre-Authenticated Login</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Token Authentication and Token Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/usersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/usersync.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/usersync.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/usersync.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - User and Group Synchronization</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 
@@ -510,8 +510,7 @@
 <h2>User and Group Synchronization<a name="User_and_Group_Synchronization"></a></h2>
 <div class="section">
 <h3>General<a name="General"></a></h3>
-<p>The synchronization of users and groups is triggered by the <a href="externalloginmodule.html">ExternalLoginModule</a>, after a user is successfully authenticated against the IDP or if it&#x2019;s no longer present on the IDP.</p>
-<p>Oak comes with a default implementation of the <tt>SyncHandler</tt> interface: [org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler].</p></div>
+<p>The synchronization of users and groups is triggered by the <a href="externalloginmodule.html">ExternalLoginModule</a>, after a user is successfully authenticated against the IDP or if it&#x2019;s no longer present on the IDP.</p></div>
 <div class="section">
 <h3>Synchronization API<a name="Synchronization_API"></a></h3>
 
@@ -549,145 +548,8 @@
 </ul></div></div>
 <div class="section">
 <h3>Default Implementation<a name="Default_Implementation"></a></h3>
-<p>Oak 1.0 provides a default implementation of the user synchronization API that allow to plug additional <tt>SyncHandler</tt> implementations.</p>
-<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html">DefaultSyncHandler</a> itself comes with a set of configuration options that allow to specify the synchronization behavior (see below). All users/groups synchronized by this handler will get the following properties set:</p>
-
-<ul>
-  
-<li><tt>rep:externalId</tt></li>
-  
-<li><tt>rep:lastSynced</tt></li>
-</ul>
-<p>These properties allow to run separat task for periodical update and make sure the authorizables can later on be identitied as external users.</p></div>
-<div class="section">
-<h3>Configuration<a name="Configuration"></a></h3>
-<div class="section">
-<h4>Configuration of the DefaultSyncHandler<a name="Configuration_of_the_DefaultSyncHandler"></a></h4>
-<p>The default sync handler implementation is configured via <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html">DefaultSyncConfig</a>:</p>
-
-<table border="0" class="table table-striped">
-  <thead>
-    
-<tr class="a">
-      
-<th>Name </th>
-      
-<th>Property </th>
-      
-<th>Description </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>Sync Handler Name </td>
-      
-<td><tt>handler.name</tt> </td>
-      
-<td>Name of this sync configuration. This is used to reference this handler by the login modules. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User auto membership </td>
-      
-<td><tt>user.autoMembership</tt> </td>
-      
-<td>List of groups that a synced user is added to automatically </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>User Expiration Time </td>
-      
-<td><tt>user.expirationTime</tt> </td>
-      
-<td>Duration until a synced user gets expired (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User Membership Expiration </td>
-      
-<td><tt>user.membershipExpTime</tt> </td>
-      
-<td>Time after which membership expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>User membership nesting depth </td>
-      
-<td><tt>user.membershipNestingDepth</tt> </td>
-      
-<td>Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User Path Prefix </td>
-      
-<td><tt>user.pathPrefix</tt> </td>
-      
-<td>The path prefix used when creating new users. </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>User property mapping </td>
-      
-<td><tt>user.propertyMapping</tt> </td>
-      
-<td>List mapping definition of local properties from external ones. eg: &#x2018;profile/email=mail&#x2019;.Use double quotes for fixed values. eg: &#x2019;profile/nt:primaryType=&#x201c;nt:unstructured&#x201d; </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>Group auto membership </td>
-      
-<td><tt>group.autoMembership</tt> </td>
-      
-<td>List of groups that a synced group is added to automatically </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>Group Expiration Time </td>
-      
-<td><tt>group.expirationTime</tt> </td>
-      
-<td>Duration until a synced group expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>Group Path Prefix </td>
-      
-<td><tt>group.pathPrefix</tt> </td>
-      
-<td>The path prefix used when creating new groups. </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>Group property mapping </td>
-      
-<td><tt>group.propertyMapping</tt> </td>
-      
-<td>List mapping definition of local properties from external ones. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td> </td>
-      
-<td> </td>
-      
-<td> </td>
-    </tr>
-  </tbody>
-</table></div></div>
+<p>Oak 1.0 provides a default implementation of the user synchronization API that allow to plug additional <tt>SyncHandler</tt> implementations. </p>
+<p>Default implementation is described in section <a href="defaultusersync.html">User and Group Synchronization : The Default Implementation</a>.</p></div>
 <div class="section">
 <h3>Pluggability<a name="Pluggability"></a></h3>
 <p>There are two ways to replace/change the user synchronization behavior</p>

Modified: jackrabbit/site/live/oak/docs/security/authorization.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization.html (original)
+++ jackrabbit/site/live/oak/docs/security/authorization.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authorization</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authorization/composite.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization/composite.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization/composite.html (original)
+++ jackrabbit/site/live/oak/docs/security/authorization/composite.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Combining Multiple Authorization Models</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authorization/cug.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization/cug.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization/cug.html (original)
+++ jackrabbit/site/live/oak/docs/security/authorization/cug.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Managing Access with Closed User Groups (CUG)</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authorization/restriction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization/restriction.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization/restriction.html (original)
+++ jackrabbit/site/live/oak/docs/security/authorization/restriction.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Restriction Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/introduction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/introduction.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/introduction.html (original)
+++ jackrabbit/site/live/oak/docs/security/introduction.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Introduction to Oak Security</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/overview.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/overview.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/overview.html (original)
+++ jackrabbit/site/live/oak/docs/security/overview.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - The Oak Security Layer</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permissions</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/default.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/default.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permissions : The Default Implementation</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/differences.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/differences.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permissions : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission/evaluation.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/evaluation.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/evaluation.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/evaluation.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permission Evaluation in Detail</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/permission/permissionsandprivileges.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/permissionsandprivileges.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/permissionsandprivileges.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/permissionsandprivileges.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Permissions vs Privileges</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/principal.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/principal.html (original)
+++ jackrabbit/site/live/oak/docs/security/principal.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Principal Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/principal/cache.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal/cache.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/principal/cache.html (original)
+++ jackrabbit/site/live/oak/docs/security/principal/cache.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Caching Results of Principal Resolution</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/principal/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal/differences.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/principal/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/principal/differences.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Principal Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/principal/principalprovider.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal/principalprovider.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/principal/principalprovider.html (original)
+++ jackrabbit/site/live/oak/docs/security/principal/principalprovider.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Implementations of the PrincipalProvider Interface</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 
@@ -522,7 +522,13 @@
 <div class="section">
 <h3><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/CompositePrincipalProvider.html">CompositePrincipalProvider</a><a name="CompositePrincipalProvider"></a></h3>
 <p>This implementation is a simple wrapper implementation that combines different principals from different source providers. It is used in <tt>CompositePrincipalConfiguration</tt> held by the default <tt>SecurityProvider</tt> to collect all configured/plugged principal configurations i.e. the various implementations of principal management.</p>
-<p>Custom <tt>PrincipalProvider</tt> implementations may be used to combine principals from different source i.e. detaching principal management from the user management, where principals are backed by an existing user/group account.</p>
+<p>Custom <tt>PrincipalProvider</tt> implementations may be used to combine principals from different source i.e. detaching principal management from the user management, where principals are backed by an existing user/group account.</p></div>
+<div class="section">
+<h3><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.html">ExternalGroupPrincipalProvider</a><a name="ExternalGroupPrincipalProvider"></a></h3>
+<p>Implementation of the <tt>PrincipalProvider</tt> interface that exposes <i>external</i> principals of type <tt>java.security.acl.Group</tt>. <i>External</i> refers to the fact that these principals are defined and managed by an external identity provider in contrast to the default implementation that represents principals native to the repository. This implies that the principals known and exposed by this provider implementation does not expect principals to be backed by an authorizable group. As such they can only be retrieved using Jackrabbit Principal Management API but not with User Management calls.</p>
+<p>For performance reasons the <tt>ExternalGroupPrincipalProvider</tt> doesn&#x2019;t lookup principals on the IDP but relies on a persisted cache inside the repository where the names of these external principals are synchronized to based on a configurable expiration time.</p>
+<p>See section <a href="../authentication/defaultusersync.html">User and Group Synchronization : The Default Implementation</a> for additional details.</p>
+<p>Since Oak 1.5.3</p>
 <!-- references --></div></div>
                   </div>
             </div>
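Review bot: The first added paragraph for ExternalGroupPrincipalProvider has a sentence that does not parse ("the principals known and exposed by this provider implementation does not expect principals to be backed by an authorizable group"), which obscures the key property that these group principals have no backing authorizable. A clearer wording would be `This implies that the principals exposed by this provider are not expected to be backed by an authorizable group.` The second added paragraph says the provider reads principal names from a persisted cache that is synchronized on a configurable expiration time, but it does not state what that means for access control. Presumably a group membership removed at the IDP keeps taking effect in permission evaluation until the cached entry expires; if so, the text should say that and point to where the expiration is configured. The file is Doxia-generated, so any rewording belongs in the source document rather than in this HTML.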

Modified: jackrabbit/site/live/oak/docs/security/privilege.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/privilege/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/default.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/default.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : The Default Implementation</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/privilege/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/differences.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/differences.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html?rev=1744354&r1=1744353&r2=1744354&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html Wed May 18 06:44:10 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-04-20
+ | Generated by Apache Maven Doxia at 2016-05-04
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160420" />
+    <meta name="Date-Revision-yyyymmdd" content="20160504" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : Mapping Privileges to Items</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-04-20</li>
+                  <li id="publishDate">Last Published: 2016-05-04</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>