You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by th...@apache.org on 2016/09/15 09:46:37 UTC
svn commit: r1760905 - in /jackrabbit/site/live/oak/docs: .DS_Store
query/lucene.html query/property-index.html security/authentication/token/
security/authentication/token/default.html
security/authentication/tokenmanagement.html
Author: thomasm
Date: Thu Sep 15 09:46:36 2016
New Revision: 1760905
URL: http://svn.apache.org/viewvc?rev=1760905&view=rev
Log:
OAK-936: Site checkin for project Oak Documentation-1.6-SNAPSHOT
Added:
jackrabbit/site/live/oak/docs/security/authentication/token/
jackrabbit/site/live/oak/docs/security/authentication/token/default.html
Modified:
jackrabbit/site/live/oak/docs/.DS_Store
jackrabbit/site/live/oak/docs/query/lucene.html
jackrabbit/site/live/oak/docs/query/property-index.html
jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
Modified: jackrabbit/site/live/oak/docs/.DS_Store
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/.DS_Store?rev=1760905&r1=1760904&r2=1760905&view=diff
==============================================================================
Binary files - no diff available.
Modified: jackrabbit/site/live/oak/docs/query/lucene.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/query/lucene.html?rev=1760905&r1=1760904&r2=1760905&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/query/lucene.html (original)
+++ jackrabbit/site/live/oak/docs/query/lucene.html Thu Sep 15 09:46:36 2016
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2016-08-10
+ | Generated by Apache Maven Doxia at 2016-09-15
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20160810" />
+ <meta name="Date-Revision-yyyymmdd" content="20160915" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak - Lucene Index</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -216,7 +216,7 @@
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2016-08-10</li>
+ <li id="publishDate">Last Published: 2016-09-15</li>
<li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
@@ -971,7 +971,7 @@
</pre></div></div>
<div class="section">
<h4>Analyzers<a name="Analyzers"></a></h4>
-<p><tt>@since Oak 1.5.5</tt> Unless custom analyzer is configured (as documented below), in-built analyzer can be configured to include original term as well to be indexed. This is controlled by setting boolean property <tt>indexOriginalTerm</tt> on analyzers node.</p>
+<p><tt>@since Oak 1.5.5, 1.4.7</tt> Unless custom analyzer is configured (as documented below), in-built analyzer can be configured to include original term as well to be indexed. This is controlled by setting boolean property <tt>indexOriginalTerm</tt> on analyzers node.</p>
<div class="source">
<pre>/oak:index/assetType
Modified: jackrabbit/site/live/oak/docs/query/property-index.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/query/property-index.html?rev=1760905&r1=1760904&r2=1760905&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/query/property-index.html (original)
+++ jackrabbit/site/live/oak/docs/query/property-index.html Thu Sep 15 09:46:36 2016
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2016-08-10
+ | Generated by Apache Maven Doxia at 2016-09-15
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20160810" />
+ <meta name="Date-Revision-yyyymmdd" content="20160915" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak - The Property Index</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -216,7 +216,7 @@
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2016-08-10</li>
+ <li id="publishDate">Last Published: 2016-09-15</li>
<li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
@@ -579,6 +579,7 @@
<div class="section">
<div class="section">
<h4>Reindexing<a name="Reindexing"></a></h4>
+<p>Usually, reindexing is only needed if the configuration of an index is changed, such that the index should contain more or different data. For example, reindexing is needed if the property to be indexed is changed, if a nodetype is added to <b><tt>declaringNodeTypes</tt></b>, or if <b><tt>includedPaths</tt></b> is changed. It is not strictly needed if less data is to be indexed, for example if a nodetype is removed. However, to save space, it might make sense to reindex even in that case. Typically, if a query does not return the expected result, reindexing does not help; more likely, the reason in somewhere else to be found, and disabling the index should be tried first.</p>
<p>Reindexing a property index happens synchronously by setting the <b><tt>reindex</tt></b> flag to <b><tt>true</tt></b>. This means that the first #save call will generate a full repository traversal with the purpose of building the index content and it might take a long time.</p>
<p>Asynchronous reindexing of a property index is available as of OAK-1456. The way this works is by pushing the property index updates to a background job and when the indexing process is done, the property definition will be switched back to a synchronous updates mode. To enable this async reindex behaviour you need to first set the <b><tt>reindex-async</tt></b> and <b><tt>reindex</tt></b> flags to <b><tt>true</tt></b> (call #save). You can verify the initial setup worked by refreshing the index definition node and looking for the <b><tt>async</tt></b> = <b><tt>async-reindex</tt></b> property. Next you need to start the dedicated background job via a jmx call to the <b><tt>PropertyIndexAsyncReindex#startPropertyIndexAsyncReindex</tt></b> MBean.</p>
<p>Example:</p>
@@ -590,7 +591,26 @@
.setProperty("reindex-async", true)
.setProperty("reindex", true);
}
-</pre></div></div></div></div>
+</pre></div></div>
+<div class="section">
+<h4>Cost Estimation<a name="Cost_Estimation"></a></h4>
+<p>When running a query, the property index reports its estimated cost to the query engine, and then the query engine picks the index with the lowest cost (cost-based query optimization). The algorithm to calculate the estimated cost is roughly as follows (a bit simplified):</p>
+
+<ul>
+
+<li>The cost is infinity (so the index is never used) if the condition contains a fulltext constraint, no applicable restriction, the wrong nodetype, or if the path filtering (<tt>includedPaths</tt> / <tt>excludedPaths</tt>) does not match the query.</li>
+
+<li>For the nodetype index, the cost is the sum of the cost for the <tt>jcr:primaryType</tt> lookup (if the primary type is known), plus the cost for the <tt>jcr:mixinTypes</tt> lookup (if that is known).</li>
+
+<li>Otherwise, the cost is based on the overhead (which is 2), plus the estimated number of entries.</li>
+
+<li>For an “x is not null” condition, the estimated number of entries is either the configured <tt>entryCount</tt> or, if not set, the approximate number of entries in the index. The approximation is an “order of magnitude” estimation (Morris’ algorithm).</li>
+
+<li>For a unique index and “x = 1” condition, the estimated number of entries is either 0 or 1 (depending on whether the key is found).</li>
+
+<li>For a non-unique index and a “x = 1” condition, if the <tt>entryCount</tt> and <tt>keyCount</tt> are set, those setting are used to estimate the number of entries. If not, the approximate number of entries for the key is read (maintained using Morris’ algorithm). In addition to that, the path condition is used to scale down the estimated count depending on the approximate number of nodes in that subtree versus the approximate number of entries in the repository, using approximation available via the <tt>counter</tt> index.</li>
+</ul>
+<p>For example, for a query with path restriction “/content/products/t-shirts” and property restriction “color = ‘red’”, if there is an index for the property “color”, then the entry count approximation is read from the index. Let’s say it is 10’000 for this value. Then the approximate number of nodes in the subtree “/content/products/t-shirts” is read (let’s say it is 20’000), and the approximate number of nodes in the repository (let’s say it is 1 million). Therefore, the estimated number of entries is scaled down (divided by 50) from 10’000 to 200. The estimated cost is therefore 202, due to the overhead of 2.</p></div></div></div>
</div>
</div>
</div>
Added: jackrabbit/site/live/oak/docs/security/authentication/token/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/token/default.html?rev=1760905&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/token/default.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/token/default.html Thu Sep 15 09:46:36 2016
@@ -0,0 +1,905 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-09-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <meta name="Date-Revision-yyyymmdd" content="20160915" />
+ <meta http-equiv="Content-Language" content="en" />
+ <title>Jackrabbit Oak - Token Management : The Default Implementation</title>
+ <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.3.0.min.css" />
+ <link rel="stylesheet" href="../../../css/site.css" />
+ <link rel="stylesheet" href="../../../css/print.css" media="print" />
+
+
+ <script type="text/javascript" src="../../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+
+ </head>
+ <body class="topBarEnabled">
+
+
+
+
+
+
+ <a href="http://github.com/apache/jackrabbit-oak">
+ <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+ src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+ alt="Fork me on GitHub">
+ </a>
+
+
+
+
+
+ <div id="topbar" class="navbar navbar-fixed-top ">
+ <div class="navbar-inner">
+ <div class="container-fluid">
+ <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </a>
+
+ <a class="brand" href="../../../" title="Oak logo">
+
+
+ <img src="../../../oak_logo.png" alt="Oak logo" />
+
+ </a>
+
+ <ul class="nav">
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="../../../index.html" title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+
+ <li> <a href="../../../license.html" title="License">License</a>
+</li>
+
+ <li> <a href="../../../downloads.html" title="Downloads">Downloads</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="../../../architecture/overview.html" title="Overview">Overview</a>
+</li>
+
+ <li> <a href="../../../architecture/nodestate.html" title="The Node State Model">The Node State Model</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a>
+</li>
+
+ <li> <a href="../../../oak_api/overview.html" title="Oak API">Oak API</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="../../../features/atomic-counter.html" title="Atomic Counter">Atomic Counter</a>
+</li>
+
+ <li> <a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+</li>
+
+ <li> <a href="../../../clustering.html" title="Clustering">Clustering</a>
+</li>
+
+ <li> <a href="../../../nodestore/documentmk.html" title="DocumentNodeStore">DocumentNodeStore</a>
+</li>
+
+ <li> <a href="../../../nodestore/overview.html" title="Node Storage">Node Storage</a>
+</li>
+
+ <li> <a href="../../../nodestore/persistent-cache.html" title="Persistent Cache">Persistent Cache</a>
+</li>
+
+ <li> <a href="../../../query/query.html" title="Query">Query</a>
+</li>
+
+ <li> <a href="../../../security/overview.html" title="Security">Security</a>
+</li>
+
+ <li> <a href="../../../nodestore/segment/overview.html" title="Segment Node Store">Segment Node Store</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="../../../use_getting_started.html" title="Getting Started">Getting Started</a>
+</li>
+
+ <li> <a href="../../../construct.html" title="Repository Construction">Repository Construction</a>
+</li>
+
+ <li> <a href="../../../osgi_config.html" title="Configuring Oak">Configuring Oak</a>
+</li>
+
+ <li> <a href="../../../command_line.html" title="Command Line Tools">Command Line Tools</a>
+</li>
+
+ <li> <a href="../../../migration.html" title="Migration">Migration</a>
+</li>
+
+ <li> <a href="../../../differences.html" title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+
+ <li> <a href="../../../known_issues.html" title="Known Issues">Known Issues</a>
+</li>
+
+ <li> <a href="../../../dos_and_donts.html" title="Dos and Don'ts">Dos and Don'ts</a>
+</li>
+
+ <li> <a href="../../../coldstandby/coldstandby.html" title="Cold Standby">Cold Standby</a>
+</li>
+
+ <li> <a href="../../../FAQ.html" title="FAQ">FAQ</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="../../../dev_getting_started.html" title="Getting Started">Getting Started</a>
+</li>
+
+ <li> <a href="../../../participating.html" title="Participating">Participating</a>
+</li>
+
+ <li> <a href="../../../developing-with-git.html" title="Developing with Git">Developing with Git</a>
+</li>
+
+ <li> <a href="../../../diagnostic-builds.html" title="Cutting diagnostic builds">Cutting diagnostic builds</a>
+</li>
+
+ <li> <a href="../../../attribution.html" title="Attribution">Attribution</a>
+</li>
+
+ <li> <a href="../../../release-schedule.html" title="Release Schedule">Release Schedule</a>
+</li>
+ </ul>
+ </li>
+ <li class="dropdown">
+ <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+ <ul class="dropdown-menu">
+
+ <li> <a href="http://jackrabbit.apache.org/oak" title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+
+ <li> <a href="http://jackrabbit.apache.org/" title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+ </ul>
+ </li>
+ </ul>
+
+
+
+
+ </div>
+
+ </div>
+ </div>
+ </div>
+
+ <div class="container-fluid">
+ <div id="banner">
+ <div class="pull-left">
+ <div id="bannerLeft">
+ <h2>Oak Documentation</h2>
+ </div>
+ </div>
+ <div class="pull-right"> </div>
+ <div class="clear"><hr/></div>
+ </div>
+
+ <div id="breadcrumbs">
+ <ul class="breadcrumb">
+
+
+ <li id="publishDate">Last Published: 2016-09-15</li>
+ <li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
+
+
+
+
+ </ul>
+ </div>
+
+
+ <div class="row-fluid">
+ <div id="leftColumn" class="span3">
+ <div class="well sidebar-nav">
+
+
+ <ul class="nav nav-list">
+ <li class="nav-header">Overview</li>
+
+ <li>
+
+ <a href="../../../index.html" title="Jackrabbit Oak">
+ <i class="none"></i>
+ Jackrabbit Oak</a>
+ </li>
+
+ <li>
+
+ <a href="../../../license.html" title="License">
+ <i class="none"></i>
+ License</a>
+ </li>
+
+ <li>
+
+ <a href="../../../downloads.html" title="Downloads">
+ <i class="none"></i>
+ Downloads</a>
+ </li>
+ <li class="nav-header">Concepts and Architecture</li>
+
+ <li>
+
+ <a href="../../../architecture/overview.html" title="Overview">
+ <i class="none"></i>
+ Overview</a>
+ </li>
+
+ <li>
+
+ <a href="../../../architecture/nodestate.html" title="The Node State Model">
+ <i class="none"></i>
+ The Node State Model</a>
+ </li>
+ <li class="nav-header">Main APIs</li>
+
+ <li>
+
+ <a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API">
+ <i class="none"></i>
+ JCR API</a>
+ </li>
+
+ <li>
+
+ <a href="../../../oak_api/overview.html" title="Oak API">
+ <i class="none"></i>
+ Oak API</a>
+ </li>
+ <li class="nav-header">Features and Plugins</li>
+
+ <li>
+
+ <a href="../../../features/atomic-counter.html" title="Atomic Counter">
+ <i class="none"></i>
+ Atomic Counter</a>
+ </li>
+
+ <li>
+
+ <a href="../../../plugins/blobstore.html" title="Blob Storage">
+ <i class="none"></i>
+ Blob Storage</a>
+ </li>
+
+ <li>
+
+ <a href="../../../clustering.html" title="Clustering">
+ <i class="none"></i>
+ Clustering</a>
+ </li>
+
+ <li>
+
+ <a href="../../../nodestore/documentmk.html" title="DocumentNodeStore">
+ <i class="none"></i>
+ DocumentNodeStore</a>
+ </li>
+
+ <li>
+
+ <a href="../../../nodestore/overview.html" title="Node Storage">
+ <i class="none"></i>
+ Node Storage</a>
+ </li>
+
+ <li>
+
+ <a href="../../../nodestore/persistent-cache.html" title="Persistent Cache">
+ <i class="none"></i>
+ Persistent Cache</a>
+ </li>
+
+ <li>
+
+ <a href="../../../query/query.html" title="Query">
+ <i class="none"></i>
+ Query</a>
+ </li>
+
+ <li>
+
+ <a href="../../../security/overview.html" title="Security">
+ <i class="none"></i>
+ Security</a>
+ </li>
+
+ <li>
+
+ <a href="../../../nodestore/segment/overview.html" title="Segment Node Store">
+ <i class="none"></i>
+ Segment Node Store</a>
+ </li>
+ <li class="nav-header">Using Oak</li>
+
+ <li>
+
+ <a href="../../../use_getting_started.html" title="Getting Started">
+ <i class="none"></i>
+ Getting Started</a>
+ </li>
+
+ <li>
+
+ <a href="../../../construct.html" title="Repository Construction">
+ <i class="none"></i>
+ Repository Construction</a>
+ </li>
+
+ <li>
+
+ <a href="../../../osgi_config.html" title="Configuring Oak">
+ <i class="none"></i>
+ Configuring Oak</a>
+ </li>
+
+ <li>
+
+ <a href="../../../command_line.html" title="Command Line Tools">
+ <i class="none"></i>
+ Command Line Tools</a>
+ </li>
+
+ <li>
+
+ <a href="../../../migration.html" title="Migration">
+ <i class="none"></i>
+ Migration</a>
+ </li>
+
+ <li>
+
+ <a href="../../../differences.html" title="Differences to Jackrabbit 2">
+ <i class="none"></i>
+ Differences to Jackrabbit 2</a>
+ </li>
+
+ <li>
+
+ <a href="../../../known_issues.html" title="Known Issues">
+ <i class="none"></i>
+ Known Issues</a>
+ </li>
+
+ <li>
+
+ <a href="../../../dos_and_donts.html" title="Dos and Don'ts">
+ <i class="none"></i>
+ Dos and Don'ts</a>
+ </li>
+
+ <li>
+
+ <a href="../../../coldstandby/coldstandby.html" title="Cold Standby">
+ <i class="none"></i>
+ Cold Standby</a>
+ </li>
+
+ <li>
+
+ <a href="../../../FAQ.html" title="FAQ">
+ <i class="none"></i>
+ FAQ</a>
+ </li>
+ <li class="nav-header">Developing Oak</li>
+
+ <li>
+
+ <a href="../../../dev_getting_started.html" title="Getting Started">
+ <i class="none"></i>
+ Getting Started</a>
+ </li>
+
+ <li>
+
+ <a href="../../../participating.html" title="Participating">
+ <i class="none"></i>
+ Participating</a>
+ </li>
+
+ <li>
+
+ <a href="../../../developing-with-git.html" title="Developing with Git">
+ <i class="none"></i>
+ Developing with Git</a>
+ </li>
+
+ <li>
+
+ <a href="../../../diagnostic-builds.html" title="Cutting diagnostic builds">
+ <i class="none"></i>
+ Cutting diagnostic builds</a>
+ </li>
+
+ <li>
+
+ <a href="../../../attribution.html" title="Attribution">
+ <i class="none"></i>
+ Attribution</a>
+ </li>
+
+ <li>
+
+ <a href="../../../release-schedule.html" title="Release Schedule">
+ <i class="none"></i>
+ Release Schedule</a>
+ </li>
+ <li class="nav-header">Links</li>
+
+ <li>
+
+ <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+ <i class="none"></i>
+ Apache Jackrabbit Oak</a>
+ </li>
+
+ <li>
+
+ <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+ <i class="none"></i>
+ Apache Jackrabbit</a>
+ </li>
+ </ul>
+
+
+
+ <hr class="divider" />
+
+ <div id="poweredBy">
+
+ <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+
+ <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak/docs/" data-size="tall" ></div>
+
+ <div class="clear"></div>
+ <div class="clear"></div>
+ <div class="clear"></div>
+ <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+ <img class="builtBy" alt="Built by Maven" src="../../../images/logos/maven-feather.png" />
+ </a>
+ </div>
+ </div>
+ </div>
+
+
+ <div id="bodyColumn" class="span9" >
+
+ <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License. --><div class="section">
+<h2>Token Management : The Default Implementation<a name="Token_Management_:_The_Default_Implementation"></a></h2>
+<div class="section">
+<h3>General Notes<a name="General_Notes"></a></h3>
+<p>The default implementation of the token management API stores login tokens along with the user’s home directory in the repository. Along with the hash of the login token separated properties defining the expiration time of the token as well as as additional properties associated with the login tokens. This additional information may be mandatory (thus validated during the login) or optional. The optional properties are meant to have informative value only and will be transferred to public attributes as exposed by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a> present with each <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/ContentSession.html">ContentSession</a>.</p></div>
+<div class="section">
+<h3>Token Management Operations<a name="Token_Management_Operations"></a></h3>
+<div class="section">
+<h4>Token Creation<a name="Token_Creation"></a></h4>
+<p>The creation of a new token is triggered by valid and supported <tt>Credentials</tt> passed to the login module chain that contain an additional, empty <tt>.token</tt> attribute.</p>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will obtain these <tt>Credentials</tt> from the shared state during the commit phase (i.e. phase 2 of the JAAS authentication) and will pass them to the configured <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a> implementation the following sequence:</p>
+
+<div class="source">
+<pre>Credentials shared = getSharedCredentials();
+if (shared != null && tokenProvider.doCreateToken(shared)) {
+ [...]
+ TokenInfo ti = tokenProvider.createToken(shared);
+ [...]
+}
+</pre></div>
+<p>In case of success these steps will have generated a new token and stored it’s hash along with all mandatory and informative attributes to the new content node representing the token.</p>
+<div class="section">
+<h5>Supported Credentials for Token Creation<a name="Supported_Credentials_for_Token_Creation"></a></h5>
+<p>By default the implementation deals with shared <tt>SimpleCredentials</tt>.</p>
+<p>With Oak 1.5.8 the token management has been extended in order to allow for custom <tt>Credentials</tt> implementations. This is achieved by registering a custom implementation of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface. The default the token management uses <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/SimpleCredentialsSupport.html">SimpleCredentialsSupport</a>.</p>
+<p>See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4129">OAK-4129</a> and section <a href="#pluggability">Pluggability</a> below) for additional information.</p></div></div>
+<div class="section">
+<h4>Token Validation<a name="Token_Validation"></a></h4>
+<p>Once a token has been created it can be used for subsequent repository logins with <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java">TokenCredentials</a>. This time the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will attempt to perform the login phase (i.e. phase 1 of the JAAS authentication).</p>
+<p>This includes resolving the login token (<tt>TokenProvider.getTokenInfo</tt>) and asserting it’s validity in case it exists. The validation consists of following steps:</p>
+
+<ul>
+
+<li>check that the token has not expired (<tt>TokenInfo.isExpired</tt>)</li>
+
+<li>verify that all mandatory attributes are present and match the expectations (<tt>TokenInfo.matches</tt>)</li>
+</ul>
+<p>Only if these steps have been successfully completed the login of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> will succeed.</p></div>
+<div class="section">
+<h4>Token Removal<a name="Token_Removal"></a></h4>
+<p>A given login token (and the node associated with it) will be removed if the authentication fails due to an expired token or with an explicit API call i.e. <tt>TokenInfo.remove</tt>.</p></div>
+<div class="section">
+<h4>Resetting Expiration Time<a name="Resetting_Expiration_Time"></a></h4>
+<p>The default <tt>TokenProvider</tt> implementation will automatically reset the expiration time of a given token upon successful authentication.</p>
+<p>This behavior can be disabled by setting the <tt>tokenRefresh</tt> configuration parameter to <tt>false</tt> (see <tt>PARAM_TOKEN_REFRESH</tt> below). In this case expiration time will not be reset and an attempt to do so using the API (e.g. calling <tt>
+TokenInfo.resetExpiration(long loginTime)</tt>) will return <tt>false</tt> indicating that the expiration time has not been reset. The token will consequently expire and the user will need to login again using the configured login mechanism (e.g. using the credentials support for token creation).</p>
+<p><a name="representation"></a></p></div></div>
+<div class="section">
+<h3>Representation in the Repository<a name="Representation_in_the_Repository"></a></h3>
+<div class="section">
+<h4>Content Structure<a name="Content_Structure"></a></h4>
+<p>The login tokens issued for a given user are all located underneath a node named <tt>.tokens</tt> that will be created by the <tt>TokenProvider</tt> once the first token is created. The default implementation creates a distinct node for each login token as described below</p>
+
+<div class="source">
+<pre>testUser {
+ "jcr:primaryType": "rep:User",
+ ...
+ ".tokens" {
+ "jcr:primaryType": "rep:Unstructured",
+ "2014-04-10T16.09.07.159+02.00" {
+ "jcr:primaryType": "rep:Token",
+ ...
+ "2014-05-07T12.08.57.683+02.00" {
+ "jcr:primaryType": "rep:Token",
+ ...
+ }
+ "2014-06-25T16.00.13.018+02.00" {
+ "jcr:primaryType": "rep:Token",
+ ...
+ }
+ }
+}
+</pre></div></div>
+<div class="section">
+<h4>Token Nodes<a name="Token_Nodes"></a></h4>
+<p>As of Oak 1.0 the login token are represented in the repository as follows:</p>
+
+<ul>
+
+<li>the token node is referenceable with the dedicated node type <tt>rep:Token</tt> (used to be unstructured in Jackrabbit 2.x)</li>
+
+<li>expiration and key properties are defined to be mandatory and protected</li>
+
+<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the configuration parameter with the same name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
+</ul>
+<p>The definition of the new built-in node type <tt>rep:Token</tt>:</p>
+
+<div class="source">
+<pre>[rep:Token] > mix:referenceable
+- rep:token.key (STRING) protected mandatory
+- rep:token.exp (DATE) protected mandatory
+- * (UNDEFINED) protected
+- * (UNDEFINED) multiple protected
+</pre></div>
+<p>The following example illustrates the token nodes resulting from this node type definition:</p>
+
+<div class="source">
+<pre>testUser {
+ "jcr:primaryType": "rep:User",
+ ...
+ ".tokens" {
+ "2014-04-10T16.09.07.159+02.00" {
+ "jcr:primaryType": "rep:Token",
+ "jcr:uuid": "30c1f361-35a2-421a-9ebc-c781eb8a08f0",
+ "rep:token.key": "{SHA-256}afaf64dba5d862f9-1000-3e2d4e58ac16189b9f2ac95d8d5b692e61cb06db437bcd9be5c10bdf3792356a",
+ "rep:token.exp": "2014-04-11T04:09:07.159+02:00",
+ ".token.ip": "0:0:0:0:0:0:0:1%0"
+ ".token.otherMandatoryProperty": "expectedValue",
+ "referer": "http://localhost:4502/crx/explorer/login.jsp"
+ "otherInformalProperty": "somevalue"
+ },
+ "2014-05-07T12.08.57.683+02.00" {
+ "jcr:primaryType": "rep:Token",
+ "jcr:uuid": "c95c91e2-2e08-48ab-93db-6e7c8cdd6469",
+ "rep:token.key": "{SHA-256}b1d268c55abda258-1000-62e4c368972260576d37e6ba14a10f9f02897e42992624890e22c522220f7e54",
+ "rep:token.exp": "2014-05-08T00:08:57.683+02:00"
+ },
+ ...
+ }
+ }
+}
+</pre></div>
+<p><a name="validation"></a></p></div></div>
+<div class="section">
+<h3>Validation<a name="Validation"></a></h3>
+<p>The consistency of this content structure both on creation and modification is asserted by a dedicated <tt>TokenValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
+
+<table border="0" class="table table-striped">
+ <thead>
+
+<tr class="a">
+
+<th>Code </th>
+
+<th>Message </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td>0060 </td>
+
+<td>Attempt to create reserved token property in other ctx </td>
+ </tr>
+
+<tr class="a">
+
+<td>0061 </td>
+
+<td>Attempt to change existing token key </td>
+ </tr>
+
+<tr class="b">
+
+<td>0062 </td>
+
+<td>Change primary type of existing node to rep:Token </td>
+ </tr>
+
+<tr class="a">
+
+<td>0063 </td>
+
+<td>Creation/Manipulation of tokens without using provider </td>
+ </tr>
+
+<tr class="b">
+
+<td>0064 </td>
+
+<td>Create a token outside of configured scope </td>
+ </tr>
+
+<tr class="a">
+
+<td>0065 </td>
+
+<td>Invalid location of token node </td>
+ </tr>
+
+<tr class="b">
+
+<td>0066 </td>
+
+<td>Invalid token key </td>
+ </tr>
+
+<tr class="a">
+
+<td>0067 </td>
+
+<td>Mandatory token expiration missing </td>
+ </tr>
+
+<tr class="b">
+
+<td>0068 </td>
+
+<td>Invalid location of .tokens node </td>
+ </tr>
+
+<tr class="a">
+
+<td>0069 </td>
+
+<td>Change type of .tokens parent node </td>
+ </tr>
+ </tbody>
+</table>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The default Oak [TokenConfiguration] allows to define the following configuration options for the <tt>TokenProvider</tt>:</p>
+<div class="section">
+<h4>Configuration Parameters<a name="Configuration_Parameters"></a></h4>
+
+<table border="0" class="table table-striped">
+ <thead>
+
+<tr class="a">
+
+<th>Parameter </th>
+
+<th>Type </th>
+
+<th>Default </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td>PARAM_TOKEN_EXPIRATION </td>
+
+<td>long </td>
+
+<td>2 * 3600 * 1000 (2 hours)</td>
+ </tr>
+
+<tr class="a">
+
+<td>PARAM_TOKEN_LENGTH </td>
+
+<td>int </td>
+
+<td>8 </td>
+ </tr>
+
+<tr class="b">
+
+<td>PARAM_TOKEN_REFRESH </td>
+
+<td>boolean </td>
+
+<td>true </td>
+ </tr>
+
+<tr class="a">
+
+<td>PARAM_PASSWORD_HASH_ALGORITHM </td>
+
+<td>String </td>
+
+<td>SHA-256 </td>
+ </tr>
+
+<tr class="b">
+
+<td>PARAM_PASSWORD_HASH_ITERATIONS </td>
+
+<td>int </td>
+
+<td>1000 </td>
+ </tr>
+
+<tr class="a">
+
+<td>PARAM_PASSWORD_SALT_SIZE </td>
+
+<td>int </td>
+
+<td>8 </td>
+ </tr>
+
+<tr class="b">
+
+<td> </td>
+
+<td> </td>
+
+<td> </td>
+ </tr>
+ </tbody>
+</table>
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>In an OSGi-based setup the default <tt>TokenConfiguration</tt> you can bind a custom implementation of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface. Doing so allows to support any type of custom credentials, which do not reveal the ID of the user logging into repository.</p>
+<p>In particular when chaining the <tt>TokenLoginModule</tt> and the <tt>ExternalLoginModule</tt> the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> can be used to authenticate and synchronize users provided by third party systems during phase 1 (login) and generate a login token during phase 2 (commit). See section <a href="../externalloginmodule.html">Authentication with the External Login Module</a> for additional details. For this to work the same <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> must be configured with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> and the <tt>TokenConfiguration</tt> and <tt>CredentialsSupport.getUserId</tt> must reveal the ID of the synced user (i.e. <tt>Ex
ternalUser.getId</tt>).</p>
+<p>In general the following steps are required in order to plug a different <tt>CredentialsSupport</tt> into the default <tt>TokenConfiguration</tt>:</p>
+
+<ul>
+
+<li>implement the <tt>CredentialsSupport</tt> interface (e.g. as extension to the <tt>ExternalIdentityProvider</tt>)</li>
+
+<li>make sure the implementation is an OSGi service and deploy it to the Oak repository.</li>
+</ul>
+<div class="section">
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Example CredentialsSupport<a name="Example_CredentialsSupport"></a></h6>
+<p>In an OSGi-based setup it’s sufficient to make the service available to the repository in order to enable a custom <tt>CredentialsSupport</tt>.</p>
+
+<div class="source">
+<pre>@Component
+@Service(value = {CredentialsSupport.class})
+/**
+ * Custom implementation of the {@code CredentialsSupport} interface.
+ */
+final class MyCredentialsSupport implements CredentialsSupport {
+
+ @Nonnull
+ @Override
+ public Set<Class> getCredentialClasses() {
+ return ImmutableSet.<Class>of(MyCredentials.class);
+ }
+
+ @CheckForNull
+ @Override
+ public String getUserId(@Nonnull Credentials credentials) {
+ if (credentials instanceof MyCredentials) {
+ // TODO: resolve user id
+ return resolveUserId(credentials);
+ } else {
+ return null;
+ }
+ }
+
+ @Nonnull
+ @Override
+ public Map<String, ?> getAttributes(@Nonnull Credentials credentials) {
+ // TODO: optional implementation
+ return ImmutableMap.of();
+ }
+
+ @Override
+ public boolean setAttributes(@Nonnull Credentials credentials, @Nonnull Map<String, ?> attributes) {
+ // TODO: optional implementation
+ return false;
+ }
+
+ [...]
+}
+</pre></div></div>
+<div class="section">
+<h6>Example CredentialsSupport in Combination with External Authentication<a name="Example_CredentialsSupport_in_Combination_with_External_Authentication"></a></h6>
+<p>See section <a href="../externalloginmodule.html#pluggability">Authentication with the External Login Module</a> for an example.</p>
+<!-- references --></div></div></div></div></div>
+ </div>
+ </div>
+ </div>
+
+ <hr/>
+
+ <footer>
+ <div class="container-fluid">
+ <div class="row span12">Copyright © 2012-2016
+ <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+ All Rights Reserved.
+
+ </div>
+
+
+
+
+
+
+
+ <div id="ohloh" class="pull-right">
+ <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js"></script>
+ </div>
+ </div>
+ </footer>
+ </body>
+</html>
\ No newline at end of file
Modified: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1760905&r1=1760904&r2=1760905&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Thu Sep 15 09:46:36 2016
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2016-08-10
+ | Generated by Apache Maven Doxia at 2016-09-15
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20160810" />
+ <meta name="Date-Revision-yyyymmdd" content="20160915" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak - Token Authentication and Token Management</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -216,7 +216,7 @@
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2016-08-10</li>
+ <li id="publishDate">Last Published: 2016-09-15</li>
<li class="divider">|</li> <li id="projectVersion">Version: 1.6-SNAPSHOT</li>
@@ -556,7 +556,11 @@
<li>if phase 1 succeeded the subject is populated and the method returns <tt>true</tt></li>
<li>in case phase 1 did not succeed this method will test if the shared state contain credentials that ask for a new token being created; if this succeeds it will create a new instance of <tt>TokenCredentials</tt>, push the public attributes to the shared stated and update the subject with the new credentials; finally the commit call <b>returns <tt>false</tt></b></li>
-</ul></div></div>
+</ul>
+<div class="section">
+<h5>Example JAAS Configuration<a name="Example_JAAS_Configuration"></a></h5>
+<p>jackrabbit.oak { org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient; org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required; };</p>
+<p><a name="api_extensions"></a></p></div></div></div>
<div class="section">
<h3>Token Management API<a name="Token_Management_API"></a></h3>
<p>Oak 1.0 defines the following interfaces used to manage login tokens:</p>
@@ -573,257 +577,23 @@
<ul>
-<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenProvider.html">CompositeTokenProvider</a></li>
-</ul></div>
-<div class="section">
-<h3>Characteristics of the TokenProvider Implementation<a name="Characteristics_of_the_TokenProvider_Implementation"></a></h3>
-<p>The default implementation of the token management API stores login tokens along with the user’s home directory in the repository. Along with the hash of the login token separated properties defining the expiration time of the token as well as as additional properties associated with the login tokens. This additional information may be mandatory (thus validated during the login) or optional. The optional properties are meant to have informative value only and will be transferred to public attributes as exposed by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a> present with each <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/ContentSession.html">ContentSession</a>.</p>
-<div class="section">
-<h4>Token Creation<a name="Token_Creation"></a></h4>
-<p>The creation of a new token is triggered by valid <tt>SimpleCredentials</tt> passed to the login module chain that contain an additional, empty <tt>.token</tt> attribute. The default <tt>TokenProvider</tt> implementation will consequently generate a new token and store it’s hash along with all mandatory and informative attributes to the new content node representing the new token.</p></div>
-<div class="section">
-<h4>Token Removal<a name="Token_Removal"></a></h4>
-<p>In the default implementation a given login token (and the node associated with it) will be removed if the authentication fails due to an expired token.</p></div>
-<div class="section">
-<h4>Resetting Expiration Time<a name="Resetting_Expiration_Time"></a></h4>
-<p>The default <tt>TokenProvider</tt> implementation will automatically reset the expiration time of a given token upon successful authentication.</p>
-<p>This behavior can be disabled by setting the <tt>tokenRefresh</tt> configuration parameter to <tt>false</tt> (see <tt>PARAM_TOKEN_REFRESH</tt> below). In this case expiration time will not be reset and an attempt to do so using the API (e.g. calling <tt>
-TokenInfo.resetExpiration(long loginTime)</tt>) will return <tt>false</tt> indicating that the expiration time has not been reset. The token will consequently expire and the user will need to login again using the configured default login mechanism (e.g. using <tt>SimpleCredentials</tt>).</p></div>
-<div class="section">
-<h4>Token Representation in the Repository<a name="Token_Representation_in_the_Repository"></a></h4>
-<div class="section">
-<h5>Content Structure<a name="Content_Structure"></a></h5>
-<p>The login tokens issued for a given user are all located underneath a node named <tt>.tokens</tt> that will be created by the <tt>TokenProvider</tt> once the first token is created. The default implementation creates a distinct node for each login token as described below</p>
-
-<div class="source">
-<pre>testUser {
- "jcr:primaryType": "rep:User",
- ...
- ".tokens" {
- "jcr:primaryType": "rep:Unstructured",
- "2014-04-10T16.09.07.159+02.00" {
- "jcr:primaryType": "rep:Token",
- ...
- "2014-05-07T12.08.57.683+02.00" {
- "jcr:primaryType": "rep:Token",
- ...
- }
- "2014-06-25T16.00.13.018+02.00" {
- "jcr:primaryType": "rep:Token",
- ...
- }
- }
-}
-</pre></div></div>
-<div class="section">
-<h5>Token Nodes<a name="Token_Nodes"></a></h5>
-<p>As of Oak 1.0 the login token are represented in the repository as follows:</p>
-
-<ul>
-
-<li>the token node is referenceable with the dedicated node type <tt>rep:Token</tt> (used to be unstructured in Jackrabbit 2.x)</li>
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenConfiguration.html">CompositeTokenConfiguration</a>: Extension of the <tt>CompositeConfiguration</tt> to combined different token management implementations.</li>
-<li>expiration and key properties are defined to be mandatory and protected</li>
-
-<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the configuration parameter with the same name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenProvider.html">CompositeTokenProvider</a>: Aggregation of the <tt>TokenProvider</tt> implementations defined by the configurations contained the <tt>CompositeTokenConfiguration</tt></li>
</ul>
-<p>The definition of the new built-in node type <tt>rep:Token</tt>:</p>
-
-<div class="source">
-<pre>[rep:Token] > mix:referenceable
-- rep:token.key (STRING) protected mandatory
-- rep:token.exp (DATE) protected mandatory
-- * (UNDEFINED) protected
-- * (UNDEFINED) multiple protected
-</pre></div>
-<p>The following example illustrates the token nodes resulting from this node type definition:</p>
-
-<div class="source">
-<pre>testUser {
- "jcr:primaryType": "rep:User",
- ...
- ".tokens" {
- "2014-04-10T16.09.07.159+02.00" {
- "jcr:primaryType": "rep:Token",
- "jcr:uuid": "30c1f361-35a2-421a-9ebc-c781eb8a08f0",
- "rep:token.key": "{SHA-256}afaf64dba5d862f9-1000-3e2d4e58ac16189b9f2ac95d8d5b692e61cb06db437bcd9be5c10bdf3792356a",
- "rep:token.exp": "2014-04-11T04:09:07.159+02:00",
- ".token.ip": "0:0:0:0:0:0:0:1%0"
- ".token.otherMandatoryProperty": "expectedValue",
- "referer": "http://localhost:4502/crx/explorer/login.jsp"
- "otherInformalProperty": "somevalue"
- },
- "2014-05-07T12.08.57.683+02.00" {
- "jcr:primaryType": "rep:Token",
- "jcr:uuid": "c95c91e2-2e08-48ab-93db-6e7c8cdd6469",
- "rep:token.key": "{SHA-256}b1d268c55abda258-1000-62e4c368972260576d37e6ba14a10f9f02897e42992624890e22c522220f7e54",
- "rep:token.exp": "2014-05-08T00:08:57.683+02:00"
- },
- ...
- }
- }
-}
-</pre></div>
-<p><a name="validation"></a></p></div>
+<p>See section <a href="#pluggability">Pluggability</a> for an example.</p>
+<p><a href="default_implementation"></a></p></div>
<div class="section">
-<h5>Validation<a name="Validation"></a></h5>
-<p>The consistency of this content structure both on creation and modification is asserted by a dedicated <tt>TokenValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
-
-<table border="0" class="table table-striped">
- <thead>
-
-<tr class="a">
-
-<th>Code </th>
-
-<th>Message </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td>0060 </td>
-
-<td>Attempt to create reserved token property in other ctx </td>
- </tr>
-
-<tr class="a">
-
-<td>0061 </td>
-
-<td>Attempt to change existing token key </td>
- </tr>
-
-<tr class="b">
-
-<td>0062 </td>
-
-<td>Change primary type of existing node to rep:Token </td>
- </tr>
-
-<tr class="a">
-
-<td>0063 </td>
-
-<td>Creation/Manipulation of tokens without using provider </td>
- </tr>
-
-<tr class="b">
-
-<td>0064 </td>
-
-<td>Create a token outside of configured scope </td>
- </tr>
-
-<tr class="a">
-
-<td>0065 </td>
-
-<td>Invalid location of token node </td>
- </tr>
-
-<tr class="b">
-
-<td>0066 </td>
-
-<td>Invalid token key </td>
- </tr>
-
-<tr class="a">
-
-<td>0067 </td>
-
-<td>Mandatory token expiration missing </td>
- </tr>
-
-<tr class="b">
-
-<td>0068 </td>
-
-<td>Invalid location of .tokens node </td>
- </tr>
-
-<tr class="a">
-
-<td>0069 </td>
-
-<td>Change type of .tokens parent node </td>
- </tr>
- </tbody>
-</table></div></div></div>
+<h3>Characteristics of the Default Implementation<a name="Characteristics_of_the_Default_Implementation"></a></h3>
+<p>The characteristics of the default token management implementation is described in section <a href="token/default.html">Token Management : The Default Implementation</a>. </p>
+<p><a name="configuration"></a></p></div>
<div class="section">
<h3>Configuration<a name="Configuration"></a></h3>
-<p>The Oak token management comes with it’s own [TokenConfiguration] which allows to obtain a new <tt>TokenProvider</tt> instance with the specified configuration options.</p>
-<p>Apart from the default configuration implementation Oak provides a public [CompositeTokenConfiguration], which is used to combined different implementations plugged at runtime.</p>
-<div class="section">
-<h4>Configuration Parameters<a name="Configuration_Parameters"></a></h4>
-
-<table border="0" class="table table-striped">
- <thead>
-
-<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td>PARAM_TOKEN_EXPIRATION </td>
-
-<td>long </td>
-
-<td>2 * 3600 * 1000 (2 hours)</td>
- </tr>
-
-<tr class="a">
-
-<td>PARAM_TOKEN_LENGTH </td>
-
-<td>int </td>
-
-<td>8 </td>
- </tr>
-
-<tr class="b">
-
-<td>PARAM_TOKEN_REFRESH </td>
-
-<td>boolean </td>
-
-<td>true </td>
- </tr>
-
-<tr class="a">
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
- </tr>
- </tbody>
-</table></div>
-<div class="section">
-<h4>Examples<a name="Examples"></a></h4>
-<div class="section">
-<h5>Example JAAS Configuration<a name="Example_JAAS_Configuration"></a></h5>
-
-<div class="source">
-<pre>jackrabbit.oak {
- org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
- org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
- };
-</pre></div></div></div></div>
+<p>The configuration options of the default implementation are described in the <a href="token/default.html#configuration">Configuration</a> section.</p>
+<p><a name="pluggability"></a></p></div>
<div class="section">
<h3>Pluggability<a name="Pluggability"></a></h3>
-<p>The default security setup as present with Oak 1.0 is able to provide custom <tt>TokenProvider</tt> implementations and will automatically combine the different implementations using the <tt>CompositeTokenProvider</tt>.</p>
+<p>The default security setup as present with Oak 1.0 is able to deal with custom token management implementations and will collect multiple implementations within <tt>CompositeTokenConfiguration</tt> present with the <tt>SecurityProvider</tt>. The <tt>CompositeTokenConfiguration</tt> itself will combine the different <tt>TokenProvider</tt> implementations using the <tt>CompositeTokenProvider</tt>.</p>
<p>In an OSGi setup the following steps are required in order to add a custom token provider implementation:</p>
<ul>