You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/11/09 09:46:57 UTC
svn commit: r1846224 [7/8] - in /jackrabbit/site/live/oak/docs: ./ features/
query/ security/ security/accesscontrol/ security/authentication/
security/authentication/external/ security/authentication/token/
security/authorization/ security/permission/...
Modified: jackrabbit/site/live/oak/docs/security/privilege/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/default.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/default.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Privilege Management : The Default Implementation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,7 +251,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Privilege_Management_:_The_Default_Implementation"></a>Privilege Management : The Default Implementation</h2>
<div class="section">
<h3><a name="General_Notes"></a>General Notes</h3>
@@ -249,14 +262,15 @@
<p>A comprehensive list of changes compared to Jackrabbit 2.x can be found in the corresponding <a href="differences.html">documentation</a>.</p></div>
<div class="section">
<h3><a name="Built-in_Privileges"></a>Built-in Privileges</h3>
-
<ul>
-
+
<li>
+
<p>All Privileges as defined by JSR 283</p>
-
-<div class="source">
-<div class="source"><pre class="prettyprint">jcr:read (NOTE: Aggregate since Oak 1.0)
+
+<div>
+<div>
+<pre class="source">jcr:read (NOTE: Aggregate since Oak 1.0)
jcr:modifyProperties (NOTE: Aggregate since Oak 1.0)
jcr:addChildNodes
jcr:removeNode
@@ -270,64 +284,62 @@ jcr:retentionManagement (NOTE: retention
jcr:lifecycleManagement (NOTE: lifecycle management not implemented in Oak 1.0)
jcr:write
jcr:all
-</pre></div></div></li>
-
+</pre></div></div>
+</li>
<li>
+
<p>All Privileges defined by JSR 333</p>
-
-<div class="source">
-<div class="source"><pre class="prettyprint">jcr:workspaceManagement (NOTE: wsp management not yet implemented)
+
+<div>
+<div>
+<pre class="source">jcr:workspaceManagement (NOTE: wsp management not yet implemented)
jcr:nodeTypeDefinitionManagement
jcr:namespaceManagement
-</pre></div></div></li>
-
+</pre></div></div>
+</li>
<li>
+
<p>All Privileges defined by Jackrabbit 2.x</p>
-
-<div class="source">
-<div class="source"><pre class="prettyprint">rep:write
+
+<div>
+<div>
+<pre class="source">rep:write
rep:privilegeManagement
-</pre></div></div></li>
-
+</pre></div></div>
+</li>
<li>
+
<p>New Privileges defined by OAK 1.0:</p>
-
-<div class="source">
-<div class="source"><pre class="prettyprint">rep:userManagement
+
+<div>
+<div>
+<pre class="source">rep:userManagement
rep:readNodes
rep:readProperties
rep:addProperties
rep:alterProperties
rep:removeProperties
rep:indexDefinitionManagement
-</pre></div></div></li>
+</pre></div></div>
+</li>
</ul>
<p>Please note the following differences with respect to Jackrabbit 2.x definitions:</p>
-
<ul>
-
+
<li><tt>jcr:read</tt> is now an aggregation of <tt>rep:readNodes</tt> and <tt>rep:readProperties</tt></li>
-
<li><tt>jcr:modifyProperties</tt> is now an aggregation of <tt>rep:addProperties</tt>, <tt>rep:alterProperties</tt> and <tt>rep:removeProperties</tt></li>
</ul>
<div class="section">
<h4><a name="New_Privileges"></a>New Privileges</h4>
<p>The new Privileges introduced with Oak 1.0 have the following effect:</p>
-
<ul>
-
+
<li><tt>rep:userManagement</tt>: Privilege required in order to write items that define user or group specific content.</li>
-
<li><tt>rep:readNodes</tt>: Privilege used to allow/deny read access to nodes (aggregate of <tt>jcr:read</tt>)</li>
-
<li><tt>rep:readProperties</tt>: Privilege used to allow/deny read access to properties (aggregate of <tt>jcr:read</tt>)</li>
-
<li><tt>rep:addProperties</tt>: Privilege required in order to create new properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
-
<li><tt>rep:alterProperties</tt>: Privilege required in order to change existing properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
-
<li><tt>rep:removeProperties</tt>: Privilege required in order to remove existing properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
-
<li><tt>rep:indexDefinitionManagement</tt>: Privilege required to create, modify or deleate index definitions.</li>
</ul></div>
<div class="section">
@@ -338,8 +350,9 @@ rep:indexDefinitionManagement
<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
<p>As of Oak 1.0 all privilege definitions are stored in the repository itself underneath <tt>/jcr:system/rep:privileges</tt>. The following privilege related built-in node types have been added in OAK 1.0 in order to represent built-in and custom privilege definitions.</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:Privileges]
+<div>
+<div>
+<pre class="source">[rep:Privileges]
+ * (rep:Privilege) = rep:Privilege protected ABORT
- rep:next (LONG) protected multiple mandatory
@@ -348,115 +361,60 @@ rep:indexDefinitionManagement
- rep:aggregates (NAME) protected multiple
- rep:bits (LONG) protected multiple mandatory
</pre></div></div>
+
<p>Note the protection status of all child items defined by these node type definitions as they prevent modification of the privilege definitions using regular JCR write operations.</p>
<p><a name="validation"></a></p></div>
<div class="section">
<h3><a name="Validation"></a>Validation</h3>
<p>The consistency of this content structure is asserted by a dedicated <tt>PrivilegeValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Code </th>
-
-<th>Message </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Code </th>
+<th> Message </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td>0041 </td>
-
-<td>Modification of existing privilege definition X </td>
- </tr>
-
+<td> 0041 </td>
+<td> Modification of existing privilege definition X </td></tr>
<tr class="a">
-
-<td>0042 </td>
-
-<td>Un-register privilege X </td>
- </tr>
-
+<td> 0042 </td>
+<td> Un-register privilege X </td></tr>
<tr class="b">
-
-<td>0043 </td>
-
-<td>Next bits not updated </td>
- </tr>
-
+<td> 0043 </td>
+<td> Next bits not updated </td></tr>
<tr class="a">
-
-<td>0044 </td>
-
-<td>Privilege store not initialized </td>
- </tr>
-
+<td> 0044 </td>
+<td> Privilege store not initialized </td></tr>
<tr class="b">
-
-<td>0045 </td>
-
-<td>Modification of existing privilege definition X </td>
- </tr>
-
+<td> 0045 </td>
+<td> Modification of existing privilege definition X </td></tr>
<tr class="a">
-
-<td>0046 </td>
-
-<td>Modification of existing privilege definition X </td>
- </tr>
-
+<td> 0046 </td>
+<td> Modification of existing privilege definition X </td></tr>
<tr class="b">
-
-<td>0047 </td>
-
-<td>Invalid declared aggregate name X </td>
- </tr>
-
+<td> 0047 </td>
+<td> Invalid declared aggregate name X </td></tr>
<tr class="a">
-
-<td>0048 </td>
-
-<td>PrivilegeBits are missing </td>
- </tr>
-
+<td> 0048 </td>
+<td> PrivilegeBits are missing </td></tr>
<tr class="b">
-
-<td>0049 </td>
-
-<td>PrivilegeBits already in used </td>
- </tr>
-
+<td> 0049 </td>
+<td> PrivilegeBits already in used </td></tr>
<tr class="a">
-
-<td>0050 </td>
-
-<td>Singular aggregation is equivalent to existing privilege.</td>
- </tr>
-
+<td> 0050 </td>
+<td> Singular aggregation is equivalent to existing privilege.</td></tr>
<tr class="b">
-
-<td>0051 </td>
-
-<td>Declared aggregate X is not a registered privilege </td>
- </tr>
-
+<td> 0051 </td>
+<td> Declared aggregate X is not a registered privilege </td></tr>
<tr class="a">
-
-<td>0052 </td>
-
-<td>Detected circular aggregation </td>
- </tr>
-
+<td> 0052 </td>
+<td> Detected circular aggregation </td></tr>
<tr class="b">
-
-<td>0053 </td>
-
-<td>Custom aggregate privilege X is already covered. </td>
- </tr>
- </tbody>
+<td> 0053 </td>
+<td> Custom aggregate privilege X is already covered. </td></tr>
+</tbody>
</table>
<p><a name="configuration"></a></p></div>
<div class="section">
Modified: jackrabbit/site/live/oak/docs/security/user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user.html (original)
+++ jackrabbit/site/live/oak/docs/security/user.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,7 +251,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="User_Management"></a>User Management</h2>
<p><a name="jcr_api"></a></p>
<div class="section">
@@ -249,63 +262,49 @@
<div class="section">
<h3><a name="Jackrabbit_API"></a>Jackrabbit API</h3>
<p>The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user’ package space:</p>
-
<ul>
-
+
<li><tt>UserManager</tt></li>
-
<li><tt>Authorizable</tt>
-
<ul>
-
+
<li><tt>User</tt></li>
-
<li><tt>Group</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li><tt>Impersonation</tt></li>
-
<li><tt>QueryBuilder</tt>
-
<ul>
-
+
<li><tt>Query</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<p><a name="api_extensions"></a></p></div>
<div class="section">
<h3><a name="API_Extensions"></a>API Extensions</h3>
<p>The Oak project introduces the following user management related public interfaces and classes:</p>
-
<ul>
-
+
<li><tt>AuthorizableType</tt>: ease handling with the different authorizable types.</li>
-
<li><tt>AuthorizableAction</tt> and <tt>AuthorizableActionProvider</tt>: see <a href="user/authorizableaction.html">Authorizable Actions</a> for details.</li>
-
-<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
-
+<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
<li><tt>GroupAction</tt> (via <tt>AuthorizableActionProvider</tt>): see <a href="user/groupaction.html">Group Actions</a> for details.</li>
-
<li><tt>UserAuthenticationFactory</tt>: see sections <a href="user/default.html#pluggability">pluggability</a> and <a href="authentication/default.html#user_authentication">user authentication</a> for additional details.</li>
</ul>
<p><a name="utilities"></a></p></div>
<div class="section">
<h3><a name="Utilities"></a>Utilities</h3>
<p><tt>org.apache.jackrabbit.oak.spi.security.user.*</tt></p>
-
<ul>
-
+
<li><tt>UserConstants</tt> : Constants (NOTE: OAK names/paths)</li>
-
<li><tt>UserIdCredentials</tt> : Simple credentials implementation that might be used for `User.getCredentials’ without exposing pw information.</li>
</ul>
<p><tt>org.apache.jackrabbit.oak.spi.security.user.util.*</tt></p>
-
<ul>
-
-<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.</li>
-
+
+<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.</li>
<li><tt>UserUtil</tt> : Utilities related to general user management tasks.</li>
</ul>
<p><a name="default_implementation"></a></p></div>
@@ -316,11 +315,9 @@
<div class="section">
<h3><a name="Configuration"></a>Configuration</h3>
<p>The Oak user management comes with a dedicated entry point called <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a>. This class is responsible for passing configuration options to the implementation and provides the following two methods:</p>
-
<ul>
-
+
<li><tt>getUserManager(Root, NamePathMapper)</tt>: get a new <tt>UserManager</tt> instance</li>
-
<li><tt>getUserPrincipalProvider(Root, NamePathMapper)</tt>: optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).</li>
</ul>
<div class="section">
@@ -335,29 +332,21 @@
<p><a name="further_reading"></a></p></div>
<div class="section">
<h3><a name="Further_Reading"></a>Further Reading</h3>
-
<ul>
-
+
<li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
-
<li><a href="user/default.html">User Management : The Default Implementation</a>
-
<ul>
-
+
<li><a href="user/membership.html">Group Membership</a></li>
-
<li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
-
<li><a href="user/authorizablenodename.html">Authorizable Node Name</a></li>
-
<li><a href="user/expiry.html">Password Expiry and Force Initial Password Change</a></li>
-
<li><a href="user/history.html">Password History</a></li>
- </ul></li>
-
-<li><a href="user/query.html">Searching Users and Groups</a></li>
</ul>
-<!-- hidden references --></div></div>
+</li>
+<li><a href="user/query.html">Searching Users and Groups</a></li>
+</ul><!-- hidden references --></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/default.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/default.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management : The Default Implementation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,22 +251,19 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="User_Management_:_The_Default_Implementation"></a>User Management : The Default Implementation</h2>
<div class="section">
<h3><a name="General_Notes"></a>General Notes</h3>
<p>The default user management implementation stores user/group information in the content repository. In contrast to Jackrabbit 2.x, which by default used a single, dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace.</p>
<p>Consequently the <tt>UserManager</tt> associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x <tt>UserPerWorkspaceUserManager</tt>).</p>
-
<ul>
-
-<li>The Oak implementation is build on the Oak API. This allows for double usage as extension to the JCR API as well as within the Oak layer (aka SPI).</li>
-
-<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing <tt>Session</tt> from which the class has been obtained.</li>
-
+
+<li>The Oak implementation is build on the Oak API. This allows for double usage as extension to the JCR API as well as within the Oak layer (aka SPI).</li>
+<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing <tt>Session</tt> from which the class has been obtained.</li>
<li>Changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
-
-<li>In case of any failure during user management related write operations the API consumer is in charge of specifically revert pending or invalid transient modifications or calling <tt>Session#refresh(false)</tt>.</li>
+<li>In case of any failure during user management related write operations the API consumer is in charge of specifically revert pending or invalid transient modifications or calling <tt>Session#refresh(false)</tt>.</li>
</ul></div>
<div class="section">
<h3><a name="Differences_wrt_Jackrabbit_2.x"></a>Differences wrt Jackrabbit 2.x</h3>
@@ -272,9 +281,11 @@
<p>In contrast to Jackrabbit 2.x the anonymous (or guest) user is optional. Creation will be skipped if the value of the <tt>PARAM_ANONYMOUS_ID</tt> configuration parameter is <tt>null</tt> or empty.</p>
<p>Note, that the anonymous user will always be created without specifying a password in order to prevent regular login with <tt>SimpleCredentials</tt>. The proper way to obtain a guest session is:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">Repository#login(new GuestCredentials(), wspName);
+<div>
+<div>
+<pre class="source">Repository#login(new GuestCredentials(), wspName);
</pre></div></div>
+
<p>See section <a href="../authentication.html">Authentication</a> for further information about guest login.</p></div></div>
<div class="section">
<h4><a name="Everyone_Group"></a>Everyone Group</h4>
@@ -286,19 +297,13 @@
<h4><a name="Reading_Authorizables"></a>Reading Authorizables</h4>
<div class="section">
<h5><a name="Handling_of_the_Authorizable_ID"></a>Handling of the Authorizable ID</h5>
-
<ul>
-
+
<li>As of Oak 1.0 the node type definition of <tt>rep:Authorizable</tt> defines a new property <tt>rep:authorizableId</tt> which is intended to store the ID of a user or group.</li>
-
<li>This property is protected and system maintained and cannot be changed after creation through user management API calls.</li>
-
<li>The default implementation comes with a dedicated property index for <tt>rep:authorizableId</tt> which asserts the uniqueness of that ID.</li>
-
<li>For backwards compatibility with Jackrabbit 2.x the ID specified during creation is also reflected in the <tt>jcr:uuid</tt> (protected and mandatory), which is used for the lookup.</li>
-
<li><tt>Authorizable#getID</tt> returns the string value contained in <tt>rep:authorizableID</tt> and for backwards compatibility falls back on the node name in case the <tt>rep:authorizableId</tt> property is missing.</li>
-
<li>The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface (see configuration section below). By default it uses the ID as name hint and includes a conversion to a valid JCR node name.</li>
</ul></div>
<div class="section">
@@ -306,11 +311,9 @@
<p>The implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for user and groups slightly differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</p></div></div>
<div class="section">
<h4><a name="Creating_Authorizables"></a>Creating Authorizables</h4>
-
<ul>
-
+
<li>The <tt>rep:password</tt> property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that <tt>User#changePassword</tt> does not allow to remove the password property.</li>
-
<li>Since version 1.1.0 Oak supports the new API to create dedicated system users <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3802">JCR-3802</a>.</li>
</ul>
<p><a name="query"></a></p></div>
@@ -325,22 +328,18 @@
<div class="section">
<h4><a name="Autosave_Behavior"></a>Autosave Behavior</h4>
<p>Due to the nature of the UserManager (see above) we decided to drop the auto-save behavior in the default implementation present with OAK. Consequently,</p>
-
<ul>
-
+
<li><tt>UserManager#autoSave(boolean)</tt> throws <tt>UnsupportedRepositoryOperationException</tt></li>
-
<li><tt>UserManager#isAutoSave()</tt> always returns <tt>false</tt></li>
</ul>
<p>See also <tt>PARAM_SUPPORT_AUTOSAVE</tt> below; while this should not be needed if application code has been written against the Jackrabbit API (and thus testing if auto-save mode is enabled or not) this configuration option can be used as last resort.</p></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
<p>As of Oak 1.0 user and group nodes can be imported both with Session and Workspace import. Other differences compared to Jackrabbit 2.x:</p>
-
<ul>
-
+
<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
-
<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
</ul></div>
<div class="section">
@@ -356,8 +355,9 @@
<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
<p>The following block lists the built-in node types related to user management tasks:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:Authorizable] > mix:referenceable, nt:hierarchyNode
+<div>
+<div>
+<pre class="source">[rep:Authorizable] > mix:referenceable, nt:hierarchyNode
abstract
+ * (nt:base) = nt:unstructured VERSION
- rep:principalName (STRING) protected mandatory
@@ -375,7 +375,7 @@
[rep:Impersonatable]
mixin
- rep:impersonators (STRING) protected multiple
-
+
/* @since oak 1.1.0 */
[rep:Password]
- * (UNDEFINED) protected
@@ -397,337 +397,173 @@
/* @since oak 1.0 */
[rep:MemberReferencesList]
+ * (rep:MemberReferences) = rep:MemberReferences protected COPY
-
+
/* @deprecated since oak 1.0 */
[rep:Members]
orderable
+ * (rep:Members) = rep:Members protected multiple
- * (WEAKREFERENCE) protected < 'rep:Authorizable'
</pre></div></div>
+
<p><a name="validation"></a></p></div>
<div class="section">
<h3><a name="Validation"></a>Validation</h3>
<p>The consistency of this content structure is asserted by a dedicated <tt>UserValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Code </th>
-
-<th>Message </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Code </th>
+<th> Message </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td>0020 </td>
-
-<td>Admin user cannot be disabled </td>
- </tr>
-
+<td> 0020 </td>
+<td> Admin user cannot be disabled </td></tr>
<tr class="a">
-
-<td>0021 </td>
-
-<td>Invalid jcr:uuid for authorizable (creation) </td>
- </tr>
-
+<td> 0021 </td>
+<td> Invalid jcr:uuid for authorizable (creation) </td></tr>
<tr class="b">
-
-<td>0022 </td>
-
-<td>Changing Id, principal name after creation </td>
- </tr>
-
+<td> 0022 </td>
+<td> Changing Id, principal name after creation </td></tr>
<tr class="a">
-
-<td>0023 </td>
-
-<td>Invalid jcr:uuid for authorizable (mod) </td>
- </tr>
-
+<td> 0023 </td>
+<td> Invalid jcr:uuid for authorizable (mod) </td></tr>
<tr class="b">
-
-<td>0024 </td>
-
-<td>Password may not be plain text </td>
- </tr>
-
+<td> 0024 </td>
+<td> Password may not be plain text </td></tr>
<tr class="a">
-
-<td>0025 </td>
-
-<td>Attempt to remove id, principalname or pw </td>
- </tr>
-
+<td> 0025 </td>
+<td> Attempt to remove id, principalname or pw </td></tr>
<tr class="b">
-
-<td>0026 </td>
-
-<td>Mandatory property rep:principalName missing </td>
- </tr>
-
+<td> 0026 </td>
+<td> Mandatory property rep:principalName missing </td></tr>
<tr class="a">
-
-<td>0027 </td>
-
-<td>The admin user cannot be removed </td>
- </tr>
-
+<td> 0027 </td>
+<td> The admin user cannot be removed </td></tr>
<tr class="b">
-
-<td>0028 </td>
-
-<td>Attempt to create outside of configured scope </td>
- </tr>
-
+<td> 0028 </td>
+<td> Attempt to create outside of configured scope </td></tr>
<tr class="a">
-
-<td>0029 </td>
-
-<td>Intermediate folders not rep:AuthorizableFolder </td>
- </tr>
-
+<td> 0029 </td>
+<td> Intermediate folders not rep:AuthorizableFolder </td></tr>
<tr class="b">
-
-<td>0030 </td>
-
-<td>Missing uuid for group (check for cyclic membership) </td>
- </tr>
-
+<td> 0030 </td>
+<td> Missing uuid for group (check for cyclic membership) </td></tr>
<tr class="a">
-
-<td><s>0031</s> </td>
-
-<td><s>Cyclic group membership</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6072">OAK-6072</a>) </td>
- </tr>
-
+<td> <s>0031</s> </td>
+<td> <s>Cyclic group membership</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6072">OAK-6072</a>) </td></tr>
<tr class="b">
-
-<td>0032 </td>
-
-<td>Attempt to set password with system user </td>
- </tr>
-
+<td> 0032 </td>
+<td> Attempt to set password with system user </td></tr>
<tr class="a">
-
-<td>0033 </td>
-
-<td>Attempt to add rep:pwd node to a system user </td>
- </tr>
- </tbody>
+<td> 0033 </td>
+<td> Attempt to add rep:pwd node to a system user </td></tr>
+</tbody>
</table>
<p><a name="configuration"></a></p></div>
<div class="section">
<h3><a name="Configuration"></a>Configuration</h3>
<p>The following user management specific methods are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a> as of OAK 1.0:</p>
-
<ul>
-
+
<li>getUserManager: Obtain a new user manager instance</li>
</ul>
<div class="section">
<h4><a name="Configuration_Parameters_supported_by_the_default_implementation"></a>Configuration Parameters supported by the default implementation</h4>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td><tt>PARAM_ADMIN_ID</tt> </td>
-
-<td>String </td>
-
-<td>“admin” </td>
- </tr>
-
+<td> <tt>PARAM_ADMIN_ID</tt> </td>
+<td> String </td>
+<td> “admin” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_OMIT_ADMIN_PW</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_OMIT_ADMIN_PW</tt> </td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="b">
-
-<td><tt>PARAM_ANONYMOUS_ID</tt> </td>
-
-<td>String </td>
-
-<td>“anonymous” (nullable) </td>
- </tr>
-
+<td> <tt>PARAM_ANONYMOUS_ID</tt> </td>
+<td> String </td>
+<td> “anonymous” (nullable) </td></tr>
<tr class="a">
-
-<td><tt>PARAM_USER_PATH</tt> </td>
-
-<td>String </td>
-
-<td>“/rep:security/rep:authorizables/rep:users” </td>
- </tr>
-
+<td> <tt>PARAM_USER_PATH</tt> </td>
+<td> String </td>
+<td> “/rep:security/rep:authorizables/rep:users” </td></tr>
<tr class="b">
-
-<td><tt>PARAM_GROUP_PATH</tt> </td>
-
-<td>String </td>
-
-<td>“/rep:security/rep:authorizables/rep:groups” </td>
- </tr>
-
+<td> <tt>PARAM_GROUP_PATH</tt> </td>
+<td> String </td>
+<td> “/rep:security/rep:authorizables/rep:groups” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_DEFAULT_DEPTH</tt> </td>
-
-<td>int </td>
-
-<td>2 </td>
- </tr>
-
+<td> <tt>PARAM_DEFAULT_DEPTH</tt> </td>
+<td> int </td>
+<td> 2 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
-
-<td>String </td>
-
-<td>“SHA-256” </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
+<td> String </td>
+<td> “SHA-256” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
-
-<td>int </td>
-
-<td>1000 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
+<td> int </td>
+<td> 1000 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
-
-<td>int </td>
-
-<td>8 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
+<td> int </td>
+<td> 8 </td></tr>
<tr class="a">
-
-<td><tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
-
-<td>AuthorizableNodeName </td>
-
-<td>AuthorizableNodeName#DEFAULT </td>
- </tr>
-
+<td> <tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
+<td> AuthorizableNodeName </td>
+<td> AuthorizableNodeName#DEFAULT </td></tr>
<tr class="b">
-
-<td><tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
-
-<td>AuthorizableActionProvider </td>
-
-<td>DefaultAuthorizableActionProvider </td>
- </tr>
-
+<td> <tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
+<td> AuthorizableActionProvider </td>
+<td> DefaultAuthorizableActionProvider </td></tr>
<tr class="a">
-
-<td><tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="b">
-
-<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
-
-<td>String (“abort”, “ignore”, “besteffort”) </td>
-
-<td>“ignore” </td>
- </tr>
-
+<td> <tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+<td> String (“abort”, “ignore”, “besteffort”) </td>
+<td> “ignore” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
-
-<td>int </td>
-
-<td>0 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+<td> int </td>
+<td> 0 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
-
-<td>int (upper limit: 1000) </td>
-
-<td>0 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+<td> int (upper limit: 1000) </td>
+<td> 0 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_CACHE_EXPIRATION</tt> </td>
-
-<td>long </td>
-
-<td>0 </td>
- </tr>
-
+<td> <tt>PARAM_CACHE_EXPIRATION</tt> </td>
+<td> long </td>
+<td> 0 </td></tr>
<tr class="a">
-
-<td><tt>PARAM_ENABLE_RFC7613_USERCASE_MAPPED_PROFILE</tt></td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_ENABLE_RFC7613_USERCASE_MAPPED_PROFILE</tt></td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="b">
-
<td> </td>
-
<td> </td>
-
-<td> </td>
- </tr>
- </tbody>
+<td> </td></tr>
+</tbody>
</table>
<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
-
<ul>
-
+
<li><tt>compatibleJR16</tt></li>
-
<li><tt>autoExpandTree</tt></li>
-
<li><tt>autoExpandSize</tt></li>
-
<li><tt>groupMembershipSplitSize</tt></li>
</ul>
<p>The optional <tt>cacheExpiration</tt> configuration option listed above is discussed in detail in section <a href="../principal/cache.html">Caching Results of Principal Resolution</a>. It is not related to user management s.str. but affects the implementation specific <tt>PrincipalProvider</tt> implementation exposed by <tt>UserConfiguration.getUserPrincipalProvider</tt>.</p>
@@ -735,25 +571,23 @@
<div class="section">
<h3><a name="Pluggability"></a>Pluggability</h3>
<p>Within the default user management implementation the following parts can be modified or extended at runtime by providing corresponding OSGi services or passing appropriate configuration parameters exposing the custom implementations:</p>
-
<ul>
-
+
<li><tt>AuthorizableActionProvider</tt>: Defines the authorizable actions, see <a href="authorizableaction.html">Authorizable Actions</a>.</li>
-
-<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository. See <a href="authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
-
+<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository. See <a href="authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
<li><tt>UserAuthenticationFactory</tt>: see below</li>
</ul>
<div class="section">
<h4><a name="UserAuthenticationFactory_:_Authenticating_Users"></a>UserAuthenticationFactory : Authenticating Users</h4>
-<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation. </p>
+<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation.</p>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Example_UserAuthenticationFactory"></a>Example UserAuthenticationFactory</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">@Component()
+<div>
+<div>
+<pre class="source">@Component()
@Service(UserAuthenticationFactory.class)
public class MyUserAuthenticationFactory implements UserAuthenticationFactory {
Modified: jackrabbit/site/live/oak/docs/security/user/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/differences.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/differences.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management : Differences to Jackrabbit 2.x</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,99 +251,80 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<div class="section">
<h3><a name="User_Management_:_Differences_to_Jackrabbit_2.x"></a>User Management : Differences to Jackrabbit 2.x</h3>
<p>The default user management implementation present has the following characteristics that differ from the default behavior in Jackrabbit 2.x</p>
<div class="section">
<h4><a name="General"></a>General</h4>
-
<ul>
-
+
<li>changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
-
<li>In case of a failure <tt>Session#refresh</tt> is no longer called in order to prevent reverting other changes unrelated to the user management operation. Consequently it’s the responsibility of the API consumer to specifically revert pending or invalid transient modifications.</li>
</ul></div>
<div class="section">
<h4><a name="Differences_by_Interface"></a>Differences by Interface</h4>
<div class="section">
<h5><a name="UserManager"></a>UserManager</h5>
-
<ul>
-
+
<li>stores user/group information in the workspace associated with the editing Session</li>
-
-<li>the autosave feature is no longer supported by default; configuration option <tt>PARAM_SUPPORT_AUTOSAVE</tt> can be used to obtain backwards compatible behavior</li>
-
-<li>calling <tt>getAuthorizable</tt> with empty id or <tt>null</tt> id/principal will not throw a runtime exception but silently returns <tt>null</tt></li>
+<li>the autosave feature is no longer supported by default; configuration option <tt>PARAM_SUPPORT_AUTOSAVE</tt> can be used to obtain backwards compatible behavior</li>
+<li>calling <tt>getAuthorizable</tt> with empty id or <tt>null</tt> id/principal will not throw a runtime exception but silently returns <tt>null</tt></li>
</ul></div>
<div class="section">
<h5><a name="Authorizable"></a>Authorizable</h5>
-
<ul>
-
-<li>Equality and HashCode : the implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for authorizables differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</li>
-
-<li>Authorizable ID: the ID of authorizables is stored separately in a <tt>rep:authorizableId</tt> property. This value is returned upon <tt>Authorizable#getID</tt>. For backwards compatibility it falls back on the node name in case the ID property is missing.</li>
-
-<li>Node Name: The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface. Default: ID as name hint. See section <a href="authorizablenodename.html">Authorizable Node Name Generation</a> for details.</li>
+
+<li>Equality and HashCode : the implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for authorizables differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</li>
+<li>Authorizable ID: the ID of authorizables is stored separately in a <tt>rep:authorizableId</tt> property. This value is returned upon <tt>Authorizable#getID</tt>. For backwards compatibility it falls back on the node name in case the ID property is missing.</li>
+<li>Node Name: The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface. Default: ID as name hint. See section <a href="authorizablenodename.html">Authorizable Node Name Generation</a> for details.</li>
</ul></div>
<div class="section">
<h5><a name="User"></a>User</h5>
-
<ul>
-
+
<li>Creation: The password is no longer mandatory upon user creation.</li>
</ul></div>
<div class="section">
<h5><a name="Group"></a>Group</h5>
-
<ul>
-
-<li>Creation: <tt>createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
-
-<li>Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section <a href="membership.html">Group Membership</a> for a detailed description.</li>
+
+<li>Creation: <tt>createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
+<li>Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section <a href="membership.html">Group Membership</a> for a detailed description.</li>
</ul>
<p><a name="query"></a></p></div>
<div class="section">
<h5><a name="QueryBuilder"></a>QueryBuilder</h5>
<p>The user query is expected to work as in Jackrabbit 2.x with the following notable bug fixes:</p>
-
<ul>
-
-<li><tt>QueryBuilder#setScope(String groupID, boolean declaredOnly)</tt> now also works properly for the everyone group (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-949">OAK-949</a>)</li>
-
-<li><tt>QueryBuilder#impersonates(String principalName)</tt> works properly for the admin principal which are specially treated in the implementation of the <tt>Impersonation</tt> interface (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1183">OAK-1183</a>).</li>
+
+<li><tt>QueryBuilder#setScope(String groupID, boolean declaredOnly)</tt> now also works properly for the everyone group (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-949">OAK-949</a>)</li>
+<li><tt>QueryBuilder#impersonates(String principalName)</tt> works properly for the admin principal which are specially treated in the implementation of the <tt>Impersonation</tt> interface (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1183">OAK-1183</a>).</li>
</ul></div></div>
<div class="section">
<h4><a name="Additional_Functionality"></a>Additional Functionality</h4>
<div class="section">
<h5><a name="XML_Import"></a>XML Import</h5>
-
<ul>
-
-<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
-
+
+<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
-
<li>Oak also supports workspace import for authorizables</li>
</ul></div>
<div class="section">
<h5><a name="Built-in_Users"></a>Built-in Users</h5>
-
<ul>
-
+
<li>admin user can be initialized without password (<tt>PARAM_OMIT_ADMIN_PW</tt> config option)</li>
-
<li>anonymous user is optional (missing <tt>PARAM_ANONYMOUS_ID</tt> config option)</li>
-
<li>anonymous user is always initialized without password.</li>
</ul></div>
<div class="section">
<h5><a name="Group_representing_the_Everyone_Principal"></a>Group representing the Everyone Principal</h5>
-
<ul>
-
+
<li>the implementation of the optional special group representing the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html">everyone</a> principal is consistent throughout all group membership related methods.</li>
</ul></div>
<div class="section">
@@ -341,56 +334,44 @@
<div class="section">
<h4><a name="Node_Type_Definitions"></a>Node Type Definitions</h4>
<p>The built-in node types related to user management tasks have been modified as follows.</p>
-
<ul>
-
+
<li><i>rep:Authorizable</i>
-
<ul>
-
+
<li>new protected property <tt>rep:authorizableId</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li><i>rep:Group</i>
-
<ul>
-
+
<li>extends from <tt>rep:MemberReferences</tt> which provides the multivalued property <tt>rep:members</tt></li>
-
<li>the child node definition <tt>rep:members</tt> has been deprecated and is no longer used</li>
-
<li>new child node definition <tt>rep:membersList</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<p>The following node type definitions have been added:</p>
-
<ul>
-
+
<li><i>rep:MemberReferences</i> : provides the multivalued <tt>rep:members</tt> property.</li>
-
<li><i>rep:MemberReferencesList</i></li>
</ul>
<p>The following node type definition has been deprecated and will no longer be used:</p>
-
<ul>
-
+
<li><i>rep:Members</i></li>
</ul></div>
<div class="section">
<h4><a name="Configuration"></a>Configuration</h4>
<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
-
<ul>
-
+
<li>“compatibleJR16”</li>
-
<li>“autoExpandTree”</li>
-
<li>“autoExpandSize”</li>
-
<li>“groupMembershipSplitSize”</li>
-</ul>
-<!-- hidden references --></div></div></div>
+</ul><!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/expiry.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/expiry.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/expiry.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/expiry.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Password Expiry and Force Initial Password Change</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,7 +251,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Password_Expiry_and_Force_Initial_Password_Change"></a>Password Expiry and Force Initial Password Change</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -249,70 +262,55 @@
<p>Administrators may configure passwords to expire within a configurable amount of time (days). A user whose password has expired will no longer be able to obtain a session/login.</p></div>
<div class="section">
<h3><a name="Force_Initial_Password_Change"></a>Force Initial Password Change</h3>
-<p>An administrator may configure the system such that a user is forced to set a new password upon first login. This is a special form of Password Expiry above, in that upon creation a user account’s password is expired by default. Upon initial login, the user will not be able to obtain a session/login and the password needs to be changed prior to a next attempt. For specifying the new password, the initial password has to be provided.</p></div>
+<p>An administrator may configure the system such that a user is forced to set a new password upon first login. This is a special form of Password Expiry above, in that upon creation a user account’s password is expired by default. Upon initial login, the user will not be able to obtain a session/login and the password needs to be changed prior to a next attempt. For specifying the new password, the initial password has to be provided.</p>
+<p><a href="configuration"></a></p></div>
<div class="section">
<h3><a name="Configuration"></a>Configuration</h3>
<p>An administrator may enable password expiry and initial password change via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default both features are disabled.</p>
<p>The following configuration options are supported:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th>
+<th> Description </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
-
-<td>int </td>
-
-<td>0 </td>
-
-<td>Number of days until the password expires. </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+<td> int </td>
+<td> 0 </td>
+<td> Number of days until the password expires. </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
-
-<td>boolean flag to enable initial pw change. </td>
- </tr>
- </tbody>
+<td> <tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+<td> boolean </td>
+<td> false </td>
+<td> boolean flag to enable initial pw change. </td></tr>
+<tr class="b">
+<td> <tt>PARAM_PASSWORD_EXPIRY_FOR_ADMIN</tt> </td>
+<td> boolean </td>
+<td> false </td>
+<td> flag to enable pw expiry for admin user. </td></tr>
+</tbody>
</table>
<p>Note:</p>
-
<ul>
-
+
<li>Maximum Password Age (<tt>maxPasswordAge</tt>) will only be enabled when a value greater 0 is set (expiration time in days).</li>
-
<li>Change Password On First Login (<tt>initialPasswordChange</tt>): When enabled, forces users to change their password upon first login.</li>
-</ul></div>
+</ul>
+<p><a href="how"></a></p></div>
<div class="section">
<h3><a name="How_it_works"></a>How it works</h3>
<div class="section">
<h4><a name="Definition_of_Expired_Password"></a>Definition of Expired Password</h4>
<p>An expired password is defined as follows:</p>
-
<ul>
-
-<li>The current date-time is after or on the date-time + maxPasswordAge specified in a <tt>rep:passwordLastModified</tt> property</li>
-
-<li>OR: Expiry and/or Enforce Password Change is enabled, but no <tt>rep:passwordLastModified</tt> property exists</li>
+
+<li>The current date-time is after or on the date-time + maxPasswordAge specified in a <tt>rep:passwordLastModified</tt> property</li>
+<li>OR: Expiry and/or Enforce Password Change is enabled, but no <tt>rep:passwordLastModified</tt> property exists</li>
</ul>
<p>For the above, a password node <tt>rep:pw</tt> and a property <tt>rep:passwordLastModified</tt>, governed by a new <tt>rep:Password</tt> node type and located in the user’s home, have been introduced, leaving open future enhancements to password management (such as password policies, history, et al):</p></div>
<div class="section">
@@ -320,19 +318,23 @@
<div class="section">
<h5><a name="Node_Type_rep:Password"></a>Node Type rep:Password</h5>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:Password]
+<div>
+<div>
+<pre class="source">[rep:Password]
- * (UNDEFINED) protected
- * (UNDEFINED) protected multiple
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h5><a name="Node_rep:pwd_and_Property_rep:passwordLastModified"></a>Node rep:pwd and Property rep:passwordLastModified</h5>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:User] > rep:Authorizable, rep:Impersonatable
+<div>
+<div>
+<pre class="source">[rep:User] > rep:Authorizable, rep:Impersonatable
+ rep:pwd (rep:Password) = rep:Password protected
...
</pre></div></div>
+
<p>The <tt>rep:pw</tt> node and the <tt>rep:passwordLastModified</tt> property are defined protected in order to guard against the user modifying (overcoming) her password expiry. The new sub-node also has the advantage of allowing repository consumers to e.g. register specific commit hooks / actions on such a node.</p>
<p>In the future the <tt>rep:password</tt> property on the user node may be migrated to the <tt>rep:pw</tt> sub-node.</p></div></div>
<div class="section">
@@ -357,19 +359,16 @@
<p>This method of changing password via the normal login call only works if a user’s password is in fact expired and cannot be used for regular password changes (attribute is ignored, use <tt>User#changePassword</tt> directly instead).</p>
<p>Should the <a href="history.html">Password History feature</a> be enabled, and - for the above password change - a password already in the history be used, the change will fail and the login still throw a <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/CredentialExpiredException.html">CredentialExpiredException</a>. In order for consumers of the exception to become aware that the credentials are still considered expired, and that the password was not changed due to the new password having been found in the password history, the credentials object is fitted with an additional attribute with name <tt>PasswordHistoryException</tt>.</p>
<p>This attribute may contain the following two values:</p>
-
<ul>
-
+
<li><i>“New password was found in password history.”</i> or</li>
-
<li><i>"“New password is identical to the current password.”</i></li>
</ul></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
<p>When users are imported via the Oak JCR XML importer, the expiry relevant nodes and property are supported. If the XML specifies a <tt>rep:pw</tt> node and optionally a <tt>rep:passwordLastModified</tt> property, these are imported, irrespective of the password expiry or force initial password change being enabled in the configuration. If they’re enabled, the imported property will be used in the normal login process as described above. If not enabled, the imported property will have no effect.</p>
<p>On the other hand, if the imported user already exists, potentially existing <tt>rep:passwordLastModified</tt> properties will be overwritten with the value from the import. If password expiry is enabled, this may cause passwords to expire earlier or later than anticipated, governed by the new value. Also, an import may create such a property where none previously existed, thus effectively cancelling the need to change the password on first login - if the feature is enabled.</p>
-<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p>
-<!-- hidden references --></div></div></div>
+<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p><!-- hidden references --></div></div></div>
</div>
</div>
</div>