Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/11/09 09:44:20 UTC
svn commit: r1846222 [14/22] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/
security/accesscontrol/ security/authentication...
Modified: jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication with External Login Module : Examples</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
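Review bot: The regenerated page appears to come from an older build than the one it replaces: the header comment goes from `Doxia Site Renderer 1.8.1 at 2018-09-19` to `1.7.4 at 2018-02-21`, and `Date-Revision-yyyymmdd` moves back from `20180919` to `20180221`. The later hunks in this file and the matching ones in faq.html are consistent with that, since they drop the Jackrabbit API, Direct Binary Access and MongoDB DocumentStore navigation entries. If this is unintended, the published security documentation is being rolled back to an earlier state, so it would be worth regenerating the site from the current source and toolchain before publishing to `site/live`. Only part [14/22] of the commit is visible here, so the cause is inferred from these lines rather than confirmed.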
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,125 +239,144 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="Authentication_with_External_Login_Module_:_Examples"></a>Authentication with External Login Module : Examples</h2>
-<ul>
+<ul>
+
<li><a href="#standard">Integration with Standard Oak Authentication</a></li>
+
<li><a href="#preauth">Integration with Pre-Authentication and Login Module Chain</a></li>
</ul>
-<a name="standard"></a>
-### Integration with Standard Oak Authentication
-
+<p><a name="standard"></a></p>
<div class="section">
+<h3><a name="Integration_with_Standard_Oak_Authentication"></a>Integration with Standard Oak Authentication</h3>
<div class="section">
<h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
-<div>
-<div>
-<pre class="source"> Example {
+<div class="source">
+<div class="source"><pre class="prettyprint"> Example {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
sync.handlerName="your-synchandler_name"
idp.name="your_idp_name";
};
-</pre></div></div>
-</div>
+</pre></div></div></div>
<div class="section">
<h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4>
<div class="section">
<h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
-<ul>
+<ul>
+
<li>
-
-<p>The <tt>TokenLoginModule</tt> is in charge of handling repository authentication request with <tt>TokenCredentials</tt>:</p>
+<p>The <tt>TokenLoginModule</tt> is in charge of handling repository authentication request with <tt>TokenCredentials</tt>:</p>
+
<ul>
-
+
<li><i>Login Success</i>: If token-login succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list. This means that it will not hit the <tt>ExternalIdentityProvider</tt> and will not re-sync an external user as long as the login token is valid.</li>
+
<li><i>Login Failure</i>: If it fails (e.g. other type of <tt>Credentials</tt>) the authentication will proceed down the <tt>LoginModule</tt> list.</li>
+
<li><i>Commit</i>: If the login failed the login module will test if the <tt>Credentials</tt> passed to the login ask for generation of a new login token. If this login succeeded it will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-</ul>
+ </ul>
<p>NOTE: In this setup the <tt>TokenLoginModule</tt> is expected to only handle subsequent authentication request after having issued a login token. The latter is achieved by providing <tt>Credentials</tt> attributes that force the <tt>TokenLoginModule</tt> to generate a new login token in the <i>commit</i> phase. The application should then use that login toke for subsequent requests.</p>
-<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for details and for a description of the default implementation.</p>
-</li>
+<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for details and for a description of the default implementation.</p></li>
+
<li>
-
-<p>The <tt>LoginModuleImpl</tt> is in charge of handling authentication request for users managed and created through the repository’s user management API; i.e. users that are not defined by an <tt>ExternalIdentityProvider</tt>. This includes built-in system users like the administrator, the guest-user (aka anonymous) or <tt>SystemUsers</tt>. It also handles impersonation logins.</p>
+<p>The <tt>LoginModuleImpl</tt> is in charge of handling authentication request for users managed and created through the repository’s user management API; i.e. users that are not defined by an <tt>ExternalIdentityProvider</tt>. This includes built-in system users like the administrator, the guest-user (aka anonymous) or <tt>SystemUsers</tt>. It also handles impersonation logins.</p>
+
<ul>
-
-<li><i>Login Success</i>: If regular user authentication (or impersonation) succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list i.e. omits unnecessarily trying to authenticate a local user against the external IDP.</li>
-<li><i>Login Failure</i>: If the authentication fails (e.g. no local user that could have uid/pw matching the passed <tt>Credentials</tt>), it will continue down the <tt>LoginModule</tt> list.</li>
-<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-</ul>
-<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>local</i> users will end up being handled by this module or fail.</p>
-</li>
+
+<li><i>Login Success</i>: If regular user authentication (or impersonation) succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list i.e. omits unnecessarily trying to authenticate a local user against the external IDP.</li>
+
+<li><i>Login Failure</i>: If the authentication fails (e.g. no local user that could have uid/pw matching the passed <tt>Credentials</tt>), it will continue down the <tt>LoginModule</tt> list.</li>
+
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+ </ul>
+<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>local</i> users will end up being handled by this module or fail.</p></li>
+
<li>
-
-<p>The <tt>ExternalLoginModule</tt> is in charge of handling authentication request for users managed by an <tt>ExternalIdentityProvider</tt>.</p>
+<p>The <tt>ExternalLoginModule</tt> is in charge of handling authentication request for users managed by an <tt>ExternalIdentityProvider</tt>.</p>
+
<ul>
-
-<li><i>Login Success</i>: If user authentication against the IDP succeeds the module synchronizes the external user into the repository according to the logic defined in the configure <tt>SyncHandler</tt>. If the user has been synced before it might be updated. If and how often a user gets re-synced is an implementation detail of the <tt>SyncHandler</tt>.</li>
-<li><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid <tt>Credentials</tt>), the whole login will fail because the <tt>ExternalLoginModule</tt> is configured to be <i>required</i> and the last module in the chain.</li>
-<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-</ul>
-<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>external</i> users will end up being handled by this module (including connection to the IDP) or fail.</p>
-</li>
+
+<li><i>Login Success</i>: If user authentication against the IDP succeeds the module synchronizes the external user into the repository according to the logic defined in the configure <tt>SyncHandler</tt>. If the user has been synced before it might be updated. If and how often a user gets re-synced is an implementation detail of the <tt>SyncHandler</tt>.</li>
+
+<li><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid <tt>Credentials</tt>), the whole login will fail because the <tt>ExternalLoginModule</tt> is configured to be <i>required</i> and the last module in the chain.</li>
+
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+ </ul>
+<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>external</i> users will end up being handled by this module (including connection to the IDP) or fail.</p></li>
</ul></div>
<div class="section">
<h5><a name="Login_with_Different_Credentials"></a>Login with Different Credentials</h5>
<div class="section">
<h6><a name="GuestCredentials"></a>GuestCredentials</h6>
-<ul>
+<ul>
+
<li><tt>TokenLoginModule</tt> will ignore</li>
-<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+
+<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
+
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="SimpleCredentials"></a>SimpleCredentials</h6>
-<ul>
+<ul>
+
<li><tt>TokenLoginModule</tt> will ignore</li>
-<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user. It is not expected to succeed for synced external users,which should not have their password synced. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
-<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authenticating an external against the external IDP including sync is successful. If none of the other modules succeeded the <tt>ExternalLoginModule</tt> is required to succeed.</li>
+
+<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user. It is not expected to succeed for synced external users,which should not have their password synced. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
+
+<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authenticating an external against the external IDP including sync is successful. If none of the other modules succeeded the <tt>ExternalLoginModule</tt> is required to succeed.</li>
</ul></div>
<div class="section">
<h6><a name="TokenCredentials"></a>TokenCredentials</h6>
-<ul>
-<li><tt>TokenLoginModule</tt> supports <tt>TokenCredentials</tt> and will succeed if the credentials are valid. If it succeeds authentication doesn’t move down the module list. If it fails overall authentication is expected to fail as the subsequent modules are not expected to support <tt>TokenCredentials</tt>.</li>
-<li><tt>LoginModuleImpl</tt> does not support <tt>TokenCredentials</tt> and will fail.</li>
-<li><tt>ExternalLoginModule</tt> is not expected to support <tt>TokenCredentials</tt> and thus overall authentication is expected to fail if <tt>TokenLoginModule</tt> failed.</li>
+<ul>
+
+<li><tt>TokenLoginModule</tt> supports <tt>TokenCredentials</tt> and will succeed if the credentials are valid. If it succeeds authentication doesn’t move down the module list. If it fails overall authentication is expected to fail as the subsequent modules are not expected to support <tt>TokenCredentials</tt>.</li>
+
+<li><tt>LoginModuleImpl</tt> does not support <tt>TokenCredentials</tt> and will fail.</li>
+
+<li><tt>ExternalLoginModule</tt> is not expected to support <tt>TokenCredentials</tt> and thus overall authentication is expected to fail if <tt>TokenLoginModule</tt> failed.</li>
</ul></div>
<div class="section">
<h6><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h6>
-<ul>
+<ul>
+
<li><tt>TokenLoginModule</tt> will ignore</li>
-<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+
+<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed. If it succeeds authentication doesn’t move down to <tt>ExternalLoginModule</tt>.</li>
+
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="Other_Credentials"></a>Other Credentials</h6>
-<ul>
+<ul>
+
<li>Overall login success only if the <tt>ExternalLoginModule</tt> supports these credentials</li>
+
<li><tt>TokenLoginModule</tt> will ignore</li>
+
<li><tt>LoginModuleImpl</tt> will ignore</li>
-<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
+
+<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
</ul>
-<a name="preauth"></a>
-### Integration with Pre-Authentication and Login Module Chain
-</div></div></div>
+<p><a name="preauth"></a></p></div></div></div></div>
+<div class="section">
+<h3><a name="Integration_with_Pre-Authentication_and_Login_Module_Chain"></a>Integration with Pre-Authentication and Login Module Chain</h3>
<div class="section">
<h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
-<div>
-<div>
-<pre class="source"> Example {
+<div class="source">
+<div class="source"><pre class="prettyprint"> Example {
your.org.PreAuthenticationLoginModule optional;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl optional;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule sufficient
@@ -377,105 +384,131 @@
idp.name="your_idp_name";
};
</pre></div></div>
-
<p>See <a href="../preauthentication.html#withloginchain">Pre-Authenticated Login</a> for an example <tt>LoginModule</tt> that illustrates how the pre-authentication is being pushed to the shared stated.</p>
<p><i>Note:</i> This configuration has been slightly adjusted from the example in <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3508">OAK-3508</a> marking the pre-auth login to be <i>optional</i>. This highlights the fact that subsequent <tt>LoginModule</tt>s are in charge of respecting the <tt>PreAuthenticatedLogin</tt> marker and properly populating the <tt>Subject</tt> in the second <i>commit</i> phase.</p>
-<p>Also, in the example implementation the login never succeeds (in which case <i>sufficient</i> would actually work as well). However, if it ever succeeded the <tt>PreAuthenticatedLogin</tt> marker would be meaningless and the pre-auth module in fact would have to populate the <tt>Subject</tt> i.e. relying on details defined and handled by other <tt>LoginModule</tt>s.</p></div>
+<p>Also, in the example implementation the login never succeeds (in which case <i>sufficient</i> would actually work as well). However, if it ever succeeded the <tt>PreAuthenticatedLogin</tt> marker would be meaningless and the pre-auth module in fact would have to populate the <tt>Subject</tt> i.e. relying on details defined and handled by other <tt>LoginModule</tt>s. </p></div>
<div class="section">
<h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4>
<div class="section">
<h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
-<ul>
+<ul>
+
<li>
-
-<p>The custom pre-auth module is in charge of handling custom pre-auth <tt>Credentials</tt> shared between the code performing the authentication outside of the scope of the repository and this module. It’s only task is to create the <tt>PreAuthenticatedLogin</tt> marker and push it to the shared stated to inform subsequent modules, which will always be consulted due to the <i>optional</i> flag.</p>
+<p>The custom pre-auth module is in charge of handling custom pre-auth <tt>Credentials</tt> shared between the code performing the authentication outside of the scope of the repository and this module. It’s only task is to create the <tt>PreAuthenticatedLogin</tt> marker and push it to the shared stated to inform subsequent modules, which will always be consulted due to the <i>optional</i> flag.</p>
+
<ul>
-
-<li><i>Login Success</i>: not desired as we want subsequent modules to verify if there is a matching identity for the <tt>PreAuthenticatedLogin</tt> and later on populate the subject.</li>
-<li><i>Login Failure</i>: the default passing over the responsibility the other modules in the chain.</li>
+
+<li><i>Login Success</i>: not desired as we want subsequent modules to verify if there is a matching identity for the <tt>PreAuthenticatedLogin</tt> and later on populate the subject.</li>
+
+<li><i>Login Failure</i>: the default passing over the responsibility the other modules in the chain.</li>
+
<li><i>Commit</i>: Nothing to do.</li>
-</ul>
-</li>
+ </ul></li>
+
<li>
-
-<p>The <tt>LoginModuleImpl</tt> will try to resolve the repository user associated with the <tt>PreAuthenticatedLogin</tt> or perform regular login with the login <tt>Credentials</tt> if no <tt>PreAuthenticatedLogin</tt> is present.</p>
+<p>The <tt>LoginModuleImpl</tt> will try to resolve the repository user associated with the <tt>PreAuthenticatedLogin</tt> or perform regular login with the login <tt>Credentials</tt> if no <tt>PreAuthenticatedLogin</tt> is present. </p>
+
<ul>
-
-<li><i>Login Success</i>: If there exists a valid user for the given <tt>PreAuthenticatedLogin</tt> or <tt>Credentials</tt> login will always succeed in case of a pre-auth login. Otherwise credentials are regularly evaluated (e.g. password validation). The authentication will continue down the chain due to the <i>optional</i> flag.</li>
-<li><i>Login Failure</i>: If no matching user exists or if the user is not valid (e.g. disabled). In case of regular authentication it will fail if the <tt>Credentials</tt> cannot be validated. Then authentication it will again continue down the <tt>LoginModule</tt> list.</li>
+
+<li><i>Login Success</i>: If there exists a valid user for the given <tt>PreAuthenticatedLogin</tt> or <tt>Credentials</tt> login will always succeed in case of a pre-auth login. Otherwise credentials are regularly evaluated (e.g. password validation). The authentication will continue down the chain due to the <i>optional</i> flag.</li>
+
+<li><i>Login Failure</i>: If no matching user exists or if the user is not valid (e.g. disabled). In case of regular authentication it will fail if the <tt>Credentials</tt> cannot be validated. Then authentication it will again continue down the <tt>LoginModule</tt> list.</li>
+
<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-</ul>
-</li>
+ </ul></li>
+
<li>
-
-<p>The <tt>ExternalLoginModule</tt> will try to resolve the <tt>PreAuthenticatedLogin</tt> or alternatively the <tt>Credentials</tt> to a <tt>SyncedIdentity</tt>.</p>
+<p>The <tt>ExternalLoginModule</tt> will try to resolve the <tt>PreAuthenticatedLogin</tt> or alternatively the <tt>Credentials</tt> to a <tt>SyncedIdentity</tt>.</p>
+
<ul>
-
-<li>If no <tt>SyncedIdentity</tt> exists the user is retrieved from external IDP and eventually synced into the repository. In case no <tt>PreAuthenticatedLogin</tt> is present retrieving identity additionally includes credentials validation.</li>
-<li>If there exists a <tt>SyncedIdentity</tt> the module will validate it. In case of <tt>PreAuthenticatedLogin</tt> it checks if the identity needs to be synced again.</li>
-<li><i>Login Success</i>: If there exists a valid external identity on the IDP and it has be synced with the repository.</li>
-<li><i>Login Failure</i>: If no matching/valid identity exists on the IDP or if there exists a <tt>SyncedIdentity</tt> that doesn’t belong to the IDP or we have a <tt>PreAuthenticatedLogin</tt> marker and the <tt>SyncedIdentity</tt> doesn’t need a re-sync.</li>
-<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-</ul>
-</li>
+
+<li>If no <tt>SyncedIdentity</tt> exists the user is retrieved from external IDP and eventually synced into the repository. In case no <tt>PreAuthenticatedLogin</tt> is present retrieving identity additionally includes credentials validation.</li>
+
+<li>If there exists a <tt>SyncedIdentity</tt> the module will validate it. In case of <tt>PreAuthenticatedLogin</tt> it checks if the identity needs to be synced again.</li>
+
+<li><i>Login Success</i>: If there exists a valid external identity on the IDP and it has be synced with the repository.</li>
+
+<li><i>Login Failure</i>: If no matching/valid identity exists on the IDP or if there exists a <tt>SyncedIdentity</tt> that doesn’t belong to the IDP or we have a <tt>PreAuthenticatedLogin</tt> marker and the <tt>SyncedIdentity</tt> doesn’t need a re-sync.</li>
+
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+ </ul></li>
</ul></div>
<div class="section">
<h5><a name="Login_with_Different_Credentials"></a>Login with Different Credentials</h5>
<div class="section">
<h6><a name="Custom_Pre-Auth_Credentials"></a>Custom Pre-Auth Credentials</h6>
-<ul>
+<ul>
+
<li>Custom pre-auth module will push <tt>PreAuthenticatedLogin</tt> on the shared state</li>
-<li>Overall login suceeds if any of the subsequent modules is able to deal with the <tt>PreAuthenticatedLogin</tt>.</li>
+
+<li>Overall login suceeds if any of the subsequent modules is able to deal with the <tt>PreAuthenticatedLogin</tt>.</li>
</ul></div>
<div class="section">
<h6><a name="GuestCredentials"></a>GuestCredentials</h6>
-<ul>
+<ul>
+
<li>Custom pre-auth module will ignore</li>
+
<li>Overall login success if the subsequent modules allow for login with <tt>GuestCredentials</tt></li>
-<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository.</li>
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+
+<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository.</li>
+
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="SimpleCredentials"></a>SimpleCredentials</h6>
-<ul>
+<ul>
+
<li>Custom pre-auth module will ignore</li>
+
<li>Overall login success if the subsequent modules allow for login with <tt>SimpleCredentials</tt></li>
-<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user.</li>
-<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authentication against the external IDP including sync is successful.</li>
+
+<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user.</li>
+
+<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authentication against the external IDP including sync is successful.</li>
</ul></div>
<div class="section">
<h6><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h6>
-<ul>
+<ul>
+
<li>Custom pre-auth module will ignore</li>
+
<li>Overall login success if the subsequent modules allow for login with <tt>ImpersonationCredentials</tt></li>
-<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed.</li>
-<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+
+<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed.</li>
+
+<li><tt>ExternalLoginModule</tt> by default doesn’t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
</ul></div>
<div class="section">
<h6><a name="Other_Credentials"></a>Other Credentials</h6>
-<ul>
+<ul>
+
<li>Overall login success only if the <tt>ExternalLoginModule</tt> supports these credentials</li>
+
<li>Custom pre-auth module will ignore</li>
+
<li><tt>LoginModuleImpl</tt> will ignore</li>
-<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
+
+<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
</ul></div></div>
<div class="section">
<h5><a name="FAQ"></a>FAQ</h5>
<div class="section">
<h6><a name="Why_are_the_custom_PreAuthCredentials_not_public"></a>Why are the custom ‘PreAuthCredentials’ not public?</h6>
-<p>The custom <tt>Credentials</tt> shared between the code performing the authentication (outside of the repository) and the custom <i>PreAuthenticationLoginModule</i> implementation must neither be public nor shared with other implementations in order to prevent un-authenticated login.</p></div>
+<p>The custom <tt>Credentials</tt> shared between the code performing the authentication (outside of the repository) and the custom <i>PreAuthenticationLoginModule</i> implementation must neither be public nor shared with other implementations in order to prevent un-authenticated login.</p></div>
<div class="section">
<h6><a name="Why_is_the_LoginModuleImpl_not_flagged_SUFFICIENT"></a>Why is the ‘LoginModuleImpl’ not flagged SUFFICIENT?</h6>
<p>If <tt>LoginModuleImpl</tt> was defined to be <i>sufficient</i> external identities would never be synced again if the <tt>PreAuthenticatedLogin</tt> marker is present in the shared state.</p></div>
<div class="section">
<h6><a name="Why_is_the_ExternalLoginModule_not_flagged_REQUIRED"></a>Why is the ‘ExternalLoginModule’ not flagged REQUIRED?</h6>
-<p>If <tt>ExternalLoginModule</tt> was required to succeed, login for <i>local</i> users was no longer possible. It also would mean that pre-authenticated login for a <tt>SyncedIdentity</tt> that doesn’t needs a re-sync would not longer be possible and would ultimately fail the repository authentication.</p><!-- references --></div></div></div></div></div>
+<p>If <tt>ExternalLoginModule</tt> was required to succeed, login for <i>local</i> users was no longer possible. It also would mean that pre-authenticated login for a <tt>SyncedIdentity</tt> that doesn’t needs a re-sync would not longer be possible and would ultimately fail the repository authentication.</p>
+<!-- references --></div></div></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/external/faq.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/faq.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/faq.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/faq.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – External Authentication : FAQ</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
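Review bot: The regenerated header in this hunk moves backwards, from `Doxia Site Renderer 1.8.1 at 2018-09-19` to `1.7.4 at 2018-02-21` (and `Date-Revision-yyyymmdd` from `20180919` to `20180221`), even though the file header is stamped 9 Nov 2018. That pattern suggests the live site was rebuilt from an older toolchain or a stale checkout, though the page does not confirm this. The same regression shows in the header hunks of externalloginmodule.html and identitymanagement.html. In each file the navigation hunks also drop the Jackrabbit API, MongoDB DocumentStore and Direct Binary Access entries, so those pages lose their links from the published security documentation. Because the output is generated there is no line to patch here; I would rebuild from the current site sources with a pinned renderer version and confirm the removed navigation entries are intended before publishing.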
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,27 +239,41 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="External_Authentication_:_FAQ"></a>External Authentication : FAQ</h2>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Question </th>
-<th> Answer </th>
-<th> References </th></tr>
-</thead><tbody>
-
+
+<th>Question </th>
+
+<th>Answer </th>
+
+<th>References </th>
+ </tr>
+ </thead>
+ <tbody>
+
<tr class="b">
-<td> Why am I no longer able to change the <tt>rep:externalId</tt>? </td>
-<td> Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property <tt>rep:externalId</tt> which is used to link a given synced user/group account to the corresponding entry on the external IDP. </td>
-<td> See <a href="defaultusersync.html">documentation</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> </td></tr>
+
+<td>Why am I no longer able to change the <tt>rep:externalId</tt>? </td>
+
+<td>Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property <tt>rep:externalId</tt> which is used to link a given synced user/group account to the corresponding entry on the external IDP. </td>
+
+<td>See <a href="defaultusersync.html">documentation</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> </td>
+ </tr>
+
<tr class="a">
-<td> Why does a User or Group created with a content package not get synced with the IDP? </td>
-<td> Only users/groups with a <tt>rep:externalId</tt> linking them to the external IDP will be respected during the default sync mechanism. </td>
-<td> See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5304">OAK-5304</a> </td></tr>
-</tbody>
+
+<td>Why does a User or Group created with a content package not get synced with the IDP? </td>
+
+<td>Only users/groups with a <tt>rep:externalId</tt> linking them to the external IDP will be respected during the default sync mechanism. </td>
+
+<td>See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5304">OAK-5304</a> </td>
+ </tr>
+ </tbody>
</table></div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication with the External Login Module</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,33 +239,40 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="Authentication_with_the_External_Login_Module"></a>Authentication with the External Login Module</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>The purpose of the external login module is to provide a base implementation that allows easy integration of 3rd party authentication and identity systems, such as <a href="ldap.html">LDAP</a>. The general mode of the external login module is to use the external system as authentication source and as a provider for users and groups that may also be synchronized into the repository.</p>
<p>what it does:</p>
-<ul>
+<ul>
+
<li>facilitate the use of a 3rd party system for authentication</li>
+
<li>simplify populating the oak user manager with identities from a 3rd party system</li>
</ul>
<p>what it does not:</p>
-<ul>
+<ul>
+
<li>provide a transparent oak user manager</li>
+
<li>provide a transparent oak principal provider.</li>
+
<li>offer services for background synchronization of users and groups</li>
</ul>
-<a name="details"></a>
-### Implementation Details
-The external identity and login handling is split into 3 parts:
+<p><a name="details"></a></p></div>
+<div class="section">
+<h3><a name="Implementation_Details"></a>Implementation Details</h3>
+<p>The external identity and login handling is split into 3 parts:</p>
<ul>
-
+
<li><b>External Login Module</b>: LoginModule implementation that represents the connection between JAAS login mechanism, the external identity provider and the synchronization handler.</li>
+
<li><b>External Identity Provider</b> (IDP): This is a service implementing the <tt>ExternalIdentityProvider</tt> interface and is responsible to retrieve and authenticate identities towards an external system (e.g. LDAP).</li>
+
<li><b>User and Group Synchronization</b>: This is a service implementing the <tt>SyncHandler</tt> interface and is responsible to actually managing the external identities within the Oak user management. A very trivial implementation might just create users and groups for external ones on demand.</li>
</ul>
<p>This modularization allows to reuse the same external login module for different combinations of IDPs and synchronization handlers. Although in practice, systems usually have 1 of each.</p>
@@ -297,31 +292,41 @@ The external identity and login handling
<h5><a name="Authentication_in_Detail"></a>Authentication in Detail</h5>
<p>The details of the external authentication are as follows:</p>
<p><i>Phase 1: Login</i></p>
-<ul>
+<ul>
+
<li>if the user exists in the repository and any of the following conditions is met <b>return <tt>false</tt></b>
+
<ul>
-
+
<li>user is not an externally synced <i>or</i></li>
+
<li>user belongs to a different IDP than configured for the <tt>ExternalLoginModule</tt> <i>or</i></li>
+
<li><a href="preauthentication.html"><tt>PreAuthenticatedLogin</tt></a> is present on the shared state <i>and</i> the external user doesn’t require an updating sync (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3508">OAK-3508</a>)</li>
-</ul>
-</li>
+ </ul></li>
+
<li>if the user exists in the 3rd party system but the credentials don’t match it <b>throws <tt>LoginException</tt></b></li>
+
<li>if the user exists in the 3rd party system and the credentials match
+
<ul>
-
+
<li>put the credentials in the shared and private state</li>
+
<li>possibly sync the user</li>
+
<li>and <b>returns <tt>true</tt></b></li>
-</ul>
-</li>
+ </ul></li>
+
<li>if the user does not exist in the 3rd party system, checks if it needs to remove the user and then it <b>returns <tt>false</tt></b></li>
</ul>
<p><i>Phase 2: Commit</i></p>
-<ul>
+<ul>
+
<li>if there is no credentials in the private state, it <b>returns <tt>false</tt></b></li>
+
<li>if there are credentials in the private state propagate the subject and <b>return <tt>true</tt></b></li>
</ul>
<p>See section <a href="external/externallogin_examples.html">Example Configurations</a> for some common setup scenarios.</p></div></div>
@@ -333,58 +338,106 @@ The external identity and login handling
<h4><a name="User_and_Group_Synchronization"></a>User and Group Synchronization</h4>
<p>The synchronization of users and groups is triggered by the external login module, after a user is successfully authenticated against the IDP or if it’s no longer present on the IDP.</p>
<p>See section <a href="usersync.html">User Synchronization</a> for further details and a description of the default implementation.</p>
-<a name="configuration"></a>
-### Configuration
-</div>
+<p><a name="configuration"></a></p></div></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
<p>The external authentication module comes with the following configuration parameters for the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModuleFactory.html">ExternalLoginModuleFactory</a>/[ExternalLoginModule].</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Parameter </th>
-<th> Type </th>
-<th> Default </th>
-<th> Description </th></tr>
-</thead><tbody>
-
+
+<th>Parameter </th>
+
+<th>Type </th>
+
+<th>Default </th>
+
+<th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+
<tr class="b">
-<td> <tt>PARAM_IDP_NAME</tt> </td>
-<td> String </td>
-<td> - </td>
-<td> Name of the external IDP to be retrieved from the <tt>ExternalIdentityProviderManager</tt> </td></tr>
+
+<td><tt>PARAM_IDP_NAME</tt> </td>
+
+<td>String </td>
+
+<td>- </td>
+
+<td>Name of the external IDP to be retrieved from the <tt>ExternalIdentityProviderManager</tt> </td>
+ </tr>
+
<tr class="a">
-<td> <tt>PARAM_SYNC_HANDLER_NAME</tt> </td>
-<td> String </td>
-<td> - </td>
-<td> Name of the sync handler to be retrieved from the <tt>SyncManager</tt> </td></tr>
+
+<td><tt>PARAM_SYNC_HANDLER_NAME</tt> </td>
+
+<td>String </td>
+
+<td>- </td>
+
+<td>Name of the sync handler to be retrieved from the <tt>SyncManager</tt> </td>
+ </tr>
+
<tr class="b">
-<td> </td>
-<td> </td>
-<td> </td>
-<td> </td></tr>
+
+<td> </td>
+
+<td> </td>
+
+<td> </td>
+
+<td> </td>
+ </tr>
+
<tr class="a">
-<td> <i>Optional (OSGi-setup)</i> </td>
-<td> </td>
-<td> </td>
-<td> </td></tr>
+
+<td><i>Optional (OSGi-setup)</i> </td>
+
+<td> </td>
+
+<td> </td>
+
+<td> </td>
+ </tr>
+
<tr class="b">
-<td> <tt>JAAS_RANKING</tt> </td>
-<td> int </td>
-<td> 50 </td>
-<td> Ranking of the <tt>ExternalLoginModule</tt> in the JAAS configuration, see <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td></tr>
+
+<td><tt>JAAS_RANKING</tt> </td>
+
+<td>int </td>
+
+<td>50 </td>
+
+<td>Ranking of the <tt>ExternalLoginModule</tt> in the JAAS configuration, see <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td>
+ </tr>
+
<tr class="a">
-<td> <tt>JAAS_CONTROL_FLAG</tt> </td>
-<td> String </td>
-<td> SUFFICIENT </td>
-<td> See <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">LoginModuleControlFlag</a> for supported values. </td></tr>
+
+<td><tt>JAAS_CONTROL_FLAG</tt> </td>
+
+<td>String </td>
+
+<td>SUFFICIENT </td>
+
+<td>See <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">LoginModuleControlFlag</a> for supported values. </td>
+ </tr>
+
<tr class="b">
-<td> <tt>JAAS_REALM_NAME</tt> </td>
-<td> String </td>
-<td> - </td>
-<td> See <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td></tr>
-</tbody>
+
+<td><tt>JAAS_REALM_NAME</tt> </td>
+
+<td>String </td>
+
+<td>- </td>
+
+<td>See <a class="externalLink" href="http://svn.apache.org/repos/asf/felix/trunk/jaas/src/main/java/org/apache/felix/jaas/LoginModuleFactory.java">LoginModuleFactory</a> </td>
+ </tr>
+ </tbody>
</table>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
@@ -392,9 +445,8 @@ The external identity and login handling
<h6><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h6>
<p>The following JAAS configuration shows how the <tt>ExternalLoginModule</tt> could be used in a setup that not solely uses third party login (Note: JAAS configuration equivalents of the parameters defined by <tt>org.apache.felix.jaas.LoginModuleFactory</tt> are omitted):</p>
-<div>
-<div>
-<pre class="source">jackrabbit.oak {
+<div class="source">
+<div class="source"><pre class="prettyprint">jackrabbit.oak {
org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
@@ -402,22 +454,25 @@ The external identity and login handling
idp.name="ldap";
};
</pre></div></div>
-<a name="pluggability"></a>
-### Pluggability
-
+<p><a name="pluggability"></a></p></div></div></div></div>
+<div class="section">
+<h3><a name="Pluggability"></a>Pluggability</h3>
<p>The design of the <tt>ExternalLoginModule</tt> allows for customization of the key features associated with third party authentication. In an OSGi-based setup these are covered by references within the <tt>ExternalLoginModuleFactory</tt>:</p>
-<ul>
+<ul>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>: Mandatory, unary reference for the <tt>ExternalIdentityProvider</tt> lookup; see <a href="identitymanagement.html">External Identity Management</a> for details.</li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncManager.html">SyncManager</a>: Mandatory, unary reference for the <tt>SyncHandler</tt> lookup; see <a href="usersync.html">User/Group Synchronization</a> for details.</li>
</ul>
<p>The default implementations (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalIDPManagerImpl.html">ExternalIDPManagerImpl</a> and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/SyncManagerImpl.html">SyncManagerImpl</a>) extend <tt>AbstractServiceTracker</tt> and will automatically keep track of new <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a> services, respectively.</p>
-<p>Since Oak 1.5.1 support for different or multiple types of <tt>Credentials</tt> can easily be plugged by providing an <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> that additionally implements <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>. This is an optional extension point for each IDP; if missing the <tt>ExternalLoginModule</tt> will fall back to a default implementation and assume the IDP only supports <tt>SimpleCredentials</tt>. See details below.</p></div></div></div>
+<p>Since Oak 1.5.1 support for different or multiple types of <tt>Credentials</tt> can easily be plugged by providing an <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> that additionally implements <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>. This is an optional extension point for each IDP; if missing the <tt>ExternalLoginModule</tt> will fall back to a default implementation and assume the IDP only supports <tt>SimpleCredentials</tt>. See details below.</p>
<div class="section">
<h4><a name="Supported_Credentials"></a>Supported Credentials</h4>
<p>The following steps are required in order to change or extend the set credential classes supported by the <tt>ExternalLoginModule</tt>:</p>
-<ul>
+<ul>
+
<li>Extend your <tt>ExternalIdentityProvider</tt> to additionally implement the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a> interface.</li>
</ul>
<p>Don’t forget to make sure that <tt>ExternalIdentityProvider.authenticate(Credentials)</tt> handles the same set of supported credentials!</p>
@@ -426,9 +481,8 @@ The external identity and login handling
<div class="section">
<h6><a name="Example_CredentialsSupport"></a>Example CredentialsSupport</h6>
-<div>
-<div>
-<pre class="source"> @Component()
+<div class="source">
+<div class="source"><pre class="prettyprint"> @Component()
@Service(ExternalIdentityProvider.class, CredentialsSupport.class)
public class MyIdentityProvider implements ExternalIdentityProvider, CredentialsSupport {
@@ -457,9 +511,9 @@ The external identity and login handling
// our credentials never contain additional attributes
return ImmutableMap.of();
}
-
+
//-------------------------------------< ExternalIdentityProvider >---
-
+
@CheckForNull
@Override
public ExternalUser authenticate(@Nonnull Credentials credentials) {
@@ -476,7 +530,7 @@ The external identity and login handling
}
[...]
-
+
//----------------------------------------------< SCR Integration >---
@Activate
private void activate() {
Modified: jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – External Identity Management</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,26 +239,31 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="External_Identity_Management"></a>External Identity Management</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
<p>Jackrabbit Oak provides interfaces and some base classes to ease custom implementation of the external authentication with optional user/group synchronization to the repository.</p></div>
<div class="section">
<h3><a name="Identity_Management_API"></a>Identity Management API</h3>
-<ul>
+<ul>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>: factory for the <tt>ExternalIdentityProvider</tt></li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>: used to authenticate against the third party system. Additionally provides method to obtain information about external user/group accounts such as needed for the <a href="usersync.html">synchronization</a> into the repository.</li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentity.html">ExternalIdentity</a>: base interface for an external user/group
+
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalUser.html">ExternalUser</a></li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalGroup.html">ExternalGroup</a></li>
-</ul>
-</li>
+ </ul></li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>: reference to an external user/group consisting of id and provider name.</li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/PrincipalNameResolver.html">PrincipalNameResolver</a>: optimized lookup of principal name from <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>; see section <a href="external/dynamic.html">Dynamic Membership</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5210">OAK-5210</a> for details)</li>
</ul></div>
<div class="section">
@@ -282,10 +275,13 @@
<div class="section">
<h4><a name="Custom_External_Identity_Management"></a>Custom External Identity Management</h4>
<p>In order to plug a custom implementation of the external identity management the following steps are required:</p>
-<ul>
-<li>Write your own implementation <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> including your implementations of the external identities. <i>Note:</i> If you are running Oak in an OSGi based setup, make sure the provider gets registered as OSGi service in which case it will be automatically tracked by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>.</li>
-<li>Deploy the bundle containing your implementation such that the IDP gets tracked by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>. In an non-OSGi environment you have to register it manually</li>
+<ul>
+
+<li>Write your own implementation <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a> including your implementations of the external identities. <i>Note:</i> If you are running Oak in an OSGi based setup, make sure the provider gets registered as OSGi service in which case it will be automatically tracked by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>.</li>
+
+<li>Deploy the bundle containing your implementation such that the IDP gets tracked by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a>. In an non-OSGi environment you have to register it manually</li>
+
<li>Link your identity provider to the <tt>ExternalLoginModule</tt> by configuring the IDP name accordingly (see section <a href="externalloginmodule.html#configuration">Configuration</a>)</li>
</ul>
<div class="section">
@@ -293,8 +289,9 @@
<p>See <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/exercise/security/authentication/external/CustomExternalIdentityProvider.java">CustomExternalIdentityProvider</a> in the <tt>oak-exercise</tt> module for a very simplistic implementation for an OSGi-based Oak setup.</p></div></div>
<div class="section">
<h4><a name="Custom_ExternalIdentityProviderManager"></a>Custom ExternalIdentityProviderManager</h4>
-<p>Since <tt>oak-auth-external</tt> provides a default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> a custom identity management doesn’t need provide a separate implementation of this interface.</p>
-<p>If you wish to provider your own <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> in an OSGi environment, please make sure it gets properly referenced by the <tt>ExternalLoginModuleFactory</tt>.</p><!-- references --></div></div></div>
+<p>Since <tt>oak-auth-external</tt> provides a default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> a custom identity management doesn’t need provide a separate implementation of this interface. </p>
+<p>If you wish to provider your own <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html">ExternalIdentityProviderManager</a> in an OSGi environment, please make sure it gets properly referenced by the <tt>ExternalLoginModuleFactory</tt>.</p>
+<!-- references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/ldap.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/ldap.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/ldap.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/ldap.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-17
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180817" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – LDAP Integration</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-08-17<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,7 +155,6 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
@@ -179,11 +172,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>