Posted to commits@jackrabbit.apache.org by mr...@apache.org on 2018/08/22 09:33:51 UTC

svn commit: r1838623 [14/22] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/document/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication...

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180221" />
+    <meta name="Date-Revision-yyyymmdd" content="20180822" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; User and Group Synchronization : The Default Implementation</title>
     <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -66,7 +67,12 @@
                   <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+            <li class="dropdown-submenu">
+<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+              </ul>
+            </li>
             <li class="dropdown-submenu">
 <a href="../../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -136,7 +142,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -155,12 +161,14 @@
     <li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
+    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
+    <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -171,7 +179,11 @@
     <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
+    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+      <ul class="nav nav-list">
+    <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
+      </ul>
+  </li>
     <li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -239,7 +251,8 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="User_and_Group_Synchronization_:_The_Default_Implementation"></a>User and Group Synchronization : The Default Implementation</h2>
 <div class="section">
 <h3><a name="Default_Implementation_of_Sync_API"></a>Default Implementation of Sync API</h3>
@@ -253,32 +266,27 @@
 <div class="section">
 <h4><a name="SyncContext"></a>SyncContext</h4>
 <p>Oak provides the following implementations of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> interface:</p>
-
 <ul>
-  
+
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a>: base implementation that synchronizes external user and group accounts into the repository</li>
-  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/DynamicSyncContext.html">DynamicSyncContext</a>: derived implementation that provides special handling for external groups.</li>
 </ul>
 <div class="section">
 <h5><a name="DefaultSyncContext"></a>DefaultSyncContext</h5>
 <p>All users/groups synchronized by this context will get the following properties set. These properties allow to run separate task for periodical update and make sure the authorizables can later on be identified as external users.</p>
-
 <ul>
-  
+
 <li><tt>rep:externalId</tt> : This allows to identify the external users, know the associated IDP and distinguish them from others.</li>
-  
 <li><tt>rep:lastSynced</tt> : Sync timestamp to mark the external user/group valid for the configurable time (to reduce expensive syncing). Once expired, they will be validated against the 3rd party system again.</li>
 </ul>
 <p>NOTE: Since Oak 1.5.8 the system-maintained property <tt>rep:externalId</tt> is protected and can not be altered using regular JCR and Jackrabbit API, irrespective of the permission setup of the editing session. For backwards compatibility this protection can be turned off. See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> for further details.</p>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> is exported as part of the &#x2018;basic&#x2019; package space and may be used to provide custom implementations.</p></div>
 <div class="section">
 <h5><a name="DynamicSyncContext"></a>DynamicSyncContext</h5>
-<p>Extending from the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> this implementation that provides special handling for external groups in case the <a href="#dynamic_membership">Dynamic Group Membership</a> option is enabled in the <a href="#configuration">Configuration</a>.</p>
+<p>Extending from the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> this implementation that provides special handling  for external groups in case the <a href="#dynamic_membership">Dynamic Group Membership</a> option is enabled in the <a href="#configuration">Configuration</a>.</p>
 <p>In addition to the properties mentioned above this implementation will additionally create a multivalued STRING property that caches the group principal names of the external user accounts:</p>
-
 <ul>
-  
+
 <li><tt>rep:externalPrincipalNames</tt> : Optional system-maintained property related to <a href="#dynamic_membership">Dynamic Group Membership</a></li>
 </ul></div></div>
 <div class="section">
@@ -287,244 +295,137 @@
 <div class="section">
 <h4><a name="SyncedIdentity"></a>SyncedIdentity</h4>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncedIdentity.html">DefaultSyncedIdentity</a> is exported as part of the &#x2018;basic&#x2019; package space. It maps the ID of a synchronized user/group account to the external identity references represented by <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>.</p>
-<p><a name="dynamic_membership"></a></p></div></div>
-<div class="section">
-<h3><a name="Dynamic_Group_Membership"></a>Dynamic Group Membership</h3>
+<a name="dynamic_membership"></a>
+### Dynamic Group Membership
+
 <p>As of Oak 1.5.3 the default sync handler comes with an addition configuration option that allows to enable dynamic group membership resolution for external users. Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external groups are synchronized (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4101">OAK-4101</a>).</p>
-<p>The details and effects on other security related modules are described in section <a href="dynamic.html">Dynamic Membership</a>. </p>
-<p><a name="xml_import"></a></p>
-<div class="section">
-<h4><a name="XML_Import"></a>XML Import</h4>
+<p>The details and effects on other security related modules are described in section <a href="dynamic.html">Dynamic Membership</a>.</p>
+<a name="xml_import"></a>
+#### XML Import
+
 <p>The protected nature of the <tt>rep:externalPrincipalNames</tt> is also reflected during XML import of user accounts:</p>
 <p>External users with a <tt>rep:externalPrincipalNames</tt> property will get regularly imported. However, any non-system driven import will omit the <tt>rep:externalPrincipalNames</tt> and additional remove the <tt>rep:lastSynced</tt> property in order to force a re-sync of the external user by the system upon the next login or when triggered through the JMX console. Depending on the <i>User Dynamic Membership</i> configuration value on the target system the sync will then result in a full sync of group membership or will re-create the <tt>rep:externalPrincipalNames</tt> property.</p>
-<p><a name="validation"></a></p></div>
-<div class="section">
-<h4><a name="Validation"></a>Validation</h4>
+<a name="validation"></a>
+#### Validation
+
 <div class="section">
 <h5><a name="rep:externalPrincipalNames"></a>rep:externalPrincipalNames</h5>
-<p>As of Oak 1.5.3 a dedicated <tt>Validator</tt> implementation asserts that the protected, system-maintained property <tt>rep:externalPrincipalNames</tt> is only written by the internal system session. </p>
+<p>As of Oak 1.5.3 a dedicated <tt>Validator</tt> implementation asserts that the protected, system-maintained property <tt>rep:externalPrincipalNames</tt> is only written by the internal system session.</p>
 <p>This prevents users to unintentionally or maliciously manipulating the information linking to the external identity provider in particular their external identity and the set of external group principals associated with their account.</p>
 <p>Additionally the validator asserts the consistency of the properties defined with external user/group accounts.</p>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Code </th>
-      
-<th>Message </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>0070 </td>
-      
-<td>Attempt to create, modify or remove the system property &#x2018;rep:externalPrincipalNames&#x2019; </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0071 </td>
-      
-<td>Attempt to write &#x2018;rep:externalPrincipalNames&#x2019; with a type other than Type.STRINGS </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0072 </td>
-      
-<td>Property &#x2018;rep:externalPrincipalNames&#x2019; requires &#x2018;rep:externalId&#x2019; to be present on the Node. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0073 </td>
-      
-<td>Property &#x2018;rep:externalId&#x2019; cannot be removed if &#x2018;rep:externalPrincipalNames&#x2019; is present. </td>
-    </tr>
-  </tbody>
+<th> Code              </th>
+<th> Message                                                  </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> 0070              </td>
+<td> Attempt to create, modify or remove the system property &#x2018;rep:externalPrincipalNames&#x2019; </td></tr>
+<tr class="a">
+<td> 0071              </td>
+<td> Attempt to write &#x2018;rep:externalPrincipalNames&#x2019; with a type other than Type.STRINGS </td></tr>
+<tr class="b">
+<td> 0072              </td>
+<td> Property &#x2018;rep:externalPrincipalNames&#x2019; requires &#x2018;rep:externalId&#x2019; to be present on the Node. </td></tr>
+<tr class="a">
+<td> 0073              </td>
+<td> Property &#x2018;rep:externalId&#x2019; cannot be removed if &#x2018;rep:externalPrincipalNames&#x2019; is present. </td></tr>
+</tbody>
 </table></div>
 <div class="section">
 <h5><a name="rep:externalId"></a>rep:externalId</h5>
 <p>If protection of the <tt>rep:externalId</tt> property is enabled (since Oak 1.5.8) the validator performs the following checks:</p>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Code </th>
-      
-<th>Message </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>0074 </td>
-      
-<td>Attempt to add, modify or remove the system maintained property &#x2018;rep:externalId&#x2019;. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0075 </td>
-      
-<td>Property &#x2018;rep:externalId&#x2019; may only have a single value of type STRING. </td>
-    </tr>
-  </tbody>
+<th> Code              </th>
+<th> Message                                                  </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> 0074              </td>
+<td> Attempt to add, modify or remove the system maintained property &#x2018;rep:externalId&#x2019;. </td></tr>
+<tr class="a">
+<td> 0075              </td>
+<td> Property &#x2018;rep:externalId&#x2019; may only have a single value of type STRING. </td></tr>
+</tbody>
 </table>
-<p><a name="configuration"></a></p></div></div></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
+<a name="configuration"></a>
+### Configuration
+</div></div>
 <div class="section">
 <h4><a name="Configuration_of_the_DefaultSyncHandler"></a>Configuration of the DefaultSyncHandler</h4>
 <p>The default <tt>SyncHandler</tt> implementations are configured via <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a>:</p>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Name </th>
-      
-<th>Property </th>
-      
-<th>Description </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>Sync Handler Name </td>
-      
-<td><tt>handler.name</tt> </td>
-      
-<td>Name of this sync configuration. This is used to reference this handler by the login modules. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User auto membership </td>
-      
-<td><tt>user.autoMembership</tt> </td>
-      
-<td>List of groups that a synced user is added to automatically </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>User Expiration Time </td>
-      
-<td><tt>user.expirationTime</tt> </td>
-      
-<td>Duration until a synced user gets expired (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User Membership Expiration </td>
-      
-<td><tt>user.membershipExpTime</tt> </td>
-      
-<td>Time after which membership expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>User membership nesting depth </td>
-      
-<td><tt>user.membershipNestingDepth</tt> </td>
-      
-<td>Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User Dynamic Membership </td>
-      
-<td><tt>user.dynamicMembership</tt> </td>
-      
-<td>Enabling dynamic membership for external users. </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>User Path Prefix </td>
-      
-<td><tt>user.pathPrefix</tt> </td>
-      
-<td>The path prefix used when creating new users. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>User property mapping </td>
-      
-<td><tt>user.propertyMapping</tt> </td>
-      
-<td>List mapping definition of local properties from external ones. eg: &#x2018;profile/email=mail&#x2019;.Use double quotes for fixed values. eg: &#x2019;profile/nt:primaryType=&#x201c;nt:unstructured&#x201d; </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>Disable missing users </td>
-      
-<td><tt>user.disableMissing</tt> </td>
-      
-<td>By default, users that no longer exist on the external provider will be locally removed. Set this property to <tt>true</tt> to [disable](<a class="externalLink" href="https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)">https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)</a>) them instead and have them re-enabled if they become available again. </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>Group auto membership </td>
-      
-<td><tt>group.autoMembership</tt> </td>
-      
-<td>List of groups that a synced group is added to automatically </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>Group Expiration Time </td>
-      
-<td><tt>group.expirationTime</tt> </td>
-      
-<td>Duration until a synced group expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>Group Path Prefix </td>
-      
-<td><tt>group.pathPrefix</tt> </td>
-      
-<td>The path prefix used when creating new groups. </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>Group property mapping </td>
-      
-<td><tt>group.propertyMapping</tt> </td>
-      
-<td>List mapping definition of local properties from external ones. </td>
-    </tr>
-    
+<th> Name                          </th>
+<th> Property                      </th>
+<th> Description                              </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> Sync Handler Name             </td>
+<td> <tt>handler.name</tt>                </td>
+<td> Name of this sync configuration. This is used to reference this handler by the login modules. </td></tr>
+<tr class="a">
+<td> User auto membership          </td>
+<td> <tt>user.autoMembership</tt>         </td>
+<td> List of groups that a synced user is added to automatically </td></tr>
+<tr class="b">
+<td> User Expiration Time          </td>
+<td> <tt>user.expirationTime</tt>         </td>
+<td> Duration until a synced user gets expired (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td></tr>
+<tr class="a">
+<td> User Membership Expiration    </td>
+<td> <tt>user.membershipExpTime</tt>      </td>
+<td> Time after which membership expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td></tr>
+<tr class="b">
+<td> User membership nesting depth </td>
+<td> <tt>user.membershipNestingDepth</tt> </td>
+<td> Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td></tr>
+<tr class="a">
+<td> User Dynamic Membership       </td>
+<td> <tt>user.dynamicMembership</tt>      </td>
+<td> Enabling dynamic membership for external users. </td></tr>
+<tr class="b">
+<td> User Path Prefix              </td>
+<td> <tt>user.pathPrefix</tt>             </td>
+<td> The path prefix used when creating new users. </td></tr>
+<tr class="a">
+<td> User property mapping         </td>
+<td> <tt>user.propertyMapping</tt>        </td>
+<td> List mapping definition of local properties from external ones. eg: &#x2018;profile/email=mail&#x2019;.Use double quotes for fixed values. eg: &#x2019;profile/nt:primaryType=&#x201c;nt:unstructured&#x201d; </td></tr>
+<tr class="b">
+<td> Disable missing users         </td>
+<td> <tt>user.disableMissing</tt>         </td>
+<td> By default, users that no longer exist on the external provider will be locally removed. Set this property to <tt>true</tt> to <a class="externalLink" href="https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)">disable</a> them instead and have them re-enabled if they become available again. </td></tr>
+<tr class="a">
+<td> Group auto membership         </td>
+<td> <tt>group.autoMembership</tt>        </td>
+<td> List of groups that a synced group is added to automatically </td></tr>
+<tr class="b">
+<td> Group Expiration Time         </td>
+<td> <tt>group.expirationTime</tt>        </td>
+<td> Duration until a synced group expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td></tr>
+<tr class="a">
+<td> Group Path Prefix             </td>
+<td> <tt>group.pathPrefix</tt>            </td>
+<td> The path prefix used when creating new groups. </td></tr>
+<tr class="b">
+<td> Group property mapping        </td>
+<td> <tt>group.propertyMapping</tt>       </td>
+<td> List mapping definition of local properties from external ones. </td></tr>
 <tr class="a">
-      
-<td> </td>
-      
 <td> </td>
-      
 <td> </td>
-    </tr>
-  </tbody>
+<td> </td></tr>
+</tbody>
 </table></div>
 <div class="section">
 <h4><a name="Configuration_of_the_Apache_Jackrabbit_Oak_External_PrincipalConfiguration"></a>Configuration of the &#x2018;Apache Jackrabbit Oak External PrincipalConfiguration&#x2019;</h4>
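Review bot: Four headings in this hunk are now emitted as literal Markdown instead of HTML: `### Dynamic Group Membership`, `#### XML Import`, `#### Validation` and `### Configuration` follow their `<a name="…">` anchors as raw text, where the old side had `<h3>`/`<h4>` elements, each in its own `<div class="section">`. The `### Configuration` line also sits before the closing `</div></div>` of the `rep:externalId` section, so it renders inside that section rather than opening a new one. This is presumably the Doxia 1.7.4 → 1.8.1 renderer treating the inline anchor line as an HTML block that swallows the heading after it. If so, the fix belongs in the Markdown source rather than this generated file, most likely a blank line between `<a name="configuration"></a>` and `### Configuration`, and likewise for the other three anchors. Because this page documents the protection of `rep:externalId` and `rep:externalPrincipalNames`, the lost headings make the validation codes and the `protectExternalId` option harder to find.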
@@ -532,41 +433,25 @@
 <p>The recommended way to assert a proper init, is to add &#x2018;org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration&#x2019; as additional value to the <tt>requiredServicePids</tt> configuration option of the <tt>SecurityProviderRegistration</tt> <i>(&#x201c;Apache Jackrabbit Oak SecurityProvider&#x201d;)</i>.</p>
 <p>See section <a href="../../introduction.html">Introduction to Oak Security</a> for further details on the <tt>SecurityProviderRegistration</tt>.</p>
 <p>The <tt>ExternalPrincipalConfiguration</tt> defines the following configuration options:</p>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Name </th>
-      
-<th>Property </th>
-      
-<th>Description </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>External Identity Protection </td>
-      
-<td><tt>protectExternalId</tt> </td>
-      
-<td>Enables protection of the system maintained <tt>rep:externalId</tt> properties </td>
-    </tr>
-    
+<th> Name                         </th>
+<th> Property                      </th>
+<th> Description                              </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> External Identity Protection </td>
+<td> <tt>protectExternalId</tt>           </td>
+<td> Enables protection of the system maintained <tt>rep:externalId</tt> properties </td></tr>
 <tr class="a">
-      
 <td> </td>
-      
 <td> </td>
-      
-<td> </td>
-    </tr>
-  </tbody>
-</table>
-<!-- references --></div></div></div>
+<td> </td></tr>
+</tbody>
+</table><!-- references --></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180221" />
+    <meta name="Date-Revision-yyyymmdd" content="20180822" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; User and Group Synchronization : Dynamic Membership</title>
     <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -66,7 +67,12 @@
                   <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+            <li class="dropdown-submenu">
+<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+              </ul>
+            </li>
             <li class="dropdown-submenu">
 <a href="../../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -136,7 +142,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -155,12 +161,14 @@
     <li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
+    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
+    <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -171,7 +179,11 @@
     <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
+    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+      <ul class="nav nav-list">
+    <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
+      </ul>
+  </li>
     <li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -239,18 +251,16 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="User_and_Group_Synchronization_:_Dynamic_Membership"></a>User and Group Synchronization : Dynamic Membership</h2>
-<p>As of Oak 1.5.3 the default sync handler comes with an additional configuration option (see section <a href="defaultusersync.html#configuration">Configuration</a> that allows to enable dynamic group membership resolution for external users. </p>
+<p>As of Oak 1.5.3 the default sync handler comes with an additional configuration option (see section <a href="defaultusersync.html#configuration">Configuration</a> that allows to enable dynamic group membership resolution for external users.</p>
 <p>Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external groups are synchronized (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4101">OAK-4101</a>) and how automatic group membership is being handled (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4087">OAK-4087</a>)</p>
 <p>The key benefits of dynamic membership resolution are:</p>
-
 <ul>
-  
+
 <li>avoiding duplicate user management effort wrt to membership handling both in the external IDP and the repository</li>
-  
 <li>avoid storing/updating auto-membership which is assigned to all external users</li>
-  
 <li>ease principal resolution upon repository login</li>
 </ul>
 <div class="section">
@@ -259,49 +269,38 @@
 <p>With the default <tt>SyncHandler</tt> this configuration option will show the following effects:</p>
 <div class="section">
 <h5><a name="External_Groups"></a>External Groups</h5>
-
 <ul>
-  
+
 <li>If enabled the handler will use an alternative <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> to synchronize external groups (<tt>DynamicSyncContext</tt>).</li>
-  
-<li>Instead of synchronizing groups into the user management, this <tt>DynamicSyncContext</tt>  will additionally set the property <tt>rep:externalPrincipalNames</tt> on the synchronized external user</li>
-  
-<li><tt>rep:externalPrincipalNames</tt> is a system maintained multivalued property of type  &#x2018;STRING&#x2019; storing the names of the <tt>java.security.acl.Group</tt>-principals a given  external user is member of (both declared and inherited according to the configured  membership nesting depth)</li>
-  
-<li>External groups will no longer be synchronised into the repository&#x2019;s user management  but will only be available as <tt>Principal</tt>s (see section <i>User Management</i> below).</li>
+<li>Instead of synchronizing groups into the user management, this <tt>DynamicSyncContext</tt> will additionally set the property <tt>rep:externalPrincipalNames</tt> on the synchronized external user</li>
+<li><tt>rep:externalPrincipalNames</tt> is a system maintained multivalued property of type &#x2018;STRING&#x2019; storing the names of the <tt>java.security.acl.Group</tt>-principals a given external user is member of (both declared and inherited according to the configured membership nesting depth)</li>
+<li>External groups will no longer be synchronised into the repository&#x2019;s user management but will only be available as <tt>Principal</tt>s (see section <i>User Management</i> below).</li>
 </ul>
 <p>Note: as a further improvement the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/PrincipalNameResolver.html">PrincipalNameResolver</a> interface was introduced in Oak 1.6.1 to allow for optimized resolution of a principal names from a given <tt>ExternalIdentityRef</tt>. In order to benefit from that shortcut a given implementation of <tt>ExternalIdentityProvider</tt> needs to also implement <tt>PrincipalNameResolver</tt>. See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5210">OAK-5210</a>.</p></div>
 <div class="section">
 <h5><a name="Automatic_Membership"></a>Automatic Membership</h5>
-
 <ul>
-  
+
 <li>If enabled automatic membership assignment for existing, local groups will not longer be written to the repository</li>
-  
-<li>Instead the <tt>ExternalPrincipalConfiguration</tt> <i>(&#x201c;Apache Jackrabbit Oak External PrincipalConfiguration&#x201d;)</i> will keep  track of the mapping between registered <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a>s (i.e. auto-membership configuration) and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>s.  This allows to determine auto-membership based on the <tt>rep:externalId</tt> stored with the user accounts.</li>
-  
-<li>The <tt>PrincipalProvider</tt> associated with this dedicated principal configuration  will expand the collection of <tt>Principal</tt>s generated for the following calls  with the automatically assigned principals:
-  
+<li>Instead the <tt>ExternalPrincipalConfiguration</tt> <i>(&#x201c;Apache Jackrabbit Oak External PrincipalConfiguration&#x201d;)</i> will keep track of the mapping between registered <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a>s (i.e. auto-membership configuration) and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>s. This allows to determine auto-membership based on the <tt>rep:externalId</tt> stored with the user accounts.</li>
+<li>The <tt>PrincipalProvider</tt> associated with this dedicated principal configuration will expand the collection of <tt>Principal</tt>s generated for the following calls with the automatically assigned principals:
 <ul>
-    
+
 <li><tt>PrincipalProvider.getGroupMembership(Principal)</tt></li>
-    
 <li><tt>PrincipalProvider.getPrincipals(String)</tt></li>
-  </ul></li>
-  
-<li>Configured auto-membership groupIds that cannot be resolved to an existing  <tt>o.a.j.api.security.user.Group</tt> will be ignored in accordance to the default behavior.</li>
-  
-<li>Consequently, the <tt>PrincipalProvider</tt> relies on other <tt>PrincipalProvider</tt>  implementations to <i>own</i> these group principals and will not expose them  upon other calls (e.g. <tt>PrincipalProvider.getPrincipal(String)</tt>.</li>
-  
-<li>Any changes to the auto-membership configuration will be immediately reflected  to new instances of the <tt>PrincipalProvider</tt>.</li>
-  
-<li>Note, that in the initial version (Oak 1.6) only the <tt>user.autoMembership</tt>  configuration is respected (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5194">OAK-5194</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5195">OAK-5195</a>)</li>
+</ul>
+</li>
+<li>Configured auto-membership groupIds that cannot be resolved to an existing <tt>o.a.j.api.security.user.Group</tt> will be ignored in accordance to the default behavior.</li>
+<li>Consequently, the <tt>PrincipalProvider</tt> relies on other <tt>PrincipalProvider</tt> implementations to <i>own</i> these group principals and will not expose them upon other calls (e.g.  <tt>PrincipalProvider.getPrincipal(String)</tt>.</li>
+<li>Any changes to the auto-membership configuration will be immediately reflected to new instances of the <tt>PrincipalProvider</tt>.</li>
+<li>Note, that in the initial version (Oak 1.6) only the <tt>user.autoMembership</tt> configuration is respected (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5194">OAK-5194</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5195">OAK-5195</a>)</li>
 </ul></div></div>
 <div class="section">
 <h4><a name="Effect_of_Dynamic_Membership_on_other_Security_Modules"></a>Effect of Dynamic Membership on other Security Modules</h4>
 <div class="section">
 <h5><a name="Principal_Management"></a>Principal Management</h5>
-<p>The dynamic (principal) membership features comes with a dedicated <tt>PrincipalConfiguration</tt> implementation (i.e. [ExternalPrincipalConfiguration]) that is in charge of securing<br />the <tt>rep:externalPrincipalNames</tt> properties (see also section <a href="defaultusersync.html#validation">Validation</a> and <a href="defaultusersync.html#configuration">Configuration</a>). </p>
+<p>The dynamic (principal) membership features comes with a dedicated <tt>PrincipalConfiguration</tt> implementation (i.e. [ExternalPrincipalConfiguration]) that is in charge of securing<br />
+the <tt>rep:externalPrincipalNames</tt> properties (see also section <a href="defaultusersync.html#validation">Validation</a> and <a href="defaultusersync.html#configuration">Configuration</a>).</p>
 <p>Additionally the [ExternalPrincipalConfiguration] provides a <tt>PrincipalProvider</tt> implementation which makes external (group) principals available to the repository&#x2019;s authentication and authorization using the <tt>rep:externalPrincipalNames</tt> as a persistent cache to avoid expensive lookup on the IDP. This also makes external <tt>Principal</tt>s retrievable and searchable through the Jackrabbit principal management API (see section <a href="../../principal.html">Principal Management</a> for a comprehensive description).</p>
 <p>Please note the following implementation detail wrt accessibility of group principals: A given external principal will be accessible though the principal management API if it can be read from any of the <tt>rep:externalPrincipalNames</tt> properties present using a dedicated query.</p></div>
 <div class="section">
@@ -314,8 +313,7 @@
 <p>The authentication setup provided by Oak is not affected by the dynamic membership handling as long as the configured <tt>LoginModule</tt> implementations rely on the <tt>PrincipalProvider</tt> for principal resolution and the <tt>ExternalPrincipalConfiguration</tt> <i>(&#x201c;Apache Jackrabbit Oak External PrincipalConfiguration&#x201d;)</i> is properly registered with the <tt>SecurityProvider</tt> (see section <a href="defaultusersync.html#configuration">Configuration</a>).</p></div>
 <div class="section">
 <h5><a name="Authorization"></a>Authorization</h5>
-<p>The authorization modules shipped with Oak only depend on <tt>Principal</tt>s (and not on user management functionality) and are therefore not affected by the dynamic membership configuration.</p>
-<!-- references --></div></div></div></div>
+<p>The authorization modules shipped with Oak only depend on <tt>Principal</tt>s (and not on user management functionality) and are therefore not affected by the dynamic membership configuration.</p><!-- references --></div></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180221" />
+    <meta name="Date-Revision-yyyymmdd" content="20180822" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Authentication with External Login Module : Examples</title>
     <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -66,7 +67,12 @@
                   <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+            <li class="dropdown-submenu">
+<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+              </ul>
+            </li>
             <li class="dropdown-submenu">
 <a href="../../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -136,7 +142,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -155,12 +161,14 @@
     <li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
+    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
+    <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -171,7 +179,11 @@
     <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
+    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+      <ul class="nav nav-list">
+    <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
+      </ul>
+  </li>
     <li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -239,144 +251,125 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="Authentication_with_External_Login_Module_:_Examples"></a>Authentication with External Login Module : Examples</h2>
-
 <ul>
-  
+
 <li><a href="#standard">Integration with Standard Oak Authentication</a></li>
-  
 <li><a href="#preauth">Integration with Pre-Authentication and Login Module Chain</a></li>
 </ul>
-<p><a name="standard"></a></p>
+<a name="standard"></a>
+### Integration with Standard Oak Authentication
+
 <div class="section">
-<h3><a name="Integration_with_Standard_Oak_Authentication"></a>Integration with Standard Oak Authentication</h3>
 <div class="section">
 <h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">  Example {
+<div>
+<div>
+<pre class="source">  Example {
      org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
      org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
      org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule required
                      sync.handlerName=&quot;your-synchandler_name&quot;
                      idp.name=&quot;your_idp_name&quot;;
    };
-</pre></div></div></div>
+</pre></div></div>
+</div>
 <div class="section">
 <h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4>
 <div class="section">
 <h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
-
 <ul>
-  
+
 <li>
-<p>The <tt>TokenLoginModule</tt> is in charge of handling repository authentication  request with <tt>TokenCredentials</tt>:</p>
-  
+
+<p>The <tt>TokenLoginModule</tt> is in charge of handling repository authentication request with <tt>TokenCredentials</tt>:</p>
 <ul>
-    
+
 <li><i>Login Success</i>: If token-login succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list. This means that it will not hit the <tt>ExternalIdentityProvider</tt> and will not re-sync an external user as long as the login token is valid.</li>
-    
 <li><i>Login Failure</i>: If it fails (e.g. other type of <tt>Credentials</tt>) the authentication will proceed down the <tt>LoginModule</tt> list.</li>
-    
 <li><i>Commit</i>: If the login failed the login module will test if the <tt>Credentials</tt> passed to the login ask for generation of a new login token. If this login succeeded it will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-  </ul>
+</ul>
 <p>NOTE: In this setup the <tt>TokenLoginModule</tt> is expected to only handle subsequent authentication request after having issued a login token. The latter is achieved by providing <tt>Credentials</tt> attributes that force the <tt>TokenLoginModule</tt> to generate a new login token in the <i>commit</i> phase. The application should then use that login toke for subsequent requests.</p>
-<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for details and for a description of the default implementation.</p></li>
-  
+<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for details and for a description of the default implementation.</p>
+</li>
 <li>
-<p>The <tt>LoginModuleImpl</tt> is in charge of handling authentication request for  users managed and created through the repository&#x2019;s user management API;  i.e. users that are not defined by an <tt>ExternalIdentityProvider</tt>. This  includes built-in system users like the administrator, the guest-user  (aka anonymous) or <tt>SystemUsers</tt>. It also handles impersonation logins.</p>
-  
+
+<p>The <tt>LoginModuleImpl</tt> is in charge of handling authentication request for users managed and created through the repository&#x2019;s user management API; i.e. users that are not defined by an <tt>ExternalIdentityProvider</tt>. This includes built-in system users like the administrator, the guest-user (aka anonymous) or <tt>SystemUsers</tt>. It also handles impersonation logins.</p>
 <ul>
-    
-<li><i>Login Success</i>: If regular user authentication (or impersonation) succeeds  the <i>sufficient</i> flag makes sure authentication does not proceed  down the <tt>LoginModule</tt> list i.e. omits unnecessarily trying to  authenticate a local user against the external IDP.</li>
-    
-<li><i>Login Failure</i>: If the authentication fails (e.g. no local user that  could have uid/pw matching the passed <tt>Credentials</tt>), it will  continue down the <tt>LoginModule</tt> list.</li>
-    
-<li><i>Commit</i>: If the login succeeded the login module will populate the  <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-  </ul>
-<p>NOTE: if no login token is generated upon first login, any subsequent  login for <i>local</i> users will end up being handled by this module or fail.</p></li>
-  
+
+<li><i>Login Success</i>: If regular user authentication (or impersonation) succeeds the <i>sufficient</i> flag makes sure authentication does not proceed down the <tt>LoginModule</tt> list i.e. omits unnecessarily trying to authenticate a local user against the external IDP.</li>
+<li><i>Login Failure</i>: If the authentication fails (e.g. no local user that could have uid/pw matching the passed <tt>Credentials</tt>), it will continue down the <tt>LoginModule</tt> list.</li>
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+</ul>
+<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>local</i> users will end up being handled by this module or fail.</p>
+</li>
 <li>
-<p>The <tt>ExternalLoginModule</tt> is in charge of handling authentication request for  users managed by an <tt>ExternalIdentityProvider</tt>.</p>
-  
+
+<p>The <tt>ExternalLoginModule</tt> is in charge of handling authentication request for users managed by an <tt>ExternalIdentityProvider</tt>.</p>
 <ul>
-    
-<li><i>Login Success</i>: If user authentication against the IDP succeeds  the module synchronizes the external user into the repository according  to the logic defined in the configure <tt>SyncHandler</tt>. If the user  has been synced before it might be updated. If and how often a user  gets re-synced is an implementation detail of the <tt>SyncHandler</tt>.</li>
-    
-<li><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid  <tt>Credentials</tt>), the whole login will fail because the <tt>ExternalLoginModule</tt>  is configured to be <i>required</i> and the last module in the chain.</li>
-    
-<li><i>Commit</i>: If the login succeeded the login module will populate the  <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-  </ul>
-<p>NOTE: if no login token is generated upon first login, any subsequent  login for <i>external</i> users will end up being handled by this module  (including connection to the IDP) or fail.</p></li>
+
+<li><i>Login Success</i>: If user authentication against the IDP succeeds the module synchronizes the external user into the repository according to the logic defined in the configure <tt>SyncHandler</tt>. If the user has been synced before it might be updated. If and how often a user gets re-synced is an implementation detail of the <tt>SyncHandler</tt>.</li>
+<li><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid <tt>Credentials</tt>), the whole login will fail because the <tt>ExternalLoginModule</tt> is configured to be <i>required</i> and the last module in the chain.</li>
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+</ul>
+<p>NOTE: if no login token is generated upon first login, any subsequent login for <i>external</i> users will end up being handled by this module (including connection to the IDP) or fail.</p>
+</li>
 </ul></div>
 <div class="section">
 <h5><a name="Login_with_Different_Credentials"></a>Login with Different Credentials</h5>
 <div class="section">
 <h6><a name="GuestCredentials"></a>GuestCredentials</h6>
-
 <ul>
-  
+
 <li><tt>TokenLoginModule</tt> will ignore</li>
-  
-<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends  on the existence of a valid guest user in the repository. If it succeeds  authentication doesn&#x2019;t move down to <tt>ExternalLoginModule</tt>.</li>
-  
-<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>GuestCredentials</tt>  but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository. If it succeeds authentication doesn&#x2019;t move down to <tt>ExternalLoginModule</tt>.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
 </ul></div>
 <div class="section">
 <h6><a name="SimpleCredentials"></a>SimpleCredentials</h6>
-
 <ul>
-  
+
 <li><tt>TokenLoginModule</tt> will ignore</li>
-  
-<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it  will succeed if the credentials are successfully validated against a  local repository user. It is not expected to succeed for synced  external users,which should not have their password synced. If it succeeds  authentication doesn&#x2019;t move down to <tt>ExternalLoginModule</tt>.</li>
-  
-<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will  succeed if authenticating an external against the external IDP including  sync is successful. If none of the other modules succeeded the  <tt>ExternalLoginModule</tt> is required to succeed.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user. It is not expected to succeed for synced external users,which should not have their password synced. If it succeeds authentication doesn&#x2019;t move down to <tt>ExternalLoginModule</tt>.</li>
+<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authenticating an external against the external IDP including sync is successful. If none of the other modules succeeded the <tt>ExternalLoginModule</tt> is required to succeed.</li>
 </ul></div>
 <div class="section">
 <h6><a name="TokenCredentials"></a>TokenCredentials</h6>
-
 <ul>
-  
-<li><tt>TokenLoginModule</tt> supports <tt>TokenCredentials</tt> and will succeed if the  credentials are valid. If it succeeds authentication doesn&#x2019;t move down  the module list. If it fails overall authentication is expected to fail  as the subsequent modules are not expected to support <tt>TokenCredentials</tt>.</li>
-  
-<li><tt>LoginModuleImpl</tt> does not support <tt>TokenCredentials</tt> and will fail.</li>
-  
-<li><tt>ExternalLoginModule</tt> is not expected to support <tt>TokenCredentials</tt> and  thus overall authentication is expected to fail if <tt>TokenLoginModule</tt>  failed.</li>
+
+<li><tt>TokenLoginModule</tt> supports <tt>TokenCredentials</tt> and will succeed if the credentials are valid. If it succeeds authentication doesn&#x2019;t move down the module list. If it fails overall authentication is expected to fail as the subsequent modules are not expected to support <tt>TokenCredentials</tt>.</li>
+<li><tt>LoginModuleImpl</tt> does not support  <tt>TokenCredentials</tt> and will fail.</li>
+<li><tt>ExternalLoginModule</tt> is not expected to support <tt>TokenCredentials</tt> and thus overall authentication is expected to fail if <tt>TokenLoginModule</tt> failed.</li>
 </ul></div>
 <div class="section">
 <h6><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h6>
-
 <ul>
-  
+
 <li><tt>TokenLoginModule</tt> will ignore</li>
-  
-<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it  will succeed if impersonation for the target user is allowed. If it succeeds  authentication doesn&#x2019;t move down to <tt>ExternalLoginModule</tt>.</li>
-  
-<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>ImpersonationCredentials</tt>  but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed. If it succeeds authentication doesn&#x2019;t move down to <tt>ExternalLoginModule</tt>.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
 </ul></div>
 <div class="section">
 <h6><a name="Other_Credentials"></a>Other Credentials</h6>
-
 <ul>
-  
+
 <li>Overall login success only if the <tt>ExternalLoginModule</tt> supports these credentials</li>
-  
 <li><tt>TokenLoginModule</tt> will ignore</li>
-  
 <li><tt>LoginModuleImpl</tt> will ignore</li>
-  
-<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable  <tt>CredentialsSupport</tt> that ensures that authentication against the external  IDP is successful.</li>
+<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
 </ul>
-<p><a name="preauth"></a></p></div></div></div></div>
-<div class="section">
-<h3><a name="Integration_with_Pre-Authentication_and_Login_Module_Chain"></a>Integration with Pre-Authentication and Login Module Chain</h3>
+<a name="preauth"></a>
+### Integration with Pre-Authentication and Login Module Chain
+</div></div></div>
 <div class="section">
 <h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">  Example {
+<div>
+<div>
+<pre class="source">  Example {
      your.org.PreAuthenticationLoginModule optional;
      org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl optional;
      org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule sufficient
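Review bot: The regenerated page now emits the two section titles as literal Markdown text, `### Integration with Standard Oak Authentication` and `### Integration with Pre-Authentication and Login Module Chain`, where the old output had real `<h3>` elements. The `Integration_with_Standard_Oak_Authentication` and `Integration_with_Pre-Authentication_and_Login_Module_Chain` name anchors are dropped with them, so existing deep links to those headings will no longer resolve. Because both parts reuse the `Example JAAS Configuration` and `Understanding the Configuration` sub-headings, a reader can no longer tell at a glance whether a flag explanation belongs to the `sufficient`/`sufficient`/`required` chain or to the `optional`/`optional`/`sufficient` pre-auth chain, which matters on a page people copy login-module ordering from. The cause is presumably in the Markdown source (an `<a name="…">` line directly above the heading, now treated as an HTML block by the newer renderer), which is not visible in this diff. Separating the anchor from the heading with a blank line there should bring back output like `<h3><a name="Integration_with_Standard_Oak_Authentication"></a>Integration with Standard Oak Authentication</h3>`.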
@@ -384,131 +377,105 @@
                      idp.name=&quot;your_idp_name&quot;;
    };
 </pre></div></div>
+
 <p>See <a href="../preauthentication.html#withloginchain">Pre-Authenticated Login</a> for an example <tt>LoginModule</tt> that illustrates how the pre-authentication is being pushed to the shared stated.</p>
 <p><i>Note:</i> This configuration has been slightly adjusted from the example in <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-3508">OAK-3508</a> marking the pre-auth login to be <i>optional</i>. This highlights the fact that subsequent <tt>LoginModule</tt>s are in charge of respecting the <tt>PreAuthenticatedLogin</tt> marker and properly populating the <tt>Subject</tt> in the second <i>commit</i> phase.</p>
-<p>Also, in the example implementation the login never succeeds (in which case <i>sufficient</i> would actually work as well). However, if it ever succeeded the <tt>PreAuthenticatedLogin</tt> marker would be meaningless and the pre-auth module in fact would have to populate the <tt>Subject</tt> i.e. relying on details defined and handled by other <tt>LoginModule</tt>s. </p></div>
+<p>Also, in the example implementation the login never succeeds (in which case <i>sufficient</i> would actually work as well). However, if it ever succeeded the <tt>PreAuthenticatedLogin</tt> marker would be meaningless and the pre-auth module in fact would have to populate the  <tt>Subject</tt> i.e. relying on details defined and handled by other <tt>LoginModule</tt>s.</p></div>
 <div class="section">
 <h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4>
 <div class="section">
 <h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
-
 <ul>
-  
+
 <li>
-<p>The custom pre-auth module is in charge of handling custom pre-auth <tt>Credentials</tt>  shared between the code performing the authentication outside of the  scope of the repository and this module.  It&#x2019;s only task is to create the <tt>PreAuthenticatedLogin</tt> marker and push  it to the shared stated to inform subsequent modules, which will always  be consulted due to the <i>optional</i> flag.</p>
-  
+
+<p>The custom pre-auth module is in charge of handling custom pre-auth <tt>Credentials</tt> shared between the code performing the authentication outside of the scope of the repository and this module. It&#x2019;s only task is to create the <tt>PreAuthenticatedLogin</tt> marker and push it to the shared stated to inform subsequent modules, which will always be consulted due to the <i>optional</i> flag.</p>
 <ul>
-    
-<li><i>Login Success</i>: not desired as we want subsequent modules to verify if  there is a matching identity for the <tt>PreAuthenticatedLogin</tt> and later on  populate the subject.</li>
-    
-<li><i>Login Failure</i>: the default passing over the responsibility the  other modules in the chain.</li>
-    
+
+<li><i>Login Success</i>: not desired as we want subsequent modules to verify if there is a matching identity for the <tt>PreAuthenticatedLogin</tt> and later on populate the subject.</li>
+<li><i>Login Failure</i>: the default passing over the responsibility the other modules in the chain.</li>
 <li><i>Commit</i>: Nothing to do.</li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
-<p>The <tt>LoginModuleImpl</tt> will try to resolve the repository user associated  with the <tt>PreAuthenticatedLogin</tt> or perform regular login with the login  <tt>Credentials</tt> if no <tt>PreAuthenticatedLogin</tt> is present. </p>
-  
+
+<p>The <tt>LoginModuleImpl</tt> will try to resolve the repository user associated with the  <tt>PreAuthenticatedLogin</tt> or perform regular login with the login <tt>Credentials</tt> if no <tt>PreAuthenticatedLogin</tt> is present.</p>
 <ul>
-    
-<li><i>Login Success</i>: If there exists a valid user for the given <tt>PreAuthenticatedLogin</tt>  or <tt>Credentials</tt> login will always succeed in case of a pre-auth login.  Otherwise credentials are regularly evaluated (e.g. password validation).  The authentication will continue down the chain due to the <i>optional</i> flag.</li>
-    
-<li><i>Login Failure</i>: If no matching user exists or if the user is not valid  (e.g. disabled). In case of regular authentication it will fail if the  <tt>Credentials</tt> cannot be validated. Then authentication it will again  continue down the <tt>LoginModule</tt> list.</li>
-    
+
+<li><i>Login Success</i>: If there exists a valid user for the given <tt>PreAuthenticatedLogin</tt> or <tt>Credentials</tt> login will always succeed in case of a pre-auth login. Otherwise credentials are regularly evaluated (e.g. password validation). The authentication will continue down the chain due to the <i>optional</i> flag.</li>
+<li><i>Login Failure</i>: If no matching user exists or if the user is not valid (e.g. disabled). In case of regular authentication it will fail if the <tt>Credentials</tt> cannot be validated. Then authentication it will again continue down the <tt>LoginModule</tt> list.</li>
 <li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
-<p>The <tt>ExternalLoginModule</tt> will try to resolve the <tt>PreAuthenticatedLogin</tt> or  alternatively the <tt>Credentials</tt> to a <tt>SyncedIdentity</tt>.</p>
-  
+
+<p>The <tt>ExternalLoginModule</tt> will try to resolve the <tt>PreAuthenticatedLogin</tt> or alternatively the <tt>Credentials</tt> to a <tt>SyncedIdentity</tt>.</p>
 <ul>
-    
-<li>If no <tt>SyncedIdentity</tt> exists the user is retrieved from external IDP  and eventually synced into the repository. In case no <tt>PreAuthenticatedLogin</tt>  is present retrieving identity additionally includes credentials validation.</li>
-    
-<li>If there exists a <tt>SyncedIdentity</tt> the module will validate it.  In case of <tt>PreAuthenticatedLogin</tt> it checks if the identity needs to  be synced again.</li>
-    
-<li><i>Login Success</i>: If there exists a valid external identity on the  IDP and it has be synced with the repository.</li>
-    
-<li><i>Login Failure</i>: If no matching/valid identity exists on the IDP or  if there exists a <tt>SyncedIdentity</tt> that doesn&#x2019;t belong to the IDP or  we have a <tt>PreAuthenticatedLogin</tt> marker and the <tt>SyncedIdentity</tt> doesn&#x2019;t  need a re-sync.</li>
-    
-<li><i>Commit</i>: If the login succeeded the login module will populate the  <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
-  </ul></li>
+
+<li>If no <tt>SyncedIdentity</tt> exists the user is retrieved from external IDP and eventually synced into the repository. In case no <tt>PreAuthenticatedLogin</tt> is present retrieving identity additionally includes credentials validation.</li>
+<li>If there exists a <tt>SyncedIdentity</tt> the module will validate it. In case of <tt>PreAuthenticatedLogin</tt> it checks if the identity needs to be synced again.</li>
+<li><i>Login Success</i>: If there exists a valid external identity on the IDP and it has be synced with the repository.</li>
+<li><i>Login Failure</i>: If no matching/valid identity exists on the IDP or if there exists a <tt>SyncedIdentity</tt> that doesn&#x2019;t belong to the IDP or we have a <tt>PreAuthenticatedLogin</tt> marker and the <tt>SyncedIdentity</tt> doesn&#x2019;t need a re-sync.</li>
+<li><i>Commit</i>: If the login succeeded the login module will populate the <tt>Subject</tt> with <tt>Principal</tt>s, <tt>Credentials</tt> and <tt>AuthInfo</tt>.</li>
+</ul>
+</li>
 </ul></div>
 <div class="section">
 <h5><a name="Login_with_Different_Credentials"></a>Login with Different Credentials</h5>
 <div class="section">
 <h6><a name="Custom_Pre-Auth_Credentials"></a>Custom Pre-Auth Credentials</h6>
-
 <ul>
-  
+
 <li>Custom pre-auth module will push <tt>PreAuthenticatedLogin</tt> on the shared state</li>
-  
-<li>Overall login suceeds if any of the subsequent modules is able to deal  with the <tt>PreAuthenticatedLogin</tt>.</li>
+<li>Overall login suceeds if any of the subsequent modules is able to deal with the <tt>PreAuthenticatedLogin</tt>.</li>
 </ul></div>
 <div class="section">
 <h6><a name="GuestCredentials"></a>GuestCredentials</h6>
-
 <ul>
-  
+
 <li>Custom pre-auth module will ignore</li>
-  
 <li>Overall login success if the subsequent modules allow for login with <tt>GuestCredentials</tt></li>
-  
-<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends  on the existence of a valid guest user in the repository.</li>
-  
-<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>GuestCredentials</tt>  but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>GuestCredentials</tt>; success depends on the existence of a valid guest user in the repository.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>GuestCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
 </ul></div>
 <div class="section">
 <h6><a name="SimpleCredentials"></a>SimpleCredentials</h6>
-
 <ul>
-  
+
 <li>Custom pre-auth module will ignore</li>
-  
 <li>Overall login success if the subsequent modules allow for login with <tt>SimpleCredentials</tt></li>
-  
-<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it  will succeed if the credentials are successfully validated against a  local repository user.</li>
-  
-<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will  succeed if authentication against the external IDP including sync is successful.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>SimpleCredentials</tt> and it will succeed if the credentials are successfully validated against a local repository user.</li>
+<li><tt>ExternalLoginModule</tt> by default support <tt>SimpleCredentials</tt> and will succeed if authentication against the external IDP including sync is successful.</li>
 </ul></div>
 <div class="section">
 <h6><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h6>
-
 <ul>
-  
+
 <li>Custom pre-auth module will ignore</li>
-  
 <li>Overall login success if the subsequent modules allow for login with <tt>ImpersonationCredentials</tt></li>
-  
-<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it  will succeed if impersonation for the target user is allowed.</li>
-  
-<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>ImpersonationCredentials</tt>  but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
+<li><tt>LoginModuleImpl</tt> by default supports <tt>ImpersonationCredentials</tt> and it will succeed if impersonation for the target user is allowed.</li>
+<li><tt>ExternalLoginModule</tt> by default doesn&#x2019;t support <tt>ImpersonationCredentials</tt> but may do if a suitable <tt>CredentialsSupport</tt> is configured.</li>
 </ul></div>
 <div class="section">
 <h6><a name="Other_Credentials"></a>Other Credentials</h6>
-
 <ul>
-  
+
 <li>Overall login success only if the <tt>ExternalLoginModule</tt> supports these credentials</li>
-  
 <li>Custom pre-auth module will ignore</li>
-  
 <li><tt>LoginModuleImpl</tt> will ignore</li>
-  
-<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable  <tt>CredentialsSupport</tt> that ensures that authentication against the external  IDP is successful.</li>
+<li><tt>ExternalLoginModule</tt> will only succeed if configured with a suitable <tt>CredentialsSupport</tt> that ensures that authentication against the external IDP is successful.</li>
 </ul></div></div>
 <div class="section">
 <h5><a name="FAQ"></a>FAQ</h5>
 <div class="section">
 <h6><a name="Why_are_the_custom_PreAuthCredentials_not_public"></a>Why are the custom &#x2018;PreAuthCredentials&#x2019; not public?</h6>
-<p>The custom <tt>Credentials</tt> shared between the code performing the authentication (outside of the repository) and the custom <i>PreAuthenticationLoginModule</i> implementation must neither be public nor shared with other implementations in order to prevent un-authenticated login.</p></div>
+<p>The custom <tt>Credentials</tt> shared between the code performing the authentication (outside of the repository) and the custom  <i>PreAuthenticationLoginModule</i> implementation must neither be public nor shared with other implementations in order to prevent un-authenticated login.</p></div>
 <div class="section">
 <h6><a name="Why_is_the_LoginModuleImpl_not_flagged_SUFFICIENT"></a>Why is the &#x2018;LoginModuleImpl&#x2019; not flagged SUFFICIENT?</h6>
 <p>If <tt>LoginModuleImpl</tt> was defined to be <i>sufficient</i> external identities would never be synced again if the <tt>PreAuthenticatedLogin</tt> marker is present in the shared state.</p></div>
 <div class="section">
 <h6><a name="Why_is_the_ExternalLoginModule_not_flagged_REQUIRED"></a>Why is the &#x2018;ExternalLoginModule&#x2019; not flagged REQUIRED?</h6>
-<p>If <tt>ExternalLoginModule</tt> was required to succeed, login for <i>local</i> users was no longer possible. It also would mean that pre-authenticated login for a <tt>SyncedIdentity</tt> that doesn&#x2019;t needs a re-sync would not longer be possible and would ultimately fail the repository authentication.</p>
-<!-- references --></div></div></div></div></div>
+<p>If <tt>ExternalLoginModule</tt> was required to succeed, login for <i>local</i> users was no longer possible. It also would mean that pre-authenticated login for a <tt>SyncedIdentity</tt> that doesn&#x2019;t needs a re-sync would not longer be possible and would ultimately fail the repository authentication.</p><!-- references --></div></div></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/faq.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/faq.html?rev=1838623&r1=1838622&r2=1838623&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/faq.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/faq.html Wed Aug 22 09:33:49 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-22 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180221" />
+    <meta name="Date-Revision-yyyymmdd" content="20180822" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; External Authentication : FAQ</title>
     <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -66,7 +67,12 @@
                   <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+            <li class="dropdown-submenu">
+<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+              </ul>
+            </li>
             <li class="dropdown-submenu">
 <a href="../../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -136,7 +142,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-08-22<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -155,12 +161,14 @@
     <li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
+    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
+    <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -171,7 +179,11 @@
     <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
+    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+      <ul class="nav nav-list">
+    <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
+      </ul>
+  </li>
     <li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -239,41 +251,27 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="External_Authentication_:_FAQ"></a>External Authentication : FAQ</h2>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Question </th>
-      
-<th>Answer </th>
-      
-<th>References </th>
-    </tr>
-  </thead>
-  <tbody>
-    
+<th> Question          </th>
+<th> Answer                        </th>
+<th> References        </th></tr>
+</thead><tbody>
+
 <tr class="b">
-      
-<td>Why am I no longer able to change the <tt>rep:externalId</tt>? </td>
-      
-<td>Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property <tt>rep:externalId</tt> which is used to link a given synced user/group account to the corresponding entry on the external IDP. </td>
-      
-<td>See <a href="defaultusersync.html">documentation</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> </td>
-    </tr>
-    
+<td> Why am I no longer able to change the <tt>rep:externalId</tt>?               </td>
+<td> Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property <tt>rep:externalId</tt> which is used to link a given synced user/group account to the corresponding entry on the external IDP. </td>
+<td> See <a href="defaultusersync.html">documentation</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> </td></tr>
 <tr class="a">
-      
-<td>Why does a User or Group created with a content package not get synced with the IDP? </td>
-      
-<td>Only users/groups with a <tt>rep:externalId</tt> linking them to the external IDP will be respected during the default sync mechanism. </td>
-      
-<td>See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5304">OAK-5304</a> </td>
-    </tr>
-  </tbody>
+<td> Why does a User or Group created with a content package not get synced with the IDP? </td>
+<td> Only users/groups with a <tt>rep:externalId</tt> linking them to the external IDP will be respected during the default sync mechanism. </td>
+<td> See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4397">OAK-4397</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5304">OAK-5304</a> </td></tr>
+</tbody>
 </table></div>
         </div>
       </div>