Posted to commits@jackrabbit.apache.org by th...@apache.org on 2014/09/24 14:24:02 UTC

svn commit: r1627294 [2/7] - in /jackrabbit/site/live/oak/docs: ./ META-INF/ architecture/ coldstandby/ nodestore/ oak_api/ plugins/ security/ security/accesscontrol/ security/authentication/ security/permission/ security/principal/ security/privilege/...

Added: jackrabbit/site/live/oak/docs/differences_accesscontrol.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_accesscontrol.html?rev=1627294&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_accesscontrol.html (added)
+++ jackrabbit/site/live/oak/docs/differences_accesscontrol.html Wed Sep 24 12:23:59 2014
@@ -0,0 +1,554 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - AccessControl Management : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>AccessControl Management : Differences wrt Jackrabbit 2.x<a name="AccessControl_Management_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>1. Characteristics of the Default Implementation<a name="a1._Characteristics_of_the_Default_Implementation"></a></h4>
+<div class="section">
+<h5>General<a name="General"></a></h5>
+<p>In general the authorization related code in OAK clearly separates between access control management (such as defined by the JCR and Jackrabbit API) and the internal permission evaluation (see also <a href="differences_permissions.html">Permission Evaluation</a>).</p>
+<p>The default implementation of the access control management corresponds to the resource-based implementation present with Jackrabbit 2.x. The former principal-base access control management is no longer available but it&#x2019;s functionality has been incorporated both in the default ac management implementation and the permission evaluation.</p></div>
+<div class="section">
+<h5>JCR API<a name="JCR_API"></a></h5>
+<div class="section">
+<h6>AccessControlManager#hasPrivilege and #getPrivileges<a name="AccessControlManagerhasPrivilege_and_getPrivileges"></a></h6>
+<p>As of OAK those methods throw <tt>PathNotFoundException</tt> if the corresponding node is not accessible by the editing session. This is in accordance with the behavior mandated by JSR 283 and a bug in Jackrabbit 2.x.</p></div>
+<div class="section">
+<h6>AccessControlManager#getEffectivePolicies<a name="AccessControlManagergetEffectivePolicies"></a></h6>
+<p>In contrast to Jackrabbit 2.x the editing session is used to retrieve the effective policies and the policies returned by these methods are guarantueed to only return information that is otherwise accessible by the session. The corresponding methods in Jackrabbit 2.x use to throw an exception in this situation.</p></div>
+<div class="section">
+<h6>AccessControlPolicy<a name="AccessControlPolicy"></a></h6>
+<p>OAK introduces a new type of policy that enforces regular read-access for everyone on the trees that hold this new <tt>ReadPolicy</tt> [0]. The main usage of this new policy is to ensure backwards compatible behavior of repository level information (node types, namespace, privileges) that are now kept within the content repository. In Jackrabbit 2.x this information was stored in the file system without the ability to apply or enforce regular access control such as present with items in the repository.</p>
+<p>Currently these special read policies are defined as part of the overall security configuration and cannot be managed/edited using regular access control management API (see (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-951">OAK-951</a>)).</p></div>
+<div class="section">
+<h6>AccessControlEntry<a name="AccessControlEntry"></a></h6>
+<p>Validation: as of OAK the implementation of the <tt>AccessControlEntry</tt> interface is no longer in charge of validating the specified privileges. While some validation is still performed in the corresponding <tt>AccessControlList</tt> methods, the complete validation is delegated to the commit phase and executed by a specific <tt>Validator</tt> implementation.</p>
+<p>The default behavior with respect to principal validation is compliant with the specification and the same as in Jackrabbit 2.x.: Adding an ACE for an principal unknown to the repository will fail. However in order to be consistent with the ability have a more relaxed behavior upon XML import that validation will be relaxed if the import behavior is being changed to allow for unknown principals (see (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>)) and the section Import below.</p>
+<p>Restrictions: as of OAK the optional restrictions present with a given <tt>JackrabbitAccessControlEntry</tt> can be multivalued (see below).</p></div></div>
+<div class="section">
+<h5>Jackrabbit API<a name="Jackrabbit_API"></a></h5>
+<div class="section">
+<h6>Principal-based Access Control<a name="Principal-based_Access_Control"></a></h6>
+<p>The principal-based access control management as present in Jackrabbit-core is no longer present with OAK. The main benefit of the principal-based approach has been incorporated with the changes in the default <a href="differences_permissions.html">permission evaluation</a>). In addition the default access control manager implementation supports all methods defined by <tt>JackrabbitAccessControlManager</tt>; i.e. editing access control information by principal is possible as long as the editing session has sufficient permission on the target node(s). Similarly, the per principal policies exposed to a given session will always respect that access rights of that session.</p></div>
+<div class="section">
+<h6>Restrictions<a name="Restrictions"></a></h6>
+<p>The implementation of the additional restrictions associated with an ACE has been modified/extended as follows:</p>
+
+<ul>
+  
+<li>Separate restriction management API (see below) on the OAK level that allows to ease plugging custom restrictions.</li>
+  
+<li>Changed node type definition for storing restrictions in the default implementation.
+  
+<ul>
+    
+<li>as of OAK restrictions are collected underneath a separate child node &#x201c;rep:restrictions&#x201d;</li>
+    
+<li>restrictions can be multi-valued (see <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3637">JCR-3637</a>, <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3641">JCR-3641</a>)</li>
+    
+<li>backwards compatible behavior for restrictions stored underneath the ACE node directly</li>
+  </ul></li>
+  
+<li>New restrictions:
+  
+<ul>
+    
+<li>&#x201c;rep:ntNames&#x201d;, which allows to limit the affected ACE to nodes of the specified node type(s)</li>
+    
+<li>&#x201c;rep:prefixes&#x201d;, which allows to limit the effect to item names that have a specific namespace prefix.</li>
+  </ul></li>
+</ul></div></div>
+<div class="section">
+<h5>Import<a name="Import"></a></h5>
+<p>The import of access control content via JCR XML import has been extended to respect the <tt>o.a.j.oak.spi.xml.ImportBehavior</tt> flags instead of just performing a best effort import.</p>
+<p>Currently the <tt>ImportBehavior</tt> is only used to switch between different ways of handling principals unknown to the repository. For consistency and in order to match the validation requirements as specified by <tt>AccessControlList#addAccessControlEntry</tt> the default behavior is ABORT (while in Jackrabbit 2.x the behavior always was BESTEFFORT).</p>
+<p>The different <tt>ImportBehavior</tt> flags are implemented as follows: - <tt>ABORT</tt>: throws an <tt>AccessControlException</tt> if the principal is unknown - <tt>IGNORE</tt>: ignore the entry defining the unknown principal - <tt>BESTEFFORT</tt>: import the access control entry with an unknown principal.</p>
+<p>In order to get the same best effort behavior as present with Jackrabbit 2.x the configuration parameters of the <tt>AuthorizationConfiguration</tt> must contain the following entry:</p>
+
+<div class="source">
+<pre>importBehavior = &quot;besteffort&quot;
+</pre></div>
+<p>See also (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>))</p></div></div>
+<div class="section">
+<h4>2. Node Types<a name="a2._Node_Types"></a></h4>
+<p>As mentioned above the node type definitions have been extended to match the new functionality related to restrictions. The node type definition for access control entries:</p>
+
+<div class="source">
+<pre>[rep:ACE]
+  - rep:principalName (STRING) protected mandatory
+  - rep:privileges (NAME) protected mandatory multiple
+  - rep:nodePath (PATH) protected /* deprecated in favor of restrictions */
+  - rep:glob (STRING) protected   /* deprecated in favor of restrictions */
+  - * (UNDEFINED) protected       /* deprecated in favor of restrictions */
+  + rep:restrictions (rep:Restrictions) = rep:Restrictions protected
+</pre></div>
+<p>The new node type definition for restrictions:</p>
+
+<div class="source">
+<pre>/**
+ * @since oak 1.0
+ */
+[rep:Restrictions]
+  - * (UNDEFINED) protected
+  - * (UNDEFINED) protected multiple
+</pre></div></div>
+<div class="section">
+<h4>3. API Extensions and Public Classes<a name="a3._API_Extensions_and_Public_Classes"></a></h4>
+<p>org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol [1]</p>
+
+<ul>
+  
+<li><tt>AbstractAccessControlList</tt></li>
+  
+<li><tt>ImmutableACL</tt></li>
+  
+<li><tt>ACE</tt></li>
+</ul>
+<p>org.apache.jackrabbit.oak.spi.security.authorization.restriction [2]</p>
+
+<ul>
+  
+<li><tt>RestrictionProvider</tt>:</li>
+  
+<li><tt>RestrictionDefinition</tt></li>
+  
+<li><tt>RestrictionPattern</tt></li>
+  
+<li><tt>Restriction</tt></li>
+</ul></div>
+<div class="section">
+<h4>4. Configuration<a name="a4._Configuration"></a></h4>
+<p>The following access control related configuration options are present with the <tt>AuthorizationConfiguration</tt> as of OAK 1.0 [3]</p>
+
+<ul>
+  
+<li><tt>getAccessControlManager</tt></li>
+  
+<li><tt>getRestrictionProvider</tt></li>
+</ul>
+<p>Differences to Jackrabbit 2.x:</p>
+
+<ul>
+  
+<li>The &#x201c;omit-default-permission&#x201d; configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak.</li>
+  
+<li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
+</ul></div>
+<div class="section">
+<h4>5. Important Note<a name="a5._Important_Note"></a></h4>
+<p>The following modification is most likely to have an effect on existing applications:</p>
+
+<ul>
+  
+<li><tt>AccessControlManager#hasPrivilege()</tt> and <tt>AccessControlManager#getPrivileges()</tt> will throw a  <tt>PathNotFoundException</tt> if the node for the specified path is not accessible. The Jackrabbit 2  implementation is wrong and we fixed that in OAK (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-886">OAK-886</a>).  If the new behaviour turns out to be a problem with existing applications we might consider  adding backward compatible behaviour.</li>
+</ul></div>
+<div class="section">
+<h4>6. References<a name="a6._References"></a></h4>
+<p>[0] <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-951">https://issues.apache.org/jira/browse/OAK-951</a></p>
+<p>[1] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/</a></p>
+<p>[2] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/</a></p>
+<p>[3] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java</a></p></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
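Review bot: The reference numbering in sections 3 and 6 is swapped: section 3 labels the `...authorization.accesscontrol` package as [1] and `...authorization.restriction` as [2], but in "6. References" [1] links to `.../spi/security/authorization/restriction/` and [2] to `.../spi/security/authorization/accesscontrol/`; either swap the two reference lines or the two labels so a reader following [1] lands on the accesscontrol package. In the "Import" section the `ImportBehavior` list did not render as a list: the three flags (`ABORT`, `IGNORE`, `BESTEFFORT`) are run together in one `<p>` with literal " - " separators, which means the source Markdown lacks the blank line before the list items; the behaviour of the default (ABORT) versus the Jackrabbit 2.x BESTEFFORT default is the security-relevant point of that section, so it is worth rendering it as a proper `<ul>`. Several typos and unbalanced parentheses in the generated prose should be fixed in the Markdown source rather than here: "guarantueed" and "use to throw" (getEffectivePolicies), "it's functionality" (General), "an principal" and "ability have a more relaxed behavior" (AccessControlEntry), "(see (OAK-951))" and "See also (OAK-1350))", and the stray colon after `RestrictionProvider` in section 3. The page header says "Generated by Apache Maven Doxia at 2014-04-15" and "Version: 0.20-SNAPSHOT" while this commit to the live site is dated 2014-09-24; please confirm the stale snapshot build is the intended content for the live docs. Finally, the footer loads `http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js` over plain HTTP and the sidebar loads `https://apis.google.com/js/plusone.js`; both are third-party scripts executing in the docs origin, and the plain-HTTP one will be blocked as mixed content (or, if the site is served over HTTP, is modifiable in transit), so consider dropping them or at least switching the ohloh widget to HTTPS.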

Added: jackrabbit/site/live/oak/docs/differences_authentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_authentication.html?rev=1627294&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_authentication.html (added)
+++ jackrabbit/site/live/oak/docs/differences_authentication.html Wed Sep 24 12:23:59 2014
@@ -0,0 +1,594 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Authentication : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>Authentication : Differences wrt Jackrabbit 2.x<a name="Authentication_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>1. Characteristics of the Default Implementation<a name="a1._Characteristics_of_the_Default_Implementation"></a></h4>
+<div class="section">
+<h5>Null Login<a name="Null_Login"></a></h5>
+<p>As of Oak 1.0 <tt>Repository#login()</tt> and <tt>Repository#login(null, wspName)</tt> is no longer treated as guest login. This behavior of Jackrabbit-core is violating the specification, which defines that null-login should be used for those cases where the authentication process is handled outside of the repository (-&gt; see pre-authentication below).</p>
+<p>In order to get a full backwards compatible behavior OAK provides a specific <tt>GuestLoginModule</tt> [0] that can be added to the JAAS (or corresponding OSGI) configuration.</p>
+<p>Example JAAS Configuration:</p>
+
+<div class="source">
+<pre>jackrabbit.oak {
+   org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule  optional;
+   org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
+};
+</pre></div></div>
+<div class="section">
+<h5>Guest Login<a name="Guest_Login"></a></h5>
+<p>With respect to guest login (aka anonymous login) the OAK content repository out of the box contains the following modifications:</p>
+
+<ul>
+  
+<li>null login != guest login</li>
+  
+<li>no anonymous login with uid/pw</li>
+</ul>
+<p>As explained in 1) the null login will not longer fall back to a guest login unless explicitly configured (-&gt; <tt>GuestLoginModule</tt>). The proper way to obtain an guest session as of OAK is as specified by JSR 283:</p>
+
+<div class="source">
+<pre>String wspName = null;
+Session anonymous = repository.login(new GuestCredentials(), wspName);
+</pre></div>
+<p>Similarly, the special treatment that jackrabbit core applied for the guest (anonymous) user has been omitted altogether in OAK. In the default setup the anonymous user will created without any password. Therefore explicitly uid/pw login using the anonymous userId will no longer work. This behavior is now consistent with the default login of any other user which doesn&#x2019;t have a password set.</p></div>
+<div class="section">
+<h5>Pre-Authentication in the LoginContextProvider<a name="Pre-Authentication_in_the_LoginContextProvider"></a></h5>
+<p>Like in Jackrabbit-core the repository internal authentication verification can be skipped by calling <tt>Repository#login()</tt> or <tt>Repository#login(null, wspName)</tt>. In this case the repository implementation expects the verification to be performed prior to the login call.</p>
+<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p>
+<p>Since the <tt>LoginContextProvider</tt> is a configurable with the authentication setup OAK users also have the following options by providing a custom <tt>LoginContextProvider</tt>:</p>
+
+<ul>
+  
+<li>Disable pre-authentication by not trying to retrieve a pre-authenticated <tt>Subject</tt>.</li>
+  
+<li>Add support for extending the pre-authenticated subject by always passing writable subjects to the <tt>JaasLoginContext</tt></li>
+  
+<li>Dropping JAAS altogether by providing a custom implementation of the  <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
+</ul>
+<p>Example how to use the pre-auth:</p>
+
+<div class="source">
+<pre>String userId = &quot;test&quot;;
+/**
+ Retrive valid principals e.g. by calling jackrabbit API
+ - PrincipalManager#getPrincipal and/or #getGroupMembership
+ or from Oak SPI
+ - PrincipalProvider#getPrincipals(String userId)
+ */
+Set&lt;? extends Principal&gt; principals = getPrincipals(userId);
+AuthInfo authInfo = new AuthInfoImpl(userId, Collections.&lt;String, Object&gt;emptyMap(), principals);
+Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.&lt;Object&gt;emptySet());
+Session session;
+try {
+    session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction&lt;Session&gt;() {
+        @Override
+        public Session run() throws Exception {
+            return login(null, null);
+        }
+    }, null);
+} catch (PrivilegedActionException e) {
+    throw new RepositoryException(&quot;failed to retrieve session.&quot;, e);
+}
+</pre></div></div></div>
+<div class="section">
+<h4>2. Impersonation<a name="a2._Impersonation"></a></h4>
+<div class="section">
+<h5>Self-Impersonation (aka Cloning a Session)<a name="Self-Impersonation_aka_Cloning_a_Session"></a></h5>
+<p>As of OAK 1.0 the latest changes made to JSR 333 with respect to <tt>Session#impersonate</tt> have been adopted [3]: Any attempt to impersonate the same session (self-impersonation) will succeed as long as the user is still valid.</p></div>
+<div class="section">
+<h5>Impersonation Credentials<a name="Impersonation_Credentials"></a></h5>
+<p>The OAK implementation of <tt>Session#impersonate</tt> no longer uses <tt>SimpleCredentials</tt> to transport the original <tt>Subject</tt> but rather performs the login with dedicated <tt>ImpersonationCredentials</tt> [4].</p>
+<p>With this change the impersonation feature no longer relies on <tt>SimpleCredentials</tt> being passed to <tt>Session#impersonate</tt> call. Instead the specified credentials are passed to a new instance of <tt>ImpersonationCredentials</tt> delegating the evaluation and validation of the specified <tt>Credentials</tt> to the configured login module(s).</p>
+<p>This modification will not affect applications that used JCR API to impersonate a given session. However the following example which &#x2018;manually&#x2019; builds impersonation credentials the way jackrabbit core was handling it will no longer work to impersonate an existing session:</p>
+
+<div class="source">
+<pre> SessionImpl sImpl = (SessionImpl) mySession;
+ SimpleCredentials jrImpCreds = new SimpleCredentials(&quot;someUserId, new char[0]);
+ creds.setAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE, sImpl.getSubject());
+ Session impersonated = sImpl.getRepository().login(jrImpCreds, sImpl.getWorkspace().getName());
+</pre></div></div></div>
+<div class="section">
+<h4>3. Token based Authentication<a name="a3._Token_based_Authentication"></a></h4>
+<p>The token based authentication has been completely refactor in OAK.</p>
+
+<ul>
+  
+<li>Dedicated API for managing login tokens [5]</li>
+  
+<li>Pluggable configuration of the new token management API</li>
+  
+<li>Complete separation of token based authentication from regular  uid/pw authentication into a separate <tt>LoginModule</tt> [6]</li>
+</ul>
+<p>The default implementation differs from jackrabbit as follows - token node is referenceable with a dedicated node type (rep:Token) - expiration and key properties are mandatory and protected - expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the login attributes and falls back to the same configuration parameter.</p>
+<p>The definition of the new built-in node type &#x201c;rep:Token&#x201d;:  [rep:Token] &gt; mix:referenceable  - rep:token.key (STRING) protected mandatory  - rep:token.exp (DATE) protected mandatory  - * (UNDEFINED) protected  - * (UNDEFINED) multiple protected</p>
+<p>Please note the following difference with respect to Jackrabbit core: - the <tt>TokenLoginModule</tt> is responsible for creating new login tokens. Other login modules should not attempt to do so. - token characteristics such as expiration time only need to be configured with the <tt>TokenLoginModule</tt> - Other <tt>LoginModule</tt> implementations consequently no longer need to have the same config options set.</p></div>
+<div class="section">
+<h4>4. External Authentication<a name="a4._External_Authentication"></a></h4>
+<p>While the default setup in OAK is solely relying on repository functionality to ensure proper authentication it quite common to authenticate against different systems (e.g. LDAP). For those setups that wish to combine initial authentication against a third party system with repository functionality, OAK provides some basic implementation and extension points [7] and ship an example setup for LDAP authentication.</p>
+<p>This is aimed to become the replacement for <tt>com.day.crx.security.ldap.LDAPLoginModule</tt> [8], which relies on jackrabbit internals and will no longer work with OAK.</p></div>
+<div class="section">
+<h4>5. API Extensions<a name="a5._API_Extensions"></a></h4>
+<p>The OAK project introduces the following authenticated related service provider interfaces:</p>
+<p>org.apache.jackrabbit.oak.spi.security.authentication:</p>
+
+<ul>
+  
+<li><tt>LoginContextProvider</tt>: Configurable provider of the <tt>LoginContext</tt> (see below)</li>
+  
+<li><tt>LoginContext</tt>: Interface version of the JAAS LoginContext aimed to ease integration with non-JAAS components</li>
+  
+<li><tt>Authentication</tt>: Aimed to validate credentials during the first phase of the (JAAS) login process.</li>
+</ul>
+<p>org.apache.jackrabbit.oak.spi.security.authentication.token:</p>
+
+<ul>
+  
+<li><tt>TokenConfiguration</tt>: Interface to obtain a <tt>TokenProvider</tt> instance.</li>
+  
+<li><tt>TokenProvider</tt>: Interface to manage login tokens.</li>
+  
+<li><tt>TokenInfo</tt>: Information related to a login token and token validity.</li>
+</ul>
+<p>org.apache.jackrabbit.oak.spi.security.authentication.external:</p>
+
+<ul>
+  
+<li>interfaces to ease custom implementation of the external authentication with  optional user/group synchronization to the repository (see [7]).</li>
+</ul></div>
+<div class="section">
+<h4>6. Configuration<a name="a6._Configuration"></a></h4>
+<div class="section">
+<h5>AuthenticationConfiguration [9]:<a name="AuthenticationConfiguration_9:"></a></h5>
+
+<ul>
+  
+<li><tt>getLoginContextProvider</tt> -&gt; configuration of the login context</li>
+</ul></div>
+<div class="section">
+<h5>TokenConfiguration [10]:<a name="TokenConfiguration_10:"></a></h5>
+
+<ul>
+  
+<li><tt>getTokenProvider</tt></li>
+</ul></div>
+<div class="section">
+<h5>Utilities<a name="Utilities"></a></h5>
+<p>There also exists a utility class that allows to obtain different <tt>javax.security.auth.login.Configuration</tt> for the most common setup [11]:</p>
+
+<ul>
+  
+<li>
+<p><tt>ConfigurationUtil#getDefaultConfiguration</tt>: default OAK configuration supporting uid/pw login configures <tt>LoginModuleImpl</tt> only</p></li>
+  
+<li>
+<p><tt>ConfigurationUtil#getJackrabbit2Configuration</tt>: backwards compatible configuration that provides the functionality covered by jackrabbit-core DefaultLoginModule, namely:</p>
+  
+<ul>
+    
+<li><tt>GuestLoginModule</tt>: null login falls back to anonymous</li>
+    
+<li><tt>TokenLoginModule</tt>: covers token base authentication</li>
+    
+<li><tt>LoginModuleImpl</tt>: covering regular uid/pw login</li>
+  </ul></li>
+</ul></div></div>
+<div class="section">
+<h4>7. References<a name="a7._References"></a></h4>
+<p>[0] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.java</a></p>
+<p>[1] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java</a></p>
+<p>[2] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContext.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContext.java</a></p>
+<p>[3] <a class="externalLink" href="https://java.net/jira/browse/JSR_333-27">https://java.net/jira/browse/JSR_333-27</a></p>
+<p>[4] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java</a></p>
+<p>[5] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/</a></p>
+<p>[6] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java</a></p>
+<p>[7] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/</a></p>
+<p>[8] <a class="externalLink" href="http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html">http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html</a></p>
+<p>[9] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.java</a></p>
+<p>[10] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenConfiguration.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenConfiguration.java</a></p>
+<p>[11] <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ConfigurationUtil.java">http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ConfigurationUtil.java</a></p></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
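Review bot: the snippet under "Impersonation Credentials" has two defects that are not the point the text is making: `new SimpleCredentials("someUserId, new char[0]);` is missing the closing quote of the string literal, and the next line calls `creds.setAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE, ...)` on a variable that was never declared (the credentials object is `jrImpCreds`); fix both in the source so that the only thing "wrong" with the example is what the surrounding paragraph describes, namely that Oak no longer honours the impersonator attribute on `SimpleCredentials`. In the "Pre-Authentication in the LoginContextProvider" example, restate the consequence the preceding paragraph already gives: the default `LoginContextProvider` skips the internal verification step altogether and trusts the `Subject` found in the `AccessControlContext`, so `getPrincipals(userId)` must resolve principals from a trusted source (the comment already points at `PrincipalManager` and `PrincipalProvider`), and the `Subject.doAsPrivileged(...)` call must only be reachable from code that has itself authenticated the caller; a one-sentence note next to the snippet would keep readers from copying it into an unauthenticated code path. The "3. Token based Authentication" section lost its structure in rendering: "The default implementation differs from jackrabbit as follows - token node is referenceable ...", the `[rep:Token] > mix:referenceable` node type definition, and "Please note the following difference ... - the TokenLoginModule ..." come out as run-on paragraphs with inline " - " separators, so the markdown source needs a blank line before each of those lists and the CND definition should be a code block like the other snippets on the page. The page also pulls third-party JavaScript into the documentation site, `https://apis.google.com/js/plusone.js` in the sidebar and `http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js` in the footer, the latter over plain HTTP; a script loaded from an unauthenticated origin can be substituted in transit, so either drop the widgets from the skin or at least reference them over https. Minor wording in the prose: "completely refactor" should be "completely refactored", "it quite common" should be "it is quite common", "ship an example setup" should be "ships an example setup", "authenticated related service provider interfaces" should be "authentication related", "will not longer fall back" should be "will no longer fall back", "an guest session" should be "a guest session", "will created without any password" should be "will be created without any password", and "Retrive" in the code comment should be "Retrieve".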

Added: jackrabbit/site/live/oak/docs/differences_permission.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_permission.html?rev=1627294&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_permission.html (added)
+++ jackrabbit/site/live/oak/docs/differences_permission.html Wed Sep 24 12:23:59 2014
@@ -0,0 +1,584 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-04-15
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140415" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Permission Evaluation : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-04-15</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>Permission Evaluation : Differences wrt Jackrabbit 2.x<a name="Permission_Evaluation_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>1. Characteristics of the Default Implementation<a name="a1._Characteristics_of_the_Default_Implementation"></a></h4>
+<div class="section">
+<h5>General<a name="General"></a></h5>
+<p>In general the permission evaluation related code in Oak is intended to be more clearly separated from the access control management such as defined by the JCR and Jackrabbit API. While permission evaluation is considered to be an internal feature of the Oak core module, the package <tt>org.apache.jackrabbit.oak.spi.security.authorization.permission</tt> provides some extensions points that allow to plug custom extensions or implementations of the permission evaluation.</p></div>
+<div class="section">
+<h5>JCR API<a name="JCR_API"></a></h5>
+<div class="section">
+<h6><tt>Session#hasPermission</tt> and <tt>Session#checkPermission</tt><a name="SessionhasPermission_and_SessioncheckPermission"></a></h6>
+<p>Since Oak the permission related API calls not only allow to pass the action strings defined by JCR specification (see constants defined in <tt>Session.java</tt>) but also handles the names of the permission defined by Oak (see <tt>Permissions#getString(long permissions)</tt>).</p></div></div>
+<div class="section">
+<h5>Mapping of JCR Actions to Permissions<a name="Mapping_of_JCR_Actions_to_Permissions"></a></h5>
+<p>`ACTION_READ&#x2019;:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.READ_ACCESS_CONTROL</tt></li>
+  
+<li>regular nodes: <tt>Permissions.READ_NODE</tt></li>
+  
+<li>regular properties: <tt>Permissions.READ_PROPERTY</tt></li>
+  
+<li>non-existing items: <tt>Permissions.READ</tt></li>
+</ul>
+<p><tt>ACTION_ADD_NODE</tt>:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
+<li>regular nodes: <tt>Permissions.ADD_NODE</tt></li>
+</ul>
+<p><tt>ACTION_REMOVE</tt>:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
+<li>regular nodes: <tt>Permissions.REMOVE_NODE</tt></li>
+  
+<li>regular properties: <tt>Permissions.REMOVE_PROPERTY</tt></li>
+  
+<li>non-existing nodes: <tt>Permissions.REMOVE</tt></li>
+</ul>
+<p><tt>ACTION_SET_PROPERTY</tt>:</p>
+
+<ul>
+  
+<li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
+<li>regular properties: <tt>Permissions.MODIFY_PROPERTY</tt></li>
+  
+<li>non-existing properties: <tt>Permissions.ADD_PROPERTY</tt></li>
+</ul></div>
+<div class="section">
+<h5>Permissions<a name="Permissions"></a></h5>
+<p>The set of permissions supported by Oak are listed in <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java">Permissions</a>. The following changes have been compared compared to Jackrabbit 2.x:</p>
+
+<ul>
+  
+<li><tt>READ_NODE</tt>: permission to read a node</li>
+  
+<li><tt>READ_PROPERTY</tt>: permission to read a property</li>
+  
+<li><tt>ADD_PROPERTY</tt>: permission to create a new property</li>
+  
+<li><tt>MODIFY_PROPERTY</tt>: permission to change an existing property</li>
+  
+<li><tt>REMOVE</tt>: aggregation of <tt>REMOVE_NODE</tt> and <tt>REMOVE_PROPERTY</tt></li>
+  
+<li><tt>USER_MANAGEMENT</tt>: permission to execute user management related tasks such as e.g. creating or removing user/group, changing user password and editing group membership.</li>
+  
+<li><tt>INDEX_DEFINITION_MANAGEMENT</tt>: permission to create, modify and remove the oak:index node and it&#x2019;s subtree which is expected to contain the index definitions.</li>
+</ul>
+<p>The following permissions are now an aggregation of new permissions:</p>
+
+<ul>
+  
+<li><tt>READ</tt>: aggregates <tt>READ_NODE</tt> and <tt>READ_PROPERTY</tt></li>
+  
+<li><tt>SET_PROPERTY</tt>: aggregates <tt>ADD_PROPERTY</tt>, <tt>MODIFY_PROPERTY</tt> and <tt>REMOVE_PROPERTY</tt></li>
+</ul></div></div>
+<div class="section">
+<h4>2. Permission Evaluation<a name="a2._Permission_Evaluation"></a></h4>
+<div class="section">
+<h5>Reading<a name="Reading"></a></h5>
+<p>Due to the fine grained read permissions Oak read access can be separately granted/denied for nodes and properties. See also the section about extended restriction management in <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-792">OAK-792</a>. Granting the <tt>jcr:read</tt> privilege will result in a backwards compatible read access for nodes and their properties, while specifying <tt>rep:readNodes</tt> or <tt>rep:readProperties</tt> privileges allows separately granting or denying access to nodes and properties (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-910">OAK-910</a> for changes in the privilege definitions). Together with the restrictions this new behavior now allows to individually grant/deny access to properties that match a given name/path/nodetype (and as a possible extension even property value).</p>
+<p>The only break in terms of backwards compatibility is the accessibility of version content underneath <tt>/jcr:system/jcr:versionStore</tt>. As of Oak the access to version content depends on the read permissions present with the versionable node while Jackrabbit 2.x doesn&#x2019;t apply any special rule. These changes are covered by <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-444">OAK-444</a> and address the concerns summarized in <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-2963">JCR-2963</a>.</p></div>
+<div class="section">
+<h5>Property Modification<a name="Property_Modification"></a></h5>
+<p>Since Oak the former <tt>SET_PROPERTY</tt> permission has been split such to allow for more fined grained control on writing JCR properties. In particular Oak clearly distinguishes between creating a new property that didn&#x2019;t exist before, modifying or removing an existing property. This will allow to cover those cases where a given subject is only allowed to create content but doesn&#x2019;t have the ability to modify/delete it later on.</p></div>
+<div class="section">
+<h5>Node Removal<a name="Node_Removal"></a></h5>
+<p>As of Oak <tt>Node#remove()</tt> only requires sufficient permissions to remove the target node. In contrast to Jackrabbit 2.x the validation will not traverse the tree and verify remove permission on all child nodes/properties. In order to obtain backwards compatible behavior with respect to tree removal the permission evaluation can be configured to traverse down the hierarchy upon removal. This config flag is a best effort approach but doesn&#x2019;t guarantee an identical behavior.</p></div>
+<div class="section">
+<h5>Rename<a name="Rename"></a></h5>
+<p>Due to the nature of the diff mechanism in Oak it is not possible to distinguish between <tt>JackrabbitNode#rename</tt> and a move with subsequent reordering. Consequently the permission evaluation will no longer apply the special handling for the renaming as it was present in Jackrabbit 2.x (renaming just required the ability to modify the child collection of the parent node).</p></div>
+<div class="section">
+<h5>Move<a name="Move"></a></h5>
+<p>Due to the nature of the diff mechanism in Oak it is no longer possible to treat move operations the same way as it was implemented in Jackrabbit 2.x. The current permission evaluation attempts to provide a best-effort handling to achieve a similar behavior that it was present in Jackrabbit 2.x.</p>
+<p>The current implementation has the following limitations with respect to multiple move operations within a given set of transient operations:</p>
+
+<ul>
+  
+<li>Move operations that replace an node that has been moved away will not be detected as modification by the diff mechanism and regular permission checks for on the subtree will be performed.</li>
+  
+<li>Moving an ancestor of a node that has been moved will only detect the second move and will enforce regular permissions checks on the child that has been moved in a first step.</li>
+</ul>
+<p>For API consumers and applications running on Jackrabbit Oak this means that combinations of multiple moves can not always be properly resolved. Consequently permissions will be evaluated as if the modifications did not include move (in general being more restrictive): If the move leads to changes that are detected by the diff mechanism, regular permissions will be evaluated for all items that appear to be added, removed or modified, while a regular move operations just requires <tt>REMOVE_NODE</tt> permission on the source, <tt>ADD_NODE</tt> and <tt>NODE_TYPE_MANAGEMENT</tt> permissions at the destination.</p></div>
+<div class="section">
+<h5>User Management<a name="User_Management"></a></h5>
+<p>By default user management operations require the specific user mgt related permission to be granted for the editing subject. This permission (including a corresponding privilege) has been introduced with Oak 1.0. For backwards compatibility with Jackrabbit 2.x this behavior can be turned off by setting the corresponding configuration flag.</p></div>
+<div class="section">
+<h5>Version Management<a name="Version_Management"></a></h5>
+<p>Reading and writing items in the version store does not follow the regular permission evaluation but depends on access rights present on the corresponding versionable node. In case the version information does no longer have a versionable node in this workspace that original path is used to evaluate the effective permissions that would apply to that node if the version was restored. Note, that as in Jackrabbit VERSION_MANAGEMENT permission instead of the regular JCR write permissions is required in order to execute version operations and thus modify the version store. These changes are covered by <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-444">OAK-444</a> and address the concerns summarized in <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-2963">JCR-2963</a>.</p></div>
+<div class="section">
+<h5>Query Index Definitions<a name="Query_Index_Definitions"></a></h5>
+<p>Writing query index definitions requires the specific index definition management which is enforce on nodes named &#x201c;oak:index&#x201d; and the subtree defined by them. Note that the corresponding items are not protected in the JCR sense. Consequently any other modification in these subtrees like e.g. changing the primary type or adding mixin types is governed by the corresponding privileges.</p></div></div>
+<div class="section">
+<h4>3. Administrative Principals<a name="a3._Administrative_Principals"></a></h4>
+<p>The following principals always have full access to the whole content repository irrespective of the access control content:</p>
+
+<ul>
+  
+<li><tt>SystemPrincipal</tt></li>
+  
+<li>All instances of <tt>AdminPrincipal</tt></li>
+  
+<li>All principals whose name matches the configured administrative principal names (see Configuration section below). This configuration only applies to the permission evaluation and is currently not reflected in other security models nor methods that deal with the administrator (i.e. <tt>User#isAdmin</tt>).</li>
+</ul></div>
+<div class="section">
+<h4>4. Node Types<a name="a4._Node_Types"></a></h4>
+
+<div class="source">
+<pre>[rep:PermissionStore]
+  - rep:accessControlledPath (STRING) protected IGNORE
+  - rep:numPermissions (LONG) protected IGNORE
+  - rep:modCount (LONG) protected IGNORE
+  + * (rep:PermissionStore) = rep:PermissionStore protected IGNORE
+  + * (rep:Permissions) = rep:Permissions protected IGNORE
+
+[rep:Permissions]
+  - * (UNDEFINED) protected IGNORE
+  - * (UNDEFINED) protected multiple IGNORE
+  + * (rep:Permissions) = rep:Permissions protected IGNORE
+
+[rep:VersionablePaths]
+  mixin
+  - * (PATH) protected ABORT
+</pre></div></div>
+<div class="section">
+<h4>5. API Extensions<a name="a5._API_Extensions"></a></h4>
+<p>org.apache.jackrabbit.oak.spi.security.authorization.permission</p>
+
+<ul>
+  
+<li><tt>PermissionProvider</tt>: Main entry point for Oak internal permission evaluation.</li>
+  
+<li><tt>Permissions</tt>: The permissions defined, respected and evaluated by the repository.</li>
+  
+<li><tt>PermissionConstants</tt>: Constants used throughout the permission evaluation.</li>
+</ul></div>
+<div class="section">
+<h4>6. Configuration<a name="a6._Configuration"></a></h4>
+<p>Configuration Parameters supported by the default implementation</p>
+
+<ul>
+  
+<li><tt>PARAM_PERMISSIONS_JR2</tt>: Enables backwards compatible behavior for the permissions listed in the parameter value. Currently the following values are allowed: <tt>USER_MANAGEMENT</tt> and <tt>REMOVE_NODE</tt>. The parameter value must contain the permission names separated by &#x2018;,&#x2019;.</li>
+  
+<li><tt>PARAM_READ_PATHS</tt>: default set of paths that are always readable to all principals irrespective of other permissions defined at that path or inherited from other nodes.</li>
+  
+<li><tt>PARAM_ADMINISTRATIVE_PRINCIPALS</tt>: The names of the additional principals that have full permission and for which the permission evaluation can be skipped altogether.</li>
+</ul>
+<p>Differences to Jackrabbit 2.x The <tt>omit-default-permission</tt> configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak. Since there are no permissions installed by default this flag has become superfluous.</p>
+<!-- hidden references --></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
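Review bot: the body text of the generated page carries several wording defects that should be fixed in the Markdown source this HTML is rendered from rather than patched in the rendered output: the first action label opens with a backtick and closes with a curly quote (`ACTION_READ&#x2019;`) while the other three actions use `<tt>`; "The following changes have been compared compared to Jackrabbit 2.x" duplicates a word; "the oak:index node and it&#x2019;s subtree" should read "its"; "split such to allow for more fined grained control" should read "split to allow for more fine-grained control"; "replace an node" should be "a node"; "regular permission checks for on the subtree" has a stray "for"; "which is enforce on nodes named" should be "enforced"; and the last paragraph runs the heading "Differences to Jackrabbit 2.x" into the body sentence without a heading element of its own. Separately, the page executes two third-party scripts in its own context, `https://apis.google.com/js/plusone.js` in the sidebar and `http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js` in the footer; the ohloh one is fetched over plain HTTP, so its integrity is not protected in transit and browsers will flag it as mixed content when the docs are served over HTTPS. Both come from the shared Fluido site skin, so the fix belongs in the site skin configuration (drop the widgets or reference them over HTTPS) rather than in this generated file.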