Posted to commits@jackrabbit.apache.org by an...@apache.org on 2023/02/21 14:07:28 UTC

svn commit: r1907790 [16/17] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/document/ nodestore/segment/ oak-mongo-js/ oak-mongo-js/fonts/ oak-mongo-js/scripts/ oak-mongo-js/scripts/prettify/ oak-mongo...

Added: jackrabbit/site/live/oak/docs/security/authentication/external/bestpractices.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/bestpractices.html?rev=1907790&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/bestpractices.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/bestpractices.html Tue Feb 21 14:07:26 2023
@@ -0,0 +1,434 @@
+<!DOCTYPE html>
+
+
+<!--
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/bestpractices.md at 2023-02-21
+ | Rendered using Apache Maven Fluido Skin 1.11.1
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="generator" content="Apache Maven Doxia Site Renderer 1.11.1" />
+    <title>Jackrabbit Oak &#x2013; Best Practices for External Authentication</title>
+    <link rel="stylesheet" href="../../../css/apache-maven-fluido-1.11.1.min.css" />
+    <link rel="stylesheet" href="../../../css/site.css" />
+    <link rel="stylesheet" href="../../../css/print.css" media="print" />
+    <script src="../../../js/apache-maven-fluido-1.11.1.min.js"></script>
+
+    <!-- Matomo -->
+    <script>
+        var _paq = window._paq = window._paq || [];
+                _paq.push(['disableCookies']);
+                    _paq.push(['trackPageView']);
+                    _paq.push(['enableLinkTracking']);
+        
+        (function() {
+            var u="https://analytics.apache.org";
+            _paq.push(['setTrackerUrl', u+'/matomo.php']);
+            _paq.push(['setSiteId', '4']);
+            var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
+            g.async=true; g.src=u+'/matomo.js'; s.parentNode.insertBefore(g,s);
+        })();
+    </script>
+    <!-- End Matomo Code -->
+  </head>
+  <body class="topBarEnabled">
+    <a class="github-fork-ribbon right-top" href="https://github.com/apache/jackrabbit-oak" data-ribbon="Fork me on GitHub" title="Fork me on GitHub">Fork me on GitHub</a>
+    <header id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+        <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+<a class="brand" href="../../../"  title="Oak logo"><img src="../../../oak_logo.png" alt="Oak logo" />
+</a>
+            <ul class="nav">
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li><a href="../../../index.html" title="Jackrabbit Oak">Jackrabbit Oak</a></li>
+            <li><a href="../../../license.html" title="License">License</a></li>
+            <li><a href="../../../downloads.html" title="Downloads">Downloads</a></li>
+            <li><a href="../../../roadmap.html" title="Roadmap">Roadmap</a></li>
+            <li><a href="../../../articles.html" title="Articles">Articles</a></li>
+        </ul>
+      </li>
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li><a href="../../../architecture/overview.html" title="Overview">Overview</a></li>
+            <li><a href="../../../architecture/nodestate.html" title="The Node State Model">The Node State Model</a></li>
+        </ul>
+      </li>
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li><a href="https://s.apache.org/jcr-2.0-spec/index.html" title="JCR API">JCR API</a></li>
+            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
+            <li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
+        </ul>
+      </li>
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li class="dropdown-submenu">
+<a href="../../../nodestore/overview.html" title="Node Storage">Node Storage</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore">Document NodeStore</a></li>
+                  <li><a href="../../../nodestore/segment/overview.html" title="Segment NodeStore">Segment NodeStore</a></li>
+                  <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
+              </ul>
+            </li>
+            <li class="dropdown-submenu">
+<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+                  <li><a href="../../../features/direct-binary-access-upload-file.html" title="Direct Binary Access Upload File">Direct Binary Access Upload File</a></li>
+              </ul>
+            </li>
+            <li class="dropdown-submenu">
+<a href="../../../query/query.html" title="Query">Query</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../query/query-engine.html" title="Query Engine">Query Engine</a></li>
+                  <li><a href="../../../query/grammar-xpath.html" title="XPath Grammar">XPath Grammar</a></li>
+                  <li><a href="../../../query/grammar-sql2.html" title="SQL-2 Grammar">SQL-2 Grammar</a></li>
+                  <li><a href="../../../query/query-troubleshooting.html" title="Troubleshooting">Troubleshooting</a></li>
+                  <li><a href="../../../query/indexing.html" title="Indexing">Indexing</a></li>
+                  <li><a href="../../../query/oak-run-indexing.html" title="Indexing with Oak-Run">Indexing with Oak-Run</a></li>
+                  <li><a href="../../../query/lucene.html" title="Lucene Index">Lucene Index</a></li>
+                  <li><a href="../../../query/elastic.html" title="Elastic Index">Elastic Index</a></li>
+                  <li><a href="../../../query/property-index.html" title="Property Index">Property Index</a></li>
+                  <li><a href="../../../query/solr.html" title="Solr Index">Solr Index</a></li>
+              </ul>
+            </li>
+            <li class="dropdown-submenu">
+<a href="../../../security/overview.html" title="Security">Security</a>
+              <ul class="dropdown-menu">
+                  <li><a href="../../../security/introduction.html" title="Introduction">Introduction</a></li>
+                  <li><a href="../../../security/reports.html" title="Reports">Reports</a></li>
+                  <li><a href="../../../security/authentication.html" title="Authentication">Authentication</a></li>
+                  <li><a href="../../../security/authorization.html" title="Authorization">Authorization</a></li>
+                  <li><a href="../../../security/principal.html" title="Principal Management">Principal Management</a></li>
+                  <li><a href="../../../security/user.html" title="User Management">User Management</a></li>
+              </ul>
+            </li>
+            <li><a href="../../../features/atomic-counter.html" title="Atomic Counter">Atomic Counter</a></li>
+            <li><a href="../../../features/observation.html" title="Observation">Observation</a></li>
+        </ul>
+      </li>
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li><a href="../../../use_getting_started.html" title="Getting Started">Getting Started</a></li>
+            <li><a href="../../../construct.html" title="Repository Construction">Repository Construction</a></li>
+            <li><a href="../../../osgi_config.html" title="Configuring Oak">Configuring Oak</a></li>
+            <li><a href="../../../command_line.html" title="Command Line Tools">Command Line Tools</a></li>
+            <li><a href="../../../migration.html" title="Migration">Migration</a></li>
+            <li><a href="../../../differences.html" title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a></li>
+            <li><a href="../../../known_issues.html" title="Known Issues">Known Issues</a></li>
+            <li><a href="../../../constraints.html" title="Constraints">Constraints</a></li>
+            <li><a href="../../../dos_and_donts.html" title="Dos and Don'ts">Dos and Don'ts</a></li>
+            <li><a href="../../../coldstandby/coldstandby.html" title="Cold Standby">Cold Standby</a></li>
+            <li><a href="../../../FAQ.html" title="FAQ">FAQ</a></li>
+        </ul>
+      </li>
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li><a href="../../../dev_getting_started.html" title="Getting Started">Getting Started</a></li>
+            <li><a href="../../../participating.html" title="Participating">Participating</a></li>
+            <li><a href="../../../oakathons.html" title="Oakathons">Oakathons</a></li>
+            <li><a href="../../../developing-with-git.html" title="Developing with Git">Developing with Git</a></li>
+            <li><a href="../../../diagnostic-builds.html" title="Cutting diagnostic builds">Cutting diagnostic builds</a></li>
+            <li><a href="../../../branching.html" title="Branching off a new stable">Branching off a new stable</a></li>
+            <li><a href="../../../attribution.html" title="Attribution">Attribution</a></li>
+            <li><a href="../../../release-schedule.html" title="Release Schedule">Release Schedule</a></li>
+        </ul>
+      </li>
+      <li class="dropdown">
+        <a class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+            <li><a href="http://jackrabbit.apache.org/oak" title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a></li>
+            <li><a href="http://jackrabbit.apache.org/" title="Apache Jackrabbit">Apache Jackrabbit</a></li>
+        </ul>
+      </li>
+            </ul>
+        </div>
+      </div>
+    </header>
+    <div class="container-fluid">
+      <header>
+        <div id="banner">
+          <div class="pull-left"><div id="bannerLeft"><h1>Oak Documentation</h1>
+</div>
+</div>
+          <div class="pull-right"></div>
+          <div class="clear"><hr/></div>
+        </div>
+
+        <div id="breadcrumbs">
+          <ul class="breadcrumb">
+      <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
+      <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
+    <li class="active ">Best Practices for External Authentication <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/external/bestpractices.md"><img src="../../../images/accessories-text-editor.png" title="Edit" /></a></li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
+          </ul>
+        </div>
+      </header>
+      <div class="row-fluid">
+        <header id="leftColumn" class="span2">
+          <nav class="well sidebar-nav">
+  <ul class="nav nav-list">
+   <li class="nav-header">Overview</li>
+    <li><a href="../../../index.html" title="Jackrabbit Oak"><span class="none"></span>Jackrabbit Oak</a></li>
+    <li><a href="../../../license.html" title="License"><span class="none"></span>License</a></li>
+    <li><a href="../../../downloads.html" title="Downloads"><span class="none"></span>Downloads</a></li>
+    <li><a href="../../../roadmap.html" title="Roadmap"><span class="none"></span>Roadmap</a></li>
+    <li><a href="../../../articles.html" title="Articles"><span class="none"></span>Articles</a></li>
+   <li class="nav-header">Concepts and Architecture</li>
+    <li><a href="../../../architecture/overview.html" title="Overview"><span class="none"></span>Overview</a></li>
+    <li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a></li>
+   <li class="nav-header">Main APIs</li>
+    <li><a href="https://s.apache.org/jcr-2.0-spec/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a></li>
+    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a></li>
+    <li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a></li>
+   <li class="nav-header">Features and Plugins</li>
+    <li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
+     <ul class="nav nav-list">
+      <li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
+       <ul class="nav nav-list">
+        <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a></li>
+        <li><a href="../../../nodestore/document/rdb-document-store.html" title="RDB DocumentStore"><span class="none"></span>RDB DocumentStore</a></li>
+        <li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a></li>
+        <li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a></li>
+        <li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a></li>
+        <li><a href="../../../clustering.html" title="Clustering"><span class="none"></span>Clustering</a></li>
+       </ul></li>
+      <li><a href="../../../nodestore/segment/overview.html" title="Segment NodeStore"><span class="none"></span>Segment NodeStore</a></li>
+      <li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a></li>
+     </ul></li>
+    <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+     <ul class="nav nav-list">
+      <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a></li>
+      <li><a href="../../../features/direct-binary-access-upload-file.html" title="Direct Binary Access Upload File"><span class="none"></span>Direct Binary Access Upload File</a></li>
+     </ul></li>
+    <li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
+     <ul class="nav nav-list">
+      <li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a></li>
+      <li><a href="../../../query/grammar-xpath.html" title="XPath Grammar"><span class="none"></span>XPath Grammar</a></li>
+      <li><a href="../../../query/grammar-sql2.html" title="SQL-2 Grammar"><span class="none"></span>SQL-2 Grammar</a></li>
+      <li><a href="../../../query/query-troubleshooting.html" title="Troubleshooting"><span class="none"></span>Troubleshooting</a></li>
+      <li><a href="../../../query/indexing.html" title="Indexing"><span class="none"></span>Indexing</a></li>
+      <li><a href="../../../query/oak-run-indexing.html" title="Indexing with Oak-Run"><span class="none"></span>Indexing with Oak-Run</a></li>
+      <li><a href="../../../query/lucene.html" title="Lucene Index"><span class="none"></span>Lucene Index</a></li>
+      <li><a href="../../../query/elastic.html" title="Elastic Index"><span class="none"></span>Elastic Index</a></li>
+      <li><a href="../../../query/property-index.html" title="Property Index"><span class="none"></span>Property Index</a></li>
+      <li><a href="../../../query/solr.html" title="Solr Index"><span class="none"></span>Solr Index</a></li>
+     </ul></li>
+    <li><a href="../../../security/overview.html" title="Security"><span class="icon-chevron-down"></span>Security</a>
+     <ul class="nav nav-list">
+      <li><a href="../../../security/introduction.html" title="Introduction"><span class="none"></span>Introduction</a></li>
+      <li><a href="../../../security/reports.html" title="Reports"><span class="none"></span>Reports</a></li>
+      <li><a href="../../../security/authentication.html" title="Authentication"><span class="icon-chevron-right"></span>Authentication</a></li>
+      <li><a href="../../../security/authorization.html" title="Authorization"><span class="icon-chevron-right"></span>Authorization</a></li>
+      <li><a href="../../../security/principal.html" title="Principal Management"><span class="icon-chevron-right"></span>Principal Management</a></li>
+      <li><a href="../../../security/user.html" title="User Management"><span class="icon-chevron-right"></span>User Management</a></li>
+     </ul></li>
+    <li><a href="../../../features/atomic-counter.html" title="Atomic Counter"><span class="none"></span>Atomic Counter</a></li>
+    <li><a href="../../../features/observation.html" title="Observation"><span class="none"></span>Observation</a></li>
+   <li class="nav-header">Using Oak</li>
+    <li><a href="../../../use_getting_started.html" title="Getting Started"><span class="none"></span>Getting Started</a></li>
+    <li><a href="../../../construct.html" title="Repository Construction"><span class="none"></span>Repository Construction</a></li>
+    <li><a href="../../../osgi_config.html" title="Configuring Oak"><span class="none"></span>Configuring Oak</a></li>
+    <li><a href="../../../command_line.html" title="Command Line Tools"><span class="none"></span>Command Line Tools</a></li>
+    <li><a href="../../../migration.html" title="Migration"><span class="none"></span>Migration</a></li>
+    <li><a href="../../../differences.html" title="Differences to Jackrabbit 2"><span class="none"></span>Differences to Jackrabbit 2</a></li>
+    <li><a href="../../../known_issues.html" title="Known Issues"><span class="none"></span>Known Issues</a></li>
+    <li><a href="../../../constraints.html" title="Constraints"><span class="none"></span>Constraints</a></li>
+    <li><a href="../../../dos_and_donts.html" title="Dos and Don'ts"><span class="none"></span>Dos and Don'ts</a></li>
+    <li><a href="../../../coldstandby/coldstandby.html" title="Cold Standby"><span class="none"></span>Cold Standby</a></li>
+    <li><a href="../../../FAQ.html" title="FAQ"><span class="none"></span>FAQ</a></li>
+   <li class="nav-header">Developing Oak</li>
+    <li><a href="../../../dev_getting_started.html" title="Getting Started"><span class="none"></span>Getting Started</a></li>
+    <li><a href="../../../participating.html" title="Participating"><span class="none"></span>Participating</a></li>
+    <li><a href="../../../oakathons.html" title="Oakathons"><span class="none"></span>Oakathons</a></li>
+    <li><a href="../../../developing-with-git.html" title="Developing with Git"><span class="none"></span>Developing with Git</a></li>
+    <li><a href="../../../diagnostic-builds.html" title="Cutting diagnostic builds"><span class="none"></span>Cutting diagnostic builds</a></li>
+    <li><a href="../../../branching.html" title="Branching off a new stable"><span class="none"></span>Branching off a new stable</a></li>
+    <li><a href="../../../attribution.html" title="Attribution"><span class="none"></span>Attribution</a></li>
+    <li><a href="../../../release-schedule.html" title="Release Schedule"><span class="none"></span>Release Schedule</a></li>
+   <li class="nav-header">Links</li>
+    <li><a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak"><span class="none"></span>Apache Jackrabbit Oak</a></li>
+    <li><a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit"><span class="none"></span>Apache Jackrabbit</a></li>
+  </ul>
+          </nav>
+          <div class="well sidebar-nav">
+<form id="search-form" action="https://www.google.com/search" method="get" >
+  <input value="jackrabbit.apache.org/oak/docs/" name="sitesearch" type="hidden"/>
+  <input class="search-query" name="q" id="query" type="text" placeholder="Search with Google..." />
+</form>
+            <div id="poweredBy">
+              <div class="clear"></div>
+              <div class="clear"></div>
+              <div class="clear"></div>
+<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="../../../images/logos/maven-feather.png" /></a>
+            </div>
+          </div>
+        </header>
+        <main id="bodyColumn"  class="span10" >
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<h1>Best Practices for External Authentication</h1>
+<ul>
+<li><a href="#Before_you_get_started">Before you get started</a></li>
+<li><a href="#Best_Practices">Best Practices</a>
+<ul>
+<li><a href="#JAAS_Setup">JAAS Setup</a>
+<ul>
+<li><a href="#Combination_with_Token_Authentication">Combination with Token Authentication</a></li>
+<li><a href="#Combination_with_Default_Authentication">Combination with Default Authentication</a>
+<ul>
+<li><a href="#Example_JAAS_Configuration">Example JAAS Configuration</a></li></ul></li></ul></li>
+<li><a href="#Synchronization_of_Users_and_Groups">Synchronization of Users and Groups</a>
+<ul>
+<li><a href="#External_Identity_Provider_as_SSOT">External Identity Provider as SSOT</a></li>
+<li><a href="#User_Management_for_External_Identities">User Management for External Identities</a></li>
+<li><a href="#Membership_Nesting">Membership Nesting</a></li>
+<li><a href="#Membership_crossing_IDP_boundaries">Membership crossing IDP boundaries</a></li></ul></li>
+<li><a href="#Authorization_for_External_Identities">Authorization for External Identities</a>
+<ul>
+<li><a href="#Access_control_setup">Access control setup</a></li>
+<li><a href="#Pre-sync_of_external_groups">Pre-sync of external groups</a></li></ul></li></ul></li></ul>
+<section>
+<h2><a name="Before_you_get_started"></a>Before you get started</h2>
+<p>Before you get started make sure you are familiar with the basic concepts of JCR authentication, and its implementation in Apache Jackrabbit Oak.</p>
+<p>External authentication in Oak refers to integrating a third party identity provider like LDAP or SAML into the authentication setup optionally combining it with other built-in authentication mechanisms.</p></section><section>
+<h2><a name="Best_Practices"></a>Best Practices</h2><section>
+<h3><a name="JAAS_Setup"></a>JAAS Setup</h3>
+<p>When combining external authentication with other built-in or custom <a class="externalLink" href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/spi/LoginModule.html">login modules</a> make sure to define a <a class="externalLink" href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/login/Configuration.html">configuration</a> with the optimal order and the proper <a class="externalLink" href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">control flag</a> for each module to cover all cases. The order should be chosen such that optional and sufficient login modules come first. Potentially expensive authentication against a third party identity provider as well as those for rare use cases should be defined with a lower ranking.</p>
+<p>Additional reading: <a class="externalLink" href="https://docs.oracle.com/en/java/javase/11/security/appendix-b-jaas-login-configuration-file.html#GUID-7EB80FA5-3C16-4016-AED6-0FC619F86F8E">https://docs.oracle.com/en/java/javase/11/security/appendix-b-jaas-login-configuration-file.html#GUID-7EB80FA5-3C16-4016-AED6-0FC619F86F8E</a></p><section>
+<h4><a name="Combination_with_Token_Authentication"></a>Combination with Token Authentication</h4>
+<p>Whenever JCR sessions created with Oak are short-lived (e.g. only lasting for a single HTTP request) authentication against an external IDP may not perform well. It is therefore recommended to use external authentication in combination with an additional authentication mechanism like e.g. the built-in <a href="../tokenmanagement.html">token login</a>.</p>
+<p>Make sure the token login module has <a class="externalLink" href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/login/AppConfigurationEntry.LoginModuleControlFlag.html">control flag</a> &#x2018;SUFFICIENT&#x2019; and is evaluated prior to the external login that connects to the external IDP.</p></section><section>
+<h4><a name="Combination_with_Default_Authentication"></a>Combination with Default Authentication</h4>
+<p>Oak comes with a default login for user accounts stored and managed inside the JCR content repository. This also includes support for default users like &#x2018;anonymous&#x2019; (guest) and &#x2018;admin&#x2019; with full access to the repository. If this is desired, it is recommend to also add the <a href="../default.html#uid_pw">default <code>LoginModule</code></a> to the JAAS configuration.</p>
+<p>The optional order depends on the frequency of default vs external login: if login or impersonation against local users occurs frequently (e.g. unauthentication login with <a class="externalLink" href="https://s.apache.org/jcr-2.0-javadoc/javax/jcr/GuestCredentials.html">GuestCredentials</a>) the default login module should have a higher ranking. However, if authentication of local users is unlikely, the external oak login should have a ranking.</p><section>
+<h5><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h5>
+<p>The following JAAS configuration is an example when running an Oak repository with external authentication in combination with Apache Sling:</p>
+<table border="0" class="table table-striped">
+<thead>
+
+<tr class="a">
+<th>Ranking</th>
+<th>Control Flag</th>
+<th>LoginModule Class Name</th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td align="left">300</td>
+<td>OPTIONAL</td>
+<td>org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule</td></tr>
+<tr class="a">
+<td align="left">200</td>
+<td>SUFFICIENT</td>
+<td>org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule</td></tr>
+<tr class="b">
+<td align="left">150</td>
+<td>SUFFICIENT</td>
+<td>org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory</td></tr>
+<tr class="a">
+<td align="left">100</td>
+<td>SUFFICIENT</td>
+<td>org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl</td></tr>
+</tbody>
+</table>
+<p>See <a href="externallogin_examples.html#Integration_with_Standard_Oak_Authentication_used_for_Apache_Sling">Authentication with External Login Module : Examples</a> for a detailed explanation as well as alternative
+configurations.</p></section></section></section><section>
+<h3><a name="Synchronization_of_Users_and_Groups"></a>Synchronization of Users and Groups</h3>
+<p>The external authentication module in Oak comes with the option to synchronize external identities into the content repository (see section <a href="../usersync.html">User and Group Synchronization</a>).</p>
+<p>The following best practices should be followed:</p><section>
+<h4><a name="External_Identity_Provider_as_SSOT"></a>External Identity Provider as SSOT</h4>
+<p>Your external identity provider should be considered the single source of truth (SSOT) for all users and groups defined and managed by it.</p>
+<p>In contrast, the users/groups synchronized into the repository should be considered a volatile cache and ideally are immutable (i.e. only maintained by system sessions in charge of the synchronization).</p>
+<p>The following features provided by the <i>oak-auth-external</i> module help to prevent unintended modification of synchronized external identities:</p>
+<ul>
+
+<li><a href="defaultusersync.html#dynamic_membership">Dynamic Membership</a>: Enabling dynamic membership will result in membership information being stored in a protected property that cannot be altered using regular JCR write or Jackrabbit user management API.</li>
+<li><a href="defaultusersync.html#dynamic_groups">Dynamic Group</a>: Can be used in combination with dynamic membership when the application requires group principals to also exposed through <code>UserManager</code> (and not just through <code>PrincipalManager</code> as it would be needed for permission setup). Note though that these group accounts cannot have members added (see section <a href="defaultusersync.html#enforcing_dynamic_groups">Enforcing dynamic groups</a>)</li>
+<li><a href="defaultusersync.html#protect_external_identities">Protecting External Identities</a>: The module comes with <a href="defaultusersync.html#configuration_principals">configuration
+option</a> to protect external identities. If enabled (as warning or as full protection) a dedicated validator that will report/fail attempts to modify synchronized external identities. This will help to identify violations of the immutability contract.</li>
+</ul></section><section>
+<h4><a name="User_Management_for_External_Identities"></a>User Management for External Identities</h4>
+<ul>
+
+<li>Properties and membership for external identities must be managed in the external IDP. Changes made in the JCR repository using user management API will be overwritten upon the next sync.</li>
+<li>Never set a password for external users to make sure uid/pw login gets authenticated against the external IDP and never against the synchronized user in the repository.</li>
+</ul></section><section>
+<h4><a name="Membership_Nesting"></a>Membership Nesting</h4>
+<p>For performance reasons avoid defining unnecessary membership nesting that increase the number of indirections (see <a href="../../authorization/bestpractices.html">Best Practices for Authorization</a>).</p></section><section>
+<h4><a name="Membership_crossing_IDP_boundaries"></a>Membership crossing IDP boundaries</h4>
+<p>Introducing membership crossing IDP boundaries should be considered a trust boundary violation.</p>
+<p>If adding external identities to local groups cannot be avoided, leverage <a href="defaultusersync.html#configuration_automembership">conditional auto-membership</a> or auto-membership configuration in combination with dynamic membership (see <a href="defaultusersync.html#configuration_sync_handler">Configuration of the DefaultSyncHandler</a>).</p></section></section><section>
+<h3><a name="Authorization_for_External_Identities"></a>Authorization for External Identities</h3>
+<p>Upon repository login through external authentication the subject is populated with principals obtained from the external identity provider.</p>
+<p>In addition, the configured auto-membership will be resolved for the external user and its external groups (see autoMembership configuration <a href="defaultusersync.html#configuration_sync_handler">options</a> and section <a href="defaultusersync.html#configuration_automembership">Automatic Membership with AutoMembershipConfig</a>)</p>
+<p>The authenticated session will be subject to regular Oak permission evaluation as defined for the instance and described in section <a href="../../permission.html">Permissions</a>.</p><section>
+<h4><a name="Access_control_setup"></a>Access control setup</h4>
+<p>Synchronized external identities (both in default and in dynamic sync mode) are exposed as principals through the <a href="../../principal.html">Principal Management API</a> and can be used for access control setup as described in <a href="../../accesscontrol.html">Access Control Management</a>.</p>
+<p>See also section <a href="../../authorization/bestpractices.html">Best Practices for Authorization</a> for recommendations.</p>
+<p>External groups get synchronized together with external users upon repository login. If you wish to defined access control setup for groups prior to the synchronization upon login the following 2 options exist:</p>
+<ul>
+
+<li>Pre-sync external groups to make them available to the principal manager (see next section)</li>
+<li>Configure <a href="../../accesscontrol/default.html#configuration">ImportMode</a>=<code>besteffort</code> with the default Oak authorization setup and define access control content for principals before they exist.</li>
+</ul></section><section>
+<h4><a name="Pre-sync_of_external_groups"></a>Pre-sync of external groups</h4>
+<p>The following 2 options exist to populate the repository with external group principals outside of the regular synchronization upon login:</p>
+<ul>
+
+<li>The <i>oak-auth-external</i> module comes with a JMX integration that allows for synchronization of external identities outside of the regular repository login. See <a href="../usersync.html#jmx-synchronization-tool">JMX Synchronization Tool</a> and <a class="externalLink" href="https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/SynchronizationMBean.html">SynchronizationMBean</a> for details. This requires the <code>ExternalIdentityProvider</code> to implement the methods required to retrieve external identities. This is the recommended way to pre-sync groups.</li>
+<li>In case the <code>ExternalIdentityProvider</code> does not support user and group sync outside of the regular repository login, external identities can be created using Jackrabbit User Management API. Note:
+<ul>
+
+<li>The property <code>rep:externalId</code> is system maintained and protected and cannot be added or changed once the group has been persisted.</li>
+<li>Mistakes in defining the protected properties <code>rep:externalId</code>, <code>rep:authorizableId</code> or <code>rep:principalName</code> will result in a mismatch during authentication, sync and permission evaluation. The only way to fix such mistakes is to remove and recreate the group. Access control content associated with a wrong principal name needs to be removed separately.</li>
+</ul>
+</li>
+</ul><!-- references --></section></section></section>
+        </main>
+      </div>
+    </div>
+    <hr/>
+    <footer>
+      <div class="container-fluid">
+        <div class="row-fluid">
+<p>&#169; 2012-2023
+<a href="https://www.apache.org/">The Apache Software Foundation</a> &vert; <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy Policy</a>
+</p>
+        </div>
+      </div>
+    </footer>
+<script>
+	if(anchors) {
+	  anchors.add();
+	}
+</script>
+  </body>
+</html>
\ No newline at end of file

Propchange: jackrabbit/site/live/oak/docs/security/authentication/external/bestpractices.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/defaultusersync.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/defaultusersync.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">User and Group Synchronization : The Default Implementation <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md"><img src="../../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>
@@ -295,26 +295,53 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
+<h1>User and Group Synchronization : The Default Implementation</h1><hr />
+<ul>
+<li><a href="#Default_Implementation_of_Sync_API">Default Implementation of Sync API</a>
+<ul>
+<li><a href="#SyncManager">SyncManager</a></li>
+<li><a href="#SyncHandler">SyncHandler</a></li>
+<li><a href="#SyncContext">SyncContext</a>
+<ul>
+<li><a href="#DefaultSyncContext">DefaultSyncContext</a></li>
+<li><a href="#DynamicSyncContext">DynamicSyncContext</a></li></ul></li>
+<li><a href="#SyncResult">SyncResult</a></li>
+<li><a href="#SyncedIdentity">SyncedIdentity</a></li>
+<li><a href="#Dynamic_Sync">Dynamic Sync</a>
+<ul>
+<li><a href="#Dynamic_Group_Membership">Dynamic Group Membership</a></li>
+<li><a href="#Dynamic_Groups">Dynamic Groups</a></li></ul></li>
+<li><a href="#XML_Import">XML Import</a></li>
+<li><a href="#Validation">Validation</a>
+<ul>
+<li><a href="#rep:externalPrincipalNames">rep:externalPrincipalNames</a></li>
+<li><a href="#rep:externalId">rep:externalId</a></li>
+<li><a href="#Protecting_synchronized_external_users.2Fgroups">Protecting synchronized external users/groups</a></li>
+<li><a href="#Enforcing_dynamic_groups">Enforcing dynamic groups</a></li></ul></li>
+<li><a href="#Configuration">Configuration</a>
+<ul>
+<li><a href="#Configuration_of_the_DefaultSyncHandler">Configuration of the DefaultSyncHandler</a></li>
+<li><a href="#Automatic_Membership_with_AutoMembershipConfig">Automatic Membership with AutoMembershipConfig</a></li>
+<li><a href="#Configuration_of_the_.E2.80.98Apache_Jackrabbit_Oak_External_PrincipalConfiguration.E2.80.99">Configuration of the &#x2018;Apache Jackrabbit Oak External PrincipalConfiguration&#x2019;</a></li></ul></li></ul></li></ul>
 <section>
-<h2><a name="User_and_Group_Synchronization_:_The_Default_Implementation"></a>User and Group Synchronization : The Default Implementation</h2><section>
-<h3><a name="Default_Implementation_of_Sync_API"></a>Default Implementation of Sync API</h3><section>
-<h4><a name="SyncManager"></a>SyncManager</h4>
+<h2><a name="Default_Implementation_of_Sync_API"></a>Default Implementation of Sync API</h2><section>
+<h3><a name="SyncManager"></a>SyncManager</h3>
 <p>The default implementation (<code>SyncManagerImpl</code>) is intended for use in an OSGi-base
 repository setup: it tracks all <code>SyncHandler</code> registered via OSGi.</p>
 <p>It can be used in non-OSGi environments by passing a <code>org.apache.jackrabbit.oak.spi.whiteboard.Whiteboard</code>
 to the constructor.</p></section><section>
-<h4><a name="SyncHandler"></a>SyncHandler</h4>
+<h3><a name="SyncHandler"></a>SyncHandler</h3>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html">DefaultSyncHandler</a> comes with a set of configuration options that
 allow to specify the synchronization behavior (see below). Depending on the
 configuration it chooses between two different <code>SyncContext</code> implementations.</p></section><section>
-<h4><a name="SyncContext"></a>SyncContext</h4>
+<h3><a name="SyncContext"></a>SyncContext</h3>
 <p>Oak provides the following implementations of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> interface:</p>
 <ul>
 
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a>: base implementation that synchronizes external user and group accounts into the repository</li>
 <li><a class="externalLink" href="https://github.com/apache/jackrabbit-oak/tree/trunk/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.java">DynamicSyncContext</a>: derived implementation that provides special handling for external groups.</li>
 </ul><section>
-<h5><a name="DefaultSyncContext"></a>DefaultSyncContext</h5>
+<h4><a name="DefaultSyncContext"></a>DefaultSyncContext</h4>
 <p>All users/groups synchronized by this context will get the following properties set.
 These properties allow to run separate task for periodical update and make sure
 the authorizables can later on be identified as external users.</p>
@@ -330,7 +357,7 @@ backwards compatibility this protection
 for further details.</p>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> is exported as part of the &#x2018;basic&#x2019; package space and
 may be used to provide custom implementations.</p></section><section>
-<h5><a name="DynamicSyncContext"></a>DynamicSyncContext</h5>
+<h4><a name="DynamicSyncContext"></a>DynamicSyncContext</h4>
 <p>Extending from the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> this implementation that provides special
 handling  for external groups in case the <a href="#dynamic_membership">Dynamic Group Membership</a>
 option is enabled in the <a href="#configuration">Configuration</a>.</p>
@@ -340,15 +367,16 @@ the group principal names of the externa
 
 <li><code>rep:externalPrincipalNames</code> : Optional system-maintained property related to <a href="#dynamic_membership">Dynamic Group Membership</a></li>
 </ul></section></section><section>
-<h4><a name="SyncResult"></a>SyncResult</h4>
+<h3><a name="SyncResult"></a>SyncResult</h3>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncResultImpl.html">DefaultSyncResultImpl</a> is exported as part of the &#x2018;basic&#x2019; package space
 providing a simple <code>SyncResult</code> implementation based on a status and a <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncedIdentity.html">DefaultSyncedIdentity</a>.</p></section><section>
-<h4><a name="SyncedIdentity"></a>SyncedIdentity</h4>
+<h3><a name="SyncedIdentity"></a>SyncedIdentity</h3>
 <p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncedIdentity.html">DefaultSyncedIdentity</a> is exported as part of the &#x2018;basic&#x2019; package space. It
 maps the ID of a synchronized user/group account to the external identity references
-represented by <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>.</p>
-<p><a name="dynamic_membership"></a></p></section></section><section>
-<h3><a name="Dynamic_Group_Membership"></a>Dynamic Group Membership</h3>
+represented by <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>.</p></section><section>
+<h3><a name="Dynamic_Sync"></a>Dynamic Sync</h3>
+<p><a name="dynamic_membership"></a></p><section>
+<h4><a name="Dynamic_Group_Membership"></a>Dynamic Group Membership</h4>
 <p>As of Oak 1.5.3 the default sync handler comes with an addition configuration
 option that allows enabling dynamic group membership resolution for external users.
 Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external
@@ -356,14 +384,14 @@ groups are synchronized (see also <a cla
 <p>The details and effects on other security related modules are described in
 section <a href="dynamic.html">Dynamic Membership and Dynamic Groups</a>.</p>
 <p><a name="dynamic_groups"></a></p></section><section>
-<h3><a name="Dynamic_Groups"></a>Dynamic Groups</h3>
+<h4><a name="Dynamic_Groups"></a>Dynamic Groups</h4>
 <p>As of Oak 1.46.0 there exists the option to leverage <a href="#dynamic_membership">Dynamic Membership</a> in combination with a
 new <code>Dynamic Groups</code> configuration option (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-9803">OAK-9803</a>). If both options are enabled external groups will continue
 to be synchronized into the repository making sure the user-group relationship can still be inspected using Jackrabbit
 User Management API without losing the benefits of the dynamic membership.
 See section <a href="dynamic.html">Dynamic Membership and Dynamic Groups</a> for details and comparison.</p>
-<p><a name="xml_import"></a></p><section>
-<h4><a name="XML_Import"></a>XML Import</h4>
+<p><a name="xml_import"></a></p></section></section><section>
+<h3><a name="XML_Import"></a>XML Import</h3>
 <p>The protected nature of the <code>rep:externalPrincipalNames</code> is also reflected during
 XML import of user accounts:</p>
 <p>External users with a <code>rep:externalPrincipalNames</code> property will get regularly imported.
@@ -374,8 +402,8 @@ the JMX console. Depending on the <i>Use
 the target system the sync will then result in a full sync of group membership or
 will re-create the <code>rep:externalPrincipalNames</code> property.</p>
 <p><a name="validation"></a></p></section><section>
-<h4><a name="Validation"></a>Validation</h4><section>
-<h5><a name="rep:externalPrincipalNames"></a>rep:externalPrincipalNames</h5>
+<h3><a name="Validation"></a>Validation</h3><section>
+<h4><a name="rep:externalPrincipalNames"></a>rep:externalPrincipalNames</h4>
 <p>As of Oak 1.5.3 a dedicated <code>Validator</code> implementation asserts that the protected,
 system-maintained property <code>rep:externalPrincipalNames</code> is only written by the
 internal system session.</p>
@@ -406,7 +434,7 @@ with external user/group accounts.</p>
 <td>Property &#x2018;rep:externalId&#x2019; cannot be removed if &#x2018;rep:externalPrincipalNames&#x2019; is present.</td></tr>
 </tbody>
 </table></section><section>
-<h5><a name="rep:externalId"></a>rep:externalId</h5>
+<h4><a name="rep:externalId"></a>rep:externalId</h4>
 <p>If protection of the <code>rep:externalId</code> property is enabled (since Oak 1.5.8) the
 validator performs the following checks:</p>
 <table border="0" class="table table-striped">
@@ -424,8 +452,9 @@ validator performs the following checks:
 <td align="left">0075</td>
 <td>Property &#x2018;rep:externalId&#x2019; may only have a single value of type STRING.</td></tr>
 </tbody>
-</table></section><section>
-<h5><a name="Protecting_synchronized_external_users.2Fgroups"></a>Protecting synchronized external users/groups</h5>
+</table>
+<p><a name="protect_external_identities"></a></p></section><section>
+<h4><a name="Protecting_synchronized_external_users.2Fgroups"></a>Protecting synchronized external users/groups</h4>
 <p>If protection of synchronized external users/groups is enabled (since Oak 1.44.0) an additional validator is present
 which either warns upon or prevents creation, modification and removal of external identities that have been synchronized
 into the repository with the following exception:</p>
@@ -468,8 +497,9 @@ accounts in particular group membership
 <td align="left">0076</td>
 <td>Attempt to remove node &#x2018;%s&#x2019; from protected external identity</td></tr>
 </tbody>
-</table></section><section>
-<h5><a name="Enforcing_dynamic_groups"></a>Enforcing dynamic groups</h5>
+</table>
+<p><a name="enforcing_dynamic_groups"></a></p></section><section>
+<h4><a name="Enforcing_dynamic_groups"></a>Enforcing dynamic groups</h4>
 <p>If <code>user.dynamicMembership</code> is enabled together with <code>group.dynamicGroups</code> a separate validator will be present to
 make sure no members are added to the dynamic groups through regular API calls (<code>Group.addMember(Authorizable)</code> and
 <code>Group.addMembers(String...</code>).</p>
@@ -492,8 +522,9 @@ to a dynamic external group:</p>
 <td>&#x201c;Attempt to add members to dynamic group &#x2018;%s&#x2019; at &#x2018;%s&#x2019;&#x201d;</td></tr>
 </tbody>
 </table>
-<p><a name="configuration"></a></p></section></section></section><section>
-<h3><a name="Configuration"></a>Configuration</h3><section>
+<p><a name="configuration"></a></p></section></section><section>
+<h3><a name="Configuration"></a>Configuration</h3>
+<p><a name="configuration_sync_handler"></a></p><section>
 <h4><a name="Configuration_of_the_DefaultSyncHandler"></a>Configuration of the DefaultSyncHandler</h4>
 <p>The default <code>SyncHandler</code> implementations are configured via <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a>:</p>
 <table border="0" class="table table-striped">
@@ -570,7 +601,15 @@ to a dynamic external group:</p>
 <td> </td>
 <td> </td></tr>
 </tbody>
-</table></section><section>
+</table>
+<p>Note, that the following options relate to the <a href="dynamic.html">dynamic sync</a> feature:</p>
+<ul>
+
+<li><code>user.dynamicMembership</code> : Enabling dynamic membership for external users.</li>
+<li><code>user.enforceDynamicMembership</code> : If enabled together with <code>user.dynamicMembership</code> previously synced membership information will be migrated to dynamic membership upon user sync. Otherwise it takes no effect.</li>
+<li><code>group.dynamicGroups</code> : Only takes effect in combination with <code>user.dynamicMembership</code> and will result in external groups being synced as dynamic groups.</li>
+</ul>
+<p><a name="configuration_automembership"></a></p></section><section>
 <h4><a name="Automatic_Membership_with_AutoMembershipConfig"></a>Automatic Membership with AutoMembershipConfig</h4>
 <p>Since Oak 1.42.0 (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-9463">OAK-9463</a>) the auto-membership behavior can be extended to allow for conditional group membership
 based on characteristics of a given synced external identity. In addition to configuration options <code>group.autoMembership</code>
@@ -579,7 +618,8 @@ can be implemented to defined fine-grain
 properties defined with a given external user.</p>
 <p>The <code>DefaultSyncHandler</code> is tracking services implementing <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/AutoMembershipConfig.html">AutoMembershipConfig</a> that match the handler by name.
 If present the additional membership defined by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/AutoMembershipConfig.html">AutoMembershipConfig</a>, will be reflected upon default and dynamic
-sync together with the original, &#x2018;global&#x2019; auto-membership configuration.</p></section><section>
+sync together with the original, &#x2018;global&#x2019; auto-membership configuration.</p>
+<p><a name="configuration_principals"></a></p></section><section>
 <h4><a name="Configuration_of_the_.E2.80.98Apache_Jackrabbit_Oak_External_PrincipalConfiguration.E2.80.99"></a>Configuration of the &#x2018;Apache Jackrabbit Oak External PrincipalConfiguration&#x2019;</h4>
 <p>Please note that the <code>ExternalPrincipalConfiguration</code> <i>(&#x201c;Apache Jackrabbit Oak External PrincipalConfiguration&#x201d;)</i>
 comes with a dedicated <code>RepositoryInitializer</code>, which requires the repository to be (re)initialized

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/dynamic.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/dynamic.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">User and Group Synchronization : Dynamic Membership and Dynamic Groups <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/external/dynamic.md"><img src="../../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>
@@ -295,12 +295,29 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-<section>
-<h2><a name="User_and_Group_Synchronization_:_Dynamic_Membership_and_Dynamic_Groups"></a>User and Group Synchronization : Dynamic Membership and Dynamic Groups</h2>
+<h1>User and Group Synchronization : Dynamic Membership and Dynamic Groups</h1><hr />
+<ul>
+<li><a href="#SyncContext_with_Dynamic_Membership">SyncContext with Dynamic Membership</a>
+<ul>
+<li><a href="#External_Groups">External Groups</a></li>
+<li><a href="#Automatic_Membership">Automatic Membership</a></li></ul></li>
+<li><a href="#Effect_of_Dynamic_Membership_on_other_Security_Modules">Effect of Dynamic Membership on other Security Modules</a>
+<ul>
+<li><a href="#Principal_Management">Principal Management</a>
+<ul>
+<li><a href="#API_Overview">API Overview</a></li></ul></li>
+<li><a href="#User_Management">User Management</a>
+<ul>
+<li><a href="#User_Management_without_Dynamic_Groups_Option">User Management without Dynamic Groups Option</a></li>
+<li><a href="#User_Management_with_Dynamic_Groups_Option_enabled">User Management with Dynamic Groups Option enabled</a></li>
+<li><a href="#API_Overview">API Overview</a></li></ul></li>
+<li><a href="#Authentication">Authentication</a></li>
+<li><a href="#Authorization">Authorization</a></li></ul></li></ul>
+
 <p>As of Oak 1.5.3 the default sync handler comes with an additional configuration
 option (see section <a href="defaultusersync.html#configuration">Configuration</a>
 that allows enabling dynamic group membership resolution for external users.</p>
-<p>Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external
+<p>Enabling dynamic sync options in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external
 groups are synchronized (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4101">OAK-4101</a>) and how automatic group membership
 is being handled (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4087">OAK-4087</a>).</p>
 <p>The key benefits of dynamic membership resolution are:</p>
@@ -310,11 +327,11 @@ is being handled (see <a class="external
 <li>avoid storing/updating auto-membership which is assigned to all external users</li>
 <li>ease principal resolution upon repository login</li>
 </ul>
-<p>See also <a href="faq.html#Dynamic_Sync">FAQ</a> for frequently asked questions about thes dynamic sync.</p><section>
-<h3><a name="SyncContext_with_Dynamic_Membership"></a>SyncContext with Dynamic Membership</h3>
+<p>See also <a href="faq.html#Dynamic_Sync">FAQ</a> for frequently asked questions about the dynamic sync.</p><section>
+<h2><a name="SyncContext_with_Dynamic_Membership"></a>SyncContext with Dynamic Membership</h2>
 <p>With the default <code>SyncHandler</code> this configuration option will show the following
 effects:</p><section>
-<h4><a name="External_Groups"></a>External Groups</h4>
+<h3><a name="External_Groups"></a>External Groups</h3>
 <ul>
 
 <li>If enabled the handler will use an alternative <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> to synchronize external groups (<code>DynamicSyncContext</code>).</li>
@@ -336,7 +353,7 @@ in Oak 1.6.1 to allow for optimized reso
 <code>ExternalIdentityRef</code>. In order to benefit from that shortcut a given implementation
 of <code>ExternalIdentityProvider</code> needs to also implement <code>PrincipalNameResolver</code>.
 See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5210">OAK-5210</a>.</p></section><section>
-<h4><a name="Automatic_Membership"></a>Automatic Membership</h4>
+<h3><a name="Automatic_Membership"></a>Automatic Membership</h3>
 <ul>
 
 <li>If enabled automatic membership assignment for existing, local groups will not longer be written to the repository</li>
@@ -365,8 +382,8 @@ configuration is respected (see also <a
 and reflect autoMembership for synchronized external users in the User Management API (see below).
 The same applies for the conditional auto-membership as introduced with <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-9463">OAK-9463</a>.</li>
 </ul></section></section><section>
-<h3><a name="Effect_of_Dynamic_Membership_on_other_Security_Modules"></a>Effect of Dynamic Membership on other Security Modules</h3><section>
-<h4><a name="Principal_Management"></a>Principal Management</h4>
+<h2><a name="Effect_of_Dynamic_Membership_on_other_Security_Modules"></a>Effect of Dynamic Membership on other Security Modules</h2><section>
+<h3><a name="Principal_Management"></a>Principal Management</h3>
 <p>The dynamic (principal) membership features comes with a dedicated <code>PrincipalConfiguration</code>
 implementation (i.e. [ExternalPrincipalConfiguration]) that is in charge of securing<br />
 the <code>rep:externalPrincipalNames</code> properties (see also section <a href="defaultusersync.html#validation">Validation</a>
@@ -382,7 +399,7 @@ for a comprehensive description).</p>
 A given external principal will be accessible though the principal management API
 if it can be read from any of the <code>rep:externalPrincipalNames</code> properties
 present using a dedicated query.</p><section>
-<h5><a name="API_Overview"></a>API Overview</h5>
+<h4><a name="API_Overview"></a>API Overview</h4>
 <ul>
 
 <li><code>extUserName</code>       : the principal name of an external user</li>
@@ -427,8 +444,8 @@ present using a dedicated query.</p><sec
 <td><sup>2</sup> Group membership gets flattened and stored with the external user. Group-group relationship is not preserved.<br /><sup>3</sup> For dynamic groups synced into the repository the configured auto-membership principals are resolved, see also user management API below.</td></tr>
 </tbody>
 </table></section></section><section>
-<h4><a name="User_Management"></a>User Management</h4><section>
-<h5><a name="User_Management_without_Dynamic_Groups_Option"></a>User Management without Dynamic Groups Option</h5>
+<h3><a name="User_Management"></a>User Management</h3><section>
+<h4><a name="User_Management_without_Dynamic_Groups_Option"></a>User Management without Dynamic Groups Option</h4>
 <p>Unless the &#x2018;Dynamic Groups&#x2019; option is set additionally, the dynamic membership option will effectively disable the
 synchronization of the external group account information into the repository's user management feature.
 It will instead limit the synchronized information to the group principal names and the membership relation between a
@@ -451,7 +468,7 @@ parameters as well as the optional <a hr
 of external user identities reflected in the corresponding API calls, most notably <code>Group.isMember</code>,
 <code>Group.isDeclaredMember</code>, <code>Group.getMembers</code>, <code>Group.getDeclaredMembers</code> as well as <code>Authorizable.memberOf</code>
 and <code>Authorizable.declaredMemberOf()</code>.</p></section><section>
-<h5><a name="User_Management_with_Dynamic_Groups_Option_enabled"></a>User Management with Dynamic Groups Option enabled</h5>
+<h4><a name="User_Management_with_Dynamic_Groups_Option_enabled"></a>User Management with Dynamic Groups Option enabled</h4>
 <p>If the &#x2018;Dynamic Groups&#x2019; flag is turned on in addition, external group accounts will continue to be synchronized into the
 repository's user management. However, membership information will not be stored together with the groups but instead will
 be dynamically calculated from the <code>rep:externalPrincipalNames</code> property caching the membership information with the user
@@ -466,7 +483,7 @@ apply:</p>
 <p>Note, that manually adding members to these dynamic external groups using <code>Group.addMember</code>, <code>Group.addMembers</code> or
 equivalent Oak API operations will be prevented by a dedicated validator that is enabled as soon as the <i>Dynamic Groups</i>
 option is present together with <i>Dynamic Membership</i>.</p></section><section>
-<h5><a name="API_Overview"></a>API Overview</h5>
+<h4><a name="API_Overview"></a>API Overview</h4>
 <ul>
 
 <li><code>extUserId</code>  : the ID of a synchronized external user</li>
@@ -620,16 +637,16 @@ option is present together with <i>Dynam
 <td> </td></tr>
 </tbody>
 </table></section></section><section>
-<h4><a name="Authentication"></a>Authentication</h4>
+<h3><a name="Authentication"></a>Authentication</h3>
 <p>The authentication setup provided by Oak is not affected by the dynamic membership
 handling as long as the configured <code>LoginModule</code> implementations rely on the
 <code>PrincipalProvider</code> for principal resolution and the <code>ExternalPrincipalConfiguration</code>
 <i>(&#x201c;Apache Jackrabbit Oak External PrincipalConfiguration&#x201d;)</i> is properly registered
 with the <code>SecurityProvider</code> (see section <a href="defaultusersync.html#configuration">Configuration</a>).</p></section><section>
-<h4><a name="Authorization"></a>Authorization</h4>
+<h3><a name="Authorization"></a>Authorization</h3>
 <p>The authorization modules shipped with Oak only depend on <code>Principal</code>s (and not on
 user management functionality) and are therefore not affected by the dynamic
-membership configuration.</p><!-- references --></section></section></section>
+membership configuration.</p><!-- references --></section></section>
         </main>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/externallogin_examples.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/externallogin_examples.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">Authentication with External Login Module : Examples <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md"><img src="../../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>
@@ -298,11 +298,161 @@
 <section>
 <h2><a name="Authentication_with_External_Login_Module_:_Examples"></a>Authentication with External Login Module : Examples</h2>
 <ul>
+<li><a href="#Authentication_with_External_Login_Module_:_Examples">Authentication with External Login Module : Examples</a>
+<ul>
+<li><a href="#Integration_with_Standard_Oak_Authentication_used_for_Apache_Sling">Integration with Standard Oak Authentication used for Apache Sling</a>
+<ul>
+<li><a href="#Example_JAAS_Configuration">Example JAAS Configuration</a></li>
+<li><a href="#Understanding_the_Configuration">Understanding the Configuration</a>
+<ul>
+<li><a href="#The_LoginModule_Sequence">The LoginModule Sequence</a></li></ul></li></ul></li>
+<li><a href="#Integration_with_Standard_Oak_Authentication">Integration with Standard Oak Authentication</a>
+<ul>
+<li><a href="#Example_JAAS_Configuration">Example JAAS Configuration</a></li>
+<li><a href="#Understanding_the_Configuration">Understanding the Configuration</a>
+<ul>
+<li><a href="#The_LoginModule_Sequence">The LoginModule Sequence</a></li>
+<li><a href="#Login_with_Different_Credentials">Login with Different Credentials</a>
+<ul>
+<li><a href="#GuestCredentials">GuestCredentials</a></li>
+<li><a href="#SimpleCredentials">SimpleCredentials</a></li>
+<li><a href="#TokenCredentials">TokenCredentials</a></li>
+<li><a href="#ImpersonationCredentials">ImpersonationCredentials</a></li>
+<li><a href="#Other_Credentials">Other Credentials</a></li></ul></li></ul></li></ul></li>
+<li><a href="#Integration_with_Pre-Authentication_and_Login_Module_Chain">Integration with Pre-Authentication and Login Module Chain</a>
+<ul>
+<li><a href="#Example_JAAS_Configuration">Example JAAS Configuration</a></li>
+<li><a href="#Understanding_the_Configuration">Understanding the Configuration</a>
+<ul>
+<li><a href="#The_LoginModule_Sequence">The LoginModule Sequence</a></li>
+<li><a href="#Login_with_Different_Credentials">Login with Different Credentials</a>
+<ul>
+<li><a href="#Custom_Pre-Auth_Credentials">Custom Pre-Auth Credentials</a></li>
+<li><a href="#GuestCredentials">GuestCredentials</a></li>
+<li><a href="#SimpleCredentials">SimpleCredentials</a></li>
+<li><a href="#ImpersonationCredentials">ImpersonationCredentials</a></li>
+<li><a href="#Other_Credentials">Other Credentials</a></li></ul></li>
+<li><a href="#FAQ">FAQ</a>
+<ul>
+<li><a href="#Why_are_the_custom_.E2.80.98PreAuthCredentials.E2.80.99_not_public.3F">Why are the custom &#x2018;PreAuthCredentials&#x2019; not public?</a></li>
+<li><a href="#Why_is_the_.E2.80.98LoginModuleImpl.E2.80.99_not_flagged_SUFFICIENT.3F">Why is the &#x2018;LoginModuleImpl&#x2019; not flagged SUFFICIENT?</a></li>
+<li><a href="#Why_is_the_.E2.80.98ExternalLoginModule.E2.80.99_not_flagged_REQUIRED.3F">Why is the &#x2018;ExternalLoginModule&#x2019; not flagged REQUIRED?</a></li></ul></li></ul></li></ul></li></ul></li></ul>
+
+<p><a name="standard-sling"></a></p><section>
+<h3><a name="Integration_with_Standard_Oak_Authentication_used_for_Apache_Sling"></a>Integration with Standard Oak Authentication used for Apache Sling</h3>
+<p>The following JAAS configuration can be used in combination with Apache Sling.</p><section>
+<h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
+
+<div class="source"><pre class="prettyprint"><code>  Example {
+     org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule optional;
+     org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
+     org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule sufficient
+                              sync.handlerName=&quot;your-synchandler_name&quot;
+                              idp.name=&quot;your_idp_name&quot;;
+     org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient;
+     
+   };
+</code></pre></div></section><section>
+<h4><a name="Understanding_the_Configuration"></a>Understanding the Configuration</h4><section>
+<h5><a name="The_LoginModule_Sequence"></a>The LoginModule Sequence</h5>
+<ul>
+
+<li>
 
-<li><a href="#standard">Integration with Standard Oak Authentication</a></li>
-<li><a href="#preauth">Integration with Pre-Authentication and Login Module Chain</a></li>
+<p>The <code>GuestLoginModule</code> is in charge of handling unauthenticated guest login without passing [GuestCredentials].
+In other words: if no credentials can be obtained during the login phase, an new instance of [GuestCredentials] is
+pushed to the shared state and this module succeeds. Due to the <i>optional</i> flag success is not
+required and the authentication proceeds down the list of modules.
+This module helps to cover non-standard guest login with <code>null</code> credentials as it is performed by
+Apache Sling (compatibility with Jackrabbit 1.0)</p>
+</li>
+<li>
+
+<p>The <code>TokenLoginModule</code> is in charge of handling repository authentication
+request with <code>TokenCredentials</code>:</p>
+<ul>
+
+<li><i>Login Success</i>: If token-login succeeds the <i>sufficient</i> flag makes sure
+authentication does not proceed down the <code>LoginModule</code> list. This means
+that it will not hit the <code>ExternalIdentityProvider</code> and will not re-sync
+an external user as long as the login token is valid.</li>
+<li><i>Login Failure</i>: If it fails (e.g. other type of <code>Credentials</code>) the authentication
+will proceed down the <code>LoginModule</code> list.</li>
+<li><i>Commit</i>: If the login failed the login module will test if the
+<code>Credentials</code> passed to the login ask for generation of a new login token.
+If this login succeeded it will populate the <code>Subject</code> with <code>Principal</code>s,
+<code>Credentials</code> and <code>AuthInfo</code>.</li>
+</ul>
+<p>NOTE: In this setup the <code>TokenLoginModule</code> is expected to only handle
+subsequent authentication request after having issued a login token.
+The latter is achieved by providing <code>Credentials</code> attributes that force
+the <code>TokenLoginModule</code> to generate a new login token in the <i>commit</i> phase.
+The application should then use that login toke for subsequent requests.</p>
+<p>See <a href="../tokenmanagement.html">Token Authentication and Token Management</a> for
+details and for a description of the default implementation.</p>
+</li>
+<li>
+
+<p>The <code>ExternalLoginModule</code> is in charge of handling authentication request for
+users managed by an <code>ExternalIdentityProvider</code>.</p>
+<ul>
+
+<li>
+
+<p><i>Login Success</i>: If user authentication against the IDP succeeds
+the module synchronizes the external user into the repository according
+to the logic defined in the configure <code>SyncHandler</code>. If the user
+has been synced before it might be updated. If and how often a user
+gets re-synced is an implementation detail of the <code>SyncHandler</code>.</p>
+</li>
+<li>
+
+<p><i>Login Failure</i>: If the authentication fails (e.g. wrong IDP or invalid
+<code>Credentials</code>), the login will proceed to the <code>LoginModuleImpl</code>.</p>
+</li>
+<li>
+
+<p><i>Commit</i>: If the login succeeded the login module will populate the
+<code>Subject</code> with <code>Principal</code>s, <code>Credentials</code> and <code>AuthInfo</code>.</p>
+<p>NOTE: if no login token is generated upon first login, any subsequent
+login for <i>external</i> users will end up being handled by this module
+(including connection to the IDP) or fail.</p>
+</li>
+</ul>
+</li>
+<li>
+
+<p>The <code>LoginModuleImpl</code> is in charge of handling authentication request for
+users managed and created through the repository's user management API;
+i.e. users that are not defined by an <code>ExternalIdentityProvider</code>. This
+includes built-in system users like the administrator, the guest-user
+(aka anonymous) or <code>SystemUsers</code>. It also handles impersonation logins.</p>
+<ul>
+
+<li>
+
+<p><i>Login Success</i>: If regular user authentication (or impersonation) succeeds
+the <i>sufficient</i> flag makes sure authentication does not proceed
+down the <code>LoginModule</code> list i.e. omits unnecessarily trying to
+authenticate a local user against the external IDP.</p>
+</li>
+<li>
+
+<p><i>Login Failure</i>: If the authentication fails (e.g. no local user that
+could have uid/pw matching the passed <code>Credentials</code>), it will
+continue down the <code>LoginModule</code> list.</p>
+</li>
+<li>
+
+<p><i>Commit</i>: If the login succeeded the login module will populate the
+<code>Subject</code> with <code>Principal</code>s, <code>Credentials</code> and <code>AuthInfo</code>.</p>
+<p>NOTE: if no login token is generated upon first login, any subsequent
+login for <i>local</i> users will end up being handled by this module or fail.</p>
+</li>
+</ul>
+</li>
 </ul>
-<p><a name="standard"></a></p><section>
+<p><a name="standard"></a></p></section></section></section><section>
 <h3><a name="Integration_with_Standard_Oak_Authentication"></a>Integration with Standard Oak Authentication</h3><section>
 <h4><a name="Example_JAAS_Configuration"></a>Example JAAS Configuration</h4>
 

Modified: jackrabbit/site/live/oak/docs/security/authentication/external/faq.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/faq.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/faq.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/faq.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/faq.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/external/faq.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">External Authentication : FAQ <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/external/faq.md"><img src="../../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>

Modified: jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/externalloginmodule.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/externalloginmodule.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">Authentication with the External Login Module <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>
@@ -331,6 +331,7 @@ that may also be synchronized into the r
 <li>provide a transparent oak principal provider.</li>
 <li>offer services for background synchronization of users and groups</li>
 </ul>
+<p>See also <a href="external/bestpractices.html">Best Practices for External Authentication</a>.</p>
 <p><a name="details"></a></p></section><section>
 <h3><a name="Implementation_Details"></a>Implementation Details</h3>
 <p>The external identity and login handling is split into 3 parts:</p>

Modified: jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/identitymanagement.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/identitymanagement.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">External Identity Management <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>

Modified: jackrabbit/site/live/oak/docs/security/authentication/ldap.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/ldap.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/ldap.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/ldap.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/ldap.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/ldap.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">LDAP Integration <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>

Modified: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/preauthentication.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/preauthentication.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">Pre-Authenticated Login <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>

Modified: jackrabbit/site/live/oak/docs/security/authentication/token/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/token/default.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/token/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/token/default.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/token/default.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/token/default.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">Token Management : The Default Implementation <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md"><img src="../../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>

Modified: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1907790&r1=1907789&r2=1907790&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Tue Feb 21 14:07:26 2023
@@ -2,7 +2,7 @@
 
 
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/tokenmanagement.md at 2023-01-23
+ | Generated by Apache Maven Doxia Site Renderer 1.11.1 from src/site/markdown/security/authentication/tokenmanagement.md at 2023-02-21
  | Rendered using Apache Maven Fluido Skin 1.11.1
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
@@ -174,7 +174,7 @@
       <li class=""><a href="https://jackrabbit.apache.org/" class="externalLink" title="Jackrabbit">Jackrabbit</a><span class="divider">/</span></li>
       <li class=""><a href="https://jackrabbit.apache.org/oak/docs/" class="externalLink" title="Oak">Oak</a><span class="divider">/</span></li>
     <li class="active ">Token Authentication and Token Management <a href="https://github.com/apache/jackrabbit-oak/edit/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li>
-        <li id="publishDate" class="pull-right">Last Published: 2023-01-23</li>
+        <li id="publishDate" class="pull-right">Last Published: 2023-02-21</li>
           </ul>
         </div>
       </header>