Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/02/16 12:59:05 UTC

svn commit: r1730662 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: ./ accesscontrol/ authentication/ authorization/ permission/ principal/ user/

Author: angela
Date: Tue Feb 16 11:59:05 2016
New Revision: 1730662

URL: http://svn.apache.org/viewvc?rev=1730662&view=rev
Log:
minor improvement: security documentation

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/query.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Tue Feb 16 11:59:05 2016
@@ -124,6 +124,7 @@ the complete list of methods.
     acMgr.setPolicy(path, acl);
     session.save();
 
+<a href="default_implementation"/>
 ### Characteristics of the Default Implementation
 
 The behavior of the default access control implementation is described in sections 
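Review bot: The anchor added above "Characteristics of the Default Implementation" uses `href` (`<a href="default_implementation"/>`), which produces an empty link to a relative URL rather than a named target. The `<a name="further_reading"/>` anchor added further down in this same file uses `name`; suggest `<a name="default_implementation"/>` here so that `#default_implementation` resolves.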
@@ -145,6 +146,7 @@ methods:
 
 The supported configuration options of the default implementation are described in the corresponding [section](accesscontrol/default.html#configuration).
 
+<a name="further_reading"/>
 ### Further Reading
 
 - [Differences wrt Jackrabbit 2.x](accesscontrol/differences.html)

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md Tue Feb 16 11:59:05 2016
@@ -16,21 +16,21 @@
   -->
 ### Access Control Management : Differences wrt Jackrabbit 2.x
 
-#### Characteristics of the Default Implementation
+#### Differences by Interface
 
-##### JCR API
-###### AccessControlManager#hasPrivilege and #getPrivileges
+##### AccessControlManager
+###### hasPrivilege and getPrivileges
 As of OAK those methods throw `PathNotFoundException` if the corresponding node
 is not accessible by the editing session. This is in accordance with the behavior
 mandated by JSR 283 and a bug in Jackrabbit 2.x.
 
-###### AccessControlManager#getEffectivePolicies
+###### getEffectivePolicies
 In contrast to Jackrabbit 2.x the editing session is used to retrieve the effective
 policies and the policies returned by these methods are guarantueed to only return
 information that is otherwise accessible by the session. The corresponding methods
 in Jackrabbit 2.x use to throw an  exception in this situation.
 
-###### AccessControlPolicy
+##### AccessControlPolicy
 OAK introduces a new type of policy that enforces regular read-access for everyone
 on the trees that hold this new `ReadPolicy` (see [OAK-951]). The main usage of this new policy
 is to ensure backwards compatible behavior of repository level information (node
@@ -43,7 +43,7 @@ Currently these special read policies ar
 configuration and cannot be managed/edited using regular access control management
 API (see ([OAK-951](https://issues.apache.org/jira/browse/OAK-951))).
 
-###### AccessControlEntry
+##### AccessControlEntry
 Validation: as of OAK the implementation of the `AccessControlEntry` interface is
 no longer in charge of validating the specified privileges. While some validation
 is still performed in the corresponding `AccessControlList` methods, the complete
@@ -52,17 +52,17 @@ implementation.
 
 The default behavior with respect to principal validation is compliant with the
 specification and the same as in Jackrabbit 2.x.: Adding an ACE for an principal
-unknown to the repository will fail. However in order to be consistent
-with the ability have a more relaxed behavior upon XML import that validation
-will be relaxed if the import behavior is being changed to allow for unknown
-principals (see ([OAK-1350](https://issues.apache.org/jira/browse/OAK-1350))) and
-the section Import below.
+unknown to the repository will fail. However, in order to be consistent
+with the behavior upon XML import that validation is relaxed if the import 
+behavior is changed to allow for unknown principals (see ([OAK-1350](https://issues.apache.org/jira/browse/OAK-1350))) 
+and section XML Import below.
 
 Restrictions: as of OAK the optional restrictions present with a given
 `JackrabbitAccessControlEntry` can be multivalued (see below).
 
-##### Jackrabbit API
-###### Principal-based Access Control
+#### Additional Functionality
+
+##### Principal-based Access Control
 The principal-based access control management as present in Jackrabbit-core is no
 longer present with OAK. The main benefit of the principal-based approach has been
 incorporated with the changes in the default [permission evaluation](differences_permissions.html)).
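Review bot: The reworded sentence ending in "(see ([OAK-1350](...)))" carries over the doubled parentheses from the old text; drop the outer pair. "and section XML Import below" is also left as plain text although the target heading is renamed in this commit, so a link would be more robust, and a comma after "upon XML import" would make the long sentence easier to parse.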
@@ -72,16 +72,16 @@ by principal is possible as long as the
 on the target node(s). Similarly, the per principal policies exposed to a given
 session will always respect that access rights of that session.
 
-###### Restrictions
-The implementation of the additional restrictions associated with an ACE has been 
+##### Restrictions
+The implementation of additional restrictions associated with an ACE has been 
 slighly modified/extended.
 
 See section [Restriction Management](../authorization/restriction.html) for details. 
 
-##### Import
+##### XML Import
 
 * respects `ImportBehavior` for handling of principals instead of just performing best effort import
-* supports both workspace and import
+* supports both `Workspace` and `Session` import
 
 #### Configuration
 
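Review bot: Under "##### Restrictions" the line right after the edited sentence still reads "slighly modified/extended". Since the sentence is being touched anyway, correct it to "slightly" in the same change.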
@@ -100,3 +100,4 @@ The following modification is most likel
 
 <!-- hidden references -->
 [OAK-951]: https://issues.apache.org/jira/browse/OAK-951
+[ImportBehavior]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/xml/ImportBehavior.html
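Review bot: The new `[ImportBehavior]` reference definition is not used in the lines shown: the XML Import bullet writes `ImportBehavior` as inline code without link brackets. Either turn that mention into a reference-style link or drop the definition.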

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Tue Feb 16 11:59:05 2016
@@ -113,6 +113,7 @@ The Oak API contains the following authe
 - `ContentRepository.login(Credentials, String)`: The Oak counterpart of the JCR login.
 - `ContentSession.getAuthInfo()`: exposes the `AuthInfo` associated with the `ContentSession`.
 
+<a href="default_implementation"/>
 ### Oak Authentication Implementation
 
 A description of the various requirements covered by Oak by default as well
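Review bot: The anchor before "Oak Authentication Implementation" is written as `<a href="default_implementation"/>`; with `href` it is a link, not a target. Use `name="default_implementation"`, matching the `<a name="..."/>` anchors used elsewhere in this commit.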

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md Tue Feb 16 11:59:05 2016
@@ -16,14 +16,15 @@
   -->
 ### Authentication : Differences wrt Jackrabbit 2.x
 
-#### Characteristics of the Default Implementation
+#### Guest Login vs Null Login
 
 ##### Null Login
 
 As of Oak 1.0 `Repository#login()` and `Repository#login(null, wspName)` is no
-longer treated as guest login. In order to get backwards compatible behavior,
-Oak comes with a dedicated [GuestLoginModule] that can be added to the JAAS (or
-the corresponding OSGI) configuration.
+longer treated as guest login but as _pre-authenticed_ as defined by JSR 283. 
+In order to get backwards compatible behavior, Oak comes with a dedicated 
+[GuestLoginModule] that can be added to the JAAS (or the corresponding OSGi) 
+configuration.
 
 ##### Guest Login
 
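Review bot: Typo in the added line "but as _pre-authenticed_ as defined by JSR 283": this should be _pre-authenticated_. Consider linking the term to the Pre-Authentication page that overview.md lists, since readers coming from Jackrabbit 2.x will want to know what the null login now implies.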

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md Tue Feb 16 11:59:05 2016
@@ -73,12 +73,12 @@ The `CompositeAuthorizationConfiguration
 the `RestrictionProvider`s from the aggregated modules and expose the complete 
 set of restrictions in order to meet the API contract. 
 
-Nevertheless, each authorization model is in charge of exposing, validating and 
+Nevertheless, each authorization model is responsible for exposing, validating and 
 evaluating the subset of restrictions it can handle through the access control API 
 extensions and the permission evaluation, respectively. Similarly, a given module  
 may decide to provide no support for restrictions. Examples include modules that 
-provide different types of `AccessControlPolicy`, where restrictions may simply 
-not apply (see for example `oak-authorization-cug`).
+provide different types of `AccessControlPolicy` where restrictions cannot be applied 
+(see for example [oak-authorization-cug](cug.html)).
                
 <a name="configuration"/>
 ### Configuration

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md Tue Feb 16 11:59:05 2016
@@ -69,7 +69,10 @@ to read and create entries with restrict
 <a name="api_extensions"/>
 ### Oak Restriction API
 
-The following public interfaces are provided by Oak in the package `org.apache.jackrabbit.oak.spi.security.authorization.restriction`:
+The following public interfaces are provided by Oak in the package 
+`org.apache.jackrabbit.oak.spi.security.authorization.restriction` and provide 
+support for pluggable restrictions both for access control management and the 
+repository internal permission evaluation:
 
 - [RestrictionProvider]
 - [Restriction]

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md Tue Feb 16 11:59:05 2016
@@ -27,12 +27,15 @@ The Oak Security Layer
  * [Overview](authentication.html)
  * [Differences wrt Jackrabbit 2.x](authentication/differences.html)
  * [Authentication : Implementation Details](authentication/default.html)
+ * [Pre-Authentication](authentication/preauthentication.html)
+ 
+#### Extensions
+ 
  * [Token Authentication and Token Management](authentication/tokenmanagement.html)
  * [External Authentication](authentication/externalloginmodule.html)
      * [User and Group Synchronization](authentication/usersync.html)
      * [Identity Management](authentication/identitymanagement.html)
      * [LDAP Integration](authentication/ldap.html)
- * [Pre-Authentication](authentication/preauthentication.html)
 
 ### Authorization
 
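Review bot: The new "#### Extensions" heading in the Authentication block has the same text as the existing "#### Extensions" heading under Authorization in this file, so the two cannot be told apart in a generated table of contents. A more specific title would avoid that. The blank `+ ` lines around the heading also carry a trailing space.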
@@ -43,7 +46,6 @@ The Oak Security Layer
  * [Overview](accesscontrol.html)
  * [Differences wrt Jackrabbit 2.x](accesscontrol/differences.html)
  * [Access Control Management : The Default Implementation](accesscontrol/default.html)
- * [Restriction Management](authorization/restriction.html)
  * [Using the API](accesscontrol/editing.html)
 
 #### Permissions
@@ -51,18 +53,20 @@ The Oak Security Layer
  * [Overview](permission.html)
  * [Differences wrt Jackrabbit 2.x](permission/differences.html)
  * [Permissions : The Default Implementation](permission/default.html)
-    * [Permission Evaluation in Detail : The Default Implementation](permission/evaluation.html)
+    * [Permission Evaluation in Detail](permission/evaluation.html)
     
 #### Privilege Management
 
  * [Overview](privilege.html)
  * [Differences wrt Jackrabbit 2.x](privilege/differences.html)
+ * [Privilege Management : The Default Implementation](privilege/default.html)
  * Mapping Privileges to Items and API Calls
     * [Mapping Privileges to Items](privilege/mappingtoitems.html)
     * [Mapping API Calls to Privileges](privilege/mappingtoprivileges.html)
 
 #### Extensions
 
+ * [Restriction Management](authorization/restriction.html)
  * [Managing Access with Closed User Groups (CUG)](authorization/cug.html)
 
 ### Principal Management
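Review bot: The added entry "Privilege Management : The Default Implementation" points to privilege/default.html, but privilege/default.md is not among the files in this commit. Please confirm the page already exists so the overview does not gain a dead link.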
@@ -76,8 +80,8 @@ The Oak Security Layer
  * [Differences wrt Jackrabbit 2.x](user/differences.html)
  * [User Management : The Default Implementation](user/default.html)
     * [Group Membership](user/membership.html)
-    * [Searching Users and Groups](user/query.html)
     * [Authorizable Actions](user/authorizableaction.html)
     * [Authorizable Node Name Generation](user/authorizablenodename.html)
     * [Password Expiry and Force Initial Password Change](user/expiry.html)
-    * [Password History](user/history.html)
+    * [Password History](user/history.html) 
+ * [Searching Users and Groups](user/query.html)
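Review bot: The "Password History" line is removed and re-added with only a trailing space appended. Drop that whitespace so the line stays untouched and the hunk shows just the move of "Searching Users and Groups".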

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Tue Feb 16 11:59:05 2016
@@ -244,6 +244,7 @@ defines the following interfaces and cla
 - [Permissions]: The permissions defined, respected and evaluated by the repository.
 - [PermissionConstants]: Constants used throughout the permission evaluation.
 
+<a href="default_implementation"/>
 ### Characteristics of the Permission Evaluation
 
 As explained above permission evaluation is completely separated from the access
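Review bot: `<a href="default_implementation"/>` above "Characteristics of the Permission Evaluation" should be `<a name="default_implementation"/>`. The next hunk in this file adds `<a name="further_reading"/>`, so the two anchors in permission.md are currently inconsistent and only the second one works as a link target.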
@@ -279,10 +280,12 @@ methods:
 
 The supported configuration options of the default implementation are described in the corresponding [section](permission/default.html#configuration).
 
-##### Differences to Jackrabbit 2.x
+<a name="further_reading"/>
+### Further Reading
 
-The `omit-default-permission` configuration option present with the Jackrabbit's AccessControlProvider implementations is no longer supported with Oak.
-Since there are no permissions installed by default this flag has become superfluous.
+- [Differences wrt Jackrabbit 2.x](permission/differences.html)
+- [Permissions : The Default Implementation](permission/default.html)
+- [Permission Evaluation in Detail](permission/evaluation.html)
 
 <!-- references -->
 [Permissions]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.html

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md Tue Feb 16 11:59:05 2016
@@ -125,7 +125,6 @@ use the regular JCR and Jackrabbit permi
 as listed in the [introduction](../permission.html#jcr_api) and in section 
 [Using the Access Control Management API](../accesscontrol/editing.html).
 
-
 #### Node Type Definitions
 
 For the permission store the following built-in node types have been defined:
@@ -181,3 +180,8 @@ The default implementation supports the
 
 - `REMOVE_NODE`: if present, the permission evaluation will traverse down the hierarchy upon node removal. This config flag is a best effort approach but doesn't guarantee an identical behavior.
 - `USER_MANAGEMENT`: if set permissions for user related items will be evaluated the same way as regular JCR items irrespective of their protection status.
+
+##### Differences to Jackrabbit 2.x
+
+The `omit-default-permission` configuration option present with the Jackrabbit's AccessControlProvider implementations is no longer supported with Oak.
+Since there are no permissions installed by default this flag has become superfluous.
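Review bot: The `omit-default-permission` paragraph appended here under "##### Differences to Jackrabbit 2.x" is also added, with the same wording, under "#### Configuration" in permission/differences.md in this commit. Keeping the text in differences.md only and linking to it from this page would prevent the two copies from drifting apart. If it stays, put `AccessControlProvider` in code formatting as is done for other type names.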

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/differences.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/differences.md Tue Feb 16 11:59:05 2016
@@ -92,6 +92,12 @@ have a versionable node in this workspac
 the effective permissions that would apply to that node if the version was restored.
 This changes is covered by [OAK-444] and addresses concerns summarized in [JCR-2963].
 
+#### Configuration
+
+The `omit-default-permission` configuration option present with the Jackrabbit's AccessControlProvider 
+implementations is no longer supported with Oak. Since there are no permissions 
+installed by default this flag has become superfluous.
+
 <!-- hidden references -->
 [Permissions]: http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.java
 [PermissionHook]: http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.java

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md Tue Feb 16 11:59:05 2016
@@ -15,7 +15,7 @@
    limitations under the License.
 -->
 
-Permission Evaluation in Detail : The Default Implementation
+Permission Evaluation in Detail
 --------------------------------------------------------------------------------
 
 <a name="permissionentries"/>

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md Tue Feb 16 11:59:05 2016
@@ -63,6 +63,7 @@ from different source providers.
 - [SystemPrincipal]: built-in principal implementation to mark system internal subjects.
 - [SystemUserPrincipal]: Marker interface to identify principals associated with special system users.
 
+<a href="default_implementation"/>
 ### Oak Principal Management Implementation
 
 The default implementation of the principal management API basically corresponds
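Review bot: Same attribute problem on the anchor before "Oak Principal Management Implementation": `href="default_implementation"` needs to be `name="default_implementation"` to act as a target.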

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/differences.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/differences.md Tue Feb 16 11:59:05 2016
@@ -16,7 +16,7 @@
   -->
 ### Principal Management : Differences wrt Jackrabbit 2.x
 
-#### Replacement for internal Jackrabbit interfaces and classes
+#### Replacement for Jackrabbit Internals
 
 As of Oak 1.0 the following interfaces and class that were internal to Jackrabbit
 have been made part of public API exposed by Oak:
@@ -33,7 +33,7 @@ order to combine principals from differe
 handles the different sources is required; the [CompositePrincipalProvider] is an
 example that combines multiple implementations.
 
-See [Principal Management](../principal.html#pluggability) for an example.
+See section [Pluggability](../principal.html#pluggability) for an example.
 
 <!-- references -->
 

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Tue Feb 16 11:59:05 2016
@@ -77,6 +77,7 @@ utility methods:
     - `privilegesFromNames(Session session, String... privilegeNames)`
     - `privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)`
 
+<a href="default_implementation"/>
 ### Oak Privilege Management Implementation
 
 The behavior of the default privilege management implementation is described in section 
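Review bot: The anchor before "Oak Privilege Management Implementation" uses `href` while the "Further Reading" anchor added in the following hunk uses `name`. Change this one to `<a name="default_implementation"/>`.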
@@ -99,6 +100,16 @@ knowledge and understanding of Jackrabbi
 the security risk associated with it. Doing so, will most likely require a re-write
 of the default access control and permission evaluation.
 
+<a name="further_reading"/>
+### Further Reading
+
+- [Differences wrt Jackrabbit 2.x](privilege/differences.html)
+- [Privilege Management : The Default Implementation](privilege/default.html)
+- Mapping Privileges to Items and API Calls
+    - [Mapping Privileges to Items](privilege/mappingtoitems.html)
+    - [Mapping API Calls to Privileges](privilege/mappingtoprivileges.html)
+
+
 <!-- references -->
 [PrivilegeConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.html
 [PrivilegeConstants]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Tue Feb 16 11:59:05 2016
@@ -69,6 +69,7 @@ and [user authentication](authentication
   function for password generation.
 - `UserUtil` : Utilities related to general user management tasks.
 
+<a href="default_implementation"/>
 ### Oak User Management Implementation
 
 The behavior of the default user management implementation is described in section 
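Review bot: `<a href="default_implementation"/>` before "Oak User Management Implementation" will not create a named anchor. Use `name`, as done for `further_reading` later in user.md.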
@@ -82,7 +83,7 @@ This class is responsible for passing co
 and provides the following two methods:
 
 - `getUserManager(Root, NamePathMapper)`: get a new `UserManager` instance
-- `getUserPrincipalProvider(Root, NamePathMapper)`: optional method that allows for optimization of the principal look-up associated with user/group accounts (since Oak 1.3.4).
+- `getUserPrincipalProvider(Root, NamePathMapper)`: optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).
 
 #### Configuration Parameters
 
@@ -104,6 +105,7 @@ Alternatively the default user managemen
 adjusted using various means. See the corresponding [section](user/default.html#pluggability)
 for further details.
 
+<a name="further_reading"/>
 ### Further Reading
 
 - [Differences wrt Jackrabbit 2.x](user/differences.html)
@@ -111,9 +113,9 @@ for further details.
     - [Group Membership](user/membership.html)
     - [Authorizable Actions](user/authorizableaction.html)
     - [Authorizable Node Name](user/authorizablenodename.html)
-    - [Searching Users and Groups](user/query.html)
     - [Password Expiry and Force Initial Password Change](user/expiry.html)
     - [Password History](user/history.html)
+- [Searching Users and Groups](user/query.html)
 
 <!-- hidden references -->
 [UserConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md Tue Feb 16 11:59:05 2016
@@ -79,7 +79,7 @@ The default user management implementati
 the optional group that represents the [everyone] principal, which is marked by 
 the reserved principal name and by definition has all other principals as members.
 
-This special group always contains all Authorizable as member and cannot be edited
+This special group always contains all users/groups as member and cannot be edited
 with user management API. As of OAK this fact is consistently reflected in all
 group membership related methods. See also [Principal Management](../principal.html).
 
@@ -102,9 +102,13 @@ of the underlaying JCR node but only com
 * The `rep:password` property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that `User#changePassword` does not allow to remove the password property.
 * Since version 1.1.0 Oak supports the new API to create dedicated system users [JCR-3802](https://issues.apache.org/jira/browse/JCR-3802).
 
-#### Query
+<a name="query"/>
+#### Searching
 
-See section [Searching Users and Groups](query.html) for details.
+#### XPathQueryBuilder
+
+Oak 1.0 comes with a default XPATH based implementation of the `QueryBuilder`
+interface which is passed to the query upon calling `UserManager#findAuthorizables(Query)`.
 
 #### Group Membership
 
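Review bot: "#### Searching" is immediately followed by "#### XPathQueryBuilder" at the same heading level, which leaves the Searching section and its `query` anchor with no content of their own. Making XPathQueryBuilder a `#####` subsection would nest it as intended. The removed pointer to query.html could also be kept so readers still reach the full search documentation from here.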

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md Tue Feb 16 11:59:05 2016
@@ -27,7 +27,9 @@ reverting other changes unrelated to the
 it's the responsibility of the API consumer to specifically revert pending or
 invalid transient modifications.
 
-#### UserManager
+#### Differences by Interface
+
+##### UserManager
 
 - stores user/group information in the workspace associated with the editing Session
 - the autosave feature is no longer supported by default; configuration option
@@ -35,7 +37,7 @@ invalid transient modifications.
 - calling `getAuthorizable` with empty id or `null` id/principal will not throw
   a runtime exception but silently returns `null`
 
-#### Authorizable
+##### Authorizable
 
 * Equality and HashCode : the implementation of `Object#equals()` and `Object#hashCode()` for
   authorizables differs from Jackrabbit 2.x. It no longer relies on the _sameness_ of
@@ -47,11 +49,11 @@ invalid transient modifications.
   of the `AuthorizableNodeName` interface. Default: ID as name hint.
   See section [Authorizable Node Name Generation](authorizablenodename.html) for details.
 
-#### User
+##### User
 
 * Creation: The password is no longer mandatory upon user creation.
 
-#### Group
+##### Group
 
 * Creation: `createGroup(Principal)` will no longer generate a groupID in case the principal
   name collides with an existing user or group ID. This has been considered redundant
@@ -59,12 +61,21 @@ invalid transient modifications.
 * Group Members: The way many group members are stored with a given Group has been redesigned
   in Oak 1.0. See section [Group Membership](membership.html) for a detailed description.
 
-#### Query
+<a name="query"/>
+##### QueryBuilder
+
+The user query is expected to work as in Jackrabbit 2.x with the following notable
+bug fixes:
 
-The user query is expected to work as in Jackrabbit 2.x. See section
-[Searching Users and Groups](query.html) for a list of bug fixes.
+* `QueryBuilder#setScope(String groupID, boolean declaredOnly)` now also works properly
+  for the everyone group (see [OAK-949])
+* `QueryBuilder#impersonates(String principalName)` works properly for the admin
+  principal which are specially treated in the implementation of the `Impersonation`
+  interface (see [OAK-1183]).
 
-#### XML Import
+#### Additional Functionality
+
+##### XML Import
 
 * Importing an authorizable to another tree than the configured user/group node 
   will only failed upon save (-> see `UserValidator` during the `Root#commit`). 
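Review bot: In the `QueryBuilder#impersonates` bullet moved in from query.md, "the admin principal which are specially treated" has a subject/verb mismatch and should read "which is specially treated". The move is a good moment to fix it rather than carry the wording over unchanged.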
@@ -72,15 +83,17 @@ The user query is expected to work as in
 * The `BestEffort` behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).
 * Oak also supports workspace import for authorizables
 
-#### Builtin Users and the Everyone Group
+##### Built-in Users
 
 - admin user can be initialized without password (`PARAM_OMIT_ADMIN_PW` config option)
 - anonymous user is optional (missing `PARAM_ANONYMOUS_ID` config option)
 - anonymous user is always initialized without password.
-- the implementation of the everyone group is consistent throughout all group
-  membership related methods.
 
-#### Authorizable Actions
+##### Group representing the Everyone Principal
+
+- the implementation of the optional special group representing the [everyone] principal is consistent throughout all group membership related methods.
+
+##### Authorizable Actions
 The former internal interface `AuthorizableAction` has been slightly adjusted to
 match OAK requirements and is now part of the public OAK SPI interfaces.
 
@@ -114,4 +127,10 @@ in Jackrabbit 2.x are no longer supporte
 * "compatibleJR16"
 * "autoExpandTree"
 * "autoExpandSize"
-* "groupMembershipSplitSize"
\ No newline at end of file
+* "groupMembershipSplitSize"
+
+<!-- hidden references -->
+
+[OAK-949]: https://issues.apache.org/jira/browse/OAK-949
+[OAK-1183]: https://issues.apache.org/jira/browse/OAK-1183
+[everyone]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/query.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/query.md?rev=1730662&r1=1730661&r2=1730662&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/query.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/query.md Tue Feb 16 11:59:05 2016
@@ -299,21 +299,8 @@ Find all authorizables accessible to the
 
 ### Characteristics of the Default Implementation
 
-#### Changes wrt Jackrabbit 2.x
-
-The user query is expected to work as in Jackrabbit 2.x with the following notable
-bug fixes:
-
-* `QueryBuilder#setScope(String groupID, boolean declaredOnly)` now also works properly
-  for the everyone group (see [OAK-949])
-* `QueryBuilder#impersonates(String principalName)` works properly for the admin
-  principal which are specially treated in the implementation of the `Impersonation`
-  interface (see [OAK-1183]).
-
-#### XPathQueryBuilder
-
-Oak 1.0 comes with a default XPATH based implementation of the `QueryBuilder`
-inteface which is passed to the query upon calling `UserManager#findAuthorizables(Query)`.
+See sections [Differences to Jackrabbit 2.x](differences.html#query) and 
+[The Default Implementation](default.html#query) for details.
 
 ### Utilities
 
@@ -322,8 +309,6 @@ a utility class provided by the jcr-comm
 
 <!-- hidden references -->
 
-[OAK-949]: https://issues.apache.org/jira/browse/OAK-949
-[OAK-1183]: https://issues.apache.org/jira/browse/OAK-1183
 [QueryBuilder]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/QueryBuilder.java
 [Query]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/user/Query.java
 [org.apache.jackrabbit.commons.jackrabbit.user.AuthorizableQueryManager]: http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/jackrabbit/user/AuthorizableQueryManager.java
\ No newline at end of file