You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/11/09 09:44:20 UTC
svn commit: r1846222 [13/22] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/
security/accesscontrol/ security/authentication...
Modified: jackrabbit/site/live/oak/docs/security/authentication/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/default.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/default.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication : Implementation Details</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,8 +239,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="Authentication_:_Implementation_Details"></a>Authentication : Implementation Details</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -263,121 +250,146 @@
<div class="section">
<h3><a name="Authentication_Requirements"></a>Authentication Requirements</h3>
<p>Jackrabbit Oak covers the following login requirements and provides dedicated <tt>LoginModule</tt> implementation(s) for each scenario:</p>
-<ul>
+<ul>
+
<li><a href="#guest">Guest Login</a></li>
+
<li><a href="#uid_pw">UserId/Password Login</a></li>
+
<li><a href="#impersonation">Impersonation Login</a></li>
+
<li><a href="#token">Token Login</a></li>
+
<li><a href="#pre_authenticated">Pre-Authenticated Login</a></li>
+
<li><a href="#external">External Login</a></li>
</ul>
-<a name="guest"></a>
-#### Guest Login
-
+<p><a name="guest"></a></p>
+<div class="section">
+<h4><a name="Guest_Login"></a>Guest Login</h4>
<p>The proper way to obtain an guest session as of Oak is as specified by JSR 283:</p>
-<div>
-<div>
-<pre class="source">String wspName = null;
+<div class="source">
+<div class="source"><pre class="prettyprint">String wspName = null;
Session anonymous = repository.login(new GuestCredentials(), wspName);
</pre></div></div>
-
<p>As of Oak 1.0 <tt>Repository#login()</tt> and <tt>Repository#login(null, wspName)</tt> is no longer treated as guest login. This behavior of Jackrabbit-core is violating the specification, which defines that null-login should be used for those cases where the authentication process is handled outside of the repository (see <a href="preauthentication.html">Pre-Authentication</a>).</p>
<p>Similarly, any special treatment that Jackrabbit core applied for the guest (anonymous) user has been omitted altogether from the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html">LoginModuleImpl</a>. In the default setup the built-in anonymous user will be created without any password. Therefore explicitly uid/pw login using the anonymous userId will no longer work. This behavior is now consistent with the default login of any other user which doesn’t have a password set.</p>
<div class="section">
-<div class="section">
<h5><a name="GuestLoginModule"></a>GuestLoginModule</h5>
<p>The aim of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.html">GuestLoginModule</a> implementation is to provide backwards compatibility with Jackrabbit 2.x with respect to the guest (anonymous) login: the <tt>GuestLoginModule</tt> can be added as <i>optional</i> entry to the chain of login modules in the JAAS (or corresponding OSGi) configuration.</p>
<p>Example JAAS Configuration:</p>
-<div>
-<div>
-<pre class="source">jackrabbit.oak {
+<div class="source">
+<div class="source"><pre class="prettyprint">jackrabbit.oak {
org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule optional;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
};
</pre></div></div>
-
<p>The behavior of the <tt>GuestLoginModule</tt> is as follows:</p>
<p><i>Phase 1: Login</i></p>
-<ul>
+<ul>
+
<li>tries to retrieve JCR credentials from the [CallbackHandler] using the [CredentialsCallback]</li>
-<li>in case no credentials could be obtained it pushes a new instance of <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/GuestCredentials.html">GuestCredentials</a> to the shared stated and <b>returns</b> <tt>true</tt></li>
+
+<li>in case no credentials could be obtained it pushes a new instance of <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/GuestCredentials.html">GuestCredentials</a> to the shared stated and <b>returns</b> <tt>true</tt></li>
+
<li>otherwise it <b>returns</b> <tt>false</tt></li>
</ul>
<p><i>Phase 2: Commit</i></p>
-<ul>
-<li>if the phase 1 succeeded it will add the <tt>GuestCredentials</tt> created above and <tt>EveryonePrincipal</tt> the <tt>Subject</tt> in phase 2 of the login process and <b>returns</b> <tt>true</tt></li>
+<ul>
+
+<li>if the phase 1 succeeded it will add the <tt>GuestCredentials</tt> created above and <tt>EveryonePrincipal</tt> the <tt>Subject</tt> in phase 2 of the login process and <b>returns</b> <tt>true</tt></li>
+
<li>otherwise it <b>returns</b> <tt>false</tt></li>
</ul>
-<a name="uid_pw"></a>
-#### UserId/Password Login
-
+<p><a name="uid_pw"></a></p></div></div>
+<div class="section">
+<h4><a name="UserIdPassword_Login"></a>UserId/Password Login</h4>
<p>Oak 1.0 comes with 2 different login module implementations that can handle <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html">SimpleCredentials</a>:</p>
-<ul>
+<ul>
+
<li>Default (<tt>LoginModuleImpl</tt>) as described below</li>
+
<li><tt>ExternalLoginModule</tt> as described in section <a href="externalloginmodule.html">External Authentication</a></li>
-</ul></div>
+</ul>
<div class="section">
<h5><a name="LoginModuleImpl"></a>LoginModuleImpl</h5>
<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html">LoginModuleImpl</a> defines a regular userId/password login and requires a repository setup that supports <a href="../user.html">User Management</a> and is designed to supports the following <tt>Credentials</tt>:</p>
-<ul>
+<ul>
+
<li><tt>SimpleCredentials</tt></li>
+
<li><tt>GuestCredentials</tt> (see above)</li>
+
<li><tt>ImpersonationCredentials</tt> (see below)</li>
</ul>
<p>This login module implementations behaves as follows:</p>
<p><i>Phase 1: Login</i></p>
-<ul>
+<ul>
+
<li>if a user does not exist in the repository (i.e. cannot be provided by the user manager) it <b>returns <tt>false</tt></b>.</li>
+
<li>if an authorizable with the respective userId exists but is a group or a disabled users, it <b>throws <tt>LoginException</tt></b></li>
+
<li>if a user exists in the repository and the credentials don’t match, it <b>throws <tt>LoginException</tt></b></li>
+
<li>if a user exists in the repository and the credentials match, it <b>returns <tt>true</tt></b>
+
<ul>
-
+
<li>also, it adds the credentials to the shared state</li>
+
<li>also, it adds the login name to the shared state</li>
+
<li>also, it calculates the principals and adds them to the private state</li>
+
<li>also, it adds the credentials to the private state</li>
-</ul>
-</li>
+ </ul></li>
</ul>
<p><i>Phase 2: Commit</i></p>
-<ul>
+<ul>
+
<li>if the private state contains the credentials and principals, it adds them (both) to the subject and <b>returns <tt>true</tt></b></li>
+
<li>if the private state does not contain credentials and principals, it clears the state and <b>returns <tt>false</tt></b></li>
</ul>
-<a name="user_authentication"></a>
-###### User Authentication
-
+<p><a name="user_authentication"></a></p>
+<div class="section">
+<h6><a name="User_Authentication"></a>User Authentication</h6>
<p>The <tt>LoginModuleImpl</tt> uses a configured <tt>Authentication</tt>-implementation for performing the login step. Which implementation to use is determined by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a> obtained by the given <tt>UserConfiguration</tt>. It is expected to provides an <tt>Authentication</tt> implementation if the given <tt>UserConfiguration</tt> is accepted.</p>
<p>In case multiple implementations of the <tt>UserAuthenticationFactory</tt> are available, the precedence depends on its OSGi service ranking property. The default factory implementation has a ranking of 0 (OSGi default). Services with the highest ranking will take precedence.</p>
<p>See also section <a href="../user/default.html#pluggability">user management</a>.</p>
-<a name="impersonation"></a>
-#### Impersonation Login
-
+<p><a name="impersonation"></a></p></div></div></div>
+<div class="section">
+<h4><a name="Impersonation_Login"></a>Impersonation Login</h4>
<p>Another flavor of the Oak authentication implementation is covered by <tt>javax.jcr.Session#impersonate(Credentials)</tt>, which allows to obtain an new <tt>Session</tt> for a user identified by the specified credentials. As of JSR 333 this method can also be used in order to clone the existing session (i.e. self-impersonation of the user that holds the session.</p>
<p>With Oak 1.0 impersonation is implemented as follows:</p>
-<ol style="list-style-type: decimal">
+<ol style="list-style-type: decimal">
+
<li><tt>Session#impersonate</tt> takes any kind of <tt>Credentials</tt></li>
-<li>the specified credentials are wrapped in a new instance of <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html">ImpersonationCredentials</a> along with the current <tt>AuthInfo</tt> object.</li>
+
+<li>the specified credentials are wrapped in a new instance of <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html">ImpersonationCredentials</a> along with the current <tt>AuthInfo</tt> object.</li>
+
<li>these <tt>ImpersonationCredentials</tt> are passed to <tt>Repository.login</tt></li>
</ol>
<p>Whether or not impersonation succeeds consequently both depends on the authentication setup and on some implementation specific validation that make sure the editing session is allowed to impersonate the user identified by the credentials passed to the impersonate call.</p>
<p>With Oak 1.0 only the default login module (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html">LoginModuleImpl</a>) is able to deal with <tt>ImpersonationCredentials</tt> and applies the following logic:</p>
-<ul>
-<li><b>Self-Impersonation</b>: Any attempt to impersonate the same session will succeed as long as the user is still valid (i.e. exists and has not been disabled).</li>
-<li><b>Regular Impersonation</b>: Impersonation another user will only succeed if the impersonated user is valid (i.e. exists and is not disabled) <i>and</i> the the user associated with the editing session is allowed to impersonate this user. The latter depends on the <a href="../user.html">User Management</a> implementation specifically on the return value of <tt>User.getImpersonation().allows(Subject subject)</tt>.</li>
-</ul></div>
+<ul>
+
+<li><b>Self-Impersonation</b>: Any attempt to impersonate the same session will succeed as long as the user is still valid (i.e. exists and has not been disabled).</li>
+
+<li><b>Regular Impersonation</b>: Impersonation another user will only succeed if the impersonated user is valid (i.e. exists and is not disabled) <i>and</i> the the user associated with the editing session is allowed to impersonate this user. The latter depends on the <a href="../user.html">User Management</a> implementation specifically on the return value of <tt>User.getImpersonation().allows(Subject subject)</tt>.</li>
+</ul>
<div class="section">
<h5><a name="ImpersonationCredentials"></a>ImpersonationCredentials</h5>
<p>Since the implementation of <tt>Session.impersonate</tt> no longer uses <tt>SimpleCredentials</tt> to transport the original <tt>Subject</tt> but rather performs the login with dedicated <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html">ImpersonationCredentials</a>, impersonation is no longer restricted to <tt>SimpleCredentials</tt> being passed to <tt>Session#impersonate</tt> call. Instead the specified credentials are passed to a new instance of <tt>ImpersonationCredentials</tt> delegating the evaluation and validation of the specified <tt>Credentials</tt> to the configured login module(s).</p>
@@ -385,44 +397,54 @@ Session anonymous = repository.login(new
<div class="section">
<h5><a name="Impersonation_with_Custom_Authentication_Setup"></a>Impersonation with Custom Authentication Setup</h5>
<p>Applications that wish to use a custom authentication setup need to ensure the following steps in order to get JCR impersonation working:</p>
-<ul>
+<ul>
+
<li>Respect <tt>ImpersonationCredentials</tt> in the authentication setup.</li>
-<li>Identify the impersonated from <tt>ImpersonationCredentials.getBaseCredentials</tt> and verify if it can be authenticated.</li>
-<li>Validate that the editing session is allowed to impersonate: The user associated with the editing session can be identified by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a> obtained from from <tt>ImpersonationCredentials.getImpersonatorInfo()</tt>.</li>
+
+<li>Identify the impersonated from <tt>ImpersonationCredentials.getBaseCredentials</tt> and verify if it can be authenticated.</li>
+
+<li>Validate that the editing session is allowed to impersonate: The user associated with the editing session can be identified by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a> obtained from from <tt>ImpersonationCredentials.getImpersonatorInfo()</tt>.</li>
</ul>
-<a name="token"></a>
-#### Token Login
-
-<p>See section <a href="tokenmanagement.html">Token Authentication</a> for details regarding token based authentication.</p></div>
+<p><a name="token"></a></p></div></div>
+<div class="section">
+<h4><a name="Token_Login"></a>Token Login</h4>
+<p>See section <a href="tokenmanagement.html">Token Authentication</a> for details regarding token based authentication.</p>
<div class="section">
<h5><a name="TokenLoginModule"></a>TokenLoginModule</h5>
<p>The <tt>TokenLoginModule</tt> is in charge of creating new login tokens and validate repository logins with <tt>TokenCredentials</tt>. The exact behavior of this login module is described in section <a href="tokenmanagement.html">Token Authentication</a>.</p>
-<a name="pre_authenticated"></a>
-#### Pre-Authenticated Login
-
+<p><a name="pre_authenticated"></a></p></div></div>
+<div class="section">
+<h4><a name="Pre-Authenticated_Login"></a>Pre-Authenticated Login</h4>
<p>Oak provides two different mechanisms to create pre-authentication that doesn’t involve the repositories internal authentication mechanism for credentials validation.</p>
-<ul>
+<ul>
+
<li>Pre-Authentication combined with Login Module Chain</li>
+
<li>Pre-Authentication without Repository Involvement (aka <tt>null</tt> login)</li>
</ul>
<p>See section <a href="preauthentication.html">Pre-Authentication Login</a> for further details and examples.</p>
-<a name="external"></a>
-#### External Login
-
+<p><a name="external"></a></p></div>
+<div class="section">
+<h4><a name="External_Login"></a>External Login</h4>
<p>While the default setup in Oak is solely relying on repository functionality to ensure proper authentication it quite common to authenticate against different systems (e.g. LDAP). For those setups that wish to combine initial authentication against a third party system with repository functionality, Oak provides a default implementation with extension points:</p>
-<ul>
-<li><a href="externalloginmodule.html">External Authentication</a>: Summary of the external authentication and details about the <tt>ExternalLoginModule</tt>.</li>
-<li><a href="usersync.html">User and Group Synchronization</a>: Details regarding user and group synchronization as well as a list of configuration options provided by the the default implementations present with Oak.</li>
+<ul>
+
+<li><a href="externalloginmodule.html">External Authentication</a>: Summary of the external authentication and details about the <tt>ExternalLoginModule</tt>.</li>
+
+<li><a href="usersync.html">User and Group Synchronization</a>: Details regarding user and group synchronization as well as a list of configuration options provided by the the default implementations present with Oak.</li>
+
<li><a href="identitymanagement.html">Identity Management</a>: Further information regarding extenal identity management.</li>
-<li><a href="ldap.html">LDAP Integration</a>: How to make use of the <tt>ExternalLoginModule</tt> with the LDAP identity provider implementation. This combination is aimed to replace <a class="externalLink" href="http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html">com.day.crx.security.ldap.LDAPLoginModule</a>, which relies on Jackrabbit internals and will no longer work with Oak.</li>
-</ul></div>
+
+<li><a href="ldap.html">LDAP Integration</a>: How to make use of the <tt>ExternalLoginModule</tt> with the LDAP identity provider implementation. This combination is aimed to replace <a class="externalLink" href="http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html">com.day.crx.security.ldap.LDAPLoginModule</a>, which relies on Jackrabbit internals and will no longer work with Oak.</li>
+</ul>
<div class="section">
<h5><a name="ExternalLoginModule"></a>ExternalLoginModule</h5>
<p>The [ExternalLoginModule] is a base implementation that allows easy integration of 3rd party authentication and identity systems, such as <a href="ldap.html">LDAP</a>. The general mode of the external login module is to use the external system as authentication source and as a provider for users and groups that may also be synchronized into the repository.</p>
-<p>This login module implementation requires an valid <tt>SyncHandler</tt> and <tt>IdentityProvider</tt> to be present. The detailed behavior of the <tt>ExternalLoginModule</tt> is described in section <a href="externalloginmodule.html">External Authentication</a>.</p><!-- hidden references --></div></div></div></div>
+<p>This login module implementation requires an valid <tt>SyncHandler</tt> and <tt>IdentityProvider</tt> to be present. The detailed behavior of the <tt>ExternalLoginModule</tt> is described in section <a href="externalloginmodule.html">External Authentication</a>.</p>
+<!-- hidden references --></div></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/differences.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/differences.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authentication : Differences wrt Jackrabbit 2.x</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,8 +239,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- -->
-<div class="section">
+ --><div class="section">
<div class="section">
<h3><a name="Authentication_:_Differences_wrt_Jackrabbit_2.x"></a>Authentication : Differences wrt Jackrabbit 2.x</h3>
<div class="section">
@@ -263,19 +250,24 @@
<div class="section">
<h5><a name="Guest_Login"></a>Guest Login</h5>
<p>With respect to guest login (aka anonymous login) the Oak content repository out of the box contains the following modifications:</p>
-<ul>
+<ul>
+
<li>null login != guest login</li>
+
<li>special password handling of the anonymous user has been dropped</li>
+
<li>the anonymous user by default doesn’t have a password set</li>
</ul></div>
<div class="section">
<h5><a name="Pre-Authentication"></a>Pre-Authentication</h5>
<p>Oak provides two different mechanisms to create pre-authentication that doesn’t involve the repositories internal authentication mechanism for credentials validation. See the corresponding section <a href="preauthentication.html">Pre-Authentication</a> for details and examples.</p>
-<ul>
+<ul>
+
<li>Pre-Authentication combined with Login Module Chain</li>
-<li>Pre-Authentication without Repository Involvement: the <tt>Subject</tt> must be available with the current <tt>java.security.AccessControlContext</tt>.</li>
+
+<li>Pre-Authentication without Repository Involvement: the <tt>Subject</tt> must be available with the current <tt>java.security.AccessControlContext</tt>.</li>
</ul></div></div>
<div class="section">
<h4><a name="Impersonation"></a>Impersonation</h4>
@@ -287,52 +279,53 @@
<p>The OAK implementation of <tt>Session#impersonate</tt> no longer uses <tt>SimpleCredentials</tt> to transport the original <tt>Subject</tt> but rather performs the login with dedicated <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html">ImpersonationCredentials</a>.</p>
<p>This modification will not affect applications that used JCR API to impersonate a given session. However the following example which ‘manually’ builds impersonation credentials the way jackrabbit core was handling it will <b>no longer work</b> to impersonate an existing session:</p>
-<div>
-<div>
-<pre class="source"> org.apache.jackrabbit.core.SessionImpl sImpl = (SessionImpl) mySession;
+<div class="source">
+<div class="source"><pre class="prettyprint"> org.apache.jackrabbit.core.SessionImpl sImpl = (SessionImpl) mySession;
SimpleCredentials jrImpCreds = new SimpleCredentials("someUserId, new char[0]);
creds.setAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE, sImpl.getSubject());
Session impersonated = sImpl.getRepository().login(jrImpCreds, sImpl.getWorkspace().getName());
</pre></div></div>
-
<p>Upon migration to Oak such implementation specific code should be refactored to use regular JCR API for impersonation:</p>
-<div>
-<div>
-<pre class="source"> // Note: build credentials depends on the auth setup !
+<div class="source">
+<div class="source"><pre class="prettyprint"> // Note: build credentials depends on the auth setup !
Credentials impersonationCredentials = new SimpleCredentials("someUserId, new char[0]);
Session impersonated = session.impersonate(impersonationCredentials);
</pre></div></div>
-
<p>In order to achieve impersonation on the Oak API directly:</p>
-<div>
-<div>
-<pre class="source"> ContentRepository contentRepo = ...
+<div class="source">
+<div class="source"><pre class="prettyprint"> ContentRepository contentRepo = ...
ContentSession editingSession = ...
AuthInfo impersonatorInfo = editingSession.getAuthInfo();
Credentials credentials = new SimpleCredentials("someUserId, new char[0]);
ImpersonationCredentials impersonationCredentials = new ImpersonationCredentials(credentials, impersonatorInfo);
ContentSession impersonated = contentRepo.login(impersonationCredentials, editingSession.getWorkspaceName());
-</pre></div></div>
-</div></div>
+</pre></div></div></div></div>
<div class="section">
<h4><a name="Token_based_Authentication"></a>Token based Authentication</h4>
<p>The token based authentication has been completely refactor in Oak as described in section <a href="tokenmanagement.html">Token Management</a>. The default implementation differs from Jackrabbit as follows</p>
-<ul>
+<ul>
+
<li>token node is created with dedicated node type (rep:Token)</li>
+
<li>expiration and key properties are mandatory and protected properties</li>
-<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> is defined by the token management API.</li>
+
+<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> is defined by the token management API.</li>
</ul>
<p>As far as the token based authentication itself is concerned the Oak implementation contains the following changes compared to Jackrabbit 2.x:</p>
-<ul>
+<ul>
+
<li>token based authentication is completely separated from regular uid/pw authentication.</li>
-<li>the dedicated <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> is both responsible for creating new login tokens performing the the authentication for <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java">TokenCredentials</a> passed to the repository login. Other login modules should not attempt to do so.</li>
-<li>token characteristics such as expiration time only need to be configured with the token management API; other <tt>LoginModule</tt> implementations no longer need to have the same config options set.</li>
-</ul><!-- references --></div></div></div>
+
+<li>the dedicated <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a> is both responsible for creating new login tokens performing the the authentication for <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java">TokenCredentials</a> passed to the repository login. Other login modules should not attempt to do so.</li>
+
+<li>token characteristics such as expiration time only need to be configured with the token management API; other <tt>LoginModule</tt> implementations no longer need to have the same config options set.</li>
+</ul>
+<!-- references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User and Group Synchronization : The Default Implementation</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,8 +239,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="User_and_Group_Synchronization_:_The_Default_Implementation"></a>User and Group Synchronization : The Default Implementation</h2>
<div class="section">
<h3><a name="Default_Implementation_of_Sync_API"></a>Default Implementation of Sync API</h3>
@@ -266,27 +253,32 @@
<div class="section">
<h4><a name="SyncContext"></a>SyncContext</h4>
<p>Oak provides the following implementations of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> interface:</p>
-<ul>
+<ul>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a>: base implementation that synchronizes external user and group accounts into the repository</li>
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/DynamicSyncContext.html">DynamicSyncContext</a>: derived implementation that provides special handling for external groups.</li>
</ul>
<div class="section">
<h5><a name="DefaultSyncContext"></a>DefaultSyncContext</h5>
<p>All users/groups synchronized by this context will get the following properties set. These properties allow to run separate task for periodical update and make sure the authorizables can later on be identified as external users.</p>
-<ul>
+<ul>
+
<li><tt>rep:externalId</tt> : This allows to identify the external users, know the associated IDP and distinguish them from others.</li>
+
<li><tt>rep:lastSynced</tt> : Sync timestamp to mark the external user/group valid for the configurable time (to reduce expensive syncing). Once expired, they will be validated against the 3rd party system again.</li>
</ul>
<p>NOTE: Since Oak 1.5.8 the system-maintained property <tt>rep:externalId</tt> is protected and can not be altered using regular JCR and Jackrabbit API, irrespective of the permission setup of the editing session. For backwards compatibility this protection can be turned off. See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4301">OAK-4301</a> for further details.</p>
<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> is exported as part of the ‘basic’ package space and may be used to provide custom implementations.</p></div>
<div class="section">
<h5><a name="DynamicSyncContext"></a>DynamicSyncContext</h5>
-<p>Extending from the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> this implementation that provides special handling for external groups in case the <a href="#dynamic_membership">Dynamic Group Membership</a> option is enabled in the <a href="#configuration">Configuration</a>.</p>
+<p>Extending from the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.html">DefaultSyncContext</a> this implementation that provides special handling for external groups in case the <a href="#dynamic_membership">Dynamic Group Membership</a> option is enabled in the <a href="#configuration">Configuration</a>.</p>
<p>In addition to the properties mentioned above this implementation will additionally create a multivalued STRING property that caches the group principal names of the external user accounts:</p>
-<ul>
+<ul>
+
<li><tt>rep:externalPrincipalNames</tt> : Optional system-maintained property related to <a href="#dynamic_membership">Dynamic Group Membership</a></li>
</ul></div></div>
<div class="section">
@@ -295,137 +287,244 @@
<div class="section">
<h4><a name="SyncedIdentity"></a>SyncedIdentity</h4>
<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncedIdentity.html">DefaultSyncedIdentity</a> is exported as part of the ‘basic’ package space. It maps the ID of a synchronized user/group account to the external identity references represented by <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html">ExternalIdentityRef</a>.</p>
-<a name="dynamic_membership"></a>
-### Dynamic Group Membership
-
+<p><a name="dynamic_membership"></a></p></div></div>
+<div class="section">
+<h3><a name="Dynamic_Group_Membership"></a>Dynamic Group Membership</h3>
<p>As of Oak 1.5.3 the default sync handler comes with an addition configuration option that allows to enable dynamic group membership resolution for external users. Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external groups are synchronized (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4101">OAK-4101</a>).</p>
-<p>The details and effects on other security related modules are described in section <a href="dynamic.html">Dynamic Membership</a>.</p>
-<a name="xml_import"></a>
-#### XML Import
-
+<p>The details and effects on other security related modules are described in section <a href="dynamic.html">Dynamic Membership</a>. </p>
+<p><a name="xml_import"></a></p>
+<div class="section">
+<h4><a name="XML_Import"></a>XML Import</h4>
<p>The protected nature of the <tt>rep:externalPrincipalNames</tt> is also reflected during XML import of user accounts:</p>
<p>External users with a <tt>rep:externalPrincipalNames</tt> property will get regularly imported. However, any non-system driven import will omit the <tt>rep:externalPrincipalNames</tt> and additional remove the <tt>rep:lastSynced</tt> property in order to force a re-sync of the external user by the system upon the next login or when triggered through the JMX console. Depending on the <i>User Dynamic Membership</i> configuration value on the target system the sync will then result in a full sync of group membership or will re-create the <tt>rep:externalPrincipalNames</tt> property.</p>
-<a name="validation"></a>
-#### Validation
-
+<p><a name="validation"></a></p></div>
+<div class="section">
+<h4><a name="Validation"></a>Validation</h4>
<div class="section">
<h5><a name="rep:externalPrincipalNames"></a>rep:externalPrincipalNames</h5>
-<p>As of Oak 1.5.3 a dedicated <tt>Validator</tt> implementation asserts that the protected, system-maintained property <tt>rep:externalPrincipalNames</tt> is only written by the internal system session.</p>
+<p>As of Oak 1.5.3 a dedicated <tt>Validator</tt> implementation asserts that the protected, system-maintained property <tt>rep:externalPrincipalNames</tt> is only written by the internal system session. </p>
<p>This prevents users to unintentionally or maliciously manipulating the information linking to the external identity provider in particular their external identity and the set of external group principals associated with their account.</p>
<p>Additionally the validator asserts the consistency of the properties defined with external user/group accounts.</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Code </th>
-<th> Message </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> 0070 </td>
-<td> Attempt to create, modify or remove the system property ‘rep:externalPrincipalNames’ </td></tr>
-<tr class="a">
-<td> 0071 </td>
-<td> Attempt to write ‘rep:externalPrincipalNames’ with a type other than Type.STRINGS </td></tr>
-<tr class="b">
-<td> 0072 </td>
-<td> Property ‘rep:externalPrincipalNames’ requires ‘rep:externalId’ to be present on the Node. </td></tr>
-<tr class="a">
-<td> 0073 </td>
-<td> Property ‘rep:externalId’ cannot be removed if ‘rep:externalPrincipalNames’ is present. </td></tr>
-</tbody>
+
+<th>Code </th>
+
+<th>Message </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td>0070 </td>
+
+<td>Attempt to create, modify or remove the system property ‘rep:externalPrincipalNames’ </td>
+ </tr>
+
+<tr class="a">
+
+<td>0071 </td>
+
+<td>Attempt to write ‘rep:externalPrincipalNames’ with a type other than Type.STRINGS </td>
+ </tr>
+
+<tr class="b">
+
+<td>0072 </td>
+
+<td>Property ‘rep:externalPrincipalNames’ requires ‘rep:externalId’ to be present on the Node. </td>
+ </tr>
+
+<tr class="a">
+
+<td>0073 </td>
+
+<td>Property ‘rep:externalId’ cannot be removed if ‘rep:externalPrincipalNames’ is present. </td>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h5><a name="rep:externalId"></a>rep:externalId</h5>
<p>If protection of the <tt>rep:externalId</tt> property is enabled (since Oak 1.5.8) the validator performs the following checks:</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Code </th>
-<th> Message </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> 0074 </td>
-<td> Attempt to add, modify or remove the system maintained property ‘rep:externalId’. </td></tr>
-<tr class="a">
-<td> 0075 </td>
-<td> Property ‘rep:externalId’ may only have a single value of type STRING. </td></tr>
-</tbody>
+
+<th>Code </th>
+
+<th>Message </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td>0074 </td>
+
+<td>Attempt to add, modify or remove the system maintained property ‘rep:externalId’. </td>
+ </tr>
+
+<tr class="a">
+
+<td>0075 </td>
+
+<td>Property ‘rep:externalId’ may only have a single value of type STRING. </td>
+ </tr>
+ </tbody>
</table>
-<a name="configuration"></a>
-### Configuration
-</div></div>
+<p><a name="configuration"></a></p></div></div></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
<div class="section">
<h4><a name="Configuration_of_the_DefaultSyncHandler"></a>Configuration of the DefaultSyncHandler</h4>
<p>The default <tt>SyncHandler</tt> implementations are configured via <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a>:</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Name </th>
-<th> Property </th>
-<th> Description </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> Sync Handler Name </td>
-<td> <tt>handler.name</tt> </td>
-<td> Name of this sync configuration. This is used to reference this handler by the login modules. </td></tr>
-<tr class="a">
-<td> User auto membership </td>
-<td> <tt>user.autoMembership</tt> </td>
-<td> List of groups that a synced user is added to automatically </td></tr>
-<tr class="b">
-<td> User Expiration Time </td>
-<td> <tt>user.expirationTime</tt> </td>
-<td> Duration until a synced user gets expired (eg. ‘1h 30m’ or ‘1d’). </td></tr>
-<tr class="a">
-<td> User Membership Expiration </td>
-<td> <tt>user.membershipExpTime</tt> </td>
-<td> Time after which membership expires (eg. ‘1h 30m’ or ‘1d’). </td></tr>
-<tr class="b">
-<td> User membership nesting depth </td>
-<td> <tt>user.membershipNestingDepth</tt> </td>
-<td> Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td></tr>
-<tr class="a">
-<td> User Dynamic Membership </td>
-<td> <tt>user.dynamicMembership</tt> </td>
-<td> Enabling dynamic membership for external users. </td></tr>
-<tr class="b">
-<td> User Path Prefix </td>
-<td> <tt>user.pathPrefix</tt> </td>
-<td> The path prefix used when creating new users. </td></tr>
-<tr class="a">
-<td> User property mapping </td>
-<td> <tt>user.propertyMapping</tt> </td>
-<td> List mapping definition of local properties from external ones. eg: ‘profile/email=mail’.Use double quotes for fixed values. eg: ’profile/nt:primaryType=“nt:unstructured” </td></tr>
-<tr class="b">
-<td> Disable missing users </td>
-<td> <tt>user.disableMissing</tt> </td>
-<td> By default, users that no longer exist on the external provider will be locally removed. Set this property to <tt>true</tt> to <a class="externalLink" href="https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)">disable</a> them instead and have them re-enabled if they become available again. </td></tr>
-<tr class="a">
-<td> Group auto membership </td>
-<td> <tt>group.autoMembership</tt> </td>
-<td> List of groups that a synced group is added to automatically </td></tr>
-<tr class="b">
-<td> Group Expiration Time </td>
-<td> <tt>group.expirationTime</tt> </td>
-<td> Duration until a synced group expires (eg. ‘1h 30m’ or ‘1d’). </td></tr>
-<tr class="a">
-<td> Group Path Prefix </td>
-<td> <tt>group.pathPrefix</tt> </td>
-<td> The path prefix used when creating new groups. </td></tr>
-<tr class="b">
-<td> Group property mapping </td>
-<td> <tt>group.propertyMapping</tt> </td>
-<td> List mapping definition of local properties from external ones. </td></tr>
+
+<th>Name </th>
+
+<th>Property </th>
+
+<th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td>Sync Handler Name </td>
+
+<td><tt>handler.name</tt> </td>
+
+<td>Name of this sync configuration. This is used to reference this handler by the login modules. </td>
+ </tr>
+
+<tr class="a">
+
+<td>User auto membership </td>
+
+<td><tt>user.autoMembership</tt> </td>
+
+<td>List of groups that a synced user is added to automatically </td>
+ </tr>
+
+<tr class="b">
+
+<td>User Expiration Time </td>
+
+<td><tt>user.expirationTime</tt> </td>
+
+<td>Duration until a synced user gets expired (eg. ‘1h 30m’ or ‘1d’). </td>
+ </tr>
+
+<tr class="a">
+
+<td>User Membership Expiration </td>
+
+<td><tt>user.membershipExpTime</tt> </td>
+
+<td>Time after which membership expires (eg. ‘1h 30m’ or ‘1d’). </td>
+ </tr>
+
+<tr class="b">
+
+<td>User membership nesting depth </td>
+
+<td><tt>user.membershipNestingDepth</tt> </td>
+
+<td>Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td>
+ </tr>
+
+<tr class="a">
+
+<td>User Dynamic Membership </td>
+
+<td><tt>user.dynamicMembership</tt> </td>
+
+<td>Enabling dynamic membership for external users. </td>
+ </tr>
+
+<tr class="b">
+
+<td>User Path Prefix </td>
+
+<td><tt>user.pathPrefix</tt> </td>
+
+<td>The path prefix used when creating new users. </td>
+ </tr>
+
+<tr class="a">
+
+<td>User property mapping </td>
+
+<td><tt>user.propertyMapping</tt> </td>
+
+<td>List mapping definition of local properties from external ones. eg: ‘profile/email=mail’.Use double quotes for fixed values. eg: ’profile/nt:primaryType=“nt:unstructured” </td>
+ </tr>
+
+<tr class="b">
+
+<td>Disable missing users </td>
+
+<td><tt>user.disableMissing</tt> </td>
+
+<td>By default, users that no longer exist on the external provider will be locally removed. Set this property to <tt>true</tt> to [disable](<a class="externalLink" href="https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)">https://jackrabbit.apache.org/api/2.8/org/apache/jackrabbit/api/security/user/User.html#disable(java.lang.String)</a>) them instead and have them re-enabled if they become available again. </td>
+ </tr>
+
+<tr class="a">
+
+<td>Group auto membership </td>
+
+<td><tt>group.autoMembership</tt> </td>
+
+<td>List of groups that a synced group is added to automatically </td>
+ </tr>
+
+<tr class="b">
+
+<td>Group Expiration Time </td>
+
+<td><tt>group.expirationTime</tt> </td>
+
+<td>Duration until a synced group expires (eg. ‘1h 30m’ or ‘1d’). </td>
+ </tr>
+
+<tr class="a">
+
+<td>Group Path Prefix </td>
+
+<td><tt>group.pathPrefix</tt> </td>
+
+<td>The path prefix used when creating new groups. </td>
+ </tr>
+
+<tr class="b">
+
+<td>Group property mapping </td>
+
+<td><tt>group.propertyMapping</tt> </td>
+
+<td>List mapping definition of local properties from external ones. </td>
+ </tr>
+
<tr class="a">
+
+<td> </td>
+
<td> </td>
+
<td> </td>
-<td> </td></tr>
-</tbody>
+ </tr>
+ </tbody>
</table></div>
<div class="section">
<h4><a name="Configuration_of_the_Apache_Jackrabbit_Oak_External_PrincipalConfiguration"></a>Configuration of the ‘Apache Jackrabbit Oak External PrincipalConfiguration’</h4>
@@ -433,25 +532,41 @@
<p>The recommended way to assert a proper init, is to add ‘org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration’ as additional value to the <tt>requiredServicePids</tt> configuration option of the <tt>SecurityProviderRegistration</tt> <i>(“Apache Jackrabbit Oak SecurityProvider”)</i>.</p>
<p>See section <a href="../../introduction.html">Introduction to Oak Security</a> for further details on the <tt>SecurityProviderRegistration</tt>.</p>
<p>The <tt>ExternalPrincipalConfiguration</tt> defines the following configuration options:</p>
-<table border="0" class="table table-striped">
-<thead>
+<table border="0" class="table table-striped">
+ <thead>
+
<tr class="a">
-<th> Name </th>
-<th> Property </th>
-<th> Description </th></tr>
-</thead><tbody>
-
-<tr class="b">
-<td> External Identity Protection </td>
-<td> <tt>protectExternalId</tt> </td>
-<td> Enables protection of the system maintained <tt>rep:externalId</tt> properties </td></tr>
+
+<th>Name </th>
+
+<th>Property </th>
+
+<th>Description </th>
+ </tr>
+ </thead>
+ <tbody>
+
+<tr class="b">
+
+<td>External Identity Protection </td>
+
+<td><tt>protectExternalId</tt> </td>
+
+<td>Enables protection of the system maintained <tt>rep:externalId</tt> properties </td>
+ </tr>
+
<tr class="a">
+
<td> </td>
+
<td> </td>
-<td> </td></tr>
-</tbody>
-</table><!-- references --></div></div></div>
+
+<td> </td>
+ </tr>
+ </tbody>
+</table>
+<!-- references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html?rev=1846222&r1=1846221&r2=1846222&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/external/dynamic.html Fri Nov 9 09:44:19 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-09-19
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180919" />
+ <meta name="Date-Revision-yyyymmdd" content="20180221" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User and Group Synchronization : Dynamic Membership</title>
<link rel="stylesheet" href="../../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -67,12 +66,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li class="dropdown-submenu">
-<a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
- <ul class="dropdown-menu">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
<li class="dropdown-submenu">
<a href="../../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -142,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-09-19<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -161,14 +155,12 @@
<li><a href="../../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
- <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
- <li><a href="../../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -179,11 +171,7 @@
<li><a href="../../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
- <ul class="nav nav-list">
- <li><a href="../../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
- </ul>
- </li>
+ <li><a href="../../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
<li><a href="../../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -251,16 +239,18 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
--->
-<div class="section">
+--><div class="section">
<h2><a name="User_and_Group_Synchronization_:_Dynamic_Membership"></a>User and Group Synchronization : Dynamic Membership</h2>
-<p>As of Oak 1.5.3 the default sync handler comes with an additional configuration option (see section <a href="defaultusersync.html#configuration">Configuration</a> that allows to enable dynamic group membership resolution for external users.</p>
+<p>As of Oak 1.5.3 the default sync handler comes with an additional configuration option (see section <a href="defaultusersync.html#configuration">Configuration</a> that allows to enable dynamic group membership resolution for external users. </p>
<p>Enabling dynamic membership in the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncConfig.html">DefaultSyncConfig</a> will change the way external groups are synchronized (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4101">OAK-4101</a>) and how automatic group membership is being handled (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4087">OAK-4087</a>)</p>
<p>The key benefits of dynamic membership resolution are:</p>
-<ul>
+<ul>
+
<li>avoiding duplicate user management effort wrt to membership handling both in the external IDP and the repository</li>
+
<li>avoid storing/updating auto-membership which is assigned to all external users</li>
+
<li>ease principal resolution upon repository login</li>
</ul>
<div class="section">
@@ -269,38 +259,49 @@
<p>With the default <tt>SyncHandler</tt> this configuration option will show the following effects:</p>
<div class="section">
<h5><a name="External_Groups"></a>External Groups</h5>
-<ul>
+<ul>
+
<li>If enabled the handler will use an alternative <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncContext.html">SyncContext</a> to synchronize external groups (<tt>DynamicSyncContext</tt>).</li>
-<li>Instead of synchronizing groups into the user management, this <tt>DynamicSyncContext</tt> will additionally set the property <tt>rep:externalPrincipalNames</tt> on the synchronized external user</li>
-<li><tt>rep:externalPrincipalNames</tt> is a system maintained multivalued property of type ‘STRING’ storing the names of the <tt>java.security.acl.Group</tt>-principals a given external user is member of (both declared and inherited according to the configured membership nesting depth)</li>
-<li>External groups will no longer be synchronised into the repository’s user management but will only be available as <tt>Principal</tt>s (see section <i>User Management</i> below).</li>
+
+<li>Instead of synchronizing groups into the user management, this <tt>DynamicSyncContext</tt> will additionally set the property <tt>rep:externalPrincipalNames</tt> on the synchronized external user</li>
+
+<li><tt>rep:externalPrincipalNames</tt> is a system maintained multivalued property of type ‘STRING’ storing the names of the <tt>java.security.acl.Group</tt>-principals a given external user is member of (both declared and inherited according to the configured membership nesting depth)</li>
+
+<li>External groups will no longer be synchronised into the repository’s user management but will only be available as <tt>Principal</tt>s (see section <i>User Management</i> below).</li>
</ul>
<p>Note: as a further improvement the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/PrincipalNameResolver.html">PrincipalNameResolver</a> interface was introduced in Oak 1.6.1 to allow for optimized resolution of a principal names from a given <tt>ExternalIdentityRef</tt>. In order to benefit from that shortcut a given implementation of <tt>ExternalIdentityProvider</tt> needs to also implement <tt>PrincipalNameResolver</tt>. See also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5210">OAK-5210</a>.</p></div>
<div class="section">
<h5><a name="Automatic_Membership"></a>Automatic Membership</h5>
-<ul>
+<ul>
+
<li>If enabled automatic membership assignment for existing, local groups will not longer be written to the repository</li>
-<li>Instead the <tt>ExternalPrincipalConfiguration</tt> <i>(“Apache Jackrabbit Oak External PrincipalConfiguration”)</i> will keep track of the mapping between registered <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a>s (i.e. auto-membership configuration) and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>s. This allows to determine auto-membership based on the <tt>rep:externalId</tt> stored with the user accounts.</li>
-<li>The <tt>PrincipalProvider</tt> associated with this dedicated principal configuration will expand the collection of <tt>Principal</tt>s generated for the following calls with the automatically assigned principals:
+
+<li>Instead the <tt>ExternalPrincipalConfiguration</tt> <i>(“Apache Jackrabbit Oak External PrincipalConfiguration”)</i> will keep track of the mapping between registered <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html">SyncHandler</a>s (i.e. auto-membership configuration) and <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html">ExternalIdentityProvider</a>s. This allows to determine auto-membership based on the <tt>rep:externalId</tt> stored with the user accounts.</li>
+
+<li>The <tt>PrincipalProvider</tt> associated with this dedicated principal configuration will expand the collection of <tt>Principal</tt>s generated for the following calls with the automatically assigned principals:
+
<ul>
-
+
<li><tt>PrincipalProvider.getGroupMembership(Principal)</tt></li>
+
<li><tt>PrincipalProvider.getPrincipals(String)</tt></li>
-</ul>
-</li>
-<li>Configured auto-membership groupIds that cannot be resolved to an existing <tt>o.a.j.api.security.user.Group</tt> will be ignored in accordance to the default behavior.</li>
-<li>Consequently, the <tt>PrincipalProvider</tt> relies on other <tt>PrincipalProvider</tt> implementations to <i>own</i> these group principals and will not expose them upon other calls (e.g. <tt>PrincipalProvider.getPrincipal(String)</tt>.</li>
-<li>Any changes to the auto-membership configuration will be immediately reflected to new instances of the <tt>PrincipalProvider</tt>.</li>
-<li>Note, that in the initial version (Oak 1.6) only the <tt>user.autoMembership</tt> configuration is respected (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5194">OAK-5194</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5195">OAK-5195</a>)</li>
+ </ul></li>
+
+<li>Configured auto-membership groupIds that cannot be resolved to an existing <tt>o.a.j.api.security.user.Group</tt> will be ignored in accordance to the default behavior.</li>
+
+<li>Consequently, the <tt>PrincipalProvider</tt> relies on other <tt>PrincipalProvider</tt> implementations to <i>own</i> these group principals and will not expose them upon other calls (e.g. <tt>PrincipalProvider.getPrincipal(String)</tt>.</li>
+
+<li>Any changes to the auto-membership configuration will be immediately reflected to new instances of the <tt>PrincipalProvider</tt>.</li>
+
+<li>Note, that in the initial version (Oak 1.6) only the <tt>user.autoMembership</tt> configuration is respected (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5194">OAK-5194</a> and <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-5195">OAK-5195</a>)</li>
</ul></div></div>
<div class="section">
<h4><a name="Effect_of_Dynamic_Membership_on_other_Security_Modules"></a>Effect of Dynamic Membership on other Security Modules</h4>
<div class="section">
<h5><a name="Principal_Management"></a>Principal Management</h5>
-<p>The dynamic (principal) membership features comes with a dedicated <tt>PrincipalConfiguration</tt> implementation (i.e. [ExternalPrincipalConfiguration]) that is in charge of securing<br />
-the <tt>rep:externalPrincipalNames</tt> properties (see also section <a href="defaultusersync.html#validation">Validation</a> and <a href="defaultusersync.html#configuration">Configuration</a>).</p>
+<p>The dynamic (principal) membership features comes with a dedicated <tt>PrincipalConfiguration</tt> implementation (i.e. [ExternalPrincipalConfiguration]) that is in charge of securing<br />the <tt>rep:externalPrincipalNames</tt> properties (see also section <a href="defaultusersync.html#validation">Validation</a> and <a href="defaultusersync.html#configuration">Configuration</a>). </p>
<p>Additionally the [ExternalPrincipalConfiguration] provides a <tt>PrincipalProvider</tt> implementation which makes external (group) principals available to the repository’s authentication and authorization using the <tt>rep:externalPrincipalNames</tt> as a persistent cache to avoid expensive lookup on the IDP. This also makes external <tt>Principal</tt>s retrievable and searchable through the Jackrabbit principal management API (see section <a href="../../principal.html">Principal Management</a> for a comprehensive description).</p>
<p>Please note the following implementation detail wrt accessibility of group principals: A given external principal will be accessible though the principal management API if it can be read from any of the <tt>rep:externalPrincipalNames</tt> properties present using a dedicated query.</p></div>
<div class="section">
@@ -313,7 +314,8 @@ the <tt>rep:externalPrincipalNames</tt>
<p>The authentication setup provided by Oak is not affected by the dynamic membership handling as long as the configured <tt>LoginModule</tt> implementations rely on the <tt>PrincipalProvider</tt> for principal resolution and the <tt>ExternalPrincipalConfiguration</tt> <i>(“Apache Jackrabbit Oak External PrincipalConfiguration”)</i> is properly registered with the <tt>SecurityProvider</tt> (see section <a href="defaultusersync.html#configuration">Configuration</a>).</p></div>
<div class="section">
<h5><a name="Authorization"></a>Authorization</h5>
-<p>The authorization modules shipped with Oak only depend on <tt>Principal</tt>s (and not on user management functionality) and are therefore not affected by the dynamic membership configuration.</p><!-- references --></div></div></div></div>
+<p>The authorization modules shipped with Oak only depend on <tt>Principal</tt>s (and not on user management functionality) and are therefore not affected by the dynamic membership configuration.</p>
+<!-- references --></div></div></div></div>
</div>
</div>
</div>