You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by mr...@apache.org on 2018/07/09 08:53:19 UTC
svn commit: r1835390 [22/23] - in /jackrabbit/site/live/oak/docs: ./
architecture/ coldstandby/ features/ nodestore/ nodestore/document/
nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/
security/accesscontrol/ security/authentication...
Modified: jackrabbit/site/live/oak/docs/security/user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user.html (original)
+++ jackrabbit/site/live/oak/docs/security/user.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,125 +240,103 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
-<h2><a name="User_Management"></a>User Management</h2>
-<p><a name="jcr_api"></a></p>
+-->
<div class="section">
-<h3><a name="JCR_API"></a>JCR API</h3>
+<h2><a name="User_Management"></a>User Management</h2>
+<a name="jcr_api"></a>
+### JCR API
+
<p>JCR itself doesn’t come with a dedicated user management API. The only method related and ultimately used for user management tasks is <tt>Session.getUserID()</tt>. Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.</p>
-<p><a name="jackrabbit_api"></a></p></div>
-<div class="section">
-<h3><a name="Jackrabbit_API"></a>Jackrabbit API</h3>
-<p>The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user’ package space:</p>
+<a name="jackrabbit_api"></a>
+### Jackrabbit API
+<p>The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user’ package space:</p>
<ul>
-
+
<li><tt>UserManager</tt></li>
-
<li><tt>Authorizable</tt>
-
<ul>
-
+
<li><tt>User</tt></li>
-
<li><tt>Group</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li><tt>Impersonation</tt></li>
-
<li><tt>QueryBuilder</tt>
-
<ul>
-
+
<li><tt>Query</tt></li>
- </ul></li>
</ul>
-<p><a name="api_extensions"></a></p></div>
-<div class="section">
-<h3><a name="API_Extensions"></a>API Extensions</h3>
-<p>The Oak project introduces the following user management related public interfaces and classes:</p>
+</li>
+</ul>
+<a name="api_extensions"></a>
+### API Extensions
+<p>The Oak project introduces the following user management related public interfaces and classes:</p>
<ul>
-
+
<li><tt>AuthorizableType</tt>: ease handling with the different authorizable types.</li>
-
<li><tt>AuthorizableAction</tt> and <tt>AuthorizableActionProvider</tt>: see <a href="user/authorizableaction.html">Authorizable Actions</a> for details.</li>
-
-<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
-
+<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
<li><tt>GroupAction</tt> (via <tt>AuthorizableActionProvider</tt>): see <a href="user/groupaction.html">Group Actions</a> for details.</li>
-
<li><tt>UserAuthenticationFactory</tt>: see sections <a href="user/default.html#pluggability">pluggability</a> and <a href="authentication/default.html#user_authentication">user authentication</a> for additional details.</li>
</ul>
-<p><a name="utilities"></a></p></div>
-<div class="section">
-<h3><a name="Utilities"></a>Utilities</h3>
-<p><tt>org.apache.jackrabbit.oak.spi.security.user.*</tt></p>
+<a name="utilities"></a>
+### Utilities
+<p><tt>org.apache.jackrabbit.oak.spi.security.user.*</tt></p>
<ul>
-
+
<li><tt>UserConstants</tt> : Constants (NOTE: OAK names/paths)</li>
-
<li><tt>UserIdCredentials</tt> : Simple credentials implementation that might be used for `User.getCredentials’ without exposing pw information.</li>
</ul>
<p><tt>org.apache.jackrabbit.oak.spi.security.user.util.*</tt></p>
-
<ul>
-
-<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.</li>
-
+
+<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.</li>
<li><tt>UserUtil</tt> : Utilities related to general user management tasks.</li>
</ul>
-<p><a name="default_implementation"></a></p></div>
-<div class="section">
-<h3><a name="Oak_User_Management_Implementation"></a>Oak User Management Implementation</h3>
+<a name="default_implementation"></a>
+### Oak User Management Implementation
+
<p>The behavior of the default user management implementation is described in section <a href="user/default.html">User Management: The Default Implementation</a>.</p>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
-<p>The Oak user management comes with a dedicated entry point called <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a>. This class is responsible for passing configuration options to the implementation and provides the following two methods:</p>
+<a name="configuration"></a>
+### Configuration
+<p>The Oak user management comes with a dedicated entry point called <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a>. This class is responsible for passing configuration options to the implementation and provides the following two methods:</p>
<ul>
-
+
<li><tt>getUserManager(Root, NamePathMapper)</tt>: get a new <tt>UserManager</tt> instance</li>
-
<li><tt>getUserPrincipalProvider(Root, NamePathMapper)</tt>: optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).</li>
</ul>
<div class="section">
+<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
<p>The supported configuration options of the default implementation are described in the corresponding <a href="user/default.html#configuration">section</a>.</p>
-<p><a name="pluggability"></a></p></div></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
+<a name="pluggability"></a>
+### Pluggability
+
<p>The default security setup as present with Oak 1.0 is able to have the default user management implementation replaced as follows:</p>
<p>The complete user management implementation can be changed by plugging a different <tt>UserConfiguration</tt> implementations. In OSGi-base setup this is achieved by making the configuration a service which must take precedence over the default. In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</p>
<p>Alternatively the default user management implementation can be extended and adjusted using various means. See the corresponding <a href="user/default.html#pluggability">section</a> for further details.</p>
-<p><a name="further_reading"></a></p></div>
-<div class="section">
-<h3><a name="Further_Reading"></a>Further Reading</h3>
+<a name="further_reading"></a>
+### Further Reading
<ul>
-
+
<li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
-
<li><a href="user/default.html">User Management : The Default Implementation</a>
-
<ul>
-
+
<li><a href="user/membership.html">Group Membership</a></li>
-
<li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
-
<li><a href="user/authorizablenodename.html">Authorizable Node Name</a></li>
-
<li><a href="user/expiry.html">Password Expiry and Force Initial Password Change</a></li>
-
<li><a href="user/history.html">Password History</a></li>
- </ul></li>
-
-<li><a href="user/query.html">Searching Users and Groups</a></li>
</ul>
-<!-- hidden references --></div></div>
+</li>
+<li><a href="user/query.html">Searching Users and Groups</a></li>
+</ul><!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/authorizableaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizableaction.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizableaction.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizableaction.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authorizable Actions</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,29 +240,25 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<h2><a name="Authorizable_Actions"></a>Authorizable Actions</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>Oak 1.0 comes with a extension to the Jackrabbit user management API that allows to perform additional actions or validations upon common user management tasks such as</p>
-
<ul>
-
+
<li>create authorizables</li>
-
<li>remove authorizables</li>
-
<li>change a user’s password</li>
</ul>
<p>Similar functionality has been present in Jackrabbit 2.x as internal interface. Compared to the Jackrabbit interface the new <tt>AuthorizableAction</tt> has been slightly adjusted to match Oak requirements operate directly on the Oak API, which eases the handling of implementation specific tasks such as writing protected items.</p></div>
<div class="section">
<h3><a name="AuthorizableAction_API"></a>AuthorizableAction API</h3>
<p>The following public interfaces are provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user.action</tt>:</p>
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.html">AuthorizableAction</a></li>
-
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableActionProvider.html">AuthorizableActionProvider</a></li>
</ul>
<p>The <tt>AuthorizableAction</tt> interface itself allows to perform validations or write additional application specific content while executing user management related write operations. Therefore these actions are executed as part of the transient user management modifications. This contrasts to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s which in turn are only triggered once modifications are persisted.</p>
@@ -271,36 +267,27 @@
<div class="section">
<h3><a name="Default_Implementations"></a>Default Implementations</h3>
<p>Oak 1.0 provides the following base implementations:</p>
-
<ul>
-
+
<li><tt>AbstractAuthorizableAction</tt>: abstract base implementation that doesn’t perform any action.</li>
-
<li><tt>DefaultAuthorizableActionProvider</tt>: default action provider service that allows to enable the built-in actions provided with oak.</li>
-
<li><tt>CompositeActionProvider</tt>: Allows to aggregate multiple provider implementations.</li>
</ul>
<div class="section">
<h4><a name="Changes_wrt_Jackrabbit_2.x"></a>Changes wrt Jackrabbit 2.x</h4>
-
<ul>
-
+
<li>actions no longer operate on JCR API but rather on the Oak API direct.</li>
-
<li>provider interface simplifies pluggability</li>
</ul></div>
<div class="section">
<h4><a name="Built-in_AuthorizableAction_Implementations"></a>Built-in AuthorizableAction Implementations</h4>
<p>The following implementations of the <tt>AuthorizableAction</tt> interface are provided:</p>
-
<ul>
-
+
<li><tt>AccessControlAction</tt>: set up permission for new authorizables</li>
-
<li><tt>PasswordValidationAction</tt>: simplistic password verification upon user creation and password modification</li>
-
<li><tt>PasswordChangeAction</tt>: verifies that the new password is different from the old one</li>
-
<li><tt>ClearMembershipAction</tt>: clear group membership upon removal of an authorizable.</li>
</ul>
<p>As in Jackrabbit 2.x the actions are executed with the editing session and the target operation will fail if any of the configured actions fails (e.g. due to insufficient permissions by the editing Oak ContentSession).</p></div></div>
@@ -308,11 +295,9 @@
<h3><a name="Pluggability"></a>Pluggability</h3>
<p>The default security setup as present with Oak 1.0 is able to provide custom <tt>AuthorizableActionProvider</tt> implementations and will automatically combine the different implementations using the <tt>CompositeActionProvider</tt>.</p>
<p>In an OSGi setup the following steps are required in order to add an action provider implementation:</p>
-
<ul>
-
+
<li>implement <tt>AuthorizableActionProvider</tt> interface exposing your custom action(s).</li>
-
<li>make the provider implementation an OSGi service and make it available to the Oak repository.</li>
</ul>
<div class="section">
@@ -321,8 +306,9 @@
<div class="section">
<h6><a name="Example_Action_Provider"></a>Example Action Provider</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">@Component()
+<div>
+<div>
+<pre class="source">@Component()
@Service(AuthorizableActionProvider.class)
public class MyAuthorizableActionProvider implements AuthorizableActionProvider {
@@ -361,13 +347,15 @@ public class MyAuthorizableActionProvide
config = ConfigurationParameters.of(properties);
}
}
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h6><a name="Example_Action"></a>Example Action</h6>
<p>This example action generates additional child nodes upon user/group creation that will later be used to store various target-specific profile information:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">class ProfileAction extends AbstractAuthorizableAction {
+<div>
+<div>
+<pre class="source">class ProfileAction extends AbstractAuthorizableAction {
private final String publicName;
private final String privateName;
@@ -404,12 +392,14 @@ public class MyAuthorizableActionProvide
}
}
}
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h6><a name="Example_Non-OSGI_Setup"></a>Example Non-OSGI Setup</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">Map<String, Object> userParams = new HashMap<String, Object>();
+<div>
+<div>
+<pre class="source">Map<String, Object> userParams = new HashMap<String, Object>();
userParams.put(UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER, new MyAuthorizableActionProvider());
ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams)));
SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build();
Modified: jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Authorizable Node Name Generation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,55 +240,48 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<h2><a name="Authorizable_Node_Name_Generation"></a>Authorizable Node Name Generation</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>Oak 1.0 comes with a extension to the Jackrabbit user management API that allows to change the way how the name of an authorizable node is being generated.</p>
<p>As in Jackrabbit 2.x the target ID is used as name-hint by default. In order to prevent exposing identifier related information in the path of the authorizable node, it it’s desirable to change this default behavior by plugging a different implementation of the <tt>AuthorizableNodeName</tt> interface.</p>
-
<ul>
-
-<li><tt>AuthorizableNodeName</tt> : Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository.</li>
+
+<li><tt>AuthorizableNodeName</tt> : Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository.</li>
</ul>
<p>In the default implementation the corresponding configuration parameter is <tt>PARAM_AUTHORIZABLE_NODE_NAME</tt>. The default name generator can be replace by installing an OSGi service that implementations the <tt>AuthorizableNodeName</tt> interface. In a non-OSGi setup the user configuration must be initialized with configuration parameters that provide the custom generator implementation.</p></div>
<div class="section">
<h3><a name="AuthorizableNodeName_API"></a>AuthorizableNodeName API</h3>
<p>The following public interfaces are provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user</tt>:</p>
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/AuthorizableNodeName.html">AuthorizableNodeName</a></li>
</ul>
<p>The <tt>AuthorizableNodeName</tt> interface itself defines single method that allows to generate a valid JCR name for a given authorizable ID.</p>
<div class="section">
<h4><a name="Changes_wrt_Jackrabbit_2.x"></a>Changes wrt Jackrabbit 2.x</h4>
-
<ul>
-
-<li>The generation of the node name is a configuration option of the default user management implementation.</li>
-
-<li>In an OSGi-based setup the default can be changed at runtime by plugging a different implementation. E.g. the <tt>RandomAuthorizableNodeName</tt> component can easily be enabled by providing the required configuration.</li>
+
+<li>The generation of the node name is a configuration option of the default user management implementation.</li>
+<li>In an OSGi-based setup the default can be changed at runtime by plugging a different implementation. E.g. the <tt>RandomAuthorizableNodeName</tt> component can easily be enabled by providing the required configuration.</li>
</ul></div>
<div class="section">
<h4><a name="Built-in_AuthorizableAction_Implementations"></a>Built-in AuthorizableAction Implementations</h4>
<p>Oak 1.0 provides the following base implementations:</p>
-
<ul>
-
-<li><tt>AuthorizableNodeName.Default</tt>: Backwards compatible implementation that uses the authorizable ID as name hint.</li>
-
+
+<li><tt>AuthorizableNodeName.Default</tt>: Backwards compatible implementation that uses the authorizable ID as name hint.</li>
<li><tt>RandomAuthorizableNodeName</tt>: Generating a random JCR name (see <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/user/RandomAuthorizableNodeName.html">RandomAuthorizableNodeName</a>.java).</li>
</ul></div></div>
<div class="section">
<h3><a name="Pluggability"></a>Pluggability</h3>
<p>The default security setup as present with Oak 1.0 can be run with a custom <tt>RandomAuthorizableNodeName</tt> implementations.</p>
<p>In an OSGi setup the following steps are required in order to add a different implementation:</p>
-
<ul>
-
+
<li>implement <tt>AuthorizableNodeName</tt> interface.</li>
-
<li>make the implementation an OSGi service and make it available to the Oak repository.</li>
</ul>
<div class="section">
@@ -298,8 +291,9 @@
<h6><a name="Example_AuthorizableNodeName"></a>Example AuthorizableNodeName</h6>
<p>In an OSGi-based setup it’s sufficient to make the service available to the repository in order to enable this custom node name generator.</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">@Component
+<div>
+<div>
+<pre class="source">@Component
@Service(value = {AuthorizableNodeName.class})
/**
* Custom implementation of the {@code AuthorizableNodeName} interface
@@ -314,10 +308,12 @@ final class UUIDNodeName implements Auth
}
}
</pre></div></div>
+
<p>In a non-OSGi setup this custom name generator can be plugged by making it available to the user configuration as follows:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">Map<String, Object> userParams = new HashMap<String, Object>();
+<div>
+<div>
+<pre class="source">Map<String, Object> userParams = new HashMap<String, Object>();
userParams.put(UserConstants.PARAM_AUTHORIZABLE_NODE_NAME, new UUIDNodeName());
ConfigurationParameters config = ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams)));
SecurityProvider securityProvider = SecurityProviderBuilder.newBuilder().with(config).build();
Modified: jackrabbit/site/live/oak/docs/security/user/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/default.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/default.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management : The Default Implementation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,22 +240,19 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="User_Management_:_The_Default_Implementation"></a>User Management : The Default Implementation</h2>
<div class="section">
<h3><a name="General_Notes"></a>General Notes</h3>
<p>The default user management implementation stores user/group information in the content repository. In contrast to Jackrabbit 2.x, which by default used a single, dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace.</p>
<p>Consequently the <tt>UserManager</tt> associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x <tt>UserPerWorkspaceUserManager</tt>).</p>
-
<ul>
-
-<li>The Oak implementation is build on the Oak API. This allows for double usage as extension to the JCR API as well as within the Oak layer (aka SPI).</li>
-
-<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing <tt>Session</tt> from which the class has been obtained.</li>
-
+
+<li>The Oak implementation is build on the Oak API. This allows for double usage as extension to the JCR API as well as within the Oak layer (aka SPI).</li>
+<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing <tt>Session</tt> from which the class has been obtained.</li>
<li>Changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
-
-<li>In case of any failure during user management related write operations the API consumer is in charge of specifically revert pending or invalid transient modifications or calling <tt>Session#refresh(false)</tt>.</li>
+<li>In case of any failure during user management related write operations the API consumer is in charge of specifically revert pending or invalid transient modifications or calling <tt>Session#refresh(false)</tt>.</li>
</ul></div>
<div class="section">
<h3><a name="Differences_wrt_Jackrabbit_2.x"></a>Differences wrt Jackrabbit 2.x</h3>
@@ -273,9 +270,11 @@
<p>In contrast to Jackrabbit 2.x the anonymous (or guest) user is optional. Creation will be skipped if the value of the <tt>PARAM_ANONYMOUS_ID</tt> configuration parameter is <tt>null</tt> or empty.</p>
<p>Note, that the anonymous user will always be created without specifying a password in order to prevent regular login with <tt>SimpleCredentials</tt>. The proper way to obtain a guest session is:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">Repository#login(new GuestCredentials(), wspName);
+<div>
+<div>
+<pre class="source">Repository#login(new GuestCredentials(), wspName);
</pre></div></div>
+
<p>See section <a href="../authentication.html">Authentication</a> for further information about guest login.</p></div></div>
<div class="section">
<h4><a name="Everyone_Group"></a>Everyone Group</h4>
@@ -287,19 +286,13 @@
<h4><a name="Reading_Authorizables"></a>Reading Authorizables</h4>
<div class="section">
<h5><a name="Handling_of_the_Authorizable_ID"></a>Handling of the Authorizable ID</h5>
-
<ul>
-
+
<li>As of Oak 1.0 the node type definition of <tt>rep:Authorizable</tt> defines a new property <tt>rep:authorizableId</tt> which is intended to store the ID of a user or group.</li>
-
<li>This property is protected and system maintained and cannot be changed after creation through user management API calls.</li>
-
<li>The default implementation comes with a dedicated property index for <tt>rep:authorizableId</tt> which asserts the uniqueness of that ID.</li>
-
<li>For backwards compatibility with Jackrabbit 2.x the ID specified during creation is also reflected in the <tt>jcr:uuid</tt> (protected and mandatory), which is used for the lookup.</li>
-
<li><tt>Authorizable#getID</tt> returns the string value contained in <tt>rep:authorizableID</tt> and for backwards compatibility falls back on the node name in case the <tt>rep:authorizableId</tt> property is missing.</li>
-
<li>The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface (see configuration section below). By default it uses the ID as name hint and includes a conversion to a valid JCR node name.</li>
</ul></div>
<div class="section">
@@ -307,16 +300,14 @@
<p>The implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for user and groups slightly differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</p></div></div>
<div class="section">
<h4><a name="Creating_Authorizables"></a>Creating Authorizables</h4>
-
<ul>
-
+
<li>The <tt>rep:password</tt> property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that <tt>User#changePassword</tt> does not allow to remove the password property.</li>
-
<li>Since version 1.1.0 Oak supports the new API to create dedicated system users <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3802">JCR-3802</a>.</li>
</ul>
-<p><a name="query"></a></p></div>
-<div class="section">
-<h4><a name="Searching"></a>Searching</h4></div>
+<a name="query"></a>
+#### Searching
+</div>
<div class="section">
<h4><a name="XPathQueryBuilder"></a>XPathQueryBuilder</h4>
<p>Oak 1.0 comes with a default XPATH based implementation of the <tt>QueryBuilder</tt> interface which is passed to the query upon calling <tt>UserManager#findAuthorizables(Query)</tt>.</p></div>
@@ -326,22 +317,18 @@
<div class="section">
<h4><a name="Autosave_Behavior"></a>Autosave Behavior</h4>
<p>Due to the nature of the UserManager (see above) we decided to drop the auto-save behavior in the default implementation present with OAK. Consequently,</p>
-
<ul>
-
+
<li><tt>UserManager#autoSave(boolean)</tt> throws <tt>UnsupportedRepositoryOperationException</tt></li>
-
<li><tt>UserManager#isAutoSave()</tt> always returns <tt>false</tt></li>
</ul>
<p>See also <tt>PARAM_SUPPORT_AUTOSAVE</tt> below; while this should not be needed if application code has been written against the Jackrabbit API (and thus testing if auto-save mode is enabled or not) this configuration option can be used as last resort.</p></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
<p>As of Oak 1.0 user and group nodes can be imported both with Session and Workspace import. Other differences compared to Jackrabbit 2.x:</p>
-
<ul>
-
+
<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
-
<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
</ul></div>
<div class="section">
@@ -352,13 +339,14 @@
<h4><a name="Password_History"></a>Password History</h4>
<p>Since Oak 1.3.3 the default user management implementation provides password history support. By default this feature is disabled.</p>
<p>See section <a href="history.html">Password History</a> for details.</p>
-<p><a name="representation"></a></p></div></div>
-<div class="section">
-<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
+<a name="representation"></a>
+### Representation in the Repository
+
<p>The following block lists the built-in node types related to user management tasks:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:Authorizable] > mix:referenceable, nt:hierarchyNode
+<div>
+<div>
+<pre class="source">[rep:Authorizable] > mix:referenceable, nt:hierarchyNode
abstract
+ * (nt:base) = nt:unstructured VERSION
- rep:principalName (STRING) protected mandatory
@@ -376,7 +364,7 @@
[rep:Impersonatable]
mixin
- rep:impersonators (STRING) protected multiple
-
+
/* @since oak 1.1.0 */
[rep:Password]
- * (UNDEFINED) protected
@@ -398,363 +386,196 @@
/* @since oak 1.0 */
[rep:MemberReferencesList]
+ * (rep:MemberReferences) = rep:MemberReferences protected COPY
-
+
/* @deprecated since oak 1.0 */
[rep:Members]
orderable
+ * (rep:Members) = rep:Members protected multiple
- * (WEAKREFERENCE) protected < 'rep:Authorizable'
</pre></div></div>
-<p><a name="validation"></a></p></div>
-<div class="section">
-<h3><a name="Validation"></a>Validation</h3>
-<p>The consistency of this content structure is asserted by a dedicated <tt>UserValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
+<a name="validation"></a>
+### Validation
+<p>The consistency of this content structure is asserted by a dedicated <tt>UserValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Code </th>
-
-<th>Message </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Code </th>
+<th> Message </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td>0020 </td>
-
-<td>Admin user cannot be disabled </td>
- </tr>
-
+<td> 0020 </td>
+<td> Admin user cannot be disabled </td></tr>
<tr class="a">
-
-<td>0021 </td>
-
-<td>Invalid jcr:uuid for authorizable (creation) </td>
- </tr>
-
+<td> 0021 </td>
+<td> Invalid jcr:uuid for authorizable (creation) </td></tr>
<tr class="b">
-
-<td>0022 </td>
-
-<td>Changing Id, principal name after creation </td>
- </tr>
-
+<td> 0022 </td>
+<td> Changing Id, principal name after creation </td></tr>
<tr class="a">
-
-<td>0023 </td>
-
-<td>Invalid jcr:uuid for authorizable (mod) </td>
- </tr>
-
+<td> 0023 </td>
+<td> Invalid jcr:uuid for authorizable (mod) </td></tr>
<tr class="b">
-
-<td>0024 </td>
-
-<td>Password may not be plain text </td>
- </tr>
-
+<td> 0024 </td>
+<td> Password may not be plain text </td></tr>
<tr class="a">
-
-<td>0025 </td>
-
-<td>Attempt to remove id, principalname or pw </td>
- </tr>
-
+<td> 0025 </td>
+<td> Attempt to remove id, principalname or pw </td></tr>
<tr class="b">
-
-<td>0026 </td>
-
-<td>Mandatory property rep:principalName missing </td>
- </tr>
-
+<td> 0026 </td>
+<td> Mandatory property rep:principalName missing </td></tr>
<tr class="a">
-
-<td>0027 </td>
-
-<td>The admin user cannot be removed </td>
- </tr>
-
+<td> 0027 </td>
+<td> The admin user cannot be removed </td></tr>
<tr class="b">
-
-<td>0028 </td>
-
-<td>Attempt to create outside of configured scope </td>
- </tr>
-
+<td> 0028 </td>
+<td> Attempt to create outside of configured scope </td></tr>
<tr class="a">
-
-<td>0029 </td>
-
-<td>Intermediate folders not rep:AuthorizableFolder </td>
- </tr>
-
+<td> 0029 </td>
+<td> Intermediate folders not rep:AuthorizableFolder </td></tr>
<tr class="b">
-
-<td>0030 </td>
-
-<td>Missing uuid for group (check for cyclic membership) </td>
- </tr>
-
+<td> 0030 </td>
+<td> Missing uuid for group (check for cyclic membership) </td></tr>
<tr class="a">
-
-<td><s>0031</s> </td>
-
-<td><s>Cyclic group membership</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6072">OAK-6072</a>) </td>
- </tr>
-
+<td> <s>0031</s> </td>
+<td> <s>Cyclic group membership</s> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6072">OAK-6072</a>) </td></tr>
<tr class="b">
-
-<td>0032 </td>
-
-<td>Attempt to set password with system user </td>
- </tr>
-
+<td> 0032 </td>
+<td> Attempt to set password with system user </td></tr>
<tr class="a">
-
-<td>0033 </td>
-
-<td>Attempt to add rep:pwd node to a system user </td>
- </tr>
- </tbody>
+<td> 0033 </td>
+<td> Attempt to add rep:pwd node to a system user </td></tr>
+</tbody>
</table>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
-<p>The following user management specific methods are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a> as of OAK 1.0:</p>
+<a name="configuration"></a>
+### Configuration
+<p>The following user management specific methods are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a> as of OAK 1.0:</p>
<ul>
-
+
<li>getUserManager: Obtain a new user manager instance</li>
-</ul>
+</ul></div>
<div class="section">
<h4><a name="Configuration_Parameters_supported_by_the_default_implementation"></a>Configuration Parameters supported by the default implementation</h4>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td><tt>PARAM_ADMIN_ID</tt> </td>
-
-<td>String </td>
-
-<td>“admin” </td>
- </tr>
-
+<td> <tt>PARAM_ADMIN_ID</tt> </td>
+<td> String </td>
+<td> “admin” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_OMIT_ADMIN_PW</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_OMIT_ADMIN_PW</tt> </td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="b">
-
-<td><tt>PARAM_ANONYMOUS_ID</tt> </td>
-
-<td>String </td>
-
-<td>“anonymous” (nullable) </td>
- </tr>
-
+<td> <tt>PARAM_ANONYMOUS_ID</tt> </td>
+<td> String </td>
+<td> “anonymous” (nullable) </td></tr>
<tr class="a">
-
-<td><tt>PARAM_USER_PATH</tt> </td>
-
-<td>String </td>
-
-<td>“/rep:security/rep:authorizables/rep:users” </td>
- </tr>
-
+<td> <tt>PARAM_USER_PATH</tt> </td>
+<td> String </td>
+<td> “/rep:security/rep:authorizables/rep:users” </td></tr>
<tr class="b">
-
-<td><tt>PARAM_GROUP_PATH</tt> </td>
-
-<td>String </td>
-
-<td>“/rep:security/rep:authorizables/rep:groups” </td>
- </tr>
-
+<td> <tt>PARAM_GROUP_PATH</tt> </td>
+<td> String </td>
+<td> “/rep:security/rep:authorizables/rep:groups” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_DEFAULT_DEPTH</tt> </td>
-
-<td>int </td>
-
-<td>2 </td>
- </tr>
-
+<td> <tt>PARAM_DEFAULT_DEPTH</tt> </td>
+<td> int </td>
+<td> 2 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
-
-<td>String </td>
-
-<td>“SHA-256” </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
+<td> String </td>
+<td> “SHA-256” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
-
-<td>int </td>
-
-<td>1000 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
+<td> int </td>
+<td> 1000 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
-
-<td>int </td>
-
-<td>8 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
+<td> int </td>
+<td> 8 </td></tr>
<tr class="a">
-
-<td><tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
-
-<td>AuthorizableNodeName </td>
-
-<td>AuthorizableNodeName#DEFAULT </td>
- </tr>
-
+<td> <tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
+<td> AuthorizableNodeName </td>
+<td> AuthorizableNodeName#DEFAULT </td></tr>
<tr class="b">
-
-<td><tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
-
-<td>AuthorizableActionProvider </td>
-
-<td>DefaultAuthorizableActionProvider </td>
- </tr>
-
+<td> <tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
+<td> AuthorizableActionProvider </td>
+<td> DefaultAuthorizableActionProvider </td></tr>
<tr class="a">
-
-<td><tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="b">
-
-<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
-
-<td>String (“abort”, “ignore”, “besteffort”) </td>
-
-<td>“ignore” </td>
- </tr>
-
+<td> <tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+<td> String (“abort”, “ignore”, “besteffort”) </td>
+<td> “ignore” </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
-
-<td>int </td>
-
-<td>0 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+<td> int </td>
+<td> 0 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="a">
-
-<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
-
-<td>int (upper limit: 1000) </td>
-
-<td>0 </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+<td> int (upper limit: 1000) </td>
+<td> 0 </td></tr>
<tr class="b">
-
-<td><tt>PARAM_CACHE_EXPIRATION</tt> </td>
-
-<td>long </td>
-
-<td>0 </td>
- </tr>
-
+<td> <tt>PARAM_CACHE_EXPIRATION</tt> </td>
+<td> long </td>
+<td> 0 </td></tr>
<tr class="a">
-
-<td><tt>PARAM_ENABLE_RFC7613_USERCASE_MAPPED_PROFILE</tt></td>
-
-<td>boolean </td>
-
-<td>false </td>
- </tr>
-
+<td> <tt>PARAM_ENABLE_RFC7613_USERCASE_MAPPED_PROFILE</tt></td>
+<td> boolean </td>
+<td> false </td></tr>
<tr class="b">
-
-<td> </td>
-
<td> </td>
-
<td> </td>
- </tr>
- </tbody>
+<td> </td></tr>
+</tbody>
</table>
<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
-
<ul>
-
+
<li><tt>compatibleJR16</tt></li>
-
<li><tt>autoExpandTree</tt></li>
-
<li><tt>autoExpandSize</tt></li>
-
<li><tt>groupMembershipSplitSize</tt></li>
</ul>
<p>The optional <tt>cacheExpiration</tt> configuration option listed above is discussed in detail in section <a href="../principal/cache.html">Caching Results of Principal Resolution</a>. It is not related to user management s.str. but affects the implementation specific <tt>PrincipalProvider</tt> implementation exposed by <tt>UserConfiguration.getUserPrincipalProvider</tt>.</p>
-<p><a name="pluggability"></a></p></div></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
-<p>Within the default user management implementation the following parts can be modified or extended at runtime by providing corresponding OSGi services or passing appropriate configuration parameters exposing the custom implementations:</p>
+<a name="pluggability"></a>
+### Pluggability
+<p>Within the default user management implementation the following parts can be modified or extended at runtime by providing corresponding OSGi services or passing appropriate configuration parameters exposing the custom implementations:</p>
<ul>
-
+
<li><tt>AuthorizableActionProvider</tt>: Defines the authorizable actions, see <a href="authorizableaction.html">Authorizable Actions</a>.</li>
-
-<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository. See <a href="authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
-
+<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names in case the user management implementation stores user information in the repository. See <a href="authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
<li><tt>UserAuthenticationFactory</tt>: see below</li>
-</ul>
+</ul></div>
<div class="section">
<h4><a name="UserAuthenticationFactory_:_Authenticating_Users"></a>UserAuthenticationFactory : Authenticating Users</h4>
-<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation. </p>
+<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation.</p>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Example_UserAuthenticationFactory"></a>Example UserAuthenticationFactory</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">@Component()
+<div>
+<div>
+<pre class="source">@Component()
@Service(UserAuthenticationFactory.class)
public class MyUserAuthenticationFactory implements UserAuthenticationFactory {
Modified: jackrabbit/site/live/oak/docs/security/user/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/differences.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/differences.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – User Management : Differences to Jackrabbit 2.x</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,99 +240,80 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<div class="section">
<h3><a name="User_Management_:_Differences_to_Jackrabbit_2.x"></a>User Management : Differences to Jackrabbit 2.x</h3>
<p>The default user management implementation present has the following characteristics that differ from the default behavior in Jackrabbit 2.x</p>
<div class="section">
<h4><a name="General"></a>General</h4>
-
<ul>
-
+
<li>changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
-
<li>In case of a failure <tt>Session#refresh</tt> is no longer called in order to prevent reverting other changes unrelated to the user management operation. Consequently it’s the responsibility of the API consumer to specifically revert pending or invalid transient modifications.</li>
</ul></div>
<div class="section">
<h4><a name="Differences_by_Interface"></a>Differences by Interface</h4>
<div class="section">
<h5><a name="UserManager"></a>UserManager</h5>
-
<ul>
-
+
<li>stores user/group information in the workspace associated with the editing Session</li>
-
-<li>the autosave feature is no longer supported by default; configuration option <tt>PARAM_SUPPORT_AUTOSAVE</tt> can be used to obtain backwards compatible behavior</li>
-
-<li>calling <tt>getAuthorizable</tt> with empty id or <tt>null</tt> id/principal will not throw a runtime exception but silently returns <tt>null</tt></li>
+<li>the autosave feature is no longer supported by default; configuration option <tt>PARAM_SUPPORT_AUTOSAVE</tt> can be used to obtain backwards compatible behavior</li>
+<li>calling <tt>getAuthorizable</tt> with empty id or <tt>null</tt> id/principal will not throw a runtime exception but silently returns <tt>null</tt></li>
</ul></div>
<div class="section">
<h5><a name="Authorizable"></a>Authorizable</h5>
-
<ul>
-
-<li>Equality and HashCode : the implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for authorizables differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</li>
-
-<li>Authorizable ID: the ID of authorizables is stored separately in a <tt>rep:authorizableId</tt> property. This value is returned upon <tt>Authorizable#getID</tt>. For backwards compatibility it falls back on the node name in case the ID property is missing.</li>
-
-<li>Node Name: The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface. Default: ID as name hint. See section <a href="authorizablenodename.html">Authorizable Node Name Generation</a> for details.</li>
+
+<li>Equality and HashCode : the implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for authorizables differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</li>
+<li>Authorizable ID: the ID of authorizables is stored separately in a <tt>rep:authorizableId</tt> property. This value is returned upon <tt>Authorizable#getID</tt>. For backwards compatibility it falls back on the node name in case the ID property is missing.</li>
+<li>Node Name: The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface. Default: ID as name hint. See section <a href="authorizablenodename.html">Authorizable Node Name Generation</a> for details.</li>
</ul></div>
<div class="section">
<h5><a name="User"></a>User</h5>
-
<ul>
-
+
<li>Creation: The password is no longer mandatory upon user creation.</li>
</ul></div>
<div class="section">
<h5><a name="Group"></a>Group</h5>
-
<ul>
-
-<li>Creation: <tt>createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
-
-<li>Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section <a href="membership.html">Group Membership</a> for a detailed description.</li>
+
+<li>Creation: <tt>createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
+<li>Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section <a href="membership.html">Group Membership</a> for a detailed description.</li>
</ul>
-<p><a name="query"></a></p></div>
-<div class="section">
-<h5><a name="QueryBuilder"></a>QueryBuilder</h5>
-<p>The user query is expected to work as in Jackrabbit 2.x with the following notable bug fixes:</p>
+<a name="query"></a>
+##### QueryBuilder
+<p>The user query is expected to work as in Jackrabbit 2.x with the following notable bug fixes:</p>
<ul>
-
-<li><tt>QueryBuilder#setScope(String groupID, boolean declaredOnly)</tt> now also works properly for the everyone group (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-949">OAK-949</a>)</li>
-
-<li><tt>QueryBuilder#impersonates(String principalName)</tt> works properly for the admin principal which are specially treated in the implementation of the <tt>Impersonation</tt> interface (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1183">OAK-1183</a>).</li>
+
+<li><tt>QueryBuilder#setScope(String groupID, boolean declaredOnly)</tt> now also works properly for the everyone group (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-949">OAK-949</a>)</li>
+<li><tt>QueryBuilder#impersonates(String principalName)</tt> works properly for the admin principal which are specially treated in the implementation of the <tt>Impersonation</tt> interface (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1183">OAK-1183</a>).</li>
</ul></div></div>
<div class="section">
<h4><a name="Additional_Functionality"></a>Additional Functionality</h4>
<div class="section">
<h5><a name="XML_Import"></a>XML Import</h5>
-
<ul>
-
-<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
-
+
+<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-> see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
-
<li>Oak also supports workspace import for authorizables</li>
</ul></div>
<div class="section">
<h5><a name="Built-in_Users"></a>Built-in Users</h5>
-
<ul>
-
+
<li>admin user can be initialized without password (<tt>PARAM_OMIT_ADMIN_PW</tt> config option)</li>
-
<li>anonymous user is optional (missing <tt>PARAM_ANONYMOUS_ID</tt> config option)</li>
-
<li>anonymous user is always initialized without password.</li>
</ul></div>
<div class="section">
<h5><a name="Group_representing_the_Everyone_Principal"></a>Group representing the Everyone Principal</h5>
-
<ul>
-
+
<li>the implementation of the optional special group representing the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html">everyone</a> principal is consistent throughout all group membership related methods.</li>
</ul></div>
<div class="section">
@@ -342,56 +323,44 @@
<div class="section">
<h4><a name="Node_Type_Definitions"></a>Node Type Definitions</h4>
<p>The built-in node types related to user management tasks have been modified as follows.</p>
-
<ul>
-
+
<li><i>rep:Authorizable</i>
-
<ul>
-
+
<li>new protected property <tt>rep:authorizableId</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li><i>rep:Group</i>
-
<ul>
-
+
<li>extends from <tt>rep:MemberReferences</tt> which provides the multivalued property <tt>rep:members</tt></li>
-
<li>the child node definition <tt>rep:members</tt> has been deprecated and is no longer used</li>
-
<li>new child node definition <tt>rep:membersList</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<p>The following node type definitions have been added:</p>
-
<ul>
-
+
<li><i>rep:MemberReferences</i> : provides the multivalued <tt>rep:members</tt> property.</li>
-
<li><i>rep:MemberReferencesList</i></li>
</ul>
<p>The following node type definition has been deprecated and will no longer be used:</p>
-
<ul>
-
+
<li><i>rep:Members</i></li>
</ul></div>
<div class="section">
<h4><a name="Configuration"></a>Configuration</h4>
<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
-
<ul>
-
+
<li>“compatibleJR16”</li>
-
<li>“autoExpandTree”</li>
-
<li>“autoExpandSize”</li>
-
<li>“groupMembershipSplitSize”</li>
-</ul>
-<!-- hidden references --></div></div></div>
+</ul><!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/expiry.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/expiry.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/expiry.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/expiry.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Password Expiry and Force Initial Password Change</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,7 +240,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Password_Expiry_and_Force_Initial_Password_Change"></a>Password Expiry and Force Initial Password Change</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -255,52 +256,11 @@
<h3><a name="Configuration"></a>Configuration</h3>
<p>An administrator may enable password expiry and initial password change via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default both features are disabled.</p>
<p>The following configuration options are supported:</p>
-
-<table border="0" class="table table-striped">
- <thead>
-
-<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
-
-<td>int </td>
-
-<td>0 </td>
-
-<td>Number of days until the password expires. </td>
- </tr>
-
-<tr class="a">
-
-<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
-
-<td>boolean </td>
-
-<td>false </td>
-
-<td>boolean flag to enable initial pw change. </td>
- </tr>
- </tbody>
-</table>
+<p>| Parameter | Type | Default | Description | |————————————- |——– -|————————| | <tt>PARAM_PASSWORD_MAX_AGE</tt> | int | 0 | Number of days until the password expires. | | <tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> | boolean | false | boolean flag to enable initial pw change. |</p>
<p>Note:</p>
-
<ul>
-
+
<li>Maximum Password Age (<tt>maxPasswordAge</tt>) will only be enabled when a value greater 0 is set (expiration time in days).</li>
-
<li>Change Password On First Login (<tt>initialPasswordChange</tt>): When enabled, forces users to change their password upon first login.</li>
</ul></div>
<div class="section">
@@ -308,12 +268,10 @@
<div class="section">
<h4><a name="Definition_of_Expired_Password"></a>Definition of Expired Password</h4>
<p>An expired password is defined as follows:</p>
-
<ul>
-
-<li>The current date-time is after or on the date-time + maxPasswordAge specified in a <tt>rep:passwordLastModified</tt> property</li>
-
-<li>OR: Expiry and/or Enforce Password Change is enabled, but no <tt>rep:passwordLastModified</tt> property exists</li>
+
+<li>The current date-time is after or on the date-time + maxPasswordAge specified in a <tt>rep:passwordLastModified</tt> property</li>
+<li>OR: Expiry and/or Enforce Password Change is enabled, but no <tt>rep:passwordLastModified</tt> property exists</li>
</ul>
<p>For the above, a password node <tt>rep:pw</tt> and a property <tt>rep:passwordLastModified</tt>, governed by a new <tt>rep:Password</tt> node type and located in the user’s home, have been introduced, leaving open future enhancements to password management (such as password policies, history, et al):</p></div>
<div class="section">
@@ -321,19 +279,23 @@
<div class="section">
<h5><a name="Node_Type_rep:Password"></a>Node Type rep:Password</h5>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:Password]
+<div>
+<div>
+<pre class="source">[rep:Password]
- * (UNDEFINED) protected
- * (UNDEFINED) protected multiple
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h5><a name="Node_rep:pwd_and_Property_rep:passwordLastModified"></a>Node rep:pwd and Property rep:passwordLastModified</h5>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:User] > rep:Authorizable, rep:Impersonatable
+<div>
+<div>
+<pre class="source">[rep:User] > rep:Authorizable, rep:Impersonatable
+ rep:pwd (rep:Password) = rep:Password protected
...
</pre></div></div>
+
<p>The <tt>rep:pw</tt> node and the <tt>rep:passwordLastModified</tt> property are defined protected in order to guard against the user modifying (overcoming) her password expiry. The new sub-node also has the advantage of allowing repository consumers to e.g. register specific commit hooks / actions on such a node.</p>
<p>In the future the <tt>rep:password</tt> property on the user node may be migrated to the <tt>rep:pw</tt> sub-node.</p></div></div>
<div class="section">
@@ -358,19 +320,16 @@
<p>This method of changing password via the normal login call only works if a user’s password is in fact expired and cannot be used for regular password changes (attribute is ignored, use <tt>User#changePassword</tt> directly instead).</p>
<p>Should the <a href="history.html">Password History feature</a> be enabled, and - for the above password change - a password already in the history be used, the change will fail and the login still throw a <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/CredentialExpiredException.html">CredentialExpiredException</a>. In order for consumers of the exception to become aware that the credentials are still considered expired, and that the password was not changed due to the new password having been found in the password history, the credentials object is fitted with an additional attribute with name <tt>PasswordHistoryException</tt>.</p>
<p>This attribute may contain the following two values:</p>
-
<ul>
-
+
<li><i>“New password was found in password history.”</i> or</li>
-
<li><i>"“New password is identical to the current password.”</i></li>
</ul></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>
<p>When users are imported via the Oak JCR XML importer, the expiry relevant nodes and property are supported. If the XML specifies a <tt>rep:pw</tt> node and optionally a <tt>rep:passwordLastModified</tt> property, these are imported, irrespective of the password expiry or force initial password change being enabled in the configuration. If they’re enabled, the imported property will be used in the normal login process as described above. If not enabled, the imported property will have no effect.</p>
<p>On the other hand, if the imported user already exists, potentially existing <tt>rep:passwordLastModified</tt> properties will be overwritten with the value from the import. If password expiry is enabled, this may cause passwords to expire earlier or later than anticipated, governed by the new value. Also, an import may create such a property where none previously existed, thus effectively cancelling the need to change the password on first login - if the feature is enabled.</p>
-<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p>
-<!-- hidden references --></div></div></div>
+<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p><!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/user/groupaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/groupaction.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/groupaction.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/groupaction.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Group Actions</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,28 +240,24 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<h2><a name="Group_Actions"></a>Group Actions</h2>
<div class="section">
<h3><a name="Overview"></a>Overview</h3>
<p>Oak 1.6 comes with an extension to the Jackrabbit user management API that allows to perform additional actions or validations upon group member management tasks such as</p>
-
<ul>
-
+
<li>add an authorizable to a group</li>
-
<li>remove an authorizable from a group</li>
-
<li>add a set of member ids as members of a group</li>
-
<li>remove a set of member ids from a group</li>
</ul></div>
<div class="section">
<h3><a name="GroupAction_API"></a>GroupAction API</h3>
<p>The following public interface is provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user.action</tt>:</p>
-
<ul>
-
+
<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/GroupAction.html">GroupAction</a></li>
</ul>
<p>The <tt>GroupAction</tt> interface extends from <tt>AuthorizableAction</tt> and itself allows to perform validations or write additional application specific content while executing group member management related write operations. Therefore these actions are executed as part of the transient user management modifications. This contrasts to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s which in turn are only triggered once modifications are persisted.</p>
@@ -270,9 +266,8 @@
<div class="section">
<h3><a name="Default_Implementations"></a>Default Implementations</h3>
<p>Oak 1.5 provides the following base implementation for <tt>GroupAction</tt> implementations to build upon:</p>
-
<ul>
-
+
<li><tt>AbstractGroupAction</tt>: abstract base implementation that doesn’t perform any action.</li>
</ul></div>
<div class="section">
@@ -280,7 +275,7 @@
<p>Refer to <a href="authorizableaction.html#Pluggability">Authorizable Actions | Pluggability </a> for details on how to plug a new group action into the system.</p></div>
<div class="section">
<h3><a name="XML_Import"></a>XML Import</h3>
-<p>During import the group actions are called in the same fashion as for regular groups as long as the member reference can be resolved to an existing authorizable. Member IDs of authorizables that do not exist at group import time or failed member IDs are passed to the group actions if <tt>ImportBehavior.BESTEFFORT</tt> is set for the import.</p>
+<p>During import the group actions are called in the same fashion as for regular groups as long as the member reference can be resolved to an existing authorizable. Member IDs of authorizables that do not exist at group import time or failed member IDs are passed to the group actions if <tt>ImportBehavior.BESTEFFORT</tt> is set for the import.</p>
<div class="section">
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
@@ -288,8 +283,9 @@
<h6><a name="Example_Action"></a>Example Action</h6>
<p>This example action creates or removes asset home directories for members added to or removed from a specific group:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">public class CreateHomeForMemberGroupAction extends AbstractGroupAction {
+<div>
+<div>
+<pre class="source">public class CreateHomeForMemberGroupAction extends AbstractGroupAction {
private static final String GROUP_ID = "asset-editors";
private static final String ASSET_ROOT = "/content/assets";
Modified: jackrabbit/site/live/oak/docs/security/user/history.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/history.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/history.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/history.html Mon Jul 9 08:53:17 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180524" />
+ <meta name="Date-Revision-yyyymmdd" content="20180709" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Password History</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -240,7 +240,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Password_History"></a>Password History</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -249,45 +250,27 @@
<h3><a name="Configuration"></a>Configuration</h3>
<p>An administrator may enable password history via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default the history is disabled (<tt>passwordHistorySize</tt> set to 0).</p>
<p>The following configuration option is supported:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th>
+<th> Description </th></tr>
+</thead><tbody>
+
<tr class="b">
-
-<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
-
-<td>int </td>
-
-<td>0 </td>
-
-<td>Number of passwords to be stored in the history </td>
- </tr>
-
+<td> <tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+<td> int </td>
+<td> 0 </td>
+<td> Number of passwords to be stored in the history </td></tr>
<tr class="a">
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
-
-<td> </td>
- </tr>
- </tbody>
+<td> </td>
+<td> </td>
+<td> </td>
+<td> </td></tr>
+</tbody>
</table>
<p>Setting the configuration option to a value greater than 0 enables password history and sets feature to remember the specified number of passwords for a user. Note, that the current implementation has a limit of at most 1000 passwords remembered in the history.</p></div>
<div class="section">
@@ -297,26 +280,28 @@
<p>History password hashes are recorded in a multi-value property <tt>rep:pwdHistory</tt> on the user’s <tt>rep:pwd</tt> node, which mandates the specific node type <tt>rep:Password</tt></p>
<p>The <tt>rep:pwdHistory</tt> property is defined protected in order to guard against the user modifying (overcoming) her password history limitations.</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:User] > rep:Authorizable, rep:Impersonatable
+<div>
+<div>
+<pre class="source">[rep:User] > rep:Authorizable, rep:Impersonatable
+ rep:pwd (rep:Password) = rep:Password protected
- rep:password (STRING) protected
...
-
+
[rep:Password]
- * (UNDEFINED) protected
- * (UNDEFINED) protected multiple
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h4><a name="Recording_of_Passwords"></a>Recording of Passwords</h4>
<p>If the feature is enabled, during a user changing her password, the old password hash is recorded in the password history.</p>
<p>The old password hash is only recorded if a password was set (non-empty). Therefore setting a password for a user for the first time (i.e. during creation or if the user doesn’t have a password set before) does not result in a history record, as there is no old password.</p>
<p>The old password hash is copied to the password history <i>after</i> the provided new password has been validated but <i>before</i> the new password hash is written to the user’s <tt>rep:password</tt> property.</p>
<p>The history operates as a FIFO list. A new password history record exceeding the configured max history size, results in the oldest recorded password from being removed from the history.</p>
-<p>Also, if the configuration parameter for the history size is changed to a non-zero but smaller value than before, upon the next password change the oldest records exceeding the new history size are removed. </p></div>
+<p>Also, if the configuration parameter for the history size is changed to a non-zero but smaller value than before, upon the next password change the oldest records exceeding the new history size are removed.</p></div>
<div class="section">
<h4><a name="Evaluation_of_Password_History"></a>Evaluation of Password History</h4>
-<p>Upon a user changing her password and if the password history feature is enabled (configured password history size > 0), implementation checks if the current password or any of the password hashes recorded in the history matches the new password.</p>
+<p>Upon a user changing her password and if the password history feature is enabled (configured password history size > 0), implementation checks if the current password or any of the password hashes recorded in the history matches the new password.</p>
<p>If any record is a match, a <tt>ConstraintViolationException</tt> is thrown and the user’s password is <i>NOT</i> changed.</p></div>
<div class="section">
<h4><a name="XML_Import"></a>XML Import</h4>