jackrabbit-commits mailing list archives

From tri...@apache.org
Subject svn commit: r1544753 - in /jackrabbit/site/live/oak/docs: css/site.css differences_user.html security/permission_eval.html
Date Sat, 23 Nov 2013 07:15:54 GMT
Author: tripod
Date: Sat Nov 23 07:15:53 2013
New Revision: 1544753

URL: http://svn.apache.org/r1544753
Log:
OAK-936: Site checkin for project Oak Documentation-0.12-SNAPSHOT

Modified:
    jackrabbit/site/live/oak/docs/css/site.css
    jackrabbit/site/live/oak/docs/differences_user.html
    jackrabbit/site/live/oak/docs/security/permission_eval.html

Modified: jackrabbit/site/live/oak/docs/css/site.css
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/css/site.css?rev=1544753&r1=1544752&r2=1544753&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/css/site.css (original)
+++ jackrabbit/site/live/oak/docs/css/site.css Sat Nov 23 07:15:53 2013
@@ -1 +1,8 @@
-/* You can override this file with your own styles */
\ No newline at end of file
+tt {
+	white-space: nowrap;
+	border: 1px solid #eaeaea;
+	background-color: #f5f5f5;
+}
+pre {
+	font-size: 12px;
+}
\ No newline at end of file
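
Review bot: `white-space: nowrap` on every `tt` will stop long inline identifiers from wrapping, and this site uses `tt` for whole call chains (the permission_eval.html heading wraps `session.getNode(...).getProperty(...).getString()` in one `tt`), so such text can run past the column edge. Consider dropping the `nowrap` rule or limiting it to short tokens. The file also still ends without a trailing newline after the closing `}` of the `pre` rule, as the "\ No newline at end of file" marker on the added side shows.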

Modified: jackrabbit/site/live/oak/docs/differences_user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_user.html?rev=1544753&r1=1544752&r2=1544753&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/differences_user.html (original)
+++ jackrabbit/site/live/oak/docs/differences_user.html Sat Nov 23 07:15:53 2013
@@ -434,8 +434,21 @@
 <p>With the default configuration Jackrabbit 2.x stores the group members as <i>weak
references</i> in a <tt>rep:members</tt> multi value property in the group
node. If the <tt>groupMembershipSplitSize</tt> configuration parameter is set
and valid, the group memberships are collected in a node structure below <tt>rep:members</tt>
instead of the default multi valued property. Its value determines the maximum number of member
properties until additional intermediate nodes are inserted. Valid parameter values are integers
&gt; 4. The node structure is a balanced b-tree where only the leave nodes carry the actual
values in residual properties which name is the principal name of the member.</p></div>
 <div class="section">
 <h6>Behavior as of OAK 1.0<a name="Behavior_as_of_OAK_1.0"></a></h6>
-<p><b>NOTE</b>: The following section is not valid until <a class="externalLink"
href="https://issues.apache.org/jira/browse/OAK-482">OAK-482</a> is fixed.</p>
-<p>As of Oak the user manager automatically chooses an appropriate storage structure
depending on the number of group members. If the number of members is low they are store as
<i>weak references</i> in a <tt>rep:members</tt> multi value property.
This is similar to Jackrabbit 2.x. If the number of members is high the user manager will
create an intermediate node list to reduce the size of the multi value properties below a
<tt>rep:membersList</tt> node (see section</p></div>
+<p>As of Oak the user manager automatically chooses an appropriate storage structure
depending on the number of group members. If the number of members is low they are stored
as <i>weak references</i> in a <tt>rep:members</tt> multi value property.
This is similar to Jackrabbit 2.x. If the number of members is high the user manager will
limit the size of the multi value properties and create overflow <tt>rep:MemberReferences</tt>
nodes below a <tt>rep:membersList</tt> node to hold the extra members.</p></div>
+<div class="section">
+<h6>Relevant new node types<a name="Relevant_new_node_types"></a></h6>
+
+<div class="source">
+<pre>[rep:Group] &gt; rep:Authorizable, rep:MemberReferences
+  + rep:members (rep:Members) = rep:Members multiple protected VERSION /* @deprecated */
+  + rep:membersList (rep:MemberReferencesList) = rep:MemberReferencesList protected COPY
+
+[rep:MemberReferences]
+  - rep:members (WEAKREFERENCE) protected multiple &lt; 'rep:Authorizable'
+
+[rep:MemberReferencesList]
+  + * (rep:MemberReferences) = rep:MemberReferences protected COPY
+</pre></div></div>
 <div class="section">
 <h6>Example Group with few members<a name="Example_Group_with_few_members"></a></h6>
 <p><i>(irrelevant properties excluded)</i></p>
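
Review bot: the rewritten paragraph removes the OAK-482 caveat but still says only "If the number of members is high" without naming the point at which the user manager starts creating overflow `rep:MemberReferences` nodes; state the limit, or say explicitly that it is an implementation detail, so readers can predict which layout a group will have. In the added CND block, `rep:members` is declared both as a deprecated child node on `rep:Group` and as the WEAKREFERENCE property of `rep:MemberReferences`, which `rep:Group` extends; one sentence explaining that the same name is used for both would prevent misreading the definition.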
@@ -464,9 +477,9 @@
     &quot;jcr:primaryType&quot;: &quot;rep:Group&quot;,
     &quot;rep:principalName&quot;: &quot;employees&quot;,
     &quot;rep:membersList&quot;: {
-        &quot;jcr:primaryType&quot;: &quot;rep:MembersList&quot;,
+        &quot;jcr:primaryType&quot;: &quot;rep:MemberReferencesList&quot;,
         &quot;0&quot;: {
-            &quot;jcr:primaryType&quot;: &quot;rep:Members&quot;,
+            &quot;jcr:primaryType&quot;: &quot;rep:MemberReferences&quot;,
             &quot;rep:members&quot;: [
                 &quot;429bbd5b-46a6-3c3d-808b-5fd4219d5c4d&quot;,
                 &quot;ca58c408-fe06-357e-953c-2d23ffe1e096&quot;,
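
Review bot: with `rep:Members` gone from this example while the CND added earlier in the file still declares `rep:members (rep:Members)` as a deprecated child of `rep:Group`, the page should say where the old type can still occur, so that tooling which walks group membership knows whether it has to handle both shapes.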
@@ -475,7 +488,7 @@
         },
         ...
         &quot;341&quot;: {
-            &quot;jcr:primaryType&quot;: &quot;rep:Members&quot;,
+            &quot;jcr:primaryType&quot;: &quot;rep:MemberReferences&quot;,
             &quot;rep:members&quot;: [
                 &quot;fdd1547a-b19a-3154-90da-1eae8c2c3504&quot;,
                 &quot;65c3084e-abfc-3719-8223-72c6cb9a3d6f&quot;,
@@ -491,7 +504,7 @@
 <p><b>TODO</b></p></div>
 <div class="section">
 <h6>Importing Group Members<a name="Importing_Group_Members"></a></h6>
-<p><b>TODO</b></p></div></div></div>
+<p>Importing group members through the import methods in <tt>javax.jcr.Session</tt>
or <tt>javax.jcr.Workspace</tt> is storage agnostic and supports both, property
based and node based, strategies and is backward compatible to content exported from Jackrabbit
2.x. The group member lists that are modified during an import are internally processed using
the normal user manager APIs. This implies that the node structure after the import might
not be the same as the one represented in the input.</p></div></div></div>
 <div class="section">
 <h4>2. Builtin Users<a name="a2._Builtin_Users"></a></h4>
 <p>The setup of builtin user and group accounts is triggered by the configured <tt>WorkspaceInitializer</tt>
associated with the user management configuration (see Configuration section below). </p>
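
Review bot: the added sentence "This implies that the node structure after the import might not be the same as the one represented in the input" should also state whether the resulting set of members is guaranteed to match the input, since anyone comparing exported and imported content for authorization purposes needs to know that only the layout, not the membership, can differ. The phrase "supports both, property based and node based, strategies" reads better as "supports both the property-based and the node-based strategy". The preceding section in the context lines is still only `<p><b>TODO</b></p>`, so the page remains incomplete after this change.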

Modified: jackrabbit/site/live/oak/docs/security/permission_eval.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission_eval.html?rev=1544753&r1=1544752&r2=1544753&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission_eval.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission_eval.html Sat Nov 23 07:15:53 2013
@@ -1,435 +1,435 @@
-<!DOCTYPE html>
-<!--
- | Generated by Apache Maven Doxia at 2013-11-22
- | Rendered using Apache Maven Fluido Skin 1.3.0
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-  <head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20131122" />
-    <meta http-equiv="Content-Language" content="en" />
-    <title>Jackrabbit Oak - </title>
-    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
-    <link rel="stylesheet" href="../css/site.css" />
-    <link rel="stylesheet" href="../css/print.css" media="print" />
-
-      
-    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
-
-    
-            </head>
-        <body class="topBarEnabled">
-          
-    
-    
-            
-    
-    
-    <a href="http://github.com/apache/jackrabbit-oak">
-      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
-        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
-        alt="Fork me on GitHub">
-    </a>
-  
-                
-                    
-                
-
-    <div id="topbar" class="navbar navbar-fixed-top ">
-      <div class="navbar-inner">
-                <div class="container-fluid">
-        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
-          <span class="icon-bar"></span>
-          <span class="icon-bar"></span>
-          <span class="icon-bar"></span>
-        </a>
-                
-                                <ul class="nav">
-                          <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit
Oak</a>
-</li>
-                  
-                      <li>      <a href="../license.html"  title="License">License</a>
-</li>
-                  
-                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
-</li>
-                  
-                      <li>      <a href="../from_here.html"  title="From here">From
here</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture
<b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../overview.html"  title="Overview">Overview</a>
-</li>
-                  
-                      <li>      <a href="../nodestate.html"  title="Understanding
the node state model">Understanding the node state model</a>
-</li>
-                  
-                      <li>      <a href="../microkernel.html"  title="Microkernel">Microkernel</a>
-</li>
-                  
-                      <li>      <a href="../query.html"  title="Query">Query</a>
-</li>
-                  
-                      <li>      <a href="../blobstore.html"  title="BlobStore">BlobStore</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b
class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../use_getting_started.html"  title="Getting
Started">Getting Started</a>
-</li>
-                  
-                      <li>      <a href="../differences.html"  title="Differences
to Jackrabbit 2">Differences to Jackrabbit 2</a>
-</li>
-                  
-                      <li>      <a href="../known_issues.html"  title="Known Issues">Known
Issues</a>
-</li>
-                  
-                      <li>      <a href="../dos_and_donts.html"  title="Dos and
don'ts">Dos and don'ts</a>
-</li>
-                  
-                      <li>      <a href="../when_things_go_wrong.html"  title="When
things go wrong">When things go wrong</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b
class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="../dev_getting_started.html"  title="Getting
Started">Getting Started</a>
-</li>
-                  
-                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
-</li>
-                  
-                      <li>      <a href="../apidocs/index.html"  title="API docs">API
docs</a>
-</li>
-                          </ul>
-      </li>
-                <li class="dropdown">
-        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
-        <ul class="dropdown-menu">
-        
-                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache
Jackrabbit Oak">Apache Jackrabbit Oak</a>
-</li>
-                  
-                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache
Jackrabbit">Apache Jackrabbit</a>
-</li>
-                          </ul>
-      </li>
-                  </ul>
-          
-          
-          
-                   
-                      </div>
-          
-        </div>
-      </div>
-    </div>
-    
-        <div class="container-fluid">
-          <div id="banner">
-        <div class="pull-left">
-                                <div id="bannerLeft">
-                <h2>Oak Documentation</h2>
-                </div>
-                      </div>
-        <div class="pull-right">  </div>
-        <div class="clear"><hr/></div>
-      </div>
-
-      <div id="breadcrumbs">
-        <ul class="breadcrumb">
-                
-                    
-                  <li id="publishDate">Last Published: 2013-11-22</li>
-                  <li class="divider">|</li> <li id="projectVersion">Version:
0.12-SNAPSHOT</li>
-                      
-                
-                    
-      
-                            </ul>
-      </div>
-
-            
-      <div class="row-fluid">
-        <div id="leftColumn" class="span3">
-          <div class="well sidebar-nav">
-                
-                    
-                <ul class="nav nav-list">
-                    <li class="nav-header">Overview</li>
-                                
-      <li>
-    
-                          <a href="../index.html" title="Jackrabbit Oak">
-          <i class="none"></i>
-        Jackrabbit Oak</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../license.html" title="License">
-          <i class="none"></i>
-        License</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../downloads.html" title="Downloads">
-          <i class="none"></i>
-        Downloads</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../from_here.html" title="From here">
-          <i class="none"></i>
-        From here</a>
-            </li>
-                              <li class="nav-header">Concepts and architecture</li>
-                                
-      <li>
-    
-                          <a href="../overview.html" title="Overview">
-          <i class="none"></i>
-        Overview</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../nodestate.html" title="Understanding the node state
model">
-          <i class="none"></i>
-        Understanding the node state model</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../microkernel.html" title="Microkernel">
-          <i class="none"></i>
-        Microkernel</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../query.html" title="Query">
-          <i class="none"></i>
-        Query</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../blobstore.html" title="BlobStore">
-          <i class="none"></i>
-        BlobStore</a>
-            </li>
-                              <li class="nav-header">Using Oak</li>
-                                
-      <li>
-    
-                          <a href="../use_getting_started.html" title="Getting Started">
-          <i class="none"></i>
-        Getting Started</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../differences.html" title="Differences to Jackrabbit
2">
-          <i class="none"></i>
-        Differences to Jackrabbit 2</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../known_issues.html" title="Known Issues">
-          <i class="none"></i>
-        Known Issues</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../dos_and_donts.html" title="Dos and don'ts">
-          <i class="none"></i>
-        Dos and don'ts</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../when_things_go_wrong.html" title="When things go
wrong">
-          <i class="none"></i>
-        When things go wrong</a>
-            </li>
-                              <li class="nav-header">Developing Oak</li>
-                                
-      <li>
-    
-                          <a href="../dev_getting_started.html" title="Getting Started">
-          <i class="none"></i>
-        Getting Started</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../participating.html" title="Participating">
-          <i class="none"></i>
-        Participating</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="../apidocs/index.html" title="API docs">
-          <i class="none"></i>
-        API docs</a>
-            </li>
-                              <li class="nav-header">Links</li>
-                                
-      <li>
-    
-                          <a href="http://jackrabbit.apache.org/oak" class="externalLink"
title="Apache Jackrabbit Oak">
-          <i class="none"></i>
-        Apache Jackrabbit Oak</a>
-            </li>
-                  
-      <li>
-    
-                          <a href="http://jackrabbit.apache.org/" class="externalLink"
title="Apache Jackrabbit">
-          <i class="none"></i>
-        Apache Jackrabbit</a>
-            </li>
-            </ul>
-                
-                    
-                
-          <hr class="divider" />
-
-           <div id="poweredBy">
-                   
-    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
-
-    
-    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall"
></div>
-
-                   <div class="clear"></div>
-                            <div class="clear"></div>
-                            <div class="clear"></div>
-                             <a href="http://maven.apache.org/" title="Built by Maven"
class="poweredBy">
-        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png"
/>
-      </a>
-                  </div>
-          </div>
-        </div>
-        
-                
-        <div id="bodyColumn"  class="span9" >
-                                  
-            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
-   contributor license agreements.  See the NOTICE file distributed with
-   this work for additional information regarding copyright ownership.
-   The ASF licenses this file to You under the Apache License, Version 2.0
-   (the "License"); you may not use this file except in compliance with
-   the License.  You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License. --><h1>The Oak Security Layer</h1>
-<div class="section">
-<h2>Internals of Permission Evaluation<a name="Internals_of_Permission_Evaluation"></a></h2>
-<div class="section">
-<h3>What happens on <tt>session.getNode(&quot;/foo&quot;).getProperty(&quot;jar:title&quot;).getString()</tt>
in respect to access control?<a name="What_happens_on_session.getNodefoo.getPropertyjar:title.getString_in_respect_to_access_control"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>
-<p><tt>SessionImpl.getNode()</tt> internally calls <tt>SessionDelegate.getNode()</tt>
 which calls <tt>Root.getTree()</tt> which calls <tt>Tree.getTree()</tt>
on the root tree.  This creates a bunch of linked <tt>MutableTree</tt> objects.</p></li>
-  
-<li>
-<p>The session delegate then checks if the tree really exists, by calling <tt>Tree.exists()</tt>
 which then calls <tt>NodeBuilder.exists()</tt>.</p></li>
-  
-<li>
-<p>If the session performing the operation is an <i>admin</i> session,
then the node builder from  the persistence layer is directly used. In all other cases, the
original node builder  is wrapped by a <tt>SecureNodeBuilder</tt>. The <tt>SecureNodeBuilder</tt>
performs access control  checks before delegating the calls to the delegated builder.</p></li>
-  
-<li>
-<p>For non <i>admin</i> sessions the <tt>SecureNodeBuilder</tt>
fetches its <i>tree permissions</i> via  <tt>getTreePermissions()</tt>
(See <a href="#getTreePermissions">below</a> of how this works) and then  calls
<tt>TreePermission.canRead()</tt>. This method (signature with no arguments) checks
the  <tt>READ_NODE</tt> permission for normal trees (as in this example) or the
<tt>READ_ACCESS_CONTROL</tt>  permission on <i>AC trees</i> [^1] and
stores the result in the <tt>ReadStatus</tt>.</p>
-<p>For that an iterator of the <i>permission entries</i> is <a href="#getEntrtyIterator">retrieved</a>
which  provides all the relevant permission entries needed to be evaluated for this tree (and
 <i>subject</i>). </p></li>
-  
-<li>
-<p>The <i>permission entries</i> are analyzed if they include the respective
permission and if so,  the read status is set accordingly. Note that the sequence of the permission
entries from  the iterator is already in the correct order for this kind of evaluation. this
is ensured  by the way how they are stored in the <a href="#permissionStore">permission
store</a> and how they  are feed into the iterator.</p>
-<p>The iteration also detects if the evaluated permission entries cover <i>this</i>
node and all  its properties. If this is the case, subsequent calls that evaluate the property
read  permissions would then not need to do the same iteration again. In order to detect this,
 the iteration checks if a non-matching permission entry or privilege was skipped  and eventually
sets the respective flag in the <tt>ReadStatus</tt>. This flag indicates if the
 present permission entries are sufficient to tell if the session is allowed to read  <i>this</i>
node and all its properties. If there are more entries present than the ones needed  for evaluating
the <tt>READ_NODE</tt> permission, then it&#x2019;s ambiguous to determine
if all  properties can be read. </p></li>
-  
-<li>
-<p>Once the <tt>ReadStatus</tt> is calculated (or was calculated earlier)
the <tt>canRead()</tt> method  returns <tt>ReadStatus.allowsThis()</tt>
which specifies if <i>this</i> node is allowed to be read.</p></li>
-  
-<li>
-<p>next up: getProperty() (WIP)</p></li>
-</ol>
-<p>[^1]: AC trees are usually the <tt>rep:policy</tt> subtrees of access
controlled nodes.</p></div>
-<div class="section">
-<h3>A Shortcut for evaluating read access: <i>readable tree configuration</i><a
name="A_Shortcut_for_evaluating_read_access:_readable_tree_configuration"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;.</li>
-</ol></div>
-<div class="section">
-<h3><a name="getTreePermissions"></a> How does the <tt>SecureNodeBuilder</tt>
obtain his <i>tree permissions</i> ?<a name="How_does_the_SecureNodeBuilder_obtain_his_tree_permissions_"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;</li>
-</ol></div>
-<div class="section">
-<h3><a name="getEntryIterator"></a> How does the <tt>TreePermission</tt>
obtain the permission entry iterator?<a name="How_does_the_TreePermission_obtain_the_permission_entry_iterator"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;</li>
-</ol></div>
-<div class="section">
-<h3><a name="permissionStore"></a> How are the access control entries preprocessed
and stored in the permission store?<a name="How_are_the_access_control_entries_preprocessed_and_stored_in_the_permission_store"></a></h3>
-
-<ol style="list-style-type: decimal">
-  
-<li>&#x2026;.</li>
-</ol></div></div>
-                  </div>
-            </div>
-          </div>
-
-    <hr/>
-
-    <footer>
-            <div class="container-fluid">
-              <div class="row span12">Copyright &copy;                    2012-2013
-                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
-            All Rights Reserved.      
-                    
-      </div>
-
-        
-        
-          
-    
-    
-    <div id="ohloh" class="pull-right">
-      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
-    </div>
-        </div>
-    </footer>
-  </body>
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2013-11-22
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20131122" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - </title>
+    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../css/site.css" />
+    <link rel="stylesheet" href="../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit
Oak</a>
+</li>
+                  
+                      <li>      <a href="../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="../from_here.html"  title="From here">From
here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture
<b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../nodestate.html"  title="Understanding
the node state model">Understanding the node state model</a>
+</li>
+                  
+                      <li>      <a href="../microkernel.html"  title="Microkernel">Microkernel</a>
+</li>
+                  
+                      <li>      <a href="../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b
class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../use_getting_started.html"  title="Getting
Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../differences.html"  title="Differences
to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../known_issues.html"  title="Known Issues">Known
Issues</a>
+</li>
+                  
+                      <li>      <a href="../dos_and_donts.html"  title="Dos and
don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../when_things_go_wrong.html"  title="When
things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b
class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../dev_getting_started.html"  title="Getting
Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../apidocs/index.html"  title="API docs">API
docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache
Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache
Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2013-11-22</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version:
0.12-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../from_here.html" title="From here">
+          <i class="none"></i>
+        From here</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestate.html" title="Understanding the node state
model">
+          <i class="none"></i>
+        Understanding the node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../microkernel.html" title="Microkernel">
+          <i class="none"></i>
+        Microkernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../differences.html" title="Differences to Jackrabbit
2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../when_things_go_wrong.html" title="When things go
wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink"
title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink"
title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall"
></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven"
class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png"
/>
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><h1>The Oak Security Layer</h1>
+<div class="section">
+<h2>Internals of Permission Evaluation<a name="Internals_of_Permission_Evaluation"></a></h2>
+<div class="section">
+<h3>What happens on <tt>session.getNode(&quot;/foo&quot;).getProperty(&quot;jar:title&quot;).getString()</tt>
in respect to access control?<a name="What_happens_on_session.getNodefoo.getPropertyjar:title.getString_in_respect_to_access_control"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>
+<p><tt>SessionImpl.getNode()</tt> internally calls <tt>SessionDelegate.getNode()</tt>
 which calls <tt>Root.getTree()</tt> which calls <tt>Tree.getTree()</tt>
on the root tree.  This creates a bunch of linked <tt>MutableTree</tt> objects.</p></li>
+  
+<li>
+<p>The session delegate then checks if the tree really exists, by calling <tt>Tree.exists()</tt>
 which then calls <tt>NodeBuilder.exists()</tt>.</p></li>
+  
+<li>
+<p>If the session performing the operation is an <i>admin</i> session,
then the node builder from  the persistence layer is directly used. In all other cases, the
original node builder  is wrapped by a <tt>SecureNodeBuilder</tt>. The <tt>SecureNodeBuilder</tt>
performs access control  checks before delegating the calls to the delegated builder.</p></li>
+  
+<li>
+<p>For non <i>admin</i> sessions the <tt>SecureNodeBuilder</tt>
fetches its <i>tree permissions</i> via  <tt>getTreePermissions()</tt>
(See <a href="#getTreePermissions">below</a> of how this works) and then  calls
<tt>TreePermission.canRead()</tt>. This method (signature with no arguments) checks
the  <tt>READ_NODE</tt> permission for normal trees (as in this example) or the
<tt>READ_ACCESS_CONTROL</tt>  permission on <i>AC trees</i> [^1] and
stores the result in the <tt>ReadStatus</tt>.</p>
+<p>For that an iterator of the <i>permission entries</i> is <a href="#getEntrtyIterator">retrieved</a>
which  provides all the relevant permission entries needed to be evaluated for this tree (and
 <i>subject</i>). </p></li>
+  
+<li>
+<p>The <i>permission entries</i> are analyzed if they include the respective
permission and if so,  the read status is set accordingly. Note that the sequence of the permission
entries from  the iterator is already in the correct order for this kind of evaluation. this
is ensured  by the way how they are stored in the <a href="#permissionStore">permission
store</a> and how they  are feed into the iterator.</p>
+<p>The iteration also detects if the evaluated permission entries cover <i>this</i>
node and all  its properties. If this is the case, subsequent calls that evaluate the property
read  permissions would then not need to do the same iteration again. In order to detect this,
 the iteration checks if a non-matching permission entry or privilege was skipped  and eventually
sets the respective flag in the <tt>ReadStatus</tt>. This flag indicates if the
 present permission entries are sufficient to tell if the session is allowed to read  <i>this</i>
node and all its properties. If there are more entries present than the ones needed  for evaluating
the <tt>READ_NODE</tt> permission, then it&#x2019;s ambiguous to determine
if all  properties can be read. </p></li>
+  
+<li>
+<p>Once the <tt>ReadStatus</tt> is calculated (or was calculated earlier)
the <tt>canRead()</tt> method  returns <tt>ReadStatus.allowsThis()</tt>
which specifies if <i>this</i> node is allowed to be read.</p></li>
+  
+<li>
+<p>next up: getProperty() (WIP)</p></li>
+</ol>
+<p>[^1]: AC trees are usually the <tt>rep:policy</tt> subtrees of access
controlled nodes.</p></div>
+<div class="section">
+<h3>A Shortcut for evaluating read access: <i>readable tree configuration</i><a
name="A_Shortcut_for_evaluating_read_access:_readable_tree_configuration"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;.</li>
+</ol></div>
+<div class="section">
+<h3><a name="getTreePermissions"></a> How does the <tt>SecureNodeBuilder</tt>
obtain his <i>tree permissions</i> ?<a name="How_does_the_SecureNodeBuilder_obtain_his_tree_permissions_"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;</li>
+</ol></div>
+<div class="section">
+<h3><a name="getEntryIterator"></a> How does the <tt>TreePermission</tt>
obtain the permission entry iterator?<a name="How_does_the_TreePermission_obtain_the_permission_entry_iterator"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;</li>
+</ol></div>
+<div class="section">
+<h3><a name="permissionStore"></a> How are the access control entries preprocessed
and stored in the permission store?<a name="How_are_the_access_control_entries_preprocessed_and_stored_in_the_permission_store"></a></h3>
+
+<ol style="list-style-type: decimal">
+  
+<li>&#x2026;.</li>
+</ol></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2013
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
 </html>
\ No newline at end of file
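Review bot: The in-page link in step 4 of the permission evaluation walkthrough targets `#getEntrtyIterator`, but the anchor defined further down is `<a name="getEntryIterator">`, so the "retrieved" link resolves to nothing; correct the href spelling. The `[^1]` footnote marker is also emitted literally, both in step 4 and in the trailing paragraph, so the footnote syntax is not being rendered and should be replaced with a plain note or a real anchor. On the page chrome, the footer loads `project_users_logo.js` from `http://www.ohloh.net` over plain HTTP and the sidebar loads `plusone.js` from a third-party host; on a page documenting the security layer these are worth dropping or at least switching to HTTPS, since any script included this way runs with full access to the page. Wording nits in step 5: "this is ensured" should start with a capital letter and "are feed into the iterator" should read "are fed". Step 7 ("next up: getProperty() (WIP)") and the four sections whose only list item is "…" are placeholders, so the walkthrough currently stops at the node read check and does not yet describe property reads or the permission store.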


