jackrabbit-commits mailing list archives

From mdue...@apache.org
Subject svn commit: r1594576 [5/8] - in /jackrabbit/site/live/oak/docs: ./ security/ security/accesscontrol/ security/authentication/ security/permission/ security/principal/ security/privilege/ security/user/
Date Wed, 14 May 2014 13:30:14 GMT
Added: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1594576&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Wed May 14 13:30:13 2014
@@ -0,0 +1,506 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-14
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Pre-Authenticated Login</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository construction">Repository construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../microkernel.html" title="NodeStore and MicroKernel">
+          <i class="none"></i>
+        NodeStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository construction">
+          <i class="none"></i>
+        Repository construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Pre-Authenticated Login<a name="Pre-Authenticated_Login"></a></h2>
+<p>Oak provides two different mechanisms to create pre-authentication that doesn&#x2019;t involve the repositories internal authentication mechanism for credentials validation.</p>
+
+<ul>
+  
+<li>Pre-Authentication combined with Login Module Chain</li>
+  
+<li>Pre-Authentication without Repository Involvement</li>
+</ul>
+<div class="section">
+<h3>Pre-Authentication combined with Login Module Chain<a name="Pre-Authentication_combined_with_Login_Module_Chain"></a></h3>
+<p>This first variant allows to support 3rd party login modules that wish to provide the login context with pre authenticated login names, but still want to rely on the rest of the Oak&#x2019;s login module chain. For example an external SSO login module can extract the userid from a servlet request and use it to authenticate against the repository. But instead of re-implementing the user lookup and subject population (and possible external user synchronization) it just informs any subsequent login modules that the credential validation was already successful.</p>
+<p>The key to understand this mechanism is the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html">PreAuthenticatedLogin</a> marker class, which is pushed to the shared state of the login context and which indicates to any subsequent LoginModule that the credentials present in the state already have been verified and thus can be trusted.</p>
+<p>This setup is particularly recommended in a OSGi setup that includes Apache Sling on top of the Oak repository but still requires user information to be synchronized into the repository.</p>
+<div class="section">
+<h4>How it works<a name="How_it_works"></a></h4>
+<p>The basic steps of the pre-authentication in combination with regular JAAS login module chain are outlined as follows:</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling Authentication Handler)</li>
+  
+<li>pass a custom, non-public Credentials implementation to the repository login</li>
+  
+<li>create a custom login module that only supports these dedicated credentials and  pushes both a new instance of <tt>PreAuthenticatedLogin</tt> and other information  required and processed by subsequent login modules (e.g. credentials and  user name).</li>
+  
+<li>make sure the subsequent login modules in the JAAS configuration are capable  to deal with the <tt>PreAuthenticatedLogin</tt> and the additional information and  will properly populate the subject and optionally synchronize user information  or create login tokens.</li>
+</ol></div>
+<div class="section">
+<h4>Example<a name="Example"></a></h4>
+<p>Example implementation of <tt>LoginModule#login</tt> that pushes the <tt>PreAuthenticatedLogin</tt> marker to the shared state:</p>
+
+<div class="source">
+<pre>public class PreAuthLoginModule extends AbstractLoginModule {
+
+[...]
+
+    @Overwrite
+    public boolean login() throws LoginException {
+        Credentials credentials = getCredentials();
+        if (credentials instanceof MyPreAuthCredentials) {
+            userId = ((MyPreAuthCredentials) credentials).getUserId();
+            if (userId == null) {
+                log.debug(&quot;Could not extract userId/credentials&quot;);
+            } else {
+                sharedState.put(SHARED_KEY_PRE_AUTH_LOGIN, new PreAuthenticatedLogin(userId));
+                sharedState.put(SHARED_KEY_CREDENTIALS, new SimpleCredentials(userId, new char[0]));
+                sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
+                log.debug(&quot;login succeeded with trusted user: {}&quot;, userId);
+            }
+        }
+
+        [...]
+    }
+}
+</pre></div></div></div>
+<div class="section">
+<h3>Pre-Authentication without Repository Involvement<a name="Pre-Authentication_without_Repository_Involvement"></a></h3>
+<p>Like in Jackrabbit-core the repository internal authentication verification can be skipped by calling <tt>Repository#login()</tt> or <tt>Repository#login(null, wspName)</tt>. In this case the repository implementation expects the verification to be performed prior to the login call.</p>
+<p>This behavior is provided by the default implementation of the <tt>LoginContextProvider</tt> [1] which expects a <tt>Subject</tt> to be available with the current <tt>java.security.AccessControlContext</tt>. However, in contrast to Jackrabbit-core the current implementation does not try to extend the pre-authenticated subject but skips the internal verification step altogether.</p>
+<div class="section">
+<h4>Options to modify the default behavior<a name="Options_to_modify_the_default_behavior"></a></h4>
+<p>Since the <tt>LoginContextProvider</tt> is a configurable with the authentication setup OAK users also have the following options by providing a custom <tt>LoginContextProvider</tt>:</p>
+
+<ul>
+  
+<li>Disable pre-authentication by not trying to retrieve a pre-authenticated <tt>Subject</tt>.</li>
+  
+<li>Add support for extending the pre-authenticated subject by always passing writable subjects to the <tt>JaasLoginContext</tt></li>
+  
+<li>Dropping JAAS altogether by providing a custom implementation of the  <tt>org.apache.jackrabbit.oak.spi.security.authentication.LoginContext</tt> [2] interface.</li>
+</ul></div>
+<div class="section">
+<h4>Example<a name="Example"></a></h4>
+<p>Example how to use this type of pre-authentication:</p>
+
+<div class="source">
+<pre>String userId = &quot;test&quot;;
+/**
+ Retrive valid principals e.g. by calling jackrabbit API
+ - PrincipalManager#getPrincipal and/or #getGroupMembership
+ or from Oak SPI
+ - PrincipalProvider#getPrincipals(String userId)
+ */
+Set&lt;? extends Principal&gt; principals = getPrincipals(userId);
+AuthInfo authInfo = new AuthInfoImpl(userId, Collections.&lt;String, Object&gt;emptyMap(), principals);
+Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.&lt;Object&gt;emptySet());
+Session session;
+try {
+    session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction&lt;Session&gt;() {
+        @Override
+        public Session run() throws Exception {
+            return login(null, null);
+        }
+    }, null);
+} catch (PrivilegedActionException e) {
+    throw new RepositoryException(&quot;failed to retrieve session.&quot;, e);
+}
+</pre></div>
+<!-- references --></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
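Review bot: In the `PreAuthLoginModule#login` example the `PreAuthenticatedLogin` marker is pushed on nothing more than `credentials instanceof MyPreAuthCredentials`, so the safety of this variant rests on step 2 of "How it works" (a custom, non-public Credentials class), and the page does not repeat that next to the code. I would add a sentence under the example along the lines of `MyPreAuthCredentials must only be instantiable by the trusted authentication layer; subsequent login modules treat the shared-state credentials as already verified.` The same listing uses `@Overwrite`, which is not a Java annotation and should read `@Override`, and the comment in the second example misspells `Retrieve` as `Retrive`. Separately, the footer pulls `http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js` over plain HTTP, which lets anyone on the network path alter the script; an `https:` URL or dropping the widget would avoid that. The file is generated by Maven Doxia, so these fixes presumably belong in the source document and site descriptor rather than in this HTML.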

Added: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1594576&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Wed May 14 13:30:13 2014
@@ -0,0 +1,652 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-14
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Token Authentication and Token Management</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository construction">Repository construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../microkernel.html" title="NodeStore and MicroKernel">
+          <i class="none"></i>
+        NodeStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository construction">
+          <i class="none"></i>
+        Repository construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Token Authentication and Token Management<a name="Token_Authentication_and_Token_Management"></a></h2>
+<div class="section">
+<h3>General<a name="General"></a></h3>
+<p>The token based authentication has been completely refactor in Oak and has the following general characteristics.</p>
+
+<ul>
+  
+<li>Dedicated API for managing login tokens defined in the package <tt>org.apache.jackrabbit.oak.spi.security.authentication.token</tt>.</li>
+  
+<li>Pluggable configuration of the new token management API</li>
+  
+<li>Complete separation of token based authentication into a separate <tt>LoginModule</tt>.</li>
+</ul></div>
+<div class="section">
+<h3>Token Authentication<a name="Token_Authentication"></a></h3>
+<p>As of Oak the token based authentication is handled by a dedicated <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.html">TokenLoginModule</a>. It is both responsible for issueing new login tokens and validating <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authentication/token/TokenCredentials.java">TokenCredentials</a> passed to the repository login.</p>
+<p>This token specific login module implementation obtains the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a> from the security configuration as defined for the content repository. The token management implementation present with a given repository can be changed or extended at runtime (see section Configuration below).</p>
+<div class="section">
+<h4>TokenLoginModule<a name="TokenLoginModule"></a></h4>
+<p>The <tt>TokenLoginModule</tt>designed to support and issue <tt>TokenCredentials</tt>. The authentication phases behave as follows:</p>
+<p><i>Phase 1: Login</i></p>
+
+<ul>
+  
+<li>if no <tt>TokenProvider</tt> is available <b>returns <tt>false</tt></b></li>
+  
+<li>if a <tt>TokenProvider</tt> has been configured it retrieves JCR credentials from the [CallbackHandler] using the [CredentialsCallback]</li>
+  
+<li>in case of <tt>TokenCredentials</tt> validates these credentials: if it succeeds  it pushes the users ID to the shared state and returns <tt>true</tt>; otherwise throws <tt>LoginException</tt></li>
+  
+<li>for other credentials the method returns <tt>false</tt></li>
+</ul>
+<p><i>Phase 1: Commit</i></p>
+
+<ul>
+  
+<li>if phase 1 succeeded the subject is populated and the method returns <tt>true</tt></li>
+  
+<li>in case phase 1 did not succeed this method will test if the shared state contain  credentials that ask for a new token being created; if this succeeds it will  create a new instance of <tt>TokenCredentials</tt>, push the public attributes to the  shared stated and update the subject with the new credentials;  finally the commit call <b>returns <tt>false</tt></b></li>
+</ul></div></div>
+<div class="section">
+<h3>Token Management API<a name="Token_Management_API"></a></h3>
+<p>Oak 1.0 defines the following interfaces used to manage login tokens:</p>
+
+<ul>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a>: Interface to read and manage login tokens.</li>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenInfo.html">TokenInfo</a>: Information associated with a given login token.</li>
+</ul>
+<p>In addition Oak comes with a default implementation of the provider interface that is able to aggregate multiple <tt>TokenProvider</tt>s:</p>
+
+<ul>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/CompositeTokenProvider.html">CompositeTokenProvider</a></li>
+</ul></div>
+<div class="section">
+<h3>Characteristics of the TokenProvider Implementation<a name="Characteristics_of_the_TokenProvider_Implementation"></a></h3>
+<p>The default implementation of the token management API stores login tokens along with the user&#x2019;s home directory in the repository. Along with the hash of the login token separated properties defining the expiration time of the token as well as as additional properties associated with the login tokens. This additional information may be mandatory (thus validated during the login) or optional. The optional properties are meant to have informative value only and will be transferred to public attributes as exposed by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a> present with each <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/ContentSession.html">ContentSession</a>.</p>
+<div class="section">
+<h4>Token Creation<a name="Token_Creation"></a></h4>
+<p>The creation of a new token is triggered by valid <tt>SimpleCredentials</tt> passed to the login module chain that contain an additional, empty <tt>.token</tt> attribute. The default <tt>TokenProvider</tt> implementation will consequently generate a new token and store it&#x2019;s hash along with all mandatory and informative attributes to the new content node representing the new token.</p></div>
+<div class="section">
+<h4>Token Removal<a name="Token_Removal"></a></h4>
+<p>In the default implementation a given login token (and the node associated with it) will be removed if the authentication fails due to an expired token.</p></div>
+<div class="section">
+<h4>Resetting Expiration Time<a name="Resetting_Expiration_Time"></a></h4>
+<p>The default <tt>TokenProvider</tt> implementation will automatically reset the expiration time of a given token upon successful authentication.</p></div>
+<div class="section">
+<h4>Token Representation in the Repository<a name="Token_Representation_in_the_Repository"></a></h4>
+<div class="section">
+<h5>Content Structure<a name="Content_Structure"></a></h5>
+<p>The login tokens issued for a given user are all located underneath a node named <tt>.tokens</tt> that will be created by the <tt>TokenProvider</tt> once the first token is created. The default implementation creates a distinct node for each login token as described below</p>
+
+<div class="source">
+<pre>testUser {
+    &quot;jcr:primaryType&quot;: &quot;rep:User&quot;,
+    ...
+    &quot;.tokens&quot; {
+        &quot;jcr:primaryType&quot;: &quot;rep:Unstructured&quot;,
+        &quot;2014-04-10T16.09.07.159+02.00&quot; {
+            &quot;jcr:primaryType&quot;: &quot;rep:Token&quot;,
+            ...
+        &quot;2014-05-07T12.08.57.683+02.00&quot; {
+            &quot;jcr:primaryType&quot;: &quot;rep:Token&quot;,
+            ...
+        }
+        &quot;2014-06-25T16.00.13.018+02.00&quot; {
+            &quot;jcr:primaryType&quot;: &quot;rep:Token&quot;,
+            ...
+        }
+    }
+}
+</pre></div></div>
+<div class="section">
+<h5>Token Nodes<a name="Token_Nodes"></a></h5>
+<p>As of Oak 1.0 the login token are represented in the repository as follows:</p>
+
+<ul>
+  
+<li>the token node is referenceable with the dedicated node type <tt>rep:Token</tt> (used to be unstructured in Jackrabbit 2.x)</li>
+  
+<li>expiration and key properties are defined to be mandatory and protected</li>
+  
+<li>expiration time is obtained from <tt>PARAM_TOKEN_EXPIRATION</tt> specified in the  login attributes and falls back to the configuration parameter with the same  name as specified in the configuration options of the <tt>TokenConfiguration</tt>.</li>
+</ul>
+<p>The definition of the new built-in node type <tt>rep:Token</tt>:</p>
+
+<div class="source">
+<pre>[rep:Token] &gt; mix:referenceable
+- rep:token.key (STRING) protected mandatory
+- rep:token.exp (DATE) protected mandatory
+- * (UNDEFINED) protected
+- * (UNDEFINED) multiple protected
+</pre></div>
+<p>The following example illustrates the token nodes resulting from this node type definition:</p>
+
+<div class="source">
+<pre>testUser {
+        &quot;jcr:primaryType&quot;: &quot;rep:User&quot;,
+        ...
+        &quot;.tokens&quot; {
+            &quot;2014-04-10T16.09.07.159+02.00&quot; {
+                &quot;jcr:primaryType&quot;: &quot;rep:Token&quot;,
+                &quot;jcr:uuid&quot;: &quot;30c1f361-35a2-421a-9ebc-c781eb8a08f0&quot;,
+                &quot;rep:token.key&quot;: &quot;{SHA-256}afaf64dba5d862f9-1000-3e2d4e58ac16189b9f2ac95d8d5b692e61cb06db437bcd9be5c10bdf3792356a&quot;,
+                &quot;rep:token.exp&quot;: &quot;2014-04-11T04:09:07.159+02:00&quot;,
+                &quot;.token.ip&quot;: &quot;0:0:0:0:0:0:0:1%0&quot;
+                &quot;.token.otherMandatoryProperty&quot;: &quot;expectedValue&quot;,
+                &quot;referer&quot;: &quot;http://localhost:4502/crx/explorer/login.jsp&quot;
+                &quot;otherInformalProperty&quot;: &quot;somevalue&quot;
+            },
+            &quot;2014-05-07T12.08.57.683+02.00&quot; {
+                &quot;jcr:primaryType&quot;: &quot;rep:Token&quot;,
+                &quot;jcr:uuid&quot;: &quot;c95c91e2-2e08-48ab-93db-6e7c8cdd6469&quot;,
+                &quot;rep:token.key&quot;: &quot;{SHA-256}b1d268c55abda258-1000-62e4c368972260576d37e6ba14a10f9f02897e42992624890e22c522220f7e54&quot;,
+                &quot;rep:token.exp&quot;: &quot;2014-05-08T00:08:57.683+02:00&quot;
+            },
+            ...
+        }
+    }
+}
+</pre></div></div></div></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The Oak token management comes with it&#x2019;s own [TokenConfiguration] which allows to obtain a new <tt>TokenProvider</tt> instance with the specified configuration options.</p>
+<p>Apart from the default configuration implementation Oak provides a public [CompositeTokenConfiguration], which is used to combined different implementations plugged at runtime.</p>
+<div class="section">
+<h4>Configuration Parameters<a name="Configuration_Parameters"></a></h4>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>PARAM_TOKEN_EXPIRATION </td>
+      
+<td>long </td>
+      
+<td>2 * 3600 * 1000 (2 hours)</td>
+    </tr>
+    
+<tr class="a">
+      
+<td>PARAM_TOKEN_LENGTH </td>
+      
+<td>int </td>
+      
+<td>8 </td>
+    </tr>
+  </tbody>
+</table></div>
+<div class="section">
+<h4>Examples<a name="Examples"></a></h4>
+<div class="section">
+<h5>Example JAAS Configuration<a name="Example_JAAS_Configuration"></a></h5>
+
+<div class="source">
+<pre>jackrabbit.oak {
+     org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule sufficient;
+     org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
+ };
+</pre></div></div></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>The default security setup as present with Oak 1.0 is able to provide custom <tt>TokenProvider</tt> implementations and will automatically combine the different implementations using the <tt>CompositeTokenProvider</tt>.</p>
+<p>In an OSGi setup the following steps are required in order to add a custom token provider implementation:</p>
+
+<ul>
+  
+<li>implement <tt>TokenProvider</tt> interface</li>
+  
+<li>expose the custom provider by your custom <tt>TokenConfiguration</tt> service</li>
+  
+<li>make the configuration available to the Oak repository.</li>
+</ul>
+<div class="section">
+<h4>Examples<a name="Examples"></a></h4>
+<div class="section">
+<h5>Example TokenConfiguration<a name="Example_TokenConfiguration"></a></h5>
+
+<div class="source">
+<pre>@Component()
+@Service({TokenConfiguration.class, SecurityConfiguration.class})
+public class MyTokenConfiguration extends ConfigurationBase implements TokenConfiguration {
+
+    public TokenConfigurationImpl() {
+        super();
+    }
+
+    public TokenConfigurationImpl(SecurityProvider securityProvider) {
+        super(securityProvider, securityProvider.getParameters(NAME));
+    }
+
+    @Activate
+    private void activate(Map&lt;String, Object&gt; properties) {
+        setParameters(ConfigurationParameters.of(properties));
+    }
+
+    //----------------------------------------------&lt; SecurityConfiguration &gt;---
+    @Nonnull
+    @Override
+    public String getName() {
+        return NAME;
+    }
+
+    //-------------------------------------------------&lt; TokenConfiguration &gt;---
+    @Nonnull
+    @Override
+    public TokenProvider getTokenProvider(Root root) {
+        return new MyTokenProvider(root, getParameters());
+    }
+}
+</pre></div>
+<!-- references --></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Added: jackrabbit/site/live/oak/docs/security/authentication/usersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/usersync.html?rev=1594576&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/usersync.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/usersync.html Wed May 14 13:30:13 2014
@@ -0,0 +1,538 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-14
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - User and Group Synchronization</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository construction">Repository construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../microkernel.html" title="NodeStore and MicroKernel">
+          <i class="none"></i>
+        NodeStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository construction">
+          <i class="none"></i>
+        Repository construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>User and Group Synchronization<a name="User_and_Group_Synchronization"></a></h2>
+<p>The synchronization of users and groups is triggered by the <a href="externalloginmodule.html">ExternalLoginModule</a>, after a user is successfully authenticated against the IDP or if it&#x2019;s no longer present on the IDP.</p>
+<p>Oak comes with a default implementation of the <tt>SyncHandler</tt> interface: [org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler].</p>
+<div class="section">
+<div class="section">
+<div class="section">
+<h5>Configuration of the DefaultSyncHandler<a name="Configuration_of_the_DefaultSyncHandler"></a></h5>
+<p>Oak provides a default synchronization handler that is configured via [DefaultSyncConfig]. The handler is configured either via OSGi or during manual <a href="../../construct.html">Repository Construction</a>.</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Name </th>
+      
+<th>Property </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>Sync Handler Name </td>
+      
+<td><tt>handler.name</tt> </td>
+      
+<td>Name of this sync configuration. This is used to reference this handler by the login modules. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User auto membership </td>
+      
+<td><tt>user.autoMembership</tt> </td>
+      
+<td>List of groups that a synced user is added to automatically </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User Expiration Time </td>
+      
+<td><tt>user.expirationTime</tt> </td>
+      
+<td>Duration until a synced user gets expired (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User Membership Expiration </td>
+      
+<td><tt>user.membershipExpTime</tt> </td>
+      
+<td>Time after which membership expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User membership nesting depth </td>
+      
+<td><tt>user.membershipNestingDepth</tt> </td>
+      
+<td>Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>User Path Prefix </td>
+      
+<td><tt>user.pathPrefix</tt> </td>
+      
+<td>The path prefix used when creating new users. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>User property mapping </td>
+      
+<td><tt>user.propertyMapping</tt> </td>
+      
+<td>List mapping definition of local properties from external ones. eg: &#x2018;profile/email=mail&#x2019;.Use double quotes for fixed values. eg: &#x2019;profile/nt:primaryType=&#x201c;nt:unstructured&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group auto membership </td>
+      
+<td><tt>group.autoMembership</tt> </td>
+      
+<td>List of groups that a synced group is added to automatically </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group Expiration Time </td>
+      
+<td><tt>group.expirationTime</tt> </td>
+      
+<td>Duration until a synced group expires (eg. &#x2018;1h 30m&#x2019; or &#x2018;1d&#x2019;). </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Group Path Prefix </td>
+      
+<td><tt>group.pathPrefix</tt> </td>
+      
+<td>The path prefix used when creating new groups. </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Group property mapping </td>
+      
+<td><tt>group.propertyMapping</tt> </td>
+      
+<td>List mapping definition of local properties from external ones. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Modified: jackrabbit/site/live/oak/docs/security/overview.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/overview.html?rev=1594576&r1=1594575&r2=1594576&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/overview.html (original)
+++ jackrabbit/site/live/oak/docs/security/overview.html Wed May 14 13:30:13 2014
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-05-06
+ | Generated by Apache Maven Doxia at 2014-05-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140506" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
     <meta http-equiv="Content-Language" content="en" />
-    <title>Jackrabbit Oak - The Oak Security Layer - Overview</title>
+    <title>Jackrabbit Oak - The Oak Security Layer</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
     <link rel="stylesheet" href="../css/site.css" />
     <link rel="stylesheet" href="../css/print.css" media="print" />
@@ -58,9 +58,6 @@
                   
                       <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
 </li>
-                  
-                      <li>      <a href="../from_here.html"  title="From here">From here</a>
-</li>
                           </ul>
       </li>
                 <li class="dropdown">
@@ -73,7 +70,7 @@
                       <li>      <a href="../nodestate.html"  title="The node state model">The node state model</a>
 </li>
                   
-                      <li>      <a href="../microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+                      <li>      <a href="../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
 </li>
                   
                       <li>      <a href="../query.html"  title="Query">Query</a>
@@ -96,19 +93,22 @@
                       <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
 </li>
                   
-                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+                      <li>      <a href="../construct.html"  title="Repository construction">Repository construction</a>
 </li>
                   
                       <li>      <a href="../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
 </li>
                   
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
                       <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
 </li>
                   
                       <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
 </li>
                   
-                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+                      <li>      <a href="../FAQ.html"  title="FAQ">FAQ</a>
 </li>
                           </ul>
       </li>
@@ -163,7 +163,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-05-06</li>
+                  <li id="publishDate">Last Published: 2014-05-14</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
                       
                 
@@ -201,13 +201,6 @@
           <i class="none"></i>
         Downloads</a>
             </li>
-                  
-      <li>
-    
-                          <a href="../from_here.html" title="From here">
-          <i class="none"></i>
-        From here</a>
-            </li>
                               <li class="nav-header">Concepts and architecture</li>
                                 
       <li>
@@ -226,9 +219,9 @@
                   
       <li>
     
-                          <a href="../microkernel.html" title="NodesStore and MicroKernel">
+                          <a href="../microkernel.html" title="NodeStore and MicroKernel">
           <i class="none"></i>
-        NodesStore and MicroKernel</a>
+        NodeStore and MicroKernel</a>
             </li>
                   
       <li>
@@ -267,9 +260,9 @@
                   
       <li>
     
-                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+                          <a href="../construct.html" title="Repository construction">
           <i class="none"></i>
-        Differences to Jackrabbit 2</a>
+        Repository construction</a>
             </li>
                   
       <li>
@@ -281,6 +274,13 @@
                   
       <li>
     
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
                           <a href="../known_issues.html" title="Known Issues">
           <i class="none"></i>
         Known Issues</a>
@@ -295,9 +295,9 @@
                   
       <li>
     
-                          <a href="../when_things_go_wrong.html" title="When things go wrong">
+                          <a href="../FAQ.html" title="FAQ">
           <i class="none"></i>
-        When things go wrong</a>
+        FAQ</a>
             </li>
                               <li class="nav-header">Developing Oak</li>
                                 
@@ -375,22 +375,84 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License. --><h1>The Oak Security Layer - Overview</h1>
+   limitations under the License. --><div class="section">
+<h2>The Oak Security Layer<a name="The_Oak_Security_Layer"></a></h2>
+<div class="section">
+<h3>Authentication<a name="Authentication"></a></h3>
 
 <ul>
   
-<li><a href="authentication.html">Authentication</a></li>
+<li><a href="authentication.html">Overview</a></li>
+  
+<li><a href="authentication/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
+<li><a href="authentication/tokenmanagement.html">Token Authentication and Token Management</a></li>
+  
+<li><a href="authentication/externalloginmodule.html">External Authentication</a></li>
+  
+<li><a href="authentication/usersync.html">User and Group Synchronization</a></li>
+  
+<li><a href="authentication/identitymanagement.html">Identity Management</a></li>
+  
+<li><a href="authentication/ldap.html">LDAP Integration</a></li>
+  
+<li><a href="authentication/preauthentication.html">Pre-Authentication</a></li>
+</ul></div>
+<div class="section">
+<h3>Access Control<a name="Access_Control"></a></h3>
+
+<ul>
+  
+<li><a href="accesscontrol.html">Overview</a></li>
+  
+<li><a href="accesscontrol/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
+<li><a href="accesscontrol/restriction.html">Restriction Management</a></li>
+</ul></div>
+<div class="section">
+<h3>Permissions<a name="Permissions"></a></h3>
+
+<ul>
+  
+<li><a href="permission.html">Overview</a></li>
+  
+<li><a href="permission/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
+<li><a href="permission/evaluation.html">Permission Evaluation in Detail</a></li>
+</ul></div>
+<div class="section">
+<h3>Privilege Management<a name="Privilege_Management"></a></h3>
+
+<ul>
+  
+<li><a href="privilege.html">Overview</a></li>
+  
+<li><a href="privilege/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+</ul></div>
+<div class="section">
+<h3>Principal Management<a name="Principal_Management"></a></h3>
+
+<ul>
+  
+<li><a href="principal.html">Overview</a></li>
+  
+<li><a href="principal/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+</ul></div>
+<div class="section">
+<h3>User Management<a name="User_Management"></a></h3>
+
+<ul>
   
-<li><a href="accesscontrol.html">Access Control</a></li>
+<li><a href="user.html">Overview</a></li>
   
-<li><a href="permission.html">Permission Evaluation</a></li>
+<li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
   
-<li><a href="privilege.html">Privilege Management</a></li>
+<li><a href="user/membership.html">Group Membership</a></li>
   
-<li><a href="principal.html">Principal Management</a></li>
+<li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
   
-<li><a href="user.html">User Management</a></li>
-</ul>
+<li><a href="user/query.html">Searching Users and Groups</a></li>
+</ul></div></div>
                   </div>
             </div>
           </div>


