jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mdue...@apache.org
Subject svn commit: r1594576 [7/8] - in /jackrabbit/site/live/oak/docs: ./ security/ security/accesscontrol/ security/authentication/ security/permission/ security/principal/ security/privilege/ security/user/
Date Wed, 14 May 2014 13:30:14 GMT
Modified: jackrabbit/site/live/oak/docs/security/privilege.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege.html?rev=1594576&r1=1594575&r2=1594576&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege.html Wed May 14 13:30:13 2014
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-05-06
+ | Generated by Apache Maven Doxia at 2014-05-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140506" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
     <meta http-equiv="Content-Language" content="en" />
-    <title>Jackrabbit Oak - The Oak Security Layer</title>
+    <title>Jackrabbit Oak - Privilege Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
     <link rel="stylesheet" href="../css/site.css" />
     <link rel="stylesheet" href="../css/print.css" media="print" />
@@ -58,9 +58,6 @@
                   
                       <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
 </li>
-                  
-                      <li>      <a href="../from_here.html"  title="From here">From here</a>
-</li>
                           </ul>
       </li>
                 <li class="dropdown">
@@ -73,7 +70,7 @@
                       <li>      <a href="../nodestate.html"  title="The node state model">The node state model</a>
 </li>
                   
-                      <li>      <a href="../microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+                      <li>      <a href="../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
 </li>
                   
                       <li>      <a href="../query.html"  title="Query">Query</a>
@@ -96,19 +93,22 @@
                       <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
 </li>
                   
-                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+                      <li>      <a href="../construct.html"  title="Repository construction">Repository construction</a>
 </li>
                   
                       <li>      <a href="../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
 </li>
                   
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
                       <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
 </li>
                   
                       <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
 </li>
                   
-                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+                      <li>      <a href="../FAQ.html"  title="FAQ">FAQ</a>
 </li>
                           </ul>
       </li>
@@ -163,7 +163,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-05-06</li>
+                  <li id="publishDate">Last Published: 2014-05-14</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
                       
                 
@@ -201,13 +201,6 @@
           <i class="none"></i>
         Downloads</a>
             </li>
-                  
-      <li>
-    
-                          <a href="../from_here.html" title="From here">
-          <i class="none"></i>
-        From here</a>
-            </li>
                               <li class="nav-header">Concepts and architecture</li>
                                 
       <li>
@@ -226,9 +219,9 @@
                   
       <li>
     
-                          <a href="../microkernel.html" title="NodesStore and MicroKernel">
+                          <a href="../microkernel.html" title="NodeStore and MicroKernel">
           <i class="none"></i>
-        NodesStore and MicroKernel</a>
+        NodeStore and MicroKernel</a>
             </li>
                   
       <li>
@@ -269,9 +262,9 @@
                   
       <li>
     
-                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+                          <a href="../construct.html" title="Repository construction">
           <i class="none"></i>
-        Differences to Jackrabbit 2</a>
+        Repository construction</a>
             </li>
                   
       <li>
@@ -283,6 +276,13 @@
                   
       <li>
     
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
                           <a href="../known_issues.html" title="Known Issues">
           <i class="none"></i>
         Known Issues</a>
@@ -297,9 +297,9 @@
                   
       <li>
     
-                          <a href="../when_things_go_wrong.html" title="When things go wrong">
+                          <a href="../FAQ.html" title="FAQ">
           <i class="none"></i>
-        When things go wrong</a>
+        FAQ</a>
             </li>
                               <li class="nav-header">Developing Oak</li>
                                 
@@ -377,13 +377,159 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License. --><h1>The Oak Security Layer</h1>
-<div class="section">
+   limitations under the License. --><div class="section">
 <h2>Privilege Management<a name="Privilege_Management"></a></h2>
-<p><i>TODO</i></p>
 <div class="section">
-<h3>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h3>
-<p>see the corresponding <a href="../differences_privileges.html">documentation</a>.</p></div></div>
+<h3>Characteristics of the Privilege Management Implementation<a name="Characteristics_of_the_Privilege_Management_Implementation"></a></h3>
+<div class="section">
+<h4>General Notes<a name="General_Notes"></a></h4>
+<p>As of Oak the built-in and custom privileges are stored in the repository underneath <tt>/jcr:system/rep:privileges</tt>. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type definition and cannot be modified using regular JCR write methods. In addition a specific <tt>Validator</tt> and <tt>CommitHook</tt> implementations assert the consistency of the privilege store. The built-in privileges are installed using a dedicated implementation of the <tt>RepositoryInitializer</tt>.</p></div>
+<div class="section">
+<h4>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h4>
+<p>A comprehensive list of changes compared to Jackrabbit 2.x can be found in the corresponding <a href="privilege/differences.html">documentation</a>.</p></div>
+<div class="section">
+<h4>Built-in Privilege Definitions<a name="Built-in_Privilege_Definitions"></a></h4>
+
+<ul>
+  
+<li>
+<p>All Privileges as defined by JSR 283</p>
+  
+<div class="source">
+<pre>jcr:read (NOTE: Aggregate since Oak 1.0)
+jcr:modifyProperties (NOTE: Aggregate since Oak 1.0)
+jcr:addChildNodes
+jcr:removeNode
+jcr:removeChildNodes
+jcr:readAccessControl
+jcr:modifyAccessControl
+jcr:lockManagement
+jcr:versionManagement
+jcr:nodeTypeManagement
+jcr:retentionManagement (NOTE: retention management not yet implemented)
+jcr:lifecycleManagement (NOTE: lifecycle management not yet implemented)
+jcr:write
+jcr:all
+</pre></div></li>
+  
+<li>
+<p>All Privileges defined by JSR 333</p>
+  
+<div class="source">
+<pre>jcr:workspaceManagement (NOTE: wsp management not yet implemented)
+jcr:nodeTypeDefinitionManagement
+jcr:namespaceManagement
+</pre></div></li>
+  
+<li>
+<p>All Privileges defined by Jackrabbit 2.x</p>
+  
+<div class="source">
+<pre>rep:write
+rep:privilegeManagement
+</pre></div></li>
+  
+<li>
+<p>New Privileges defined by OAK 1.0:</p>
+  
+<div class="source">
+<pre>rep:userManagement
+rep:readNodes
+rep:readProperties
+rep:addProperties
+rep:alterProperties
+rep:removeProperties
+rep:indexDefinitionManagement
+</pre></div></li>
+</ul>
+<p>Please note the following differences with respect to Jackrabbit 2.x definitions:</p>
+
+<ul>
+  
+<li><tt>jcr:read</tt> is now an aggregation of <tt>rep:readNodes</tt> and <tt>rep:readProperties</tt></li>
+  
+<li><tt>jcr:modifyProperties</tt> is now an aggregation of <tt>rep:addProperties</tt>, <tt>rep:alterProperties</tt> and <tt>rep:removeProperties</tt></li>
+</ul>
+<div class="section">
+<h5>New Privileges<a name="New_Privileges"></a></h5>
+<p>The new Privileges introduced with Oak 1.0 have the following effect:</p>
+
+<ul>
+  
+<li><tt>rep:userManagement</tt>: Privilege required in order to write items that define user or group specific content.</li>
+  
+<li><tt>rep:readNodes</tt>: Privilege used to allow/deny read access to nodes (aggregate of <tt>jcr:read</tt>)</li>
+  
+<li><tt>rep:readProperties</tt>: Privilege used to allow/deny read access to properties (aggregate of <tt>jcr:read</tt>)</li>
+  
+<li><tt>rep:addProperties</tt>: Privilege required in order to create new properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
+  
+<li><tt>rep:alterProperties</tt>: Privilege required in order to change existing properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
+  
+<li><tt>rep:removeProperties</tt>: Privilege required in order to remove existing properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
+  
+<li><tt>rep:indexDefinitionManagement</tt>: Privilege required to create, modify or deleate index definitions.</li>
+</ul></div></div></div>
+<div class="section">
+<h3>Privilege Representation in the Repository<a name="Privilege_Representation_in_the_Repository"></a></h3>
+<p>As of Oak 1.0 all privilege definitions are stored in the repository itself underneath <tt>/jcr:system/rep:privileges</tt>. The following privilege related built-in node types have been added in OAK 1.0 in order to represent built-in and custom privilege definitions.</p>
+
+<div class="source">
+<pre>[rep:Privileges]
+  + * (rep:Privilege) = rep:Privilege protected ABORT
+  - rep:next (LONG) protected multiple mandatory
+
+[rep:Privilege]
+  - rep:isAbstract (BOOLEAN) protected
+  - rep:aggregates (NAME) protected multiple
+  - rep:bits (LONG) protected multiple mandatory
+</pre></div>
+<p>Note the protection status of all child items defined by these node type definitions as they prevent modification of the privilege definitions using regular JCR write operations.</p></div>
+<div class="section">
+<h3>API Extensions<a name="API_Extensions"></a></h3>
+
+<ul>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.html">PrivilegeConfiguration</a> : Oak level entry point to retrieve <tt>PrivilegeManager</tt> and privilege related configuration options.</li>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html">PrivilegeConstants</a> : Constants related to privilege management such as Oak names of the built-in privileges.</li>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.html">PrivilegeBitsProvider</a> : Internal provider to read <tt>PrivilegeBits</tt> from the repository content and map names to internal representation (and vice versa).</li>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.html">PrivilegeBits</a>: Internal representation of JCR privileges.</li>
+</ul></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.html">PrivilegeConfiguration</a> is the Oak level entry point to obtain a new <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManager.java">PrivilegeManager</a> as well as privilege related configuration options. The default implementation of the <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrivilegeManager.java">PrivilegeManager</a> interface is based on Oak API and can equally be used for privilege related tasks in the Oak layer.</p>
+<p>Please note: While it&#x2019;s in theory possible to replace the default privilege management implementation in Oak, this is only recommended if you have in depth knowledge and understanding of Jackrabbit/Oak internals and are familiar with the security risk associated with it.</p>
+<div class="section">
+<h4>Examples<a name="Examples"></a></h4>
+<div class="section">
+<h5>Access PrivilegeManager in JCR<a name="Access_PrivilegeManager_in_JCR"></a></h5>
+
+<div class="source">
+<pre>PrivilegeManager privilegeManager = session.getWorkspace().getPrivilegeManager();
+</pre></div></div>
+<div class="section">
+<h5>Access PrivilegeManager in Oak<a name="Access_PrivilegeManager_in_Oak"></a></h5>
+
+<div class="source">
+<pre>Root root = contentSession.getLatestRoot();
+PrivilegeConfiguration config = securityProvider.getConfiguration(PrivilegeConfiguration.class);
+PrivilegeManager privilegeManage = config.getPrivilegeManager(root, namePathMapper));
+</pre></div></div>
+<div class="section">
+<h5>Register Custom Privilege<a name="Register_Custom_Privilege"></a></h5>
+
+<div class="source">
+<pre>PrivilegeManager privilegeManager = session.getWorkspace().getPrivilegeManager();
+String privilegeName = ...
+boolean isAbstract = ...
+String[] declaredAggregateNames = ...
+// NOTE: workspace operation that doesn't require Session#save()
+privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames);
+</pre></div>
+<!-- references --></div></div></div></div>
                   </div>
             </div>
           </div>

Added: jackrabbit/site/live/oak/docs/security/privilege/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/differences.html?rev=1594576&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/differences.html (added)
+++ jackrabbit/site/live/oak/docs/security/privilege/differences.html Wed May 14 13:30:13 2014
@@ -0,0 +1,452 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-14
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Privilege Management : Differences wrt Jackrabbit 2.x</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository construction">Repository construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../microkernel.html" title="NodeStore and MicroKernel">
+          <i class="none"></i>
+        NodeStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository construction">
+          <i class="none"></i>
+        Repository construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<div class="section">
+<h3>Privilege Management : Differences wrt Jackrabbit 2.x<a name="Privilege_Management_:_Differences_wrt_Jackrabbit_2.x"></a></h3>
+<div class="section">
+<h4>Registration of Custom Privileges<a name="Registration_of_Custom_Privileges"></a></h4>
+<p>As far as registration of custom privileges the Oak implementation behaves different to Jackrabbit 2.x in the following two aspects:</p>
+
+<ul>
+  
+<li>Registration of new privileges fails with <tt>IllegalStateException</tt> if the editing session has pending changes.</li>
+  
+<li>Any validation is performed by CommitHooks in order to make sure that modifications made on the Oak API directly is equally verified. Subsequently any violation (permission, privilege consistency) is only detected at the end of the registration process. The privilege manager itself does not perform any validation.</li>
+</ul></div>
+<div class="section">
+<h4>Built-in Privilege Definitions<a name="Built-in_Privilege_Definitions"></a></h4>
+<p>The following changes have been made to built-in privilege definitions:</p>
+
+<ul>
+  
+<li>Modifications:
+  
+<ul>
+    
+<li><tt>jcr:read</tt> is now an aggregation of <tt>rep:readNodes</tt> and <tt>rep:readProperties</tt></li>
+    
+<li><tt>jcr:modifyProperties</tt> is now an aggregation of <tt>rep:addProperties</tt>, <tt>rep:alterProperties</tt> and <tt>rep:removeProperties</tt></li>
+  </ul></li>
+  
+<li>New Privileges defined by Oak 1.0:
+  
+<ul>
+    
+<li><tt>rep:userManagement</tt></li>
+    
+<li><tt>rep:readNodes</tt></li>
+    
+<li><tt>rep:readProperties</tt></li>
+    
+<li><tt>rep:addProperties</tt></li>
+    
+<li><tt>rep:alterProperties</tt></li>
+    
+<li><tt>rep:removeProperties</tt></li>
+    
+<li><tt>rep:indexDefinitionManagement</tt></li>
+  </ul></li>
+</ul></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Modified: jackrabbit/site/live/oak/docs/security/user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user.html?rev=1594576&r1=1594575&r2=1594576&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user.html (original)
+++ jackrabbit/site/live/oak/docs/security/user.html Wed May 14 13:30:13 2014
@@ -1,15 +1,15 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-05-06
+ | Generated by Apache Maven Doxia at 2014-05-14
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140506" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
     <meta http-equiv="Content-Language" content="en" />
-    <title>Jackrabbit Oak - The Oak Security Layer</title>
+    <title>Jackrabbit Oak - User Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
     <link rel="stylesheet" href="../css/site.css" />
     <link rel="stylesheet" href="../css/print.css" media="print" />
@@ -58,9 +58,6 @@
                   
                       <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
 </li>
-                  
-                      <li>      <a href="../from_here.html"  title="From here">From here</a>
-</li>
                           </ul>
       </li>
                 <li class="dropdown">
@@ -73,7 +70,7 @@
                       <li>      <a href="../nodestate.html"  title="The node state model">The node state model</a>
 </li>
                   
-                      <li>      <a href="../microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+                      <li>      <a href="../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
 </li>
                   
                       <li>      <a href="../query.html"  title="Query">Query</a>
@@ -96,19 +93,22 @@
                       <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
 </li>
                   
-                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+                      <li>      <a href="../construct.html"  title="Repository construction">Repository construction</a>
 </li>
                   
                       <li>      <a href="../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
 </li>
                   
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
                       <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
 </li>
                   
                       <li>      <a href="../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
 </li>
                   
-                      <li>      <a href="../when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+                      <li>      <a href="../FAQ.html"  title="FAQ">FAQ</a>
 </li>
                           </ul>
       </li>
@@ -163,7 +163,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-05-06</li>
+                  <li id="publishDate">Last Published: 2014-05-14</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
                       
                 
@@ -201,13 +201,6 @@
           <i class="none"></i>
         Downloads</a>
             </li>
-                  
-      <li>
-    
-                          <a href="../from_here.html" title="From here">
-          <i class="none"></i>
-        From here</a>
-            </li>
                               <li class="nav-header">Concepts and architecture</li>
                                 
       <li>
@@ -226,9 +219,9 @@
                   
       <li>
     
-                          <a href="../microkernel.html" title="NodesStore and MicroKernel">
+                          <a href="../microkernel.html" title="NodeStore and MicroKernel">
           <i class="none"></i>
-        NodesStore and MicroKernel</a>
+        NodeStore and MicroKernel</a>
             </li>
                   
       <li>
@@ -269,9 +262,9 @@
                   
       <li>
     
-                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+                          <a href="../construct.html" title="Repository construction">
           <i class="none"></i>
-        Differences to Jackrabbit 2</a>
+        Repository construction</a>
             </li>
                   
       <li>
@@ -283,6 +276,13 @@
                   
       <li>
     
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
                           <a href="../known_issues.html" title="Known Issues">
           <i class="none"></i>
         Known Issues</a>
@@ -297,9 +297,9 @@
                   
       <li>
     
-                          <a href="../when_things_go_wrong.html" title="When things go wrong">
+                          <a href="../FAQ.html" title="FAQ">
           <i class="none"></i>
-        When things go wrong</a>
+        FAQ</a>
             </li>
                               <li class="nav-header">Developing Oak</li>
                                 
@@ -377,13 +377,407 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License. --><h1>The Oak Security Layer</h1>
-<div class="section">
+   limitations under the License. --><div class="section">
 <h2>User Management<a name="User_Management"></a></h2>
-<p><i>TODO</i></p>
 <div class="section">
-<h3>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h3>
-<p>see the corresponding <a href="../differences_user.html">documentation</a>.</p></div></div>
+<h3>JCR User Management<a name="JCR_User_Management"></a></h3>
+<p>JCR itself doesn&#x2019;t come with a dedicated user management API. The only method related and ultemately used for user management tasks is <tt>Session.getUserID()</tt>. Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.</p></div>
+<div class="section">
+<h3>Jackrabbit User Management API<a name="Jackrabbit_User_Management_API"></a></h3>
+<p>The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user&#x2019; package space:</p>
+
+<ul>
+  
+<li><tt>UserManager</tt></li>
+  
+<li><tt>Authorizable</tt>
+  
+<ul>
+    
+<li><tt>User</tt></li>
+    
+<li><tt>Group</tt></li>
+  </ul></li>
+  
+<li><tt>Impersonation</tt></li>
+  
+<li><tt>QueryBuilder</tt>
+  
+<ul>
+    
+<li><tt>Query</tt></li>
+  </ul></li>
+</ul></div>
+<div class="section">
+<h3>Oak User Management Implementation<a name="Oak_User_Management_Implementation"></a></h3>
+<p>The default user management implementation stores user/group information in the content repository. In contrast to Jackrabbit 2.x, which by default used a single, dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace.</p>
+<p>Consequently the <tt>UserManager</tt> associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x <tt>UserPerWorkspaceUserManager</tt>).</p>
+<div class="section">
+<h4>General<a name="General"></a></h4>
+
+<ul>
+  
+<li>The Oak implementation is build on the Oak API. This allows for double usage as  extension to the JCR API as well as within the Oak layer (aka SPI).</li>
+  
+<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing  <tt>Session</tt> from which the class has been obtained.</li>
+  
+<li>Changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
+  
+<li>In case of any failure during user management related write operations the API  consumer is in charge of specifically revert pending or invalid transient modifications  or calling <tt>Session#refresh(false)</tt>.</li>
+</ul></div>
+<div class="section">
+<h4>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h4>
+<p>A summary of all changes with respect to the former implementation present with Jackrabbit 2.x is present in the corresponding <a href="user/differences.html">section</a>.</p></div>
+<div class="section">
+<h4>Built-in Users and Special Groups<a name="Built-in_Users_and_Special_Groups"></a></h4>
+<p>The setup of builtin user and group accounts is triggered by the configured <tt>WorkspaceInitializer</tt> associated with the user management configuration (see Configuration section below).</p>
+<p>The default user management implementation in OAK comes with an initializer that creates the following builtin user accounts:</p>
+<div class="section">
+<h5>Administrator<a name="Administrator"></a></h5>
+<p>The admin user is always being created. The ID of this user is retrieved from the user configuration parameter <tt>PARAM_ADMIN_ID</tt>, which defaults to <tt>admin</tt>.</p>
+<p>As of OAK 1.0 however the administrator user might be created without initial password forcing the application to set the password upon start (see <tt>PARAM_OMIT_ADMIN_PW</tt> configuration parameter).</p></div>
+<div class="section">
+<h5>Anonymous User<a name="Anonymous_User"></a></h5>
+<p>In contrast to Jackrabbit 2.x the anonymous (or guest) user is optional. Creation will be skipped if the value of the <tt>PARAM_ANONYMOUS_ID</tt> configuration parameter is <tt>null</tt> or empty.</p>
+<p>Note, that the anonymous user will always be created without specifying a password in order to prevent regular login with <tt>SimpleCredentials</tt>. The proper way to obtain a guest session is:</p>
+
+<div class="source">
+<pre>Repository#login(new GuestCredentials(), wspName);
+</pre></div>
+<p>See section <a href="authentication.html">Authentication</a> for further information about guest login.</p></div>
+<div class="section">
+<h5>Everyone Group<a name="Everyone_Group"></a></h5>
+<p>The default user management implementation in Oak contains special handling for the optional group that represents <i>everyone</i>, which is marked by the reserved name <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html#NAME">everyone</a> and corresponds to the <tt>EveryonePrincipal</tt>.</p>
+<p>This special group always contains all Authorizable as member and cannot be edited with user management API. As of OAK this fact is consistently reflected in all group membership related methods. See also <a href="principal.html">Principal Management</a>.</p></div></div>
+<div class="section">
+<h4>Reading Authorizables<a name="Reading_Authorizables"></a></h4>
+<div class="section">
+<h5>Handling of the Authorizable ID<a name="Handling_of_the_Authorizable_ID"></a></h5>
+
+<ul>
+  
+<li>As of Oak the node type definition of <tt>rep:Authorizable</tt> defines a new property <tt>rep:authorizableId</tt> which is intended to store the ID of a user or group.</li>
+  
+<li>The default implementation comes with a dedicated property index for <tt>rep:authorizableId</tt> which asserts the uniqueness of that ID.</li>
+  
+<li><tt>Authorizable#getID</tt> returns the string value contained in <tt>rep:authorizableID</tt> and for backwards compatibility falls back on the node name in case the ID property is missing.</li>
+  
+<li>The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface (see configuration section below). By default it uses the ID as name hint and includes a conversion to a valid JCR node name.</li>
+</ul></div>
+<div class="section">
+<h5>equals() and hashCode()<a name="equals_and_hashCode"></a></h5>
+<p>The implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for user and groups slightly differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</p></div></div>
+<div class="section">
+<h4>Creating Authorizables<a name="Creating_Authorizables"></a></h4>
+
+<ul>
+  
+<li>The <tt>rep:password</tt> property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that <tt>User#changePassword</tt> does not allow to remove the password property.</li>
+  
+<li><tt>UserManager#createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
+  
+<li>Since OAK is designed to scale with flat hierarchies the former configuration options <tt>autoExpandTree</tt> and <tt>autoExpandSize</tt> are no longer supported.</li>
+</ul></div>
+<div class="section">
+<h4>Query<a name="Query"></a></h4>
+<p>See section <a href="user/query.html">Searching Users and Groups</a> for details.</p></div>
+<div class="section">
+<h4>Group Membership<a name="Group_Membership"></a></h4>
+<p>See section <a href="user/membership.html">Group Membership</a> for details.</p></div>
+<div class="section">
+<h4>Autosave Behavior<a name="Autosave_Behavior"></a></h4>
+<p>Due to the nature of the UserManager (see above) we decided to drop the auto-save behavior in the default implementation present with OAK. Consequently,</p>
+
+<ul>
+  
+<li><tt>UserManager#autoSave(boolean)</tt> throws <tt>UnsupportedRepositoryOperationException</tt></li>
+  
+<li><tt>UserManager#isAutoSave()</tt> always returns <tt>false</tt></li>
+</ul>
+<p>See also <tt>PARAM_SUPPORT_AUTOSAVE</tt> below; while this should not be needed if application code has been written against the Jackrabbit API (and thus testing if auto-save mode is enabled or not) this configuration option can be used as last resort.</p></div></div>
+<div class="section">
+<h3>User/Group Representation in the Repository<a name="UserGroup_Representation_in_the_Repository"></a></h3>
+<p>The following block lists the built-in node types related to user management tasks:</p>
+
+<div class="source">
+<pre>[rep:Authorizable] &gt; mix:referenceable, nt:hierarchyNode
+  abstract
+  + * (nt:base) = nt:unstructured VERSION
+  - rep:principalName  (STRING) protected mandatory
+  - rep:authorizableId (STRING) protected /* @since oak 1.0 */
+  - * (UNDEFINED)
+  - * (UNDEFINED) multiple
+
+[rep:Group] &gt; rep:Authorizable, rep:MemberReferences
+  + rep:members (rep:Members) = rep:Members multiple protected VERSION /* @deprecated */
+  + rep:membersList (rep:MemberReferencesList) = rep:MemberReferencesList protected COPY
+
+/** @since oak 1.0 */
+[rep:MemberReferences]
+  - rep:members (WEAKREFERENCE) protected multiple &lt; 'rep:Authorizable'
+
+/** @since oak 1.0 */
+[rep:MemberReferencesList]
+  + * (rep:MemberReferences) = rep:MemberReferences protected COPY
+
+/** @deprecated since oak 1.0 */
+[rep:Members]
+  orderable
+  + * (rep:Members) = rep:Members protected multiple
+  - * (WEAKREFERENCE) protected &lt; 'rep:Authorizable'
+</pre></div></div>
+<div class="section">
+<h3>XML Import<a name="XML_Import"></a></h3>
+<p>As of Oak 1.0 user and group nodes can be imported both with Session and Workspace import. Other differences compared to Jackrabbit 2.x:</p>
+
+<ul>
+  
+<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-&gt; see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
+  
+<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
+</ul></div>
+<div class="section">
+<h3>API Extensions<a name="API_Extensions"></a></h3>
+<p>The Oak project introduces the following user management related public interfaces and classes:</p>
+<div class="section">
+<h4>Authorizable Actions<a name="Authorizable_Actions"></a></h4>
+<p>The former internal Jackrabbit interface <tt>AuthorizableAction</tt> has been slightly adjusted to match Oak requirements and is now part of the public Oak SPI interfaces. In contrast to Jackrabbit-core the AuthorizableAction(s) now operate directly on the Oak API, which eases the handling of implementation specific tasks such as writing protected items.</p>
+<p>See section <a href="user/authorizableaction.html">Authorizable Actions</a> for further details and examples.</p></div>
+<div class="section">
+<h4>Node Name Generation<a name="Node_Name_Generation"></a></h4>
+<p>The default user management implementation with Oak 1.0 allows to specify how the name of a new authorizable node is being generated. As in Jackrabbit 2.x the ID is used as name-hint by default. In order to prevent exposing identifier related information in the path of the authorizable node, it it&#x2019;s desirable to change this default behavior by pluggin a custom implementation of the <tt>AuthorizableNodeName</tt> interface.</p>
+
+<ul>
+  
+<li><tt>AuthorizableNodeName</tt> : Defines the generation of the authorizable node names  in case the user management implementation stores user information in the repository.</li>
+</ul>
+<p>In the default implementation the corresponding configuration parameter is <tt>PARAM_AUTHORIZABLE_NODE_NAME</tt>. The default name generator can be replace by installing an OSGi service that implementats the <tt>AuthorizableNodeName</tt> interface. In a non-OSGi setup the user configuration must be initialized with configuration parameters that provide the custom generator implementation.</p></div>
+<div class="section">
+<h4>Utilities<a name="Utilities"></a></h4>
+<p><tt>org.apache.jackrabbit.oak.spi.security.user.*</tt></p>
+
+<ul>
+  
+<li><tt>AuthorizableType</tt> : Ease handling with the different authorizable types.</li>
+  
+<li><tt>UserConstants</tt> : Constants (NOTE: OAK names/paths)</li>
+</ul>
+<p><tt>org.apache.jackrabbit.oak.spi.security.user.util.*</tt></p>
+
+<ul>
+  
+<li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds  to the internal jackrabbit utility.  As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2)  function for password generation.</li>
+  
+<li><tt>UserUtil</tt> : Utilities related to general user management tasks.</li>
+</ul></div></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The following user management specific methods are present with the <tt>UserConfiguration</tt> as of OAK 1.0:</p>
+
+<ul>
+  
+<li>getUserManager: Obtain a new user manager instance</li>
+</ul>
+<div class="section">
+<h4>Configuration Parameters supported by the default implementation<a name="Configuration_Parameters_supported_by_the_default_implementation"></a></h4>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td><tt>PARAM_ADMIN_ID</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;admin&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_OMIT_ADMIN_PW</tt> </td>
+      
+<td>boolean </td>
+      
+<td>false </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_ANONYMOUS_ID</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;anonymous&#x201d; (nullable) </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_USER_PATH</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;/rep:security/rep:authorizables/rep:users&#x201d; </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_GROUP_PATH</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;/rep:security/rep:authorizables/rep:groups&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_DEFAULT_DEPTH</tt> </td>
+      
+<td>int </td>
+      
+<td>2 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;SHA-256&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
+      
+<td>int </td>
+      
+<td>1000 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
+      
+<td>int </td>
+      
+<td>8 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
+      
+<td>AuthorizableNodeName </td>
+      
+<td>AuthorizableNodeName#DEFAULT </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
+      
+<td>AuthorizableActionProvider </td>
+      
+<td>DefaultAuthorizableActionProvider </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
+      
+<td>boolean </td>
+      
+<td>false </td>
+    </tr>
+  </tbody>
+</table>
+<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
+
+<ul>
+  
+<li>&#x201c;compatibleJR16&#x201d;</li>
+  
+<li>&#x201c;autoExpandTree&#x201d;</li>
+  
+<li>&#x201c;autoExpandSize&#x201d;</li>
+  
+<li>&#x201c;groupMembershipSplitSize&#x201d;</li>
+</ul></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>The default security setup as present with Oak 1.0 is able to provide custom implementation on various levels:</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>The complete user management implementation can be changed by plugging a different  <tt>UserConfiguration</tt> implementations. In OSGi-base setup this is achieved by making  the configuration a service. In a non-OSGi-base setup the custom configuration  must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
+  
+<li>Within the default user management implementation the following parts can be  change/extended at runtime by providing corresponding OSGi services or passing  appropriate configuration parameters exposing the custom implementations:
+  
+<ul>
+    
+<li><tt>AuthorizableActionProvider</tt>: Defines the authorizable actions, see <a href="user/authorizableaction.html">Authorizable Actions</a>.</li>
+    
+<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names  in case the user management implementation stores user information in the repository.</li>
+  </ul></li>
+</ol>
+<div class="section">
+<h4>Examples<a name="Examples"></a></h4>
+<div class="section">
+<h5>Example AuthorizableNodeName<a name="Example_AuthorizableNodeName"></a></h5>
+<p>In an OSGi-based setup it&#x2019;s sufficient to make the service available to the repository in order to enable this custom node name generator.</p>
+
+<div class="source">
+<pre>@Component
+@Service(value = {AuthorizableNodeName.class})
+/**
+ * Custom implementation of the {@code AuthorizableNodeName} interface
+ * that uses a uuid as authorizable node name.
+ */
+final class UUIDNodeName implements AuthorizableNodeName {
+
+    @Override
+    @Nonnull
+    public String generateNodeName(@Nonnull String authorizableId) {
+        return UUID.randomUUID().toString();
+    }
+}
+</pre></div>
+<p>In a non-OSGi setup this custom name generator can be plugged by making it available to the user configuration as follows:</p>
+
+<div class="source">
+<pre>Map&lt;String, Object&gt; userParams = new HashMap&lt;String, Object&gt;();
+userParams.put(UserConstants.PARAM_AUTHORIZABLE_NODE_NAME, new UUIDNodeName());
+ConfigurationParameters config =  ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams)));
+SecurityProvider securityProvider = new SecurityProviderImpl(config));
+Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository();
+</pre></div></div></div></div>
+<div class="section">
+<h3>Further Reading<a name="Further_Reading"></a></h3>
+
+<ul>
+  
+<li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
+<li><a href="user/membership.html">Group Membership</a></li>
+  
+<li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
+  
+<li><a href="user/query.html">Searching Users and Groups</a></li>
+</ul>
+<!-- hidden references --></div></div>
                   </div>
             </div>
           </div>

Added: jackrabbit/site/live/oak/docs/security/user/authorizableaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizableaction.html?rev=1594576&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizableaction.html (added)
+++ jackrabbit/site/live/oak/docs/security/user/authorizableaction.html Wed May 14 13:30:13 2014
@@ -0,0 +1,578 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-14
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Authorizable Actions</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository construction">Repository construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../microkernel.html" title="NodeStore and MicroKernel">
+          <i class="none"></i>
+        NodeStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository construction">
+          <i class="none"></i>
+        Repository construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Authorizable Actions<a name="Authorizable_Actions"></a></h2>
+<div class="section">
+<h3>Overview<a name="Overview"></a></h3>
+<p>Oak 1.0 comes with a extension to the Jackrabbit user management API that allows to perform additional actions or validations upon common user management tasks such as</p>
+
+<ul>
+  
+<li>create authorizables</li>
+  
+<li>remove authorizables</li>
+  
+<li>change a user&#x2019;s password</li>
+</ul>
+<p>Similar functionality has been present in Jackrabbit 2.x as internal interface. Compared to the Jackrabbit interface the new <tt>AuthorizableAction</tt> has been slightly adjusted to match Oak requirements operate directly on the Oak API, which eases the handling of implementation specific tasks such as writing protected items.</p></div>
+<div class="section">
+<h3>AuthorizableAction API<a name="AuthorizableAction_API"></a></h3>
+<p>The following public interfaces are provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.user.action</tt>:</p>
+
+<ul>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.html">AuthorizableAction</a></li>
+  
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableActionProvider.html">AuthorizableActionProvider</a></li>
+</ul>
+<p>The <tt>AuthorizableAction</tt> interface itself allows to perform validations or write addition application specific content while executing user management related write operations. Note that the actions are consequently executed as part of the transient modifications and contrast to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s that are triggered upon persisting content modifications.</p></div>
+<div class="section">
+<h3>Default Implementations<a name="Default_Implementations"></a></h3>
+<p>Oak 1.0 provides the following base implementations:</p>
+
+<ul>
+  
+<li><tt>AbstractAuthorizableAction</tt>: abstract base implementation that doesn&#x2019;t perform any action.</li>
+  
+<li><tt>DefaultAuthorizableActionProvider</tt>: default action provider service that allows to enable the built-in actions provided with oak.</li>
+  
+<li><tt>CompositeActionProvider</tt>: Allows to aggregate multiple provider implementations.</li>
+</ul>
+<div class="section">
+<h4>Changes wrt Jackrabbit 2.x<a name="Changes_wrt_Jackrabbit_2.x"></a></h4>
+
+<ul>
+  
+<li>actions no longer operate on JCR API but rather on the Oak API direct.</li>
+  
+<li>provider interface simplifies pluggability</li>
+</ul></div>
+<div class="section">
+<h4>Built-in AuthorizableAction Implementations<a name="Built-in_AuthorizableAction_Implementations"></a></h4>
+<p>The following implementations of the <tt>AuthorizableAction</tt> interface are provided:</p>
+
+<ul>
+  
+<li><tt>AccessControlAction</tt>: set up permission for new authorizables</li>
+  
+<li><tt>PasswordAction</tt>: simplistic password verification upon user creation and password modification</li>
+  
+<li><tt>PasswordChangeAction</tt>: verifies that the new password is different from the old one</li>
+  
+<li><tt>ClearMembershipAction</tt>: clear group membership upon removal of an authorizable.</li>
+</ul>
+<p>As in Jackrabbit 2.x the actions are executed with the editing session and the target operation will fail if any of the configured actions fails (e.g. due to insufficient permissions by the editing Oak ContentSession).</p></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>The default security setup as present with Oak 1.0 is able to provide custom <tt>AuthorizableActionProvider</tt> implementations and will automatically combine the different implementations using the <tt>CompositeActionProvider</tt>.</p>
+<p>In an OSGi setup the following steps are required in order to add a action provider implementation:</p>
+
+<ul>
+  
+<li>implement <tt>AuthorizableActionProvider</tt> interface exposing your custom action(s).</li>
+  
+<li>make the provider implementation an OSGi service and make it available to the Oak repository.</li>
+</ul>
+<div class="section">
+<h4>Examples<a name="Examples"></a></h4>
+<div class="section">
+<h5>Example Action Provider<a name="Example_Action_Provider"></a></h5>
+
+<div class="source">
+<pre>@Component()
+@Service(AuthorizableActionProvider.class)
+public class MyAuthorizableActionProvider implements AuthorizableActionProvider {
+
+    private static final String PUBLIC_PROFILE_NAME = &quot;publicProfileName&quot;;
+    private static final String PRIVATE_PROFILE_NAME = &quot;privateProfileName&quot;;
+    private static final String FRIENDS_PROFILE_NAME = &quot;friendsProfileName&quot;;
+
+    @Property(name = PUBLIC_PROFILE_NAME, value = &quot;publicProfile&quot;)
+    private String publicName;
+
+    @Property(name = PRIVATE_PROFILE_NAME, value = &quot;privateProfile&quot;)
+    private String privateName;
+
+    @Property(name = FRIENDS_PROFILE_NAME, value = &quot;friendsProfile&quot;)
+    private String friendsName;
+
+    private ConfigurationParameters config = ConfigurationParameters.EMPTY;
+
+    public MyAuthorizableActionProvider() {}
+
+    public MyAuthorizableActionProvider(ConfigurationParameters config) {
+        this.config = config;
+    }
+
+    //-----------------------------------------&lt; AuthorizableActionProvider &gt;---
+    @Override
+    public List&lt;? extends AuthorizableAction&gt; getAuthorizableActions(SecurityProvider securityProvider) {
+        AuthorizableAction action = new ProfileAction(publicName, privateName, friendsName);
+        action.init(securityProvider, config);
+        return Collections.singletonList(action);
+    }
+
+    //----------------------------------------------------&lt; SCR Integration &gt;---
+    @Activate
+    private void activate(Map&lt;String, Object&gt; properties) {
+        config = ConfigurationParameters.of(properties);
+    }
+}
+</pre></div></div>
+<div class="section">
+<h5>Example Action<a name="Example_Action"></a></h5>
+<p>This example action generates additional child nodes upon user/group creation that will later be used to store various target-specific profile information:</p>
+
+<div class="source">
+<pre>class ProfileAction extends AbstractAuthorizableAction {
+
+    private final String publicName;
+    private final String privateName;
+    private final String friendsName;
+
+    ProfileAction(@Nullable String publicName, @Nullable String privateName, @Nullable String friendsName) {
+        this.publicName = publicName;
+        this.privateName = privateName;
+        this.friendsName = friendsName;
+    }
+
+    @Override
+    public void onCreate(Group group, Root root, NamePathMapper namePathMapper) throws RepositoryException {
+        createProfileNodes(group.getPath(), root);
+    }
+
+    @Override
+    public void onCreate(User user, String password, Root root, NamePathMapper namePathMapper) throws RepositoryException {
+        createProfileNodes(user.getPath(), root);
+    }
+
+    private void createProfileNodes(@Nonnull String authorizablePath, @Nonnull Root root) throws AccessDeniedException {
+        Tree tree = root.getTree(authorizablePath);
+        if (tree.exists()) {
+            NodeUtil authorizableNode = new NodeUtil(tree);
+            if (publicName != null) {
+                authorizableNode.addChild(publicName, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+            }
+            if (privateName != null) {
+                authorizableNode.addChild(privateName, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+            }
+            if (friendsName != null) {
+                authorizableNode.addChild(friendsName, NodeTypeConstants.NT_OAK_UNSTRUCTURED);
+            }
+        }
+    }
+</pre></div></div>
+<div class="section">
+<h5>Example Non-OSGI Setup<a name="Example_Non-OSGI_Setup"></a></h5>
+
+<div class="source">
+<pre>Map&lt;String, Object&gt; userParams = new HashMap&lt;String, Object&gt;();
+userParams.put(UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER, new MyAuthorizableActionProvider());
+ConfigurationParameters config =  ConfigurationParameters.of(ImmutableMap.of(UserConfiguration.NAME, ConfigurationParameters.of(userParams)));
+SecurityProvider securityProvider = new SecurityProviderImpl(config));
+Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository();
+</pre></div>
+<!-- hidden references --></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file



Mime
View raw message