jackrabbit-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1595256 [3/5] - in /jackrabbit/site/live/oak/docs: ./ security/ security/accesscontrol/ security/authentication/ security/permission/ security/user/
Date Fri, 16 May 2014 16:36:01 GMT
Added: jackrabbit/site/live/oak/docs/from_here.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/from_here.html?rev=1595256&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/from_here.html (added)
+++ jackrabbit/site/live/oak/docs/from_here.html Fri May 16 16:36:00 2014
@@ -0,0 +1,404 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-13
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140513" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - </title>
+    <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="./css/site.css" />
+    <link rel="stylesheet" href="./css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="downloads.html"  title="Downloads">Downloads</a>
+</li>
+                  
+                      <li>      <a href="from_here.html"  title="From here">From here</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="microkernel.html"  title="NodesStore and MicroKernel">NodesStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="when_things_go_wrong.html"  title="When things go wrong">When things go wrong</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-13</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                  
+      <li class="active">
+    
+            <a href="#"><i class="none"></i>From here</a>
+          </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="microkernel.html" title="NodesStore and MicroKernel">
+          <i class="none"></i>
+        NodesStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="when_things_go_wrong.html" title="When things go wrong">
+          <i class="none"></i>
+        When things go wrong</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><p>TODO</p>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
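Review bot: The footer `<script>` for the Ohloh widget is fetched from `http://www.ohloh.net/...` over plain HTTP, and the sidebar loads `https://apis.google.com/js/plusone.js`; both execute third-party code in the documentation origin with no `integrity` attribute. The HTTP one can be altered in transit and would be blocked as mixed content if the site is served over HTTPS. The header comment marks the file as generated by Maven Doxia, so the fix presumably belongs in the site descriptor or skin configuration rather than in this file: drop the widgets, or at least switch the Ohloh URL to `https:`. Separately, the page is published with an empty title (`Jackrabbit Oak - `) and a body of `<p>TODO</p>`.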

Propchange: jackrabbit/site/live/oak/docs/from_here.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/osgi_config.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/osgi_config.html?rev=1595256&r1=1595255&r2=1595256&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/osgi_config.html (original)
+++ jackrabbit/site/live/oak/docs/osgi_config.html Fri May 16 16:36:00 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-05-14
+ | Generated by Apache Maven Doxia at 2014-05-16
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta name="Date-Revision-yyyymmdd" content="20140516" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Repository OSGi Configuration</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -163,7 +163,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li id="publishDate">Last Published: 2014-05-16</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
                       
                 
@@ -387,9 +387,10 @@
 </dl>
 <p>Each OSGi configuration is referred via a PID i.e. persistent identifier. Sections below provide details around various PID used in Oak</p>
 <div class="section">
-<h2>NodeStore<a name="NodeStore"></a></h2>
 <div class="section">
-<h3>SegmentNodeStore<a name="SegmentNodeStore"></a></h3>
+<h3>NodeStore<a name="NodeStore"></a></h3>
+<div class="section">
+<h4>SegmentNodeStore<a name="SegmentNodeStore"></a></h4>
 <p><i>PID <tt>org.apache.jackrabbit.oak.plugins.segment.SegmentNodeStoreService</tt></i></p>
 
 <dl>
@@ -398,9 +399,10 @@
 <dt>tarmk.size</dt>
 <dd>Default - 256 (in MB)</dd>
 <dd>Maximum file size (in MB)</dd>
-</dl></div>
+</dl>
+<p><a name="document-node-store"></a></p></div>
 <div class="section">
-<h3>DocumentNodeStore<a name="DocumentNodeStore"></a></h3>
+<h4>DocumentNodeStore<a name="DocumentNodeStore"></a></h4>
 <p><i>PID <tt>org.apache.jackrabbit.oak.plugins.document.DocumentNodeStoreService</tt></i></p>
 
 <dl>
@@ -425,7 +427,7 @@
 <div class="source">
 <pre>mongouri=mongodb://localhost:27017
 db=oak
-</pre></div></div>
+</pre></div></div></div>
 <div class="section">
 <h3>Configuring DataStore/BlobStore<a name="Configuring_DataStoreBlobStore"></a></h3>
 <p>BlobStores are used to store the binary content. Support for Jackrabbit 2 <tt>DataStore</tt> is also provided via a <tt>DataStoreBlobStore</tt> wrapper. To use a specific BlobStore implementation following two steps need to be performed</p>
@@ -485,6 +487,22 @@ db=oak
 <dd>Size in MB. In memory cache for storing small files whose size is less than <tt>maxCachedBinarySize</tt>. This  helps in better performance when lots of small binaries are accessed frequently.</dd>
 </dl></div></div>
 <div class="section">
+<h3>System properties and Framework properties<a name="System_properties_and_Framework_properties"></a></h3>
+<p>Following properties are supported by Oak. They are grouped in two parts <i>Stable</i> and <i>Experimental</i>. The stable properties would be supported in future version but the experimental properties would <i>might</i> not be supported in future versions</p>
+<div class="section">
+<h4>Stable<a name="Stable"></a></h4>
+
+<dl>
+<dt>oak.mongo.uri</dt>
+<dd>Type - System property and Framework Property</dd>
+<dd>Specifies the <a class="externalLink" href="http://docs.mongodb.org/manual/reference/connection-string/">MongoURI</a> required to connect to Mongo Database</dd>
+<dt>oak.mongo.db</dt>
+<dd>Type - System property and Framework Property</dd>
+<dd>Name of the database in Mongo</dd>
+</dl></div>
+<div class="section">
+<h4>Experimental<a name="Experimental"></a></h4></div></div>
+<div class="section">
 <h3>Configuration Steps for Apache Sling<a name="Configuration_Steps_for_Apache_Sling"></a></h3>
 <p>The OSGi Configuration Admin service defines a mechanism for passing configuration settings to an OSGi bundle. How a configuration is registered with the OSGi system varies depending on the application.</p>
 <p><a name="config-sling"></a> For example to configure <tt>DocumentNodeStore</tt> to use <tt>FileDataStore</tt> in Apache Sling</p>
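Review bot: The new `oak.mongo.uri` entry documents a system/framework property that holds the MongoDB connection string but gives no warning about credentials. That URI format can embed a username and password, and a value passed as a JVM `-D` system property is generally visible in process listings and startup scripts. I would add a `<dd>` along the lines of `May contain credentials; prefer a framework property or an access-restricted configuration file over a command-line -D option, and keep the value out of logs`. In the same hunk the intro sentence reads `would <i>might</i> not be supported`, and the `Experimental` section is published empty.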

Added: jackrabbit/site/live/oak/docs/security/.DS_Store
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/.DS_Store?rev=1595256&view=auto
==============================================================================
Binary file - no diff available.
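Review bot: `security/.DS_Store` is a macOS Finder metadata file and does not belong on the published site. Such files typically record the names of entries in the directory, so serving one can disclose files that are not linked from the docs. I would remove it with `svn rm` and add `.DS_Store` to `svn:ignore` (or to the global ignores of whoever publishes the site) so the next site deploy does not re-add it.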

Propchange: jackrabbit/site/live/oak/docs/security/.DS_Store
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol.html?rev=1595256&r1=1595255&r2=1595256&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol.html Fri May 16 16:36:00 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-05-14
+ | Generated by Apache Maven Doxia at 2014-05-16
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta name="Date-Revision-yyyymmdd" content="20140516" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Access Control</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -163,7 +163,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li id="publishDate">Last Published: 2014-05-16</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
                       
                 
@@ -381,40 +381,195 @@
 <h2>Access Control<a name="Access_Control"></a></h2>
 <div class="section">
 <h3>JCR API<a name="JCR_API"></a></h3>
-<p><i>todo</i></p></div>
+<p>Access Control Management is an optional feature defined by <a class="externalLink" href="http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html">JSR 283</a> consisting of</p>
+
+<blockquote>
+<p>&#x2022; Privilege discovery: Determining the privileges that a user has in relation to a node.</p>
+<p>&#x2022; Assigning access control policies: Setting the privileges that a user has in relation to a node using access control policies specific to the implementation.</p>
+</blockquote>
+<p>Whether or not a given implementation supports access control management is defined by the <tt>Repository.OPTION_ACCESS_CONTROL_SUPPORTED</tt> descriptor.</p>
+<p>Since Oak comes with a dedicated <a href="privilege.html">privilege management</a> this section focuses on reading and editing access control information. The main interfaces defined by JSR 283 are:</p>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>: Main entry point for access control related operations</li>
+  
+<li><tt>AccessControlPolicy</tt>: Marker interface for any kind of policies defined by the implementation.
+  
+<ul>
+    
+<li><tt>AccessControlList</tt>: mutable policy that may have a list of entries.</li>
+    
+<li><tt>NamedAccessControlPolicy</tt>: opaque immutable policy with a JCR name.</li>
+  </ul></li>
+  
+<li><tt>AccessControlEntry</tt>: association of privilege(s) with a given principal bound to a given node by the <tt>AccessControlList</tt>.</li>
+</ul>
+<p>The JCR access control management has the following characteristics:</p>
+
+<ul>
+  
+<li><i>path-based</i>: policies are bound to nodes; a given node may have multiple policies; the <tt>null</tt> path identifies repository level policies.</li>
+  
+<li><i>transient</i>: access control related modifications are always transient</li>
+  
+<li><i>binding</i>: policies are decoupled from the repository; in order to bind a policy to a node or apply modifications made to an existing policy <tt>AccessControlManager.setPolicy</tt> must be called.</li>
+  
+<li><i>effect</i>: policies bound to a given node only take effect upon <tt>Session.save()</tt>. Access to properties is defined by the their parent node.</li>
+  
+<li><i>scope</i>: a given policy may not only affect the node it is bound to but may have an effect on accessibility of items elsewhere in the workspace.</li>
+</ul></div>
 <div class="section">
 <h3>Jackrabbit API<a name="Jackrabbit_API"></a></h3>
-<p><i>todo</i></p></div>
+<p>The Jackrabbit API defines various access control related extensions to the JCR API in order to cover common needs such as for example:</p>
+
+<ul>
+  
+<li><i>deny access</i>: access control entries can be defined to deny privileges at a given path (JCR only defines allowing access control entries)</li>
+  
+<li><i>restrictions</i>: limit the effect of a given access control entry by the mean of restrictions</li>
+  
+<li><i>convenience</i>:
+  
+<ul>
+    
+<li>reordering of access control entries in a access control list</li>
+    
+<li>retrieve the path of the node a given policy is (or can be) bound to</li>
+  </ul></li>
+  
+<li><i>principal-based</i>:
+  
+<ul>
+    
+<li>principal-based access control management API (in contrast to the path-based default specified by JSR 283)</li>
+    
+<li>privilege discovery for a set of principals</li>
+  </ul></li>
+</ul>
+<p>The following interfaces and extensions are defined:</p>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlManager</tt></li>
+  
+<li><tt>JackrabbitAccessControlPolicy</tt></li>
+  
+<li><tt>JackrabbitAccessControlList</tt></li>
+  
+<li><tt>JackrabbitAccessControlEntry</tt></li>
+</ul></div>
 <div class="section">
-<h3>Oak API<a name="Oak_API"></a></h3>
-<p><i>todo</i></p></div>
+<h3>Edit Access Control<a name="Edit_Access_Control"></a></h3>
+<p>see section <a href="accesscontrol/editing.html">Using the Access Control Management API</a> for a comprehensive list of method calls as well as examples that may be used to edit the access control content of the repository.</p></div>
 <div class="section">
 <h3>Characteristics of the Default Implementation<a name="Characteristics_of_the_Default_Implementation"></a></h3>
 <div class="section">
 <h4>General<a name="General"></a></h4>
-<p>In general the authorization related code in Oak clearly separates between access control management (such as defined by the JCR and Jackrabbit API) and the internal permission evaluation (see also <a href="differences_permissions.html">Permission Evaluation</a>).</p>
-<p>The default implementation of the access control management corresponds to the resource-based implementation present with Jackrabbit 2.x. The former principal-base access control management is no longer available but it&#x2019;s functionality has been incorporated both in the default ac management implementation and the permission evaluation.</p></div>
+<p>In general the authorization related code in Oak clearly separates between access control management (such as defined by the JCR and Jackrabbit API) and the internal permission evaluation (see also <a href="permission/differences.html">Permission Evaluation</a>).</p></div>
 <div class="section">
 <h4>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h4>
 <p>see the corresponding <a href="accesscontrol/differences.html">documentation</a>.</p></div>
 <div class="section">
-<h4>Resource Based Access Control<a name="Resource_Based_Access_Control"></a></h4>
-<p><i>todo</i></p></div>
-<div class="section">
-<h4>Principal Base Access Control<a name="Principal_Base_Access_Control"></a></h4>
-<p><i>todo</i></p></div>
+<h4>Resource vs Principal Based Access Control<a name="Resource_vs_Principal_Based_Access_Control"></a></h4>
+<p>The default implementation present with Oak 1.0 is natively resource-based which corresponds to the way JCR defines access control. Nevertheless the principal based approach as defined by the Jackrabbit API is supported using a best-effort approach: principal-based policies are created using the Oak query API and fully respect the access rights imposed on the different policies that contain entries for a given principal. These principal-based policies can also be modified using the corresponding methods provided by the access control, except for <tt>JackrabbitAccessControlList.orderBefore</tt>.</p>
+<p>Thus the default implementation corresponds to the default implementation present with Jackrabbit 2.x. Note however, that the former principal-base approach that stored policies per principal in a dedicated tree is no longer available.</p></div>
 <div class="section">
 <h4>Access Control Policies<a name="Access_Control_Policies"></a></h4>
-<p><i>todo</i></p></div>
+<p>The Oak access control management exposes two types of policies that cover all use case defined by the specification and required by the default setup:</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Name </th>
+      
+<th>Policy </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>Default ACL </td>
+      
+<td><tt>JackrabbitAccessControlList</tt> </td>
+      
+<td>access control on individual nodes </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>Repo-Level ACL </td>
+      
+<td><tt>JackrabbitAccessControlList</tt> </td>
+      
+<td>repo-level access control for the <tt>null</tt> path </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>Read Policy </td>
+      
+<td><tt>NamedAccessControlPolicy</tt> </td>
+      
+<td>trees that are configured to be readable to everyone </td>
+    </tr>
+    
+<tr class="a">
+      
+<td> </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table>
+<div class="section">
+<h5>Default ACL<a name="Default_ACL"></a></h5>
+<p>The default access control lists are bound to individual nodes. They may be used to grant/deny access for all operations that are in some way related to JCR items: regular read/write, access control management, versioning, locking and as of Oak 1.0 user management and writing index definitions.</p>
+<p>These policies are designed to take effect on the complete subtree spanned by the node they are bound to. The individual access control entries are evaluated in strict order (first entries in a given list, second entries inherited from list bound to parent nodes) with one notable exception: access control entries created for non-group principals always take precedence irrespective of their inheritance status.</p>
+<p>Further details are described in section <a href="permission.html">Permissions</a>.</p></div>
+<div class="section">
+<h5>Repo-Level ACL<a name="Repo-Level_ACL"></a></h5>
+<p>The access control lists bound to the <tt>null</tt> path can be used to grant/deny privileges associated with operations on repository-level such as namespace, node type, privilege and workspace management.</p>
+<p>The effect of these entries is limited to the repository operations and is no inherited to any items inside the repository.</p></div>
+<div class="section">
+<h5>Read Policy<a name="Read_Policy"></a></h5>
+<p>These immutable policy has been introduced in Oak 1.0 in order to allow for opening up trees that need to be readable to all sessions irrespective of other effective policies.</p>
+<p>By default these policies are bound to the following trees:</p>
+
+<ul>
+  
+<li><tt>/jcr:system/rep:namespaces</tt>: stores all registered namespaces</li>
+  
+<li><tt>/jcr:system/jcr:nodeTypes</tt>: stores all registered node types</li>
+  
+<li><tt>/jcr:system/rep:privileges</tt>: stores all registered privileges</li>
+</ul>
+<p>The default set can be changed or extended by setting the corresponding configuration option. However, it is important to note that many JCR API calls rely on the accessibility of the namespace, nodetype and privilege information. Removing the corresponding paths from the configuration will most probably have undesired effects.</p></div></div>
 <div class="section">
 <h4>Access Control Entries<a name="Access_Control_Entries"></a></h4>
-<p><i>todo</i></p></div>
+<p>The access control entries present in a given list are subject to the following rules applied upon editing but not enforced by <tt>CommitHook</tt>s:</p>
+
+<ul>
+  
+<li><i>uniqueness</i>: a given entry may only appear onces in a list</li>
+  
+<li><i>merging</i>: if an entry exists for a given principal with the same allow-status and restrictions, the existing entry will be updated without being moved in the list.</li>
+  
+<li><i>redundancy</i>: if an new entry makes an existing entry (partially) redundant the existing entry will be updated or removed altogether.</li>
+</ul></div>
 <div class="section">
 <h4>Restrictions<a name="Restrictions"></a></h4>
-<p>see section <a href="accesscontrol/restriction.html">Restriction Management</a> for details.</p></div></div>
+<p>Access control entries may be created by limiting their effect by adding restrictions as mentioned by JSR 283. Details about the restriction management in Oak 1.0 as well as a list of built-in restrictions and extensibility can be found in section <a href="accesscontrol/restriction.html">Restriction Management</a>.</p></div>
 <div class="section">
-<h3>Representation in the Repository<a name="Representation_in_the_Repository"></a></h3>
-<p>The node type definition used to represent access control content:</p>
+<h4>Representation in the Repository<a name="Representation_in_the_Repository"></a></h4>
+<p>All access control policies defined with an Oak repository are stores child of the node they are bound to. The node type definition used to represent access control content:</p>
 
 <div class="source">
 <pre>[rep:AccessControllable]
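Review bot: The `Read Policy` paragraphs never name the configuration option they refer to, or say where it is set. They state that the listed trees are readable to all sessions "irrespective of other effective policies" and that the set can be changed "by setting the corresponding configuration option". The text should name that option and, if the first phrase is meant literally, add a sentence such as `Any path added here becomes readable to every session and cannot be restricted again by a deny entry, so only add trees that hold no sensitive content`. Smaller wording slips in the same hunk: `is no inherited`, `These immutable policy has been`, and `are stores child of the node`.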
@@ -450,9 +605,57 @@
 [rep:Restrictions]
   - * (UNDEFINED) protected
   - * (UNDEFINED) protected multiple
+</pre></div>
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Regular ACL at /content<a name="Regular_ACL_at_content"></a></h6>
+
+<div class="source">
+<pre>&quot;&quot;: {
+    &quot;jcr:primaryType&quot;: &quot;rep:root&quot;,
+    &quot;content&quot;: {
+        &quot;jcr:primaryType&quot;: &quot;oak:Unstructured&quot;,
+        &quot;jcr:mixinTypes&quot;: &quot;rep:AccessControllable&quot;,
+        &quot;rep:policy&quot;: {
+            &quot;jcr:primaryType&quot;: &quot;rep:ACL&quot;,
+            &quot;allow&quot;: {
+                &quot;jcr:primaryType&quot;: &quot;rep:GrantACE&quot;,
+                &quot;rep:principalName&quot;: &quot;jackrabbit&quot;,
+                &quot;rep:privileges&quot;: [&quot;jcr:read&quot;, &quot;rep:write&quot;]
+            },
+            &quot;deny&quot;: {
+                &quot;jcr:primaryType&quot;: &quot;rep:DenyACE&quot;,
+                &quot;rep:principalName&quot;: &quot;jackrabbit&quot;,
+                &quot;rep:privileges&quot;: [&quot;jcr:addNodes&quot;, &quot;rep:addProperties&quot;],
+                &quot;rep:restrictions&quot; {
+                    &quot;jcr:primaryType&quot;: &quot;rep:Restrictions&quot;,
+                    &quot;rep:ntNames&quot;: [&quot;nt:hierarchyNode&quot;, &quot;nt:resource&quot;]
+                }
+            }
+        }
+    }
+}
 </pre></div></div>
 <div class="section">
-<h3>XML Import<a name="XML_Import"></a></h3>
+<h6>Repo-Level Policy<a name="Repo-Level_Policy"></a></h6>
+
+<div class="source">
+<pre>&quot;&quot;: {
+    &quot;jcr:primaryType&quot;: &quot;rep:root&quot;,
+    &quot;jcr:mixinTypes&quot;: &quot;rep:RepoAccessControllable&quot;,
+    &quot;rep:repoPolicy&quot;: {
+        &quot;jcr:primaryType&quot;: &quot;rep:ACL&quot;,
+        &quot;allow&quot;: {
+            &quot;jcr:primaryType&quot;: &quot;rep:GrantACE&quot;,
+            &quot;rep:principalName&quot;: &quot;elefant&quot;,
+            &quot;rep:privileges&quot;: [&quot;rep:privilegeManagement&quot;]
+        }
+    }
+}
+</pre></div></div></div></div>
+<div class="section">
+<h4>XML Import<a name="XML_Import"></a></h4>
 <p>As of OAK 1.0 access control content can be imported both with Session and Workspace import.</p>
 <p>In addition the JCR XML import behavior has been extended to respect the <tt>o.a.j.oak.spi.xml.ImportBehavior</tt> flags instead of just performing a best effort import.</p>
 <p>Currently the <tt>ImportBehavior</tt> is only used to switch between different ways of handling principals unknown to the repository. For consistency and in order to match the validation requirements as specified by <tt>AccessControlList#addAccessControlEntry</tt> the default behavior is ABORT (while in Jackrabbit 2.x the behavior always was BESTEFFORT).</p>
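Review bot: The "Regular ACL at /content" listing is not well-formed as written: the `&quot;rep:restrictions&quot; {` line lacks the colon between key and value and should read `&quot;rep:restrictions&quot;: {`. Readers are likely to copy this listing when checking how a restricted deny entry is stored, so the sample should parse. The example also pairs a grant and a deny for the same principal without comment; a one-line caption saying that the deny is limited by the `rep:ntNames` restriction would make the intent explicit. Since the page is generated by Doxia, the fix belongs in the source document rather than in this HTML.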
@@ -462,44 +665,122 @@
 <div class="source">
 <pre>importBehavior = &quot;besteffort&quot;
 </pre></div>
-<p>See also (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>))</p></div>
+<p>See also (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>))</p></div></div>
 <div class="section">
 <h3>API Extensions<a name="API_Extensions"></a></h3>
-<p><i>todo</i></p>
-<p>org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/">1</a></p>
+<p>Oak defines the following interfaces extending the access control management API:</p>
 
 <ul>
   
-<li><tt>AbstractAccessControlList</tt></li>
+<li><tt>PolicyOwner</tt>: Interface to improve pluggability of the access control management  and allows to termine if a giving manager handles a given policy.</li>
   
-<li><tt>ImmutableACL</tt></li>
+<li><tt>AccessControlConstants</tt>: Constants related to access control management.</li>
+</ul>
+<p>In addition it provides some access control related base classes in <tt>org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol</tt> that may be used for a custom implementation:</p>
+
+<ul>
   
-<li><tt>ACE</tt></li>
+<li><tt>AbstractAccessControlList</tt>: abstract base implementation of the <tt>JackrabbitAccessControlList</tt> interface
+  
+<ul>
+    
+<li><tt>ImmutableACL</tt>: immutable subclass of <tt>AbstractAccessControlList</tt></li>
+    
+<li><tt>ACE</tt>: abstract subclass that implements common methods of a mutable access control list.</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h4>Restriction Management<a name="Restriction_Management"></a></h4>
+<p>Oak 1.0 defines a dedicated restriction management API. See <a href="accesscontrol/restriction.html">Restriction Management</a> for details and further information regarding extensibility and pluggability.</p></div></div>
+<div class="section">
+<h3>Utilities<a name="Utilities"></a></h3>
+<p>The jcr-commons module present with Jackrabbit provide some access control related utilities that simplify the creation of new policies and entries such as for example:</p>
 
 <ul>
   
-<li><tt>RestrictionProvider</tt>:</li>
-  
-<li><tt>RestrictionDefinition</tt></li>
+<li><tt>AccessControlUtils.getAccessControlList(Session, String)</tt></li>
   
-<li><tt>RestrictionPattern</tt></li>
+<li><tt>AccessControlUtils.getAccessControlList(AccessControlManager, String)</tt></li>
   
-<li><tt>Restriction</tt></li>
+<li><tt>AccessControlUtils.addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
 </ul>
-<p>See <a href="accesscontrol/restriction.html">Restriction Management</a> for details.</p></div></div>
+<p>See <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/jackrabbit/authorization/AccessControlUtils.java">org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils</a> for the complete list of methods.</p>
+<div class="section">
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+
+<div class="source">
+<pre>String path = node.getPath();
+JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
+acl.addEntry(principal, privileges, true);
+acMgr.setPolicy(path, acl);
+session.save();
+</pre></div></div></div></div>
 <div class="section">
 <h3>Configuration<a name="Configuration"></a></h3>
-<p>The following access control related configuration options are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a> as of Oak 1.0:</p>
+<p>The configuration of the access control management implementation is handled within the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>, which is used for all authorization related matters. This class provides the following two access control related methods:</p>
 
 <ul>
   
-<li><tt>getAccessControlManager</tt></li>
+<li><tt>getAccessControlManager</tt>: get a new ac manager instance.</li>
   
-<li><tt>getRestrictionProvider</tt></li>
+<li><tt>getRestrictionProvider</tt>: get a new instance of the restriction provider.</li>
 </ul>
+<div class="section">
+<h4>Configuration Parameters<a name="Configuration_Parameters"></a></h4>
+<p>The default implementation supports the following configuration parameters:</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td><tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
+      
+<td>RestrictionProvider </td>
+      
+<td>RestrictionProviderImpl </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_READ_PATHS</tt> </td>
+      
+<td>Set&lt;String&gt; </td>
+      
+<td>paths to namespace, nodetype and privilege root nodes </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+      
+<td>String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
+      
+<td>&#x201c;abort&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td> </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table>
 <p>Differences to Jackrabbit 2.x:</p>
 
 <ul>
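Review bot: The `Utilities` example calls `acMgr.setPolicy(path, acl)` although the snippet never obtains `acMgr`. It also uses the result of `AccessControlUtils.getAccessControlList(session, path)` without the `if (acl != null)` guard that the examples in editing.html place around the same call. I would add `AccessControlManager acMgr = session.getAccessControlManager();` as the first line and wrap the `addEntry`/`setPolicy`/`save` lines in `if (acl != null) { … }`. Because the third argument `true` makes the entry a grant, a comment such as `// true = allow; principal and privileges are supplied by the caller` would help readers who paste the snippet. Separately, the `ACE` bullet describes a subclass "of a mutable access control list", which reads like a copy of the list description and presumably should describe an access control entry.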
@@ -507,7 +788,19 @@
 <li>The &#x201c;omit-default-permission&#x201d; configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak.</li>
   
 <li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
-</ul></div>
+</ul></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>There are multiple levels for plugging access control related custom implementations:</p>
+
+<ol style="list-style-type: decimal">
+  
+<li>replace <tt>AuthorizationConfiguration</tt>: if you want to completely replace the way  authorization is handled in the repository. In OSGi-base setup this is achieved  by making the configuration implementation a service. In a non-OSGi-base setup the  custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
+  
+<li>extend <tt>AuthorizationConfiguration</tt>: it is planned to provide a <tt>CompositeAuthorizationConfiguration</tt>  that allows to aggregate different authorization implementations (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1268">OAK-1268</a>).</li>
+  
+<li>extend the existing implementation by providing custom restrictions (see <a href="authorization/restriction.html">RestrictionManagement</a>.</li>
+</ol></div>
 <div class="section">
 <h3>Further Reading<a name="Further_Reading"></a></h3>
 
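Review bot: The third list item links to `authorization/restriction.html`, while the other references to that page in this file use `accesscontrol/restriction.html`, so this link probably does not resolve. The sentence also never closes its parenthesis. Suggested text: `extend the existing implementation by providing custom restrictions (see <a href="accesscontrol/restriction.html">Restriction Management</a>).` The first item says a replacement `AuthorizationConfiguration` completely replaces how authorization is handled; one more sentence stating that a custom implementation must therefore cover everything the default one provides would spell out the consequence. As the page is generated by Doxia, the change belongs in the source document.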

Added: jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html?rev=1595256&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html (added)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html Fri May 16 16:36:00 2014
@@ -0,0 +1,792 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2014-05-16
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20140516" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Using the Access Control Management API</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../nodestate.html"  title="The node state model">The node state model</a>
+</li>
+                  
+                      <li>      <a href="../../microkernel.html"  title="NodeStore and MicroKernel">NodeStore and MicroKernel</a>
+</li>
+                  
+                      <li>      <a href="../../query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../blobstore.html"  title="BlobStore">BlobStore</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository construction">Repository construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and don'ts">Dos and don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../apidocs/index.html"  title="API docs">API docs</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2014-05-16</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and architecture</li>
+                                
+      <li>
+    
+                          <a href="../../overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestate.html" title="The node state model">
+          <i class="none"></i>
+        The node state model</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../microkernel.html" title="NodeStore and MicroKernel">
+          <i class="none"></i>
+        NodeStore and MicroKernel</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../blobstore.html" title="BlobStore">
+          <i class="none"></i>
+        BlobStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository construction">
+          <i class="none"></i>
+        Repository construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and don'ts">
+          <i class="none"></i>
+        Dos and don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../apidocs/index.html" title="API docs">
+          <i class="none"></i>
+        API docs</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak-doc/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Using the Access Control Management API<a name="Using_the_Access_Control_Management_API"></a></h2>
+<div class="section">
+<h3>Reading<a name="Reading"></a></h3>
+<div class="section">
+<h4>Privilege Discovery<a name="Privilege_Discovery"></a></h4>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>hasPrivileges(String, Privilege[])</tt></li>
+    
+<li><tt>getPrivileges(String)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>hasPrivileges(String, Set&lt;Principal&gt;, Privilege[])</tt></li>
+    
+<li><tt>getPrivileges(String, Set&lt;Principal&gt;, Privilege[])</tt></li>
+  </ul></li>
+</ul>
+<div class="section">
+<h5>Note<a name="Note"></a></h5>
+<p>Usually it is not required for a application to check the privileges/permissions of a given session (or set of principals) as this evaluation can be left to the repository. For rare cases where the application needs to understand if a given set of principals is actually allowed to perform a given action, it is recommend to use <tt>Session.hasPermission(String, String)</tt> and either pass the actions strings defined by JCR or the names of the Oak permissions.</p></div></div>
+<div class="section">
+<h4>Reading Policies<a name="Reading_Policies"></a></h4>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>getApplicablePolicies(String)</tt></li>
+    
+<li><tt>getPolicies(String)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>getApplicablePolicies(Principal)</tt></li>
+    
+<li><tt>getPolicies(Principal)</tt></li>
+  </ul></li>
+</ul>
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Read policies bound to a node<a name="Read_policies_bound_to_a_node"></a></h6>
+
+<div class="source">
+<pre>AccessControlManager acMgr = session.getAccessControlManager();
+AccessControlPolicy[] policies = acMgr.getPolicies(&quot;/content&quot;);
+</pre></div></div>
+<div class="section">
+<h6>Read policies that have not yet been bound to the node<a name="Read_policies_that_have_not_yet_been_bound_to_the_node"></a></h6>
+
+<div class="source">
+<pre>AccessControlManager acMgr = session.getAccessControlManager();
+AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
+</pre></div></div></div></div>
+<div class="section">
+<h4>Reading Policy Content<a name="Reading_Policy_Content"></a></h4>
+
+<ul>
+  
+<li>
+<p><tt>AccessControlList</tt></p>
+  
+<ul>
+    
+<li><tt>getAccessControlEntries()</tt></li>
+  </ul></li>
+  
+<li>
+<p><tt>JackrabbitAccessControlList</tt></p>
+  
+<ul>
+    
+<li><tt>getRestrictionNames()</tt></li>
+    
+<li><tt>getRestrictionType(String)</tt></li>
+    
+<li><tt>isEmpty()</tt></li>
+    
+<li><tt>size()</tt></li>
+  </ul></li>
+</ul></div>
+<div class="section">
+<h4>Reading Effective Policies<a name="Reading_Effective_Policies"></a></h4>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>getEffectivePolicies(String)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>getEffectivePolicies(Set&lt;Principal&gt;)</tt></li>
+  </ul></li>
+</ul></div></div>
+<div class="section">
+<h3>Writing<a name="Writing"></a></h3>
+<div class="section">
+<h4>Adding Policies<a name="Adding_Policies"></a></h4>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>setPolicy(String, AccessControlPolicy)</tt></li>
+  </ul></li>
+</ul>
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Bind a policy to a node<a name="Bind_a_policy_to_a_node"></a></h6>
+
+<div class="source">
+<pre>AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
+while (it.hasNext()) {
+    AccessControlPolicy policy = it.nextPolicy();
+    if (policy instanceof NamedAccessControlPolicy &amp;&amp; &quot;myPolicy&quot;.equals((NamedAccessControlPolicy) policy).getName()) {
+        acMgr.setPolicy(&quot;/content&quot;, policy);
+        session.save();
+    }
+}
+</pre></div></div></div></div>
+<div class="section">
+<h4>Modifying Policies<a name="Modifying_Policies"></a></h4>
+<p>Modification of policies is specific to the policy type. JCR/Jackrabbit API only define a single mutable type of policies: the access control list. Depending on the access control implementation there may be other mutable policies.</p>
+
+<ul>
+  
+<li><tt>AccessControlList</tt>
+  
+<ul>
+    
+<li><tt>addAccessControlEntry(Principal, Privilege[])</tt></li>
+    
+<li><tt>removeAccessControlEntry(AccessControlEntry)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlList</tt>
+  
+<ul>
+    
+<li><tt>addAccessControlEntry(Principal, Privilege[], boolean)</tt></li>
+    
+<li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;)</tt></li>
+    
+<li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;, Map&lt;String, Value[]&gt;)</tt></li>
+    
+<li><tt>orderBefore(AccessControlEntry, AccessControlEntry)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>AccessControlUtils</tt>
+  
+<ul>
+    
+<li><tt>getAccessControlList(Session, String)</tt></li>
+    
+<li><tt>getAccessControlList(AccessControlManager, String)</tt></li>
+    
+<li><tt>addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
+    
+<li><tt>addAccessControlEntry(Session, String, Principal, Privilege[], boolean)</tt></li>
+    
+<li><tt>grantAllToEveryone(Session, String)</tt></li>
+    
+<li><tt>denyAllToEveryone(Session, String)</tt></li>
+  </ul></li>
+</ul>
+<div class="section">
+<h5>Retrieve Principals<a name="Retrieve_Principals"></a></h5>
+
+<ul>
+  
+<li><tt>PrincipalManager</tt> (see section <a href="../principal.html">Principal Management</a>)
+  
+<ul>
+    
+<li><tt>getPrincipal(String)</tt></li>
+    
+<li><tt>getPrivilege(String)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>Authorizable</tt> (see section <a href="../user.html">User Management</a>)
+  
+<ul>
+    
+<li><tt>getPrincipal()</tt></li>
+  </ul></li>
+</ul></div>
+<div class="section">
+<h5>Retrieve Privileges<a name="Retrieve_Privileges"></a></h5>
+
+<ul>
+  
+<li><tt>PrivilegeManager</tt> (see section <a href="../privilege.html">Privilege Management</a>)
+  
+<ul>
+    
+<li><tt>getRegisteredPrivileges()</tt></li>
+    
+<li><tt>getPrivilege(String)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>getSupportedPrivileges(String)</tt></li>
+    
+<li><tt>privilegeFromName(String)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>AccessControlUtils</tt>
+  
+<ul>
+    
+<li><tt>privilegesFromNames(Session session, String... privilegeNames)</tt></li>
+    
+<li><tt>privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)</tt></li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</li>
+</ul></div>
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Modify an AccessControlList<a name="Modify_an_AccessControlList"></a></h6>
+
+<div class="source">
+<pre>JackrabbitAccessControlList acl = null;
+// try if there is an acl that has been set before
+for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;)) {
+    if (policy instanceof JackrabbitAccessControlList) {
+        acl = (JackrabbitAccessControlList) policy;
+        break;
+    }
+}
+if (acl != null) {
+    PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
+    Principal principal = principalManager.getPrincipal(&quot;jackrabbit&quot;);
+    Privilege[] privileges = AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_READ, Privilege.JCR_WRITE);
+
+    acl.addEntry(principal, privileges, true);
+    acMgr.setPolicy(acl.getPath(), acl);
+    session.save();
+}
+</pre></div></div>
+<div class="section">
+<h6>Create or Modify an AccessControlList<a name="Create_or_Modify_an_AccessControlList"></a></h6>
+
+<div class="source">
+<pre>JackrabbitAccessControlList acl = null;
+// try if there is an acl that has been set before
+for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;)) {
+    if (policy instanceof JackrabbitAccessControlList) {
+        acl = (JackrabbitAccessControlList) policy;
+        break;
+    }
+}
+if (acl == null) {
+    // try if there is an applicable policy
+    AccessControlPolicyIterator itr = accessControlManager.getApplicablePolicies(&quot;/content&quot;);
+    while (itr.hasNext()) {
+        AccessControlPolicy policy = itr.nextAccessControlPolicy();
+        if (policy instanceof JackrabbitAccessControlList) {
+            acl = (JackrabbitAccessControlList) policy;
+            break;
+        }
+    }
+}
+if (acl != null) {
+    PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
+    Principal principal = principalManager.getPrincipal(&quot;jackrabbit&quot;);
+    Privilege[] privileges = AccessControlUtils.privilegesFromNames(acMgr, Privilege.JCR_READ, Privilege.JCR_WRITE);
+
+    acl.addEntry(principal, privileges, true);
+    acMgr.setPolicy(acl.getPath(), acl);
+    session.save();
+}
+</pre></div>
+<p>or alternatively use <tt>AccessControlUtils</tt>:</p>
+
+<div class="source">
+<pre>JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, &quot;/content&quot;);
+if (acl != null) {
+    PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
+    Principal principal = principalManager.getPrincipal(&quot;jackrabbit&quot;);
+    Privilege[] privileges = AccessControlUtils.privilegesFromNames(session, Privilege.JCR_READ, Privilege.JCR_WRITE);
+
+    policy.addEntry(principal, privileges, true);
+    acMgr.setPolicy(acl.getPath(), acl);
+    session.save();
+}
+</pre></div></div></div></div>
+<div class="section">
+<h4>Removing Policies<a name="Removing_Policies"></a></h4>
+
+<ul>
+  
+<li><tt>AccessControlManager</tt>
+  
+<ul>
+    
+<li><tt>removePolicy(String, AccessControlPolicy)</tt></li>
+  </ul></li>
+</ul>
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Remove a policy<a name="Remove_a_policy"></a></h6>
+
+<div class="source">
+<pre>for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;);
+    if (policy instanceof NamedAccessControlPolicy &amp;&amp; &quot;myPolicy&quot;.equals((NamedAccessControlPolicy) policy).getName()) {
+        acMgr.removePolicy(&quot;/content&quot;, policy);
+        session.save();
+    }
+}
+</pre></div></div></div></div></div>
+<div class="section">
+<h3>Access Control on Repository Level<a name="Access_Control_on_Repository_Level"></a></h3>
+<div class="section">
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Allow a Principal to Register Namespaces<a name="Allow_a_Principal_to_Register_Namespaces"></a></h6>
+
+<div class="source">
+<pre>JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
+if (acl != null) {
+    PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
+    Principal principal = principalManager.getPrincipal(&quot;dinosaur&quot;);
+    Privilege[] privileges = AccessControlUtils.privilegesFromNames(session, PrivilegeConstants.JCR_NAMESPACE_MANAGEMENT);
+
+    policy.addEntry(principal, privileges, true);
+    acMgr.setPolicy(null, acl);
+    session.save();
+}
+</pre></div></div></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2014
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_users_logo.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Propchange: jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/restriction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/restriction.html?rev=1595256&r1=1595255&r2=1595256&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/restriction.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/restriction.html Fri May 16 16:36:00 2014
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2014-05-14
+ | Generated by Apache Maven Doxia at 2014-05-15
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20140514" />
+    <meta name="Date-Revision-yyyymmdd" content="20140515" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Restriction Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -163,7 +163,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2014-05-14</li>
+                  <li id="publishDate">Last Published: 2014-05-15</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 0.20-SNAPSHOT</li>
                       
                 
@@ -381,9 +381,63 @@
 <h2>Restriction Management<a name="Restriction_Management"></a></h2>
 <div class="section">
 <h3>Overview<a name="Overview"></a></h3>
-<p><i>todo</i></p></div>
+<p>The concept of restriction has been created as extension to JCR access control management in order to allow for further refinement of individual policy entries.</p>
+<p>Quoting from JSR 283 section 16.6.2 Permissions:</p>
+
+<blockquote>
+<p>[&#x2026;] the permissions encompass the restrictions imposed by privileges, but also include any additional policy-internal refinements with effects too fine-grained to be exposed through privilege discovery. A common case may be to provide finer-grained access restrictions to individual properties or child nodes of the node to which the policy applies.</p>
+</blockquote>
+<p>Furthermore the restriction concept is aimed to allow for custom extensions of the default access control implementation to meet project specific needs without having to implement the common functionality provided by JCR.</p>
+<p>Existing and potential examples of the restriction concept to limit the effect of a given access control entry include:</p>
+
+<ul>
+  
+<li>set of node types</li>
+  
+<li>set of namespaces</li>
+  
+<li>name/path pattern</li>
+  
+<li>dedicated time frame</li>
+  
+<li>size of a value</li>
+</ul>
+<p>While few examples have been present with Jackrabbit 2.x the set of built-in restrictions has been extended as of Oak 1.0 along with some useful extensions of the Jackrabbit API. In addition Oak provides it&#x2019;s own public restriction API that add support for internal validation and evaluation.</p></div>
 <div class="section">
-<h3>Restriction API<a name="Restriction_API"></a></h3>
+<h3>Jackrabbit API<a name="Jackrabbit_API"></a></h3>
+<p>The Jackrabbit API add the following extensions to JCR access control management to read and create entries with restrictions:</p>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlList</tt>
+  
+<ul>
+    
+<li><tt>getRestrictionNames()</tt> : returns the JCR names of the supported restrictions.</li>
+    
+<li><tt>getRestrictionType(String restrictionName)</tt> : returns property type of a given restriction.</li>
+    
+<li><tt>addEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;)</tt>: the map contain the restrictions.</li>
+    
+<li><tt>addEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;, Map&lt;String, Value[]&gt;)</tt>: allows to specify both single and multivalue restrictions (since Oak 1.0, Jackrabbit API 2.8)</li>
+  </ul></li>
+</ul>
+
+<ul>
+  
+<li><tt>JackrabbitAccessControlEntry</tt>
+  
+<ul>
+    
+<li><tt>getRestrictionNames()</tt>: returns the JCR names of the restrictions present with this entry.</li>
+    
+<li><tt>getRestriction(String restrictionName)</tt>: returns the restriction as JCR value.</li>
+    
+<li><tt>getRestrictions(String restrictionName)</tt>: returns the restriction as array of JCR values (since Oak 1.0, Jackrabbit API 2.8).</li>
+  </ul></li>
+</ul></div>
+<div class="section">
+<h3>Oak Restriction API<a name="Oak_Restriction_API"></a></h3>
 <p>The following public interfaces are provided by Oak in the package <tt>org.apache.jackrabbit.oak.spi.security.authorization.restriction</tt>:</p>
 
 <ul>
@@ -414,18 +468,29 @@
 </ul>
 <div class="section">
 <h4>Changes wrt Jackrabbit 2.x<a name="Changes_wrt_Jackrabbit_2.x"></a></h4>
-<p><i>todo</i></p></div>
+<p>Apart from the fact that the internal Jackrabbit extension has been replaced by a public API, the restriction implementation in Oak differs from Jackrabbit 2.x as follows:</p>
+
+<ul>
+  
+<li>supports multi-valued restrictions</li>
+  
+<li>validation of the restrictions is delegated to a dedicated commit hook</li>
+  
+<li>restriction <tt>rep:glob</tt> limits the number of wildcard characters to 20</li>
+  
+<li>new restrictions <tt>rep:ntNames</tt> and <tt>rep:prefixes</tt></li>
+</ul></div>
 <div class="section">
-<h4>Built-in Restriction Implementations<a name="Built-in_Restriction_Implementations"></a></h4>
+<h4>Built-in Restrictions<a name="Built-in_Restrictions"></a></h4>
 <p>The default implementations of the <tt>Restriction</tt> interface are present with Oak 1.0 access control management:</p>
 
 <ul>
   
-<li><tt>rep:glob</tt>:</li>
+<li><tt>rep:glob</tt>: single name or path pattern with &#x2018;*&#x2019; wildcard(s).</li>
   
-<li><tt>rep:ntNames</tt>:</li>
+<li><tt>rep:ntNames</tt>: multivalued restriction for primary node type names (no inheritence, since Oak 1.0)</li>
   
-<li><tt>rep:prefixes</tt>:</li>
+<li><tt>rep:prefixes</tt>: multivalued restriction for namespace prefixes (session level remapping not respected, since Oak 1.0)</li>
 </ul></div></div>
 <div class="section">
 <h3>Pluggability<a name="Pluggability"></a></h3>
@@ -439,9 +504,10 @@
 <li>make the provider implementation an OSGi service and make it available to the Oak repository.</li>
 </ul>
 <div class="section">
-<h4>Examples<a name="Examples"></a></h4>
 <div class="section">
-<h5>Example RestrictionProvider<a name="Example_RestrictionProvider"></a></h5>
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Example RestrictionProvider<a name="Example_RestrictionProvider"></a></h6>
 <p>Simple example of a <tt>RestrictionProvider</tt> that defines a single time-based <tt>Restriction</tt>, which is expected to have 2 values defining a start and end date, which can then be used to allow or deny access within the given time frame.</p>
 
 <div class="source">
@@ -489,7 +555,7 @@ public class MyRestrictionProvider exten
 }
 </pre></div></div>
 <div class="section">
-<h5>Example RestrictionPattern<a name="Example_RestrictionPattern"></a></h5>
+<h6>Example RestrictionPattern<a name="Example_RestrictionPattern"></a></h6>
 <p>The time-based <tt>RestrictionPattern</tt> used by the example provider above.</p>
 
 <div class="source">
@@ -530,8 +596,18 @@ public class MyRestrictionProvider exten
         return d.after(start) &amp;&amp; d.before(end);
     }
 };
+</pre></div></div>
+<div class="section">
+<h6>Example Non-OSGI Setup<a name="Example_Non-OSGI_Setup"></a></h6>
+
+<div class="source">
+<pre>RestrictionProvider rProvider = CompositeRestrictionProvider.newInstance(new MyRestrictionProvider(), ...);
+Map&lt;String, RestrictionProvider&gt; authorizMap = ImmutableMap.of(PARAM_RESTRICTION_PROVIDER, rProvider);
+ConfigurationParameters config =  ConfigurationParameters.of(ImmutableMap.of(AuthorizationConfiguration.NAME, ConfigurationParameters.of(authorizMap)));
+SecurityProvider securityProvider = new SecurityProviderImpl(config));
+Repository repo = new Jcr(new Oak()).with(securityProvider).createRepository();
 </pre></div>
-<!-- hidden references --></div></div></div></div>
+<!-- hidden references --></div></div></div></div></div>
                   </div>
             </div>
           </div>


