jackrabbit-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1730074 [3/8] - in /jackrabbit/site/live/oak/docs: ./ META-INF/ architecture/ coldstandby/ features/ nodestore/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication/ security/a...
Date Fri, 12 Feb 2016 17:09:07 GMT
Added: jackrabbit/site/live/oak/docs/security/authentication/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/default.html?rev=1730074&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/default.html (added)
+++ jackrabbit/site/live/oak/docs/security/authentication/default.html Fri Feb 12 17:09:05 2016
@@ -0,0 +1,741 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-02-10
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Authentication : Implementation Details</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                                                                <a class="brand" href="../../"  title="Oak logo">
+
+                                
+                                                                                                                    <img src="../../oak_logo.png" alt="Oak logo" />
+                
+                </a>
+                    
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../architecture/overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../architecture/nodestate.html"  title="The Node State Model">The Node State Model</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://www.day.com/specs/jcr/2.0/index.html"  title="JCR API">JCR API</a>
+</li>
+                  
+                      <li>      <a href="../../oak_api/overview.html"  title="Oak API">Oak API</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../features/atomic-counter.html"  title="Atomic Counter">Atomic Counter</a>
+</li>
+                  
+                      <li>      <a href="../../plugins/blobstore.html"  title="Blob Storage">Blob Storage</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/documentmk.html"  title="DocumentNodeStore">DocumentNodeStore</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/overview.html"  title="Node Storage">Node Storage</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/persistent-cache.html"  title="Persistent Cache">Persistent Cache</a>
+</li>
+                  
+                      <li>      <a href="../../query/query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/segment/overview.html"  title="Segment Node Store">Segment Node Store</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository Construction">Repository Construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../command_line.html"  title="Command Line Tools">Command Line Tools</a>
+</li>
+                  
+                      <li>      <a href="../../migration.html"  title="Migration">Migration</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and Don'ts">Dos and Don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../coldstandby/coldstandby.html"  title="Cold Standby">Cold Standby</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../developing-with-git.html"  title="Developing with Git">Developing with Git</a>
+</li>
+                  
+                      <li>      <a href="../../diagnostic-builds.html"  title="Cutting diagnostic builds">Cutting diagnostic builds</a>
+</li>
+                  
+                      <li>      <a href="../../attribution.html"  title="Attribution">Attribution</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2016-02-10</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and Architecture</li>
+                                
+      <li>
+    
+                          <a href="../../architecture/overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../architecture/nodestate.html" title="The Node State Model">
+          <i class="none"></i>
+        The Node State Model</a>
+            </li>
+                              <li class="nav-header">Main APIs</li>
+                                
+      <li>
+    
+                          <a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API">
+          <i class="none"></i>
+        JCR API</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../oak_api/overview.html" title="Oak API">
+          <i class="none"></i>
+        Oak API</a>
+            </li>
+                              <li class="nav-header">Features and Plugins</li>
+                                
+      <li>
+    
+                          <a href="../../features/atomic-counter.html" title="Atomic Counter">
+          <i class="none"></i>
+        Atomic Counter</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../plugins/blobstore.html" title="Blob Storage">
+          <i class="none"></i>
+        Blob Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/documentmk.html" title="DocumentNodeStore">
+          <i class="none"></i>
+        DocumentNodeStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/overview.html" title="Node Storage">
+          <i class="none"></i>
+        Node Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/persistent-cache.html" title="Persistent Cache">
+          <i class="none"></i>
+        Persistent Cache</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query/query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/segment/overview.html" title="Segment Node Store">
+          <i class="none"></i>
+        Segment Node Store</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository Construction">
+          <i class="none"></i>
+        Repository Construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../command_line.html" title="Command Line Tools">
+          <i class="none"></i>
+        Command Line Tools</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../migration.html" title="Migration">
+          <i class="none"></i>
+        Migration</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and Don'ts">
+          <i class="none"></i>
+        Dos and Don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../coldstandby/coldstandby.html" title="Cold Standby">
+          <i class="none"></i>
+        Cold Standby</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../developing-with-git.html" title="Developing with Git">
+          <i class="none"></i>
+        Developing with Git</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../diagnostic-builds.html" title="Cutting diagnostic builds">
+          <i class="none"></i>
+        Cutting diagnostic builds</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../attribution.html" title="Attribution">
+          <i class="none"></i>
+        Attribution</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak/docs/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Authentication : Implementation Details<a name="Authentication_:_Implementation_Details"></a></h2>
+<div class="section">
+<h3>General<a name="General"></a></h3>
+<p>Jackrabbit Oak covers different authentication requirements by providing default implementations and extension points for different setup scenarios.</p></div>
+<div class="section">
+<h3>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h3>
+<p>See the corresponding <a href="differences.html">documentation</a>.</p></div>
+<div class="section">
+<h3>Authentication Requirements<a name="Authentication_Requirements"></a></h3>
+<p>Jackrabbit Oak covers the following login requirements and provides dedicated <tt>LoginModule</tt> implementation(s) for each scenario:</p>
+
+<ul>
+  
+<li><a href="#guest">Guest Login</a></li>
+  
+<li><a href="#uid_pw">UserId/Password Login</a></li>
+  
+<li><a href="#impersonation">Impersonation Login</a></li>
+  
+<li><a href="#token">Token Login</a></li>
+  
+<li><a href="#pre_authenticated">Pre-Authenticated Login</a></li>
+  
+<li><a href="#external">External Login</a></li>
+</ul>
+<p><a name="guest"></a></p>
+<div class="section">
+<h4>Guest Login<a name="Guest_Login"></a></h4>
+<p>The proper way to obtain an guest session as of Oak is as specified by JSR 283:</p>
+
+<div class="source">
+<pre>String wspName = null;
+Session anonymous = repository.login(new GuestCredentials(), wspName);
+</pre></div>
+<p>As of Oak 1.0 <tt>Repository#login()</tt> and <tt>Repository#login(null, wspName)</tt> is no longer treated as guest login. This behavior of Jackrabbit-core is violating the specification, which defines that null-login should be used for those cases where the authentication process is handled outside of the repository (see <a href="authentication/preauthentication.html">Pre-Authentication</a>).</p>
+<p>Similarly, any special treatment that Jackrabbit core applied for the guest (anonymous) user has been omitted altogether from the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html">LoginModuleImpl</a>. In the default setup the built-in anonymous user will be created without any password. Therefore explicitly uid/pw login using the anonymous userId will no longer work. This behavior is now consistent with the default login of any other user which doesn&#x2019;t have a password set.</p>
+<div class="section">
+<h5>GuestLoginModule<a name="GuestLoginModule"></a></h5>
+<p>The aim of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.html">GuestLoginModule</a> implementation is to provide backwards compatibility with Jackrabbit 2.x with respect to the guest (anonymous) login: the <tt>GuestLoginModule</tt> can be added as <i>optional</i> entry to the chain of login modules in the JAAS (or corresponding OSGi) configuration.</p>
+<p>Example JAAS Configuration:</p>
+
+<div class="source">
+<pre>jackrabbit.oak {
+   org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule  optional;
+   org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
+};
+</pre></div>
+<p>The behavior of the <tt>GuestLoginModule</tt> is as follows:</p>
+<p><i>Phase 1: Login</i></p>
+
+<ul>
+  
+<li>tries to retrieve JCR credentials from the [CallbackHandler] using the [CredentialsCallback]</li>
+  
+<li>in case no credentials could be obtained it pushes a new instance of <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/GuestCredentials.html">GuestCredentials</a> to the shared stated  and <b>returns</b> <tt>true</tt></li>
+  
+<li>otherwise it <b>returns</b> <tt>false</tt></li>
+</ul>
+<p><i>Phase 2: Commit</i></p>
+
+<ul>
+  
+<li>if the phase 1 succeeded it will add the <tt>GuestCredentials</tt> created above and  <tt>EveryonePrincipal</tt> the <tt>Subject</tt> in phase 2 of the login process and <b>returns</b> <tt>true</tt></li>
+  
+<li>otherwise it <b>returns</b> <tt>false</tt></li>
+</ul>
+<p><a name="uid_pw"></a></p></div></div>
+<div class="section">
+<h4>UserId/Password Login<a name="UserIdPassword_Login"></a></h4>
+<p>Oak 1.0 comes with 2 different login module implementations that can handle <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html">SimpleCredentials</a>:</p>
+
+<ul>
+  
+<li>Default (<tt>LoginModuleImpl</tt>) as described below</li>
+  
+<li><tt>ExternalLoginModule</tt> as described in section <a href="authentication/externalloginmodule.html">External Authentication</a></li>
+</ul>
+<div class="section">
+<h5>LoginModuleImpl<a name="LoginModuleImpl"></a></h5>
+<p>The <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html">LoginModuleImpl</a> defines a regular userId/password login and requires a repository setup that supports <a href="user.html">User Management</a> and is designed to supports the following <tt>Credentials</tt>:</p>
+
+<ul>
+  
+<li><tt>SimpleCredentials</tt></li>
+  
+<li><tt>GuestCredentials</tt> (see above)</li>
+  
+<li><tt>ImpersonationCredentials</tt> (see below)</li>
+</ul>
+<p>This login module implementations behaves as follows:</p>
+<p><i>Phase 1: Login</i></p>
+
+<ul>
+  
+<li>if a user does not exist in the repository (i.e. cannot be provided by the user manager) it <b>returns <tt>false</tt></b>.</li>
+  
+<li>if an authorizable with the respective userId exists but is a group or a disabled users, it <b>throws <tt>LoginException</tt></b></li>
+  
+<li>if a user exists in the repository and the credentials don&#x2019;t match, it <b>throws <tt>LoginException</tt></b></li>
+  
+<li>if a user exists in the repository and the credentials match, it <b>returns <tt>true</tt></b>
+  
+<ul>
+    
+<li>also, it adds the credentials to the shared state</li>
+    
+<li>also, it adds the login name to the shared state</li>
+    
+<li>also, it calculates the principals and adds them to the private state</li>
+    
+<li>also, it adds the credentials to the private state</li>
+  </ul></li>
+</ul>
+<p><i>Phase 2: Commit</i></p>
+
+<ul>
+  
+<li>if the private state contains the credentials and principals, it adds them (both) to the subject and <b>returns <tt>true</tt></b></li>
+  
+<li>if the private state does not contain credentials and principals, it clears the state and <b>returns <tt>false</tt></b></li>
+</ul>
+<p><a name="user_authentication"></a></p>
+<div class="section">
+<h6>User Authentication<a name="User_Authentication"></a></h6>
+<p>The <tt>LoginModuleImpl</tt> uses a configured <tt>Authentication</tt>-implementation for performing the login step. Which implementation to use is determined by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a> obtained by the given <tt>UserConfiguration</tt>. It is expected to provides an <tt>Authentication</tt> implementation if the given <tt>UserConfiguration</tt> is accepted.</p>
+<p>In case multiple implementations of the <tt>UserAuthenticationFactory</tt> are available, the precendece depends on its OSGi service ranking property. The default factory implementation has a ranking of 0 (OSGi default). Services with the highest ranking will take precedence.</p>
+<p>See also section <a href="../user/default.html#pluggability">user management</a>.</p>
+<p><a name="impersonation"></a></p></div></div></div>
+<div class="section">
+<h4>Impersonation Login<a name="Impersonation_Login"></a></h4>
+<p>Another flavor of the Oak authentication implementation is covered by <tt>javax.jcr.Session#impersonate(Credentials)</tt>, which allows to obtain an new <tt>Session</tt> for a user identified by the specified credentials. As of JSR 333 this method can also be used in order to clone the existing session (i.e. self-impersonation of the user that holds the session.</p>
+<p>With Oak 1.0 impersonation is implemented as follows:</p>
+
+<ol style="list-style-type: decimal">
+  
+<li><tt>Session#impersonate</tt> takes any kind of <tt>Credentials</tt></li>
+  
+<li>the specified credentials are wrapped in a new instance of <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html">ImpersonationCredentials</a>  along with the current <tt>AuthInfo</tt> object.</li>
+  
+<li>these <tt>ImpersonationCredentials</tt> are passed to <tt>Repository.login</tt></li>
+</ol>
+<p>Whether or not impersonation succeeds consequently both depends on the authentication setup and on some implementation specific validation that make sure the editing session is allowed to impersonate the user identified by the credentials passed to the impersonate call.</p>
+<p>With Oak 1.0 only the default login module (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.html">LoginModuleImpl</a>) is able to deal with <tt>ImpersonationCredentials</tt> and applies the following logic:</p>
+
+<ul>
+  
+<li><b>Self-Impersonation</b>: Any attempt to impersonate the same session will succeed  as long as the user is still valid (i.e. exists and has not been disabled).</li>
+  
+<li><b>Regular Impersonation</b>: Impersonation another user will only succeed if  the impersonated user is valid (i.e. exists and is not disabled) <i>and</i> the  the user associated with the editing session is allowed to impersonate this  user. The latter depends on the <a href="user.html">User Management</a> implementation  specifically on the return value of <tt>User.getImpersonation().allows(Subject subject)</tt>.</li>
+</ul>
+<div class="section">
+<h5>ImpersonationCredentials<a name="ImpersonationCredentials"></a></h5>
+<p>Since the implementation of <tt>Session.impersonate</tt> no longer uses <tt>SimpleCredentials</tt> to transport the original <tt>Subject</tt> but rather performs the login with dedicated <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.html">ImpersonationCredentials</a>, impersonation is no longer restricted to <tt>SimpleCredentials</tt> being passed to <tt>Session#impersonate</tt> call. Instead the specified credentials are passed to a new instance of <tt>ImpersonationCredentials</tt> delegating the evaluation and validation of the specified <tt>Credentials</tt> to the configured login module(s).</p>
+<p>This modification will not affect applications that used JCR API to impersonate a given session. Note however that applications relying on the Jackrabbit implementation and manually creating <tt>SimpleCredentials</tt> with a <tt>SecurityConstants.IMPERSONATOR_ATTRIBUTE</tt>, would need to be refactor after migration to Oak.</p></div>
+<div class="section">
+<h5>Impersonation with Custom Authentication Setup<a name="Impersonation_with_Custom_Authentication_Setup"></a></h5>
+<p>Applications that wish to use a custom authentication setup need to ensure the following steps in order to get JCR impersonation working:</p>
+
+<ul>
+  
+<li>Respect <tt>ImpersonationCredentials</tt> in the authentication setup.</li>
+  
+<li>Identify the impersonated from <tt>ImpersonationCredentials.getBaseCredentials</tt>  and verify if it can be authenticated.</li>
+  
+<li>Validate that the editing session is allowed to impersonate: The user associated  with the editing session can be identified by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a> obtained from  from <tt>ImpersonationCredentials.getImpersonatorInfo()</tt>.</li>
+</ul>
+<p><a name="token"></a></p></div></div>
+<div class="section">
+<h4>Token Login<a name="Token_Login"></a></h4>
+<p>See section <a href="authentication/tokenmanagement.html">Token Authentication</a> for details regarding token based authentication.</p>
+<div class="section">
+<h5>TokenLoginModule<a name="TokenLoginModule"></a></h5>
+<p>The <tt>TokenLoginModule</tt> is in charge of creating new login tokens and validate repository logins with <tt>TokenCredentials</tt>. The exact behavior of this login module is described in section <a href="authentication/tokenmanagement.html">Token Authentication</a>.</p>
+<p><a name="pre_authenticated"></a></p></div></div>
+<div class="section">
+<h4>Pre-Authenticated Login<a name="Pre-Authenticated_Login"></a></h4>
+<p>Oak provides two different mechanisms to create pre-authentication that doesn&#x2019;t involve the repositories internal authentication mechanism for credentials validation.</p>
+
+<ul>
+  
+<li>Pre-Authentication combined with Login Module Chain</li>
+  
+<li>Pre-Authentication without Repository Involvement (aka <tt>null</tt> login)</li>
+</ul>
+<p>See section <a href="authentication/preauthentication.html">Pre-Authentication Login</a> for further details and examples.</p>
+<p><a name="external"></a></p></div>
+<div class="section">
+<h4>External Login<a name="External_Login"></a></h4>
+<p>While the default setup in Oak is solely relying on repository functionality to ensure proper authentication it quite common to authenticate against different systems (e.g. LDAP). For those setups that wish to combine initial authentication against a third party system with repository functionality, Oak provides a default implementation with extension points:</p>
+
+<ul>
+  
+<li><a href="authentication/externalloginmodule.html">External Authentication</a>: Summary of  the external authentication and details about the <tt>ExternalLoginModule</tt>.</li>
+  
+<li><a href="authentication/usersync.html">User and Group Synchronization</a>: Details regarding  user and group synchronization as well as a list of configuration options provided  by the the default implementations present with Oak.</li>
+  
+<li><a href="authentication/identitymanagement.html">Identity Management</a>: Further information regarding extenal identity management.</li>
+  
+<li><a href="authentication/ldap.html">LDAP Integration</a>: How to make use of the <tt>ExternalLoginModule</tt>  with the LDAP identity provider implementation. This combination is aimed to replace  <a class="externalLink" href="http://dev.day.com/docs/en/crx/current/administering/ldap_authentication.html">com.day.crx.security.ldap.LDAPLoginModule</a>, which relies on Jackrabbit internals  and will no longer work with Oak.</li>
+</ul>
+<div class="section">
+<h5>ExternalLoginModule<a name="ExternalLoginModule"></a></h5>
+<p>The [ExternalLoginModule] is a base implementation that allows easy integration of 3rd party authentication and identity systems, such as <a href="ldap.html">LDAP</a>. The general mode of the external login module is to use the external system as authentication source and as a provider for users and groups that may also be synchronized into the repository.</p>
+<p>This login module implementation requires an valid <tt>SyncHandler</tt> and <tt>IdentityProvider</tt> to be present. The detailed behavior of the <tt>ExternalLoginModule</tt> is described in section <a href="authentication/externalloginmodule.html">External Authentication</a>.</p>
+<!-- hidden references --></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2016
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+                
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
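Review bot: The relative links in the Token Login, Pre-Authenticated Login and External Login sections (`authentication/tokenmanagement.html`, `authentication/preauthentication.html`, `authentication/externalloginmodule.html`, `authentication/usersync.html`, `authentication/identitymanagement.html`, `authentication/ldap.html`) are resolved from `security/authentication/default.html`, so they point at `security/authentication/authentication/...`, while the sibling pages touched by this commit live directly under `security/authentication/`. Drop the `authentication/` prefix, as the `<a href="ldap.html">` in the ExternalLoginModule paragraph already does. That same paragraph renders `[ExternalLoginModule]` literally, so the Markdown reference definition is missing. In the custom-setup impersonation list, which serves as the checklist for anyone replacing the default login modules, "Identify the impersonated from" has lost its noun and the third item reads "from  from"; both items should state unambiguously which party is authenticated and which is checked for permission to impersonate. The footer also pulls `project_thin_badge.js` from `http://www.ohloh.net` over plain HTTP; serve it over HTTPS or drop the widget, since a script fetched in clear text can be altered in transit.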

Propchange: jackrabbit/site/live/oak/docs/security/authentication/default.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/security/authentication/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/differences.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/differences.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authentication : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
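Review bot: Both hunks for differences.html change nothing but the generation stamp (the Doxia comment, the `Date-Revision-yyyymmdd` meta and the `publishDate` breadcrumb, 2016-02-08 to 2016-02-10), and externalloginmodule.html, ldap.html and preauthentication.html below are in the same state. Consider leaving regenerated pages without content changes out of the site commit, so that the real documentation edits in this revision are easier to find and review.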

Modified: jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authentication with the External Login Module</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/identitymanagement.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - External Identity Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -510,7 +510,7 @@
 <h2>External Identity Management<a name="External_Identity_Management"></a></h2>
 <div class="section">
 <h3>General<a name="General"></a></h3>
-<p><i>todo</i></p></div>
+<p>Jackrabbit Oak provides interfaces and some base classes to ease custom implementation of the external authentication with optional user/group synchronization to the repository.</p></div>
 <div class="section">
 <h3>Identity Management API<a name="Identity_Management_API"></a></h3>
 
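Review bot: The sentence replacing `<i>todo</i>` in the General section mentions "interfaces and some base classes" without naming any of them. Point the reader at the Identity Management API section that follows, or name the entry points here, so the paragraph says where a custom implementation starts. "ease custom implementation of the external authentication" would also read better as "ease custom implementations of external authentication".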

Modified: jackrabbit/site/live/oak/docs/security/authentication/ldap.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/ldap.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/ldap.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/ldap.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - LDAP Integration</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Pre-Authenticated Login</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Token Authentication and Token Management</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -553,9 +553,11 @@
 
 <ul>
   
+<li>[TokenConfiguration]: Interface to obtain a <tt>TokenProvider</tt> instance (see section <a href="#configuration">configuration</a> below).</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenProvider.html">TokenProvider</a>: Interface to read and manage login tokens.</li>
   
-<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenInfo.html">TokenInfo</a>: Information associated with a given login token.</li>
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/token/TokenInfo.html">TokenInfo</a>: Information associated with a given login token and token validity.</li>
 </ul>
 <p>In addition Oak comes with a default implementation of the provider interface that is able to aggregate multiple <tt>TokenProvider</tt>s:</p>
 
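Review bot: The added list item renders `[TokenConfiguration]` with literal brackets, which means the Markdown reference definition is missing; the `TokenProvider` and `TokenInfo` entries next to it link to their apidocs pages, and this one should do the same. The item also links to `#configuration`; this hunk does not show an anchor with that name, so confirm it exists on the page before publishing.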

Modified: jackrabbit/site/live/oak/docs/security/authentication/usersync.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication/usersync.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication/usersync.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication/usersync.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - User and Group Synchronization</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -527,7 +527,7 @@
   
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncResult.html">SyncResult</a>: the result of a sync operation</li>
   
-<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncException.html">SyncException</a></li>
+<li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncException.html">SyncException</a>: marker for sync related errors</li>
 </ul>
 <div class="section">
 <h4>JMX Synchronization Tool<a name="JMX_Synchronization_Tool"></a></h4>

Added: jackrabbit/site/live/oak/docs/security/authorization.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authorization.html?rev=1730074&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authorization.html (added)
+++ jackrabbit/site/live/oak/docs/security/authorization.html Fri Feb 12 17:09:05 2016
@@ -0,0 +1,598 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-02-10
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Authorization</title>
+    <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../css/site.css" />
+    <link rel="stylesheet" href="../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                                                                <a class="brand" href="../"  title="Oak logo">
+
+                                
+                                                                                                                    <img src="../oak_logo.png" alt="Oak logo" />
+                
+                </a>
+                    
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../architecture/overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../architecture/nodestate.html"  title="The Node State Model">The Node State Model</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://www.day.com/specs/jcr/2.0/index.html"  title="JCR API">JCR API</a>
+</li>
+                  
+                      <li>      <a href="../oak_api/overview.html"  title="Oak API">Oak API</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../features/atomic-counter.html"  title="Atomic Counter">Atomic Counter</a>
+</li>
+                  
+                      <li>      <a href="../plugins/blobstore.html"  title="Blob Storage">Blob Storage</a>
+</li>
+                  
+                      <li>      <a href="../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                  
+                      <li>      <a href="../nodestore/documentmk.html"  title="DocumentNodeStore">DocumentNodeStore</a>
+</li>
+                  
+                      <li>      <a href="../nodestore/overview.html"  title="Node Storage">Node Storage</a>
+</li>
+                  
+                      <li>      <a href="../nodestore/persistent-cache.html"  title="Persistent Cache">Persistent Cache</a>
+</li>
+                  
+                      <li>      <a href="../query/query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../nodestore/segment/overview.html"  title="Segment Node Store">Segment Node Store</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../construct.html"  title="Repository Construction">Repository Construction</a>
+</li>
+                  
+                      <li>      <a href="../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../command_line.html"  title="Command Line Tools">Command Line Tools</a>
+</li>
+                  
+                      <li>      <a href="../migration.html"  title="Migration">Migration</a>
+</li>
+                  
+                      <li>      <a href="../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../dos_and_donts.html"  title="Dos and Don'ts">Dos and Don'ts</a>
+</li>
+                  
+                      <li>      <a href="../coldstandby/coldstandby.html"  title="Cold Standby">Cold Standby</a>
+</li>
+                  
+                      <li>      <a href="../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../developing-with-git.html"  title="Developing with Git">Developing with Git</a>
+</li>
+                  
+                      <li>      <a href="../diagnostic-builds.html"  title="Cutting diagnostic builds">Cutting diagnostic builds</a>
+</li>
+                  
+                      <li>      <a href="../attribution.html"  title="Attribution">Attribution</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2016-02-10</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and Architecture</li>
+                                
+      <li>
+    
+                          <a href="../architecture/overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../architecture/nodestate.html" title="The Node State Model">
+          <i class="none"></i>
+        The Node State Model</a>
+            </li>
+                              <li class="nav-header">Main APIs</li>
+                                
+      <li>
+    
+                          <a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API">
+          <i class="none"></i>
+        JCR API</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../oak_api/overview.html" title="Oak API">
+          <i class="none"></i>
+        Oak API</a>
+            </li>
+                              <li class="nav-header">Features and Plugins</li>
+                                
+      <li>
+    
+                          <a href="../features/atomic-counter.html" title="Atomic Counter">
+          <i class="none"></i>
+        Atomic Counter</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../plugins/blobstore.html" title="Blob Storage">
+          <i class="none"></i>
+        Blob Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestore/documentmk.html" title="DocumentNodeStore">
+          <i class="none"></i>
+        DocumentNodeStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestore/overview.html" title="Node Storage">
+          <i class="none"></i>
+        Node Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestore/persistent-cache.html" title="Persistent Cache">
+          <i class="none"></i>
+        Persistent Cache</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../query/query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../nodestore/segment/overview.html" title="Segment Node Store">
+          <i class="none"></i>
+        Segment Node Store</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../construct.html" title="Repository Construction">
+          <i class="none"></i>
+        Repository Construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../command_line.html" title="Command Line Tools">
+          <i class="none"></i>
+        Command Line Tools</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../migration.html" title="Migration">
+          <i class="none"></i>
+        Migration</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../dos_and_donts.html" title="Dos and Don'ts">
+          <i class="none"></i>
+        Dos and Don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../coldstandby/coldstandby.html" title="Cold Standby">
+          <i class="none"></i>
+        Cold Standby</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../developing-with-git.html" title="Developing with Git">
+          <i class="none"></i>
+        Developing with Git</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../diagnostic-builds.html" title="Cutting diagnostic builds">
+          <i class="none"></i>
+        Cutting diagnostic builds</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../attribution.html" title="Attribution">
+          <i class="none"></i>
+        Attribution</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak/docs/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Authorization<a name="Authorization"></a></h2>
+<div class="section">
+<h3>General Notes<a name="General_Notes"></a></h3>
+<p>One of main goals for Oak security, was to clearly separates between access control management (such as defined by the JCR and Jackrabbit API) and the internal permission evaluation.</p>
+<p>While access control management is defined to be an optional feature added in JCR 2.0, permission evaluation was mandated since the very first version of JCR even though it remained an implementation detail.</p>
+<p>The documentation follows this separations and handles access control and permission evaluation separately:</p>
+
+<ul>
+  
+<li><a href="accesscontrol.html">Access Control Management</a></li>
+  
+<li><a href="permission.html">Permissions</a></li>
+</ul>
+<p>Despite the fact that there is a distinction between the public facing access control management and the internal permission evaluation, these two topics remain connected to one another and a given authorization model is expected to define and handle both in a consistent manner. Consequently the main entry point for authorization related operations is a single <tt>AuthorizationConfiguration</tt> (see section <a href="#configuration">configuration</a> below).</p>
+<p><a name="api_extensions"></a></p></div>
+<div class="section">
+<h3>API Extensions<a name="API_Extensions"></a></h3>
+<p>The API extensions provided by Oak are covered in the following sections:</p>
+
+<ul>
+  
+<li><a href="accesscontrol.html#api_extensions">Access Control Management</a></li>
+  
+<li><a href="permission.html#api_extensions">Permissions</a></li>
+  
+<li><a href="authorization/restriction.html#api_extensions">Restriction Management</a></li>
+</ul>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The configuration of the authorization related parts is handled by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>. This class provides the following methods:</p>
+
+<ul>
+  
+<li><tt>getAccessControlManager</tt>: get a new ac manager instance (see <a href="accesscontrol.html">Access Control Management</a>).</li>
+  
+<li><tt>getPermissionProvider</tt>: get a new permission provider instance (see <a href="permission.html">Permissions</a>).</li>
+  
+<li><tt>getRestrictionProvider</tt>: get a new instance of the restriction provider (see <a href="authorization/restriction.html">Restriction Management</a>.</li>
+</ul>
+<div class="section">
+<h4>Configuration Parameters<a name="Configuration_Parameters"></a></h4>
+<p>The supported configuration options of the default implementation are described separately for <a href="accesscontrol/default.html#configuration">access control management</a> and <a href="permission/default.html#configuration">permission evalution</a> .</p>
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>There are multiple options for plugging authorization related custom implementations:</p>
+<div class="section">
+<h4>Aggregation of Different Authorization Models<a name="Aggregation_of_Different_Authorization_Models"></a></h4>
+<div class="section">
+<h5>Since Oak 1.4<a name="Since_Oak_1.4"></a></h5>
+<p>As of Oak 1.4 the built-in <tt>SecurityProvider</tt> implementations allow for the aggregation of multiple <tt>AuthorizationConfiguration</tt>s.</p>
+<p>The behaviour of the <tt>CompositeAuthorizationConfiguration</tt> is described in the corresponding <a href="authorization/composite.html">section</a> (see also <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1268">OAK-1268</a>).</p></div>
+<div class="section">
+<h5>Previous Versions<a name="Previous_Versions"></a></h5>
+<p>In previous versions of Oak aggregation of multiple authorization models was not supported and it was only possible to replace the existing <tt>AuthorizationConfiguration</tt>. This would completely replace the default way of handling authorization in the repository.</p>
+<p>In OSGi-base setup this is achieved by making the configuration implementation a service such that it takes precendece over the default. </p>
+<p>In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</p></div></div>
+<div class="section">
+<h4>Extending the Restriction Provider<a name="Extending_the_Restriction_Provider"></a></h4>
+<p>In all versions of Oak it is possible to plug custom implementation(s) for the restriction management that allows to narrow the effect of permissions to items matching a given, defined behavior. Details can be found in section <a href="authorization/restriction.html#pluggability">RestrictionManagement</a>.</p>
+<!-- hidden references --></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2016
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+                
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
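Review bot: the ohloh badge in the footer, `<script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js">`, is loaded over plain HTTP, so anyone on the network path can alter a script that runs in this page's context, and browsers block it as mixed content when the docs are served over HTTPS. Switch it to an `https://` URL or drop the widget. The Google `plusone.js` include in the `poweredBy` block does use HTTPS, but it is also third-party script running on a security documentation page, so consider whether it is needed. The body text has a few errors to fix in the page source: "was to clearly separates" in General Notes, the unclosed parenthesis in the `getRestrictionProvider` list item, "permission evalution" under Configuration Parameters, and "OSGi-base" and "precendece" under Previous Versions. The file also ends without a trailing newline.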

Propchange: jackrabbit/site/live/oak/docs/security/authorization.html
------------------------------------------------------------------------------
    svn:eol-style = native


