jackrabbit-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1730074 [7/8] - in /jackrabbit/site/live/oak/docs: ./ META-INF/ architecture/ coldstandby/ features/ nodestore/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication/ security/a...
Date Fri, 12 Feb 2016 17:09:07 GMT
Added: jackrabbit/site/live/oak/docs/security/privilege/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/default.html?rev=1730074&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/default.html (added)
+++ jackrabbit/site/live/oak/docs/security/privilege/default.html Fri Feb 12 17:09:05 2016
@@ -0,0 +1,757 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-02-10
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - Privilege Management : The Default Implementation</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                                                                <a class="brand" href="../../"  title="Oak logo">
+
+                                
+                                                                                                                    <img src="../../oak_logo.png" alt="Oak logo" />
+                
+                </a>
+                    
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../architecture/overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../architecture/nodestate.html"  title="The Node State Model">The Node State Model</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://www.day.com/specs/jcr/2.0/index.html"  title="JCR API">JCR API</a>
+</li>
+                  
+                      <li>      <a href="../../oak_api/overview.html"  title="Oak API">Oak API</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../features/atomic-counter.html"  title="Atomic Counter">Atomic Counter</a>
+</li>
+                  
+                      <li>      <a href="../../plugins/blobstore.html"  title="Blob Storage">Blob Storage</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/documentmk.html"  title="DocumentNodeStore">DocumentNodeStore</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/overview.html"  title="Node Storage">Node Storage</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/persistent-cache.html"  title="Persistent Cache">Persistent Cache</a>
+</li>
+                  
+                      <li>      <a href="../../query/query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/segment/overview.html"  title="Segment Node Store">Segment Node Store</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository Construction">Repository Construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../command_line.html"  title="Command Line Tools">Command Line Tools</a>
+</li>
+                  
+                      <li>      <a href="../../migration.html"  title="Migration">Migration</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and Don'ts">Dos and Don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../coldstandby/coldstandby.html"  title="Cold Standby">Cold Standby</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../developing-with-git.html"  title="Developing with Git">Developing with Git</a>
+</li>
+                  
+                      <li>      <a href="../../diagnostic-builds.html"  title="Cutting diagnostic builds">Cutting diagnostic builds</a>
+</li>
+                  
+                      <li>      <a href="../../attribution.html"  title="Attribution">Attribution</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2016-02-10</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and Architecture</li>
+                                
+      <li>
+    
+                          <a href="../../architecture/overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../architecture/nodestate.html" title="The Node State Model">
+          <i class="none"></i>
+        The Node State Model</a>
+            </li>
+                              <li class="nav-header">Main APIs</li>
+                                
+      <li>
+    
+                          <a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API">
+          <i class="none"></i>
+        JCR API</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../oak_api/overview.html" title="Oak API">
+          <i class="none"></i>
+        Oak API</a>
+            </li>
+                              <li class="nav-header">Features and Plugins</li>
+                                
+      <li>
+    
+                          <a href="../../features/atomic-counter.html" title="Atomic Counter">
+          <i class="none"></i>
+        Atomic Counter</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../plugins/blobstore.html" title="Blob Storage">
+          <i class="none"></i>
+        Blob Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/documentmk.html" title="DocumentNodeStore">
+          <i class="none"></i>
+        DocumentNodeStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/overview.html" title="Node Storage">
+          <i class="none"></i>
+        Node Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/persistent-cache.html" title="Persistent Cache">
+          <i class="none"></i>
+        Persistent Cache</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query/query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/segment/overview.html" title="Segment Node Store">
+          <i class="none"></i>
+        Segment Node Store</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository Construction">
+          <i class="none"></i>
+        Repository Construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../command_line.html" title="Command Line Tools">
+          <i class="none"></i>
+        Command Line Tools</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../migration.html" title="Migration">
+          <i class="none"></i>
+        Migration</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and Don'ts">
+          <i class="none"></i>
+        Dos and Don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../coldstandby/coldstandby.html" title="Cold Standby">
+          <i class="none"></i>
+        Cold Standby</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../developing-with-git.html" title="Developing with Git">
+          <i class="none"></i>
+        Developing with Git</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../diagnostic-builds.html" title="Cutting diagnostic builds">
+          <i class="none"></i>
+        Cutting diagnostic builds</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../attribution.html" title="Attribution">
+          <i class="none"></i>
+        Attribution</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak/docs/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>Privilege Management : The Default Implementation<a name="Privilege_Management_:_The_Default_Implementation"></a></h2>
+<div class="section">
+<h3>General Notes<a name="General_Notes"></a></h3>
+<p>As of Oak the built-in and custom privileges are stored in the repository underneath <tt>/jcr:system/rep:privileges</tt>. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type definition and cannot be modified using regular JCR write methods. In addition a specific <tt>Validator</tt> and <tt>CommitHook</tt> implementations assert the consistency of the privilege store. The built-in privileges are installed using a dedicated implementation of the <tt>RepositoryInitializer</tt>.</p></div>
+<div class="section">
+<h3>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h3>
+<p>A comprehensive list of changes compared to Jackrabbit 2.x can be found in the corresponding <a href="differences.html">documentation</a>.</p></div>
+<div class="section">
+<h3>Built-in Privileges<a name="Built-in_Privileges"></a></h3>
+
+<ul>
+  
+<li>
+<p>All Privileges as defined by JSR 283</p>
+  
+<div class="source">
+<pre>jcr:read (NOTE: Aggregate since Oak 1.0)
+jcr:modifyProperties (NOTE: Aggregate since Oak 1.0)
+jcr:addChildNodes
+jcr:removeNode
+jcr:removeChildNodes
+jcr:readAccessControl
+jcr:modifyAccessControl
+jcr:lockManagement
+jcr:versionManagement
+jcr:nodeTypeManagement
+jcr:retentionManagement (NOTE: retention management not implemented in Oak 1.0)
+jcr:lifecycleManagement (NOTE: lifecycle management not implemented in Oak 1.0)
+jcr:write
+jcr:all
+</pre></div></li>
+  
+<li>
+<p>All Privileges defined by JSR 333</p>
+  
+<div class="source">
+<pre>jcr:workspaceManagement (NOTE: wsp management not yet implemented)
+jcr:nodeTypeDefinitionManagement
+jcr:namespaceManagement
+</pre></div></li>
+  
+<li>
+<p>All Privileges defined by Jackrabbit 2.x</p>
+  
+<div class="source">
+<pre>rep:write
+rep:privilegeManagement
+</pre></div></li>
+  
+<li>
+<p>New Privileges defined by OAK 1.0:</p>
+  
+<div class="source">
+<pre>rep:userManagement
+rep:readNodes
+rep:readProperties
+rep:addProperties
+rep:alterProperties
+rep:removeProperties
+rep:indexDefinitionManagement
+</pre></div></li>
+</ul>
+<p>Please note the following differences with respect to Jackrabbit 2.x definitions:</p>
+
+<ul>
+  
+<li><tt>jcr:read</tt> is now an aggregation of <tt>rep:readNodes</tt> and <tt>rep:readProperties</tt></li>
+  
+<li><tt>jcr:modifyProperties</tt> is now an aggregation of <tt>rep:addProperties</tt>, <tt>rep:alterProperties</tt> and <tt>rep:removeProperties</tt></li>
+</ul>
+<div class="section">
+<h4>New Privileges<a name="New_Privileges"></a></h4>
+<p>The new Privileges introduced with Oak 1.0 have the following effect:</p>
+
+<ul>
+  
+<li><tt>rep:userManagement</tt>: Privilege required in order to write items that define user or group specific content.</li>
+  
+<li><tt>rep:readNodes</tt>: Privilege used to allow/deny read access to nodes (aggregate of <tt>jcr:read</tt>)</li>
+  
+<li><tt>rep:readProperties</tt>: Privilege used to allow/deny read access to properties (aggregate of <tt>jcr:read</tt>)</li>
+  
+<li><tt>rep:addProperties</tt>: Privilege required in order to create new properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
+  
+<li><tt>rep:alterProperties</tt>: Privilege required in order to change existing properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
+  
+<li><tt>rep:removeProperties</tt>: Privilege required in order to remove existing properties (aggreate of <tt>jcr:modifyProperties</tt>)</li>
+  
+<li><tt>rep:indexDefinitionManagement</tt>: Privilege required to create, modify or deleate index definitions.</li>
+</ul></div>
+<div class="section">
+<h4>Mapping Privileges to Items and API Calls<a name="Mapping_Privileges_to_Items_and_API_Calls"></a></h4>
+<p>An overview on how the built-in privileges map to API calls and individual items can be found in <a href="mappingtoitems.html">&#x2018;Mapping Privileges to Items&#x2019;</a> and <a href="mappingtoprivileges.html">&#x2018;Mapping API Calls to Privileges&#x2019;</a></p></div></div>
+<div class="section">
+<h3>Privilege Representation in the Repository<a name="Privilege_Representation_in_the_Repository"></a></h3>
+<p>As of Oak 1.0 all privilege definitions are stored in the repository itself underneath <tt>/jcr:system/rep:privileges</tt>. The following privilege related built-in node types have been added in OAK 1.0 in order to represent built-in and custom privilege definitions.</p>
+
+<div class="source">
+<pre>[rep:Privileges]
+  + * (rep:Privilege) = rep:Privilege protected ABORT
+  - rep:next (LONG) protected multiple mandatory
+
+[rep:Privilege]
+  - rep:isAbstract (BOOLEAN) protected
+  - rep:aggregates (NAME) protected multiple
+  - rep:bits (LONG) protected multiple mandatory
+</pre></div>
+<p>Note the protection status of all child items defined by these node type definitions as they prevent modification of the privilege definitions using regular JCR write operations.</p>
+<p><a name="validation"></a></p></div>
+<div class="section">
+<h3>Validation<a name="Validation"></a></h3>
+<p>The consistency of this content structure is asserted by a dedicated <tt>PrivilegeValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Code </th>
+      
+<th>Message </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>0041 </td>
+      
+<td>Modification of existing privilege definition X </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0042 </td>
+      
+<td>Un-register privilege X </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0043 </td>
+      
+<td>Next bits not updated </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0044 </td>
+      
+<td>Privilege store not initialized </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0045 </td>
+      
+<td>Modification of existing privilege definition X </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0046 </td>
+      
+<td>Modification of existing privilege definition X </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0047 </td>
+      
+<td>Invalid declared aggregate name X </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0048 </td>
+      
+<td>PrivilegeBits are missing </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0049 </td>
+      
+<td>PrivilegeBits already in used </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0050 </td>
+      
+<td>Singular aggregation is equivalent to existing privilege.</td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0051 </td>
+      
+<td>Declared aggregate X is not a registered privilege </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0052 </td>
+      
+<td>Detected circular aggregation </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0053 </td>
+      
+<td>Custom aggregate privilege X is already covered. </td>
+    </tr>
+  </tbody>
+</table>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>There are implementation specific configuration options associated with the privilege management implementation.</p></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2016
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+                
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file
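Review bot: The footer of the new page loads a third-party widget over plain HTTP, `<script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js">`, and the sidebar pulls `https://apis.google.com/js/plusone.js`; both run with full access to the documentation origin, and the HTTP one can be replaced by anyone on the network path (or is blocked as mixed content when the site is served over HTTPS). The file is generated by Doxia with the Fluido skin, so the change presumably belongs in the site descriptor rather than in this HTML: drop the widgets, or at least reference them with `https:` URLs where the host supports it. Separately, in the "New Privileges" list the entries for `rep:readNodes`, `rep:readProperties` and the three `rep:*Properties` privileges say "(aggregate of `jcr:read`)" / "(aggreate of `jcr:modifyProperties`)", which reads backwards next to the earlier statement that `jcr:read` and `jcr:modifyProperties` are the aggregations. Wording such as "(aggregated by `jcr:read`)" in the page source would avoid someone granting the wrong privilege.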

Propchange: jackrabbit/site/live/oak/docs/security/privilege/default.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/security/privilege/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/differences.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/differences.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/mappingtoitems.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : Mapping Privileges to Items</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -648,14 +648,14 @@
       
 <td>jcr:readAccessControl </td>
       
-<td>all items defining access control content (1) </td>
+<td>all items defining access control content [1] </td>
     </tr>
     
 <tr class="a">
       
 <td>jcr:modifyAccessControl </td>
       
-<td>all items defining access control content (1) </td>
+<td>all items defining access control content [1] </td>
     </tr>
     
 <tr class="b">
@@ -665,8 +665,7 @@
 <td>implementation specific; in Oak everything below <tt>/jcr:system/rep:privileges</tt> </td>
     </tr>
   </tbody>
-</table>
-<p>(1) in Oak reading/writing nodes with the following node types: <tt>rep:Policy</tt>, <tt>rep:ACL</tt>, <tt>rep:ACE</tt>, <tt>rep:GrantACE</tt>, <tt>rep:DenyACE</tt>, <tt>rep:Restrictions</tt>, <tt>rep:CugPolicy</tt> and all protected items defined therein</p></div>
+</table></div>
 <div class="section">
 <h4>Other Session and Workspace Operations<a name="Other_Session_and_Workspace_Operations"></a></h4>
 
@@ -686,7 +685,7 @@
       
 <td>jcr:versionManagement </td>
       
-<td>all items defining version content (2) </td>
+<td>all items defining version content [2] </td>
     </tr>
     
 <tr class="a">
@@ -714,7 +713,7 @@
       
 <td>rep:userManagement </td>
       
-<td>all items defining user/group content (3) </td>
+<td>all items defining user/group content [3] </td>
     </tr>
     
 <tr class="a">
@@ -724,8 +723,7 @@
 <td>implementation specific; in Oak trees starting with an <tt>oak:index</tt> node </td>
     </tr>
   </tbody>
-</table>
-<p>(2) granting jcr:versionManagement privilege at a given versionable node will allow writing items through JCR version management API which writes below <tt>/jcr:system/jcr:versionStorage</tt>, <tt>/jcr:system/jcr:activities</tt>, <tt>/jcr:system/jcr:configurations</tt> and the following properties both in the storage(s) and with the versionable node: <tt>jcr:activity</tt>, <tt>jcr:activityTitle</tt>, <tt>jcr:baseVersion</tt>, <tt>jcr:childVersionHistory</tt>, <tt>jcr:configuration</tt>, <tt>jcr:copiedFrom</tt>, <tt>jcr:frozenMixinTypes</tt>, <tt>jcr:frozenPrimaryType</tt>, <tt>jcr:frozenUuid</tt>, <tt>jcr:isCheckedOut</tt>, <tt>jcr:mergeFailed</tt>, <tt>jcr:predecessors</tt>,<tt>jcr:successors</tt>,<tt>jcr:root</tt>,<tt>jcr:versionableUuid</tt>, <tt>jcr:versionHistory</tt> (3) in Oak creating nodes with the following primary types: <tt>rep:User</tt>, <tt>rep:SystemUser</tt>, <tt>rep:Group</tt>, <tt>rep:Impersonatable</tt>, <tt>rep:Members</tt>, <tt>rep:MemberReferences</tt>, <tt>
 rep:MemberReferencesList</tt>, <tt>rep:Password</tt> and all protected properties defined therein</p></div>
+</table></div>
 <div class="section">
 <h4>Repository Operations<a name="Repository_Operations"></a></h4>
 
@@ -769,7 +767,12 @@
 <td>NA </td>
     </tr>
   </tbody>
-</table></div></div></div>
+</table></div>
+<div class="section">
+<h4>Annotations<a name="Annotations"></a></h4>
+<p>[1] In Oak reading/writing nodes with the following node types provided by the implementations present: <tt>rep:Policy</tt>, <tt>rep:ACL</tt>, <tt>rep:ACE</tt>, <tt>rep:GrantACE</tt>, <tt>rep:DenyACE</tt>, <tt>rep:Restrictions</tt> and <tt>rep:CugPolicy</tt> and all protected items defined therein.  See <a href="../accesscontrol/default.html">Default Access Control Management</a> and <a href="../authorization_cug/cug.html">Managing Access Control with CUG</a>, respectively.</p>
+<p>[2] Granting jcr:versionManagement privilege at a given versionable node will allow writing items through JCR version management API which writes below <tt>/jcr:system/jcr:versionStorage</tt>, <tt>/jcr:system/jcr:activities</tt>, <tt>/jcr:system/jcr:configurations</tt> and the following properties both in the storage(s) and with the versionable node: <tt>jcr:activity</tt>, <tt>jcr:activityTitle</tt>, <tt>jcr:baseVersion</tt>, <tt>jcr:childVersionHistory</tt>, <tt>jcr:configuration</tt>, <tt>jcr:copiedFrom</tt>, <tt>jcr:frozenMixinTypes</tt>, <tt>jcr:frozenPrimaryType</tt>, <tt>jcr:frozenUuid</tt>, <tt>jcr:isCheckedOut</tt>, <tt>jcr:mergeFailed</tt>, <tt>jcr:predecessors</tt>,<tt>jcr:successors</tt>,<tt>jcr:root</tt>,<tt>jcr:versionableUuid</tt>, <tt>jcr:versionHistory</tt></p>
+<p>[3] in Oak creating nodes with the following primary types: <tt>rep:User</tt>, <tt>rep:SystemUser</tt>, <tt>rep:Group</tt>, <tt>rep:Impersonatable</tt>, <tt>rep:Members</tt>, <tt>rep:MemberReferences</tt>, <tt>rep:MemberReferencesList</tt>, <tt>rep:Password</tt> and all protected properties defined therein</p></div></div></div>
                   </div>
             </div>
           </div>

Modified: jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html (original)
+++ jackrabbit/site/live/oak/docs/security/privilege/mappingtoprivileges.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Privilege Management : Mapping API Calls to Privileges</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user.html (original)
+++ jackrabbit/site/live/oak/docs/security/user.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - User Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -508,11 +508,13 @@
    See the License for the specific language governing permissions and
    limitations under the License. --><div class="section">
 <h2>User Management<a name="User_Management"></a></h2>
+<p><a href="jcr_api"></a></p>
 <div class="section">
-<h3>JCR User Management<a name="JCR_User_Management"></a></h3>
-<p>JCR itself doesn&#x2019;t come with a dedicated user management API. The only method related and ultimately used for user management tasks is <tt>Session.getUserID()</tt>. Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.</p></div>
+<h3>JCR API<a name="JCR_API"></a></h3>
+<p>JCR itself doesn&#x2019;t come with a dedicated user management API. The only method related and ultimately used for user management tasks is <tt>Session.getUserID()</tt>. Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.</p>
+<p><a name="jackrabbit_api"></a></p></div>
 <div class="section">
-<h3>Jackrabbit User Management API<a name="Jackrabbit_User_Management_API"></a></h3>
+<h3>Jackrabbit API<a name="Jackrabbit_API"></a></h3>
 <p>The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user&#x2019; package space:</p>
 
 <ul>
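Review bot: The added `<p><a href="jcr_api"></a></p>` uses `href` where the neighbouring placeholders in this file use `name` (`<a name="jackrabbit_api"></a>`, `<a name="api_extensions"></a>`), so it produces an empty link to a relative URL instead of defining the `#jcr_api` anchor. It should read `<a name="jcr_api"></a>`. The same slip appears in the next hunk of this file as `<a href="utilities"></a>`, which should be `<a name="utilities"></a>`. Because this page is generated by Maven Doxia, the correction presumably belongs in the document the site is built from rather than in this HTML, otherwise the next site build will reintroduce it.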
@@ -536,293 +538,32 @@
     
 <li><tt>Query</tt></li>
   </ul></li>
-</ul></div>
-<div class="section">
-<h3>Oak User Management Implementation<a name="Oak_User_Management_Implementation"></a></h3>
-<p>The default user management implementation stores user/group information in the content repository. In contrast to Jackrabbit 2.x, which by default used a single, dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace.</p>
-<p>Consequently the <tt>UserManager</tt> associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x <tt>UserPerWorkspaceUserManager</tt>).</p>
-<div class="section">
-<h4>General<a name="General"></a></h4>
-
-<ul>
-  
-<li>The Oak implementation is build on the Oak API. This allows for double usage as  extension to the JCR API as well as within the Oak layer (aka SPI).</li>
-  
-<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing  <tt>Session</tt> from which the class has been obtained.</li>
-  
-<li>Changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
-  
-<li>In case of any failure during user management related write operations the API  consumer is in charge of specifically revert pending or invalid transient modifications  or calling <tt>Session#refresh(false)</tt>.</li>
-</ul></div>
-<div class="section">
-<h4>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h4>
-<p>A summary of all changes with respect to the former implementation present with Jackrabbit 2.x is present in the corresponding <a href="user/differences.html">section</a>.</p></div>
-<div class="section">
-<h4>Built-in Users and Special Groups<a name="Built-in_Users_and_Special_Groups"></a></h4>
-<p>The setup of builtin user and group accounts is triggered by the configured <tt>WorkspaceInitializer</tt> associated with the user management configuration (see Configuration section below).</p>
-<p>The default user management implementation in OAK comes with an initializer that creates the following builtin user accounts:</p>
-<div class="section">
-<h5>Administrator<a name="Administrator"></a></h5>
-<p>The admin user is always being created. The ID of this user is retrieved from the user configuration parameter <tt>PARAM_ADMIN_ID</tt>, which defaults to <tt>admin</tt>.</p>
-<p>As of OAK 1.0 however the administrator user might be created without initial password forcing the application to set the password upon start (see <tt>PARAM_OMIT_ADMIN_PW</tt> configuration parameter).</p></div>
-<div class="section">
-<h5>Anonymous User<a name="Anonymous_User"></a></h5>
-<p>In contrast to Jackrabbit 2.x the anonymous (or guest) user is optional. Creation will be skipped if the value of the <tt>PARAM_ANONYMOUS_ID</tt> configuration parameter is <tt>null</tt> or empty.</p>
-<p>Note, that the anonymous user will always be created without specifying a password in order to prevent regular login with <tt>SimpleCredentials</tt>. The proper way to obtain a guest session is:</p>
-
-<div class="source">
-<pre>Repository#login(new GuestCredentials(), wspName);
-</pre></div>
-<p>See section <a href="authentication.html">Authentication</a> for further information about guest login.</p></div>
-<div class="section">
-<h5>Everyone Group<a name="Everyone_Group"></a></h5>
-<p>The default user management implementation in Oak contains special handling for the optional group that represents <i>everyone</i>, which is marked by the reserved name <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html#NAME">everyone</a> and corresponds to the <tt>EveryonePrincipal</tt>.</p>
-<p>This special group always contains all Authorizable as member and cannot be edited with user management API. As of OAK this fact is consistently reflected in all group membership related methods. See also <a href="principal.html">Principal Management</a>.</p></div></div>
-<div class="section">
-<h4>Reading Authorizables<a name="Reading_Authorizables"></a></h4>
-<div class="section">
-<h5>Handling of the Authorizable ID<a name="Handling_of_the_Authorizable_ID"></a></h5>
-
-<ul>
-  
-<li>As of Oak the node type definition of <tt>rep:Authorizable</tt> defines a new property <tt>rep:authorizableId</tt> which is intended to store the ID of a user or group.</li>
-  
-<li>The default implementation comes with a dedicated property index for <tt>rep:authorizableId</tt> which asserts the uniqueness of that ID.</li>
-  
-<li><tt>Authorizable#getID</tt> returns the string value contained in <tt>rep:authorizableID</tt> and for backwards compatibility falls back on the node name in case the ID property is missing.</li>
-  
-<li>The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface (see configuration section below). By default it uses the ID as name hint and includes a conversion to a valid JCR node name.</li>
-</ul></div>
-<div class="section">
-<h5>equals() and hashCode()<a name="equals_and_hashCode"></a></h5>
-<p>The implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for user and groups slightly differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</p></div></div>
-<div class="section">
-<h4>Creating Authorizables<a name="Creating_Authorizables"></a></h4>
-
-<ul>
-  
-<li>The <tt>rep:password</tt> property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that <tt>User#changePassword</tt> does not allow to remove the password property.</li>
-  
-<li><tt>UserManager#createGroup(Principal)</tt> will no longer generate a groupID in case the principal name collides with an existing user or group ID. This has been considered redundant as the Jackrabbit API in the mean time added <tt>UserManager#createGroup(String groupID)</tt>.</li>
-  
-<li>Since OAK is designed to scale with flat hierarchies the former configuration options <tt>autoExpandTree</tt> and <tt>autoExpandSize</tt> are no longer supported.</li>
-</ul></div>
-<div class="section">
-<h4>Query<a name="Query"></a></h4>
-<p>See section <a href="user/query.html">Searching Users and Groups</a> for details.</p></div>
-<div class="section">
-<h4>Group Membership<a name="Group_Membership"></a></h4>
-<p>See section <a href="user/membership.html">Group Membership</a> for details.</p></div>
-<div class="section">
-<h4>Autosave Behavior<a name="Autosave_Behavior"></a></h4>
-<p>Due to the nature of the UserManager (see above) we decided to drop the auto-save behavior in the default implementation present with OAK. Consequently,</p>
-
-<ul>
-  
-<li><tt>UserManager#autoSave(boolean)</tt> throws <tt>UnsupportedRepositoryOperationException</tt></li>
-  
-<li><tt>UserManager#isAutoSave()</tt> always returns <tt>false</tt></li>
 </ul>
-<p>See also <tt>PARAM_SUPPORT_AUTOSAVE</tt> below; while this should not be needed if application code has been written against the Jackrabbit API (and thus testing if auto-save mode is enabled or not) this configuration option can be used as last resort.</p></div>
-<div class="section">
-<h4>User/Group Representation in the Repository<a name="UserGroup_Representation_in_the_Repository"></a></h4>
-<p>The following block lists the built-in node types related to user management tasks:</p>
-
-<div class="source">
-<pre>[rep:Authorizable] &gt; mix:referenceable, nt:hierarchyNode
-  abstract
-  + * (nt:base) = nt:unstructured VERSION
-  - rep:principalName  (STRING) protected mandatory
-  - rep:authorizableId (STRING) protected /* @since oak 1.0 */
-  - * (UNDEFINED)
-  - * (UNDEFINED) multiple
-
-[rep:Group] &gt; rep:Authorizable, rep:MemberReferences
-  + rep:members (rep:Members) = rep:Members multiple protected VERSION /* @deprecated */
-  + rep:membersList (rep:MemberReferencesList) = rep:MemberReferencesList protected COPY
-
-/** @since oak 1.0 */
-[rep:MemberReferences]
-  - rep:members (WEAKREFERENCE) protected multiple &lt; 'rep:Authorizable'
-
-/** @since oak 1.0 */
-[rep:MemberReferencesList]
-  + * (rep:MemberReferences) = rep:MemberReferences protected COPY
-
-/** @deprecated since oak 1.0 */
-[rep:Members]
-  orderable
-  + * (rep:Members) = rep:Members protected multiple
-  - * (WEAKREFERENCE) protected &lt; 'rep:Authorizable'
-</pre></div>
-<p><a name="validation"></a></p>
-<div class="section">
-<h5>Validation<a name="Validation"></a></h5>
-<p>The consistency of this content structure is asserted by a dedicated <tt>UserValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
-
-<table border="0" class="table table-striped">
-  <thead>
-    
-<tr class="a">
-      
-<th>Code </th>
-      
-<th>Message </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>0020 </td>
-      
-<td>Admin user cannot be disabled </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0021 </td>
-      
-<td>Invalid jcr:uuid for authorizable (creation) </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0022 </td>
-      
-<td>Changing Id, principal name after creation </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0023 </td>
-      
-<td>Invalid jcr:uuid for authorizable (mod) </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0024 </td>
-      
-<td>Password may not be plain text </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0025 </td>
-      
-<td>Attempt to remove id, principalname or pw </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0026 </td>
-      
-<td>Mandatory property rep:principalName missing </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0027 </td>
-      
-<td>The admin user cannot be removed </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0028 </td>
-      
-<td>Attempt to create outside of configured scope </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0029 </td>
-      
-<td>Intermediate folders not rep:AuthorizableFolder </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0030 </td>
-      
-<td>Missing uuid for group (check for cyclic membership) </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0031 </td>
-      
-<td>Cyclic group membership </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0032 </td>
-      
-<td>Attempt to set password with system user </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0033 </td>
-      
-<td>Attempt to add rep:pwd node to a system user </td>
-    </tr>
-  </tbody>
-</table></div></div>
-<div class="section">
-<h4>XML Import<a name="XML_Import"></a></h4>
-<p>As of Oak 1.0 user and group nodes can be imported both with Session and Workspace import. Other differences compared to Jackrabbit 2.x:</p>
-
-<ul>
-  
-<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-&gt; see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
-  
-<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
-</ul></div></div>
+<p><a name="api_extensions"></a></p></div>
 <div class="section">
 <h3>API Extensions<a name="API_Extensions"></a></h3>
 <p>The Oak project introduces the following user management related public interfaces and classes:</p>
-<div class="section">
-<h4>Authorizable Actions<a name="Authorizable_Actions"></a></h4>
-<p>The former internal Jackrabbit interface <tt>AuthorizableAction</tt> has been slightly adjusted to match Oak requirements and is now part of the public Oak SPI interfaces. In contrast to Jackrabbit-core the AuthorizableAction(s) now operate directly on the Oak API, which eases the handling of implementation specific tasks such as writing protected items.</p>
-<p>See section <a href="user/authorizableaction.html">Authorizable Actions</a> for further details and examples.</p></div>
-<div class="section">
-<h4>Node Name Generation<a name="Node_Name_Generation"></a></h4>
-<p>The default user management implementation with Oak 1.0 allows to specify how the name of a new authorizable node is being generated.</p>
-<p>See section <a href="user/authorizablenodename.html">Authorizable Node Name</a> for further details and examples.</p></div>
-<div class="section">
-<h4>Password Expiry and Force Initial Password Change<a name="Password_Expiry_and_Force_Initial_Password_Change"></a></h4>
-<p>Since Oak 1.1.0 the default user management and authentication implementation provides password expiry and initial password change.</p>
-<p>By default these features are disabled. The corresponding configuration options are</p>
 
 <ul>
   
-<li><tt>PARAM_PASSWORD_MAX_AGE</tt>: number of days until the password expires.</li>
+<li><tt>AuthorizableType</tt>: ease handling with the different authorizable types.</li>
   
-<li><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt>: boolean flag to enable this feature.</li>
-</ul>
-<p>See section <a href="user/expiry.html">Password Expiry and Force Initial Password Change</a> for details.</p></div>
-<div class="section">
-<h4>Password History<a name="Password_History"></a></h4>
-<p>Since Oak 1.3.3 the default user management implementation provides password history support.</p>
-<p>By default this feature is disabled. The corresponding configuration option is</p>
-
-<ul>
+<li><tt>AuthorizableAction</tt> and <tt>AuthorizableActionProvider</tt>: see <a href="user/authorizableaction.html">Authorizable Actions</a> for details.</li>
+  
+<li><tt>AuthorizableNodeName</tt>: see section <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
   
-<li><tt>PARAM_PASSWORD_HISTORY_SIZE</tt>: number of changed passwords to remember.</li>
+<li><tt>UserAuthenticationFactory</tt>: see sections <a href="user/default.html#pluggability">pluggability</a> and <a href="authentication/default.html#user_authentication">user authentication</a> for additional details.</li>
 </ul>
-<p>See section <a href="user/history.html">Password History</a> for details.</p></div>
+<p><a href="utilities"></a></p></div>
 <div class="section">
-<h4>Utilities<a name="Utilities"></a></h4>
+<h3>Utilities<a name="Utilities"></a></h3>
 <p><tt>org.apache.jackrabbit.oak.spi.security.user.*</tt></p>
 
 <ul>
   
-<li><tt>AuthorizableType</tt> : Ease handling with the different authorizable types.</li>
-  
 <li><tt>UserConstants</tt> : Constants (NOTE: OAK names/paths)</li>
+  
+<li><tt>UserIdCredentials</tt> : Simple credentials implementation that might be used for `User.getCredentials&#x2019; without exposing pw information.</li>
 </ul>
 <p><tt>org.apache.jackrabbit.oak.spi.security.user.util.*</tt></p>
 
@@ -831,225 +572,30 @@
 <li><tt>PasswordUtil</tt> : Utilities for password generation. This utility corresponds  to the internal jackrabbit utility.  As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2)  function for password generation.</li>
   
 <li><tt>UserUtil</tt> : Utilities related to general user management tasks.</li>
-</ul></div></div>
+</ul></div>
 <div class="section">
-<h3>Configuration<a name="Configuration"></a></h3>
-<p>The following user management specific methods are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a> as of OAK 1.0:</p>
-
-<ul>
-  
-<li>getUserManager: Obtain a new user manager instance</li>
-</ul>
+<h3>Oak User Management Implementation<a name="Oak_User_Management_Implementation"></a></h3>
+<p>The behavior of the default user management implementation is described in section <a href="user/default.html">User Management: The Default Implementation</a>.</p>
+<p><a name="configuration"></a></p></div>
 <div class="section">
-<h4>Configuration Parameters supported by the default implementation<a name="Configuration_Parameters_supported_by_the_default_implementation"></a></h4>
-
-<table border="0" class="table table-striped">
-  <thead>
-    
-<tr class="a">
-      
-<th>Parameter </th>
-      
-<th>Type </th>
-      
-<th>Default </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td><tt>PARAM_ADMIN_ID</tt> </td>
-      
-<td>String </td>
-      
-<td>&#x201c;admin&#x201d; </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_OMIT_ADMIN_PW</tt> </td>
-      
-<td>boolean </td>
-      
-<td>false </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_ANONYMOUS_ID</tt> </td>
-      
-<td>String </td>
-      
-<td>&#x201c;anonymous&#x201d; (nullable) </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_USER_PATH</tt> </td>
-      
-<td>String </td>
-      
-<td>&#x201c;/rep:security/rep:authorizables/rep:users&#x201d; </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_GROUP_PATH</tt> </td>
-      
-<td>String </td>
-      
-<td>&#x201c;/rep:security/rep:authorizables/rep:groups&#x201d; </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_DEFAULT_DEPTH</tt> </td>
-      
-<td>int </td>
-      
-<td>2 </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
-      
-<td>String </td>
-      
-<td>&#x201c;SHA-256&#x201d; </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
-      
-<td>int </td>
-      
-<td>1000 </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
-      
-<td>int </td>
-      
-<td>8 </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
-      
-<td>AuthorizableNodeName </td>
-      
-<td>AuthorizableNodeName#DEFAULT </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
-      
-<td>AuthorizableActionProvider </td>
-      
-<td>DefaultAuthorizableActionProvider </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
-      
-<td>boolean </td>
-      
-<td>false </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
-      
-<td>String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
-      
-<td>&#x201c;ignore&#x201d; </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
-      
-<td>int </td>
-      
-<td>0 </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
-      
-<td>boolean </td>
-      
-<td>false </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
-      
-<td>int (upper limit: 1000) </td>
-      
-<td>0 </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_CACHE_EXPIRATION</tt> </td>
-      
-<td>long </td>
-      
-<td>0 </td>
-    </tr>
-    
-<tr class="a">
-      
-<td> </td>
-      
-<td> </td>
-      
-<td> </td>
-    </tr>
-  </tbody>
-</table>
-<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The Oak user management comes with a dedicated entry point called <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a>. This class is responsible for passing configuration options to the implementation and provides the following two methods:</p>
 
 <ul>
   
-<li><tt>compatibleJR16</tt></li>
-  
-<li><tt>autoExpandTree</tt></li>
-  
-<li><tt>autoExpandSize</tt></li>
+<li><tt>getUserManager(Root, NamePathMapper)</tt>: get a new <tt>UserManager</tt> instance</li>
   
-<li><tt>groupMembershipSplitSize</tt></li>
+<li><tt>getUserPrincipalProvider(Root, NamePathMapper)</tt>: optional method that allows for optimization of the principal look-up associated with user/group accounts (since Oak 1.3.4).</li>
 </ul>
-<p>The optional <tt>cacheExpiration</tt> configuration option listed above is discussed in detail in section <a href="principal/cache.html">Caching Results of Principal Resolution</a>. It is not related to user management s.str. but affects the implementation specific <tt>PrincipalProvider</tt> implementation exposed by <tt>UserConfiguration.getUserPrincipalProvider</tt>.</p></div></div>
+<div class="section">
+<h4>Configuration Parameters<a name="Configuration_Parameters"></a></h4>
+<p>The supported configuration options of the default implementation are described in the corresponding <a href="user/default.html#configuration">section</a>.</p>
+<p><a name="pluggability"></a></p></div></div>
 <div class="section">
 <h3>Pluggability<a name="Pluggability"></a></h3>
-<p>The default security setup as present with Oak 1.0 is able to provide custom implementation on various levels:</p>
-
-<ol style="list-style-type: decimal">
-  
-<li>The complete user management implementation can be changed by plugging a different  <tt>UserConfiguration</tt> implementations. In OSGi-base setup this is achieved by making  the configuration a service. In a non-OSGi-base setup the custom configuration  must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
-  
-<li>Within the default user management implementation the following parts can be  change/extended at runtime by providing corresponding OSGi services or passing  appropriate configuration parameters exposing the custom implementations:
-  
-<ul>
-    
-<li><tt>AuthorizableActionProvider</tt>: Defines the authorizable actions, see <a href="user/authorizableaction.html">Authorizable Actions</a>.</li>
-    
-<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names  in case the user management implementation stores user information in the repository.  See <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
-  </ul></li>
-</ol></div>
+<p>The default security setup as present with Oak 1.0 is able to have the default user management implementation replaced as follows:</p>
+<p>The complete user management implementation can be changed by plugging a different <tt>UserConfiguration</tt> implementations. In OSGi-base setup this is achieved by making the configuration a service which must take precedence over the default. In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</p>
+<p>Alternatively the default user management implementation can be extended and adjusted using various means. See the corresponding <a href="user/default.html#pluggability">section</a> for further details.</p></div>
 <div class="section">
 <h3>Further Reading<a name="Further_Reading"></a></h3>
 
@@ -1057,17 +603,22 @@
   
 <li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
   
-<li><a href="user/membership.html">Group Membership</a></li>
+<li><a href="user/default.html">User Management : The Default Implementation</a>
   
+<ul>
+    
+<li><a href="user/membership.html">Group Membership</a></li>
+    
 <li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
-  
+    
 <li><a href="user/authorizablenodename.html">Authorizable Node Name</a></li>
-  
+    
 <li><a href="user/query.html">Searching Users and Groups</a></li>
-  
+    
 <li><a href="user/expiry.html">Password Expiry and Force Initial Password Change</a></li>
-  
+    
 <li><a href="user/history.html">Password History</a></li>
+  </ul></li>
 </ul>
 <!-- hidden references --></div></div>
                   </div>

Modified: jackrabbit/site/live/oak/docs/security/user/authorizableaction.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizableaction.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizableaction.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizableaction.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-12
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160212" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authorizable Actions</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-12</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -531,7 +531,8 @@
   
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableActionProvider.html">AuthorizableActionProvider</a></li>
 </ul>
-<p>The <tt>AuthorizableAction</tt> interface itself allows to perform validations or write addition application specific content while executing user management related write operations. Note that the actions are consequently executed as part of the transient modifications and contrast to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s that are triggered upon persisting content modifications.</p></div>
+<p>The <tt>AuthorizableAction</tt> interface itself allows to perform validations or write additional application specific content while executing user management related write operations. Therefore these actions are executed as part of the transient user management modifications. This contrasts to <tt>org.apache.jackrabbit.oak.spi.commit.CommitHook</tt>s which in turn are only triggered once modifications are persisted.</p>
+<p>Consequently, implementations of the <tt>AuthorizableAction</tt> interface are expected to adhere to this rule and perform transient repository operation or validation. They must not force changes to be persisted by calling <tt>org.apache.jackrabbit.oak.api.Root.commit()</tt>.</p></div>
 <div class="section">
 <h3>Default Implementations<a name="Default_Implementations"></a></h3>
 <p>Oak 1.0 provides the following base implementations:</p>
@@ -561,7 +562,7 @@
   
 <li><tt>AccessControlAction</tt>: set up permission for new authorizables</li>
   
-<li><tt>PasswordAction</tt>: simplistic password verification upon user creation and password modification</li>
+<li><tt>PasswordValidationAction</tt>: simplistic password verification upon user creation and password modification</li>
   
 <li><tt>PasswordChangeAction</tt>: verifies that the new password is different from the old one</li>
   
@@ -571,7 +572,7 @@
 <div class="section">
 <h3>Pluggability<a name="Pluggability"></a></h3>
 <p>The default security setup as present with Oak 1.0 is able to provide custom <tt>AuthorizableActionProvider</tt> implementations and will automatically combine the different implementations using the <tt>CompositeActionProvider</tt>.</p>
-<p>In an OSGi setup the following steps are required in order to add a action provider implementation:</p>
+<p>In an OSGi setup the following steps are required in order to add an action provider implementation:</p>
 
 <ul>
   

Modified: jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/authorizablenodename.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Authorizable Node Name Generation</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 


