jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1400020 - in /jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak: security/user/ security/user/query/ spi/security/user/ spi/security/user/action/
Date Fri, 19 Oct 2012 10:05:28 GMT
Author: angela
Date: Fri Oct 19 10:05:28 2012
New Revision: 1400020

URL: http://svn.apache.org/viewvc?rev=1400020&view=rev
Log:
OAK-50 : Implement User Management (WIP)

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserQueryManager.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableProperties.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/OakAuthorizableProperties.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathQueryEvaluator.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/AuthorizableType.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AbstractAuthorizableAction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/ClearMembershipAction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java Fri Oct 19 10:05:28 2012
@@ -68,33 +68,21 @@ abstract class AuthorizableImpl implemen
     }
 
     //-------------------------------------------------------< Authorizable >---
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#getID()
-     */
     @Override
     public String getID() {
         return id;
     }
 
-    /**
-     * @see Authorizable#declaredMemberOf()
-     */
     @Override
     public Iterator<Group> declaredMemberOf() throws RepositoryException {
         return getMembership(false);
     }
 
-    /**
-     * @see Authorizable#memberOf()
-     */
     @Override
     public Iterator<Group> memberOf() throws RepositoryException {
         return getMembership(true);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#remove()
-     */
     @Override
     public void remove() throws RepositoryException {
         // don't allow for removal of the administrator even if the executing
@@ -106,65 +94,41 @@ abstract class AuthorizableImpl implemen
         getTree().remove();
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#getPropertyNames()
-     */
     @Override
     public Iterator<String> getPropertyNames() throws RepositoryException {
         return getPropertyNames(".");
     }
 
-    /**
-     * @see Authorizable#getPropertyNames(String)
-     */
     @Override
     public Iterator<String> getPropertyNames(String relPath) throws RepositoryException {
         return getAuthorizableProperties().getNames(relPath);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#hasProperty(String)
-     */
     @Override
     public boolean hasProperty(String relPath) throws RepositoryException {
         return getAuthorizableProperties().hasProperty(relPath);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#getProperty(String)
-     */
     @Override
     public Value[] getProperty(String relPath) throws RepositoryException {
         return getAuthorizableProperties().getProperty(relPath);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#setProperty(String, javax.jcr.Value)
-     */
     @Override
     public void setProperty(String relPath, Value value) throws RepositoryException {
         getAuthorizableProperties().setProperty(relPath, value);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#setProperty(String, javax.jcr.Value[])
-     */
     @Override
     public void setProperty(String relPath, Value[] values) throws RepositoryException {
         getAuthorizableProperties().setProperty(relPath, values);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#removeProperty(String)
-     */
     @Override
     public boolean removeProperty(String relPath) throws RepositoryException {
         return getAuthorizableProperties().removeProperty(relPath);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#getPath()
-     */
     @Override
     public String getPath() throws RepositoryException {
         Node n = getNode();
@@ -176,9 +140,6 @@ abstract class AuthorizableImpl implemen
     }
 
     //-------------------------------------------------------------< Object >---
-    /**
-     * @see Object#hashCode()
-     */
     @Override
     public int hashCode() {
         if (hashCode == 0) {
@@ -198,9 +159,6 @@ abstract class AuthorizableImpl implemen
         return hashCode;
     }
 
-    /**
-     * @see Object#equals(Object)
-     */
     @Override
     public boolean equals(Object obj) {
         if (obj == this) {
@@ -214,9 +172,6 @@ abstract class AuthorizableImpl implemen
         return false;
     }
 
-    /**
-     * @see Object#toString()
-     */
     @Override
     public String toString() {
         String typeStr = (isGroup()) ? "Group '" : "User '";
@@ -226,15 +181,11 @@ abstract class AuthorizableImpl implemen
     //--------------------------------------------------------------------------
     @Nonnull
     Tree getTree() {
-        Tree tree = getUserProvider().getAuthorizable(id);
-        if (tree == null) {
-            throw new IllegalStateException("Authorizable not associated with an existing tree");
-        }
-        return tree;
+        return userManager.getAuthorizableTree(id);
     }
 
+    @Nonnull
     String getPrincipalName(Tree thisTree) throws RepositoryException {
-        String principalName;
         if (thisTree.hasProperty(REP_PRINCIPAL_NAME)) {
             return thisTree.getProperty(REP_PRINCIPAL_NAME).getValue(STRING);
         } else {
@@ -244,6 +195,7 @@ abstract class AuthorizableImpl implemen
         }
     }
 
+    @CheckForNull
     String getJcrName(String oakName) {
         return userManager.getNamePathMapper().getJcrName(oakName);
     }
@@ -257,14 +209,6 @@ abstract class AuthorizableImpl implemen
     }
 
     /**
-     * @return The user provider associated with this authorizable
-     */
-    @Nonnull
-    UserProvider getUserProvider() {
-        return userManager.getUserProvider();
-    }
-
-    /**
      * @return The membership provider associated with this authorizable
      */
     @Nonnull

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableIterator.java Fri Oct 19 10:05:28 2012
@@ -57,7 +57,7 @@ class AuthorizableIterator implements It
         return new AuthorizableIterator(Iterators.filter(it, Predicates.<Object>notNull()), size);
     }
 
-    AuthorizableIterator(Iterator<Authorizable> authorizables, long size) {
+    private AuthorizableIterator(Iterator<Authorizable> authorizables, long size) {
         this.authorizables = authorizables;
         this.size = size;
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableProperties.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableProperties.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableProperties.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableProperties.java Fri Oct 19 10:05:28 2012
@@ -23,7 +23,7 @@ import javax.jcr.Value;
 /**
  * AuthorizableProperty... TODO
  */
-public interface AuthorizableProperties {
+interface AuthorizableProperties {
 
     Iterator<String> getNames(String relPath) throws RepositoryException;
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/GroupImpl.java Fri Oct 19 10:05:28 2012
@@ -50,6 +50,7 @@ class GroupImpl extends AuthorizableImpl
         super(id, tree, userManager);
     }
 
+    //---------------------------------------------------< AuthorizableImpl >---
     @Override
     void checkValidTree(Tree tree) throws RepositoryException {
         if (tree == null || !UserUtility.isType(tree, AuthorizableType.GROUP)) {
@@ -58,17 +59,11 @@ class GroupImpl extends AuthorizableImpl
     }
 
     //-------------------------------------------------------< Authorizable >---
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#isGroup()
-     */
     @Override
     public boolean isGroup() {
         return true;
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#getPrincipal()
-     */
     @Override
     public Principal getPrincipal() throws RepositoryException {
         Tree groupTree = getTree();
@@ -76,41 +71,26 @@ class GroupImpl extends AuthorizableImpl
     }
 
     //--------------------------------------------------------------< Group >---
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Group#getDeclaredMembers()
-     */
     @Override
     public Iterator<Authorizable> getDeclaredMembers() throws RepositoryException {
         return getMembers(false);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Group#getMembers()
-     */
     @Override
     public Iterator<Authorizable> getMembers() throws RepositoryException {
         return getMembers(true);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Group#isDeclaredMember(org.apache.jackrabbit.api.security.user.Authorizable)
-     */
     @Override
     public boolean isDeclaredMember(Authorizable authorizable) throws RepositoryException {
         return isMember(authorizable, false);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Group#isMember(org.apache.jackrabbit.api.security.user.Authorizable)
-     */
     @Override
     public boolean isMember(Authorizable authorizable) throws RepositoryException {
         return isMember(authorizable, true);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Group#addMember(org.apache.jackrabbit.api.security.user.Authorizable)
-     */
     @Override
     public boolean addMember(Authorizable authorizable) throws RepositoryException {
         if (!isValidAuthorizableImpl(authorizable)) {
@@ -144,9 +124,6 @@ class GroupImpl extends AuthorizableImpl
         return getMembershipProvider().addMember(getTree(), authorizableImpl.getTree());
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Group#removeMember(org.apache.jackrabbit.api.security.user.Authorizable)
-     */
     @Override
     public boolean removeMember(Authorizable authorizable) throws RepositoryException {
         if (!isValidAuthorizableImpl(authorizable)) {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/OakAuthorizableProperties.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/OakAuthorizableProperties.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/OakAuthorizableProperties.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/OakAuthorizableProperties.java Fri Oct 19 10:05:28 2012
@@ -28,6 +28,7 @@ import org.apache.jackrabbit.oak.api.Pro
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.api.TreeLocation;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
+import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
 import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.util.NodeUtil;
 import org.apache.jackrabbit.util.Text;
@@ -37,7 +38,7 @@ import org.slf4j.LoggerFactory;
 /**
  * OakAuthorizableProperty... TODO
  */
-public class OakAuthorizableProperties implements AuthorizableProperties {
+class OakAuthorizableProperties implements AuthorizableProperties {
 
     /**
      * logger instance
@@ -198,20 +199,10 @@ public class OakAuthorizableProperties i
     }
 
     private boolean isAuthorizableProperty(Tree authorizableTree, PropertyState property) throws RepositoryException {
-
-        // TODO: check protection and declaring nt of the property
-        return true;
-//        PropertyDefinition def = prop.getDefinition();
-//        if (def.isProtected()) {
-//            return false;
-//        } else if (node.isSame(prop.getParent())) {
-//            NodeType declaringNt = prop.getDefinition().getDeclaringNodeType();
-//            return declaringNt.isNodeType(getJcrName(NT_REP_AUTHORIZABLE));
-//        } else {
-//            // another non-protected property somewhere in the subtree of this
-//            // authorizable node -> is a property that can be set using #setProperty.
-//            return true;
-//        }
+        // FIXME: add proper check for protection and declaring nt of the
+        // FIXME: property using nt functionality provided by nt-plugins
+        String prefix = Text.getNamespacePrefix(property.getName());
+        return NamespaceConstants.RESERVED_PREFIXES.contains(prefix);
     }
 
     /**

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserImpl.java Fri Oct 19 10:05:28 2012
@@ -32,8 +32,6 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtility;
 import org.apache.jackrabbit.oak.spi.security.user.util.UserUtility;
 import org.apache.jackrabbit.oak.util.NodeUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import static org.apache.jackrabbit.oak.api.Type.STRING;
 
@@ -42,11 +40,6 @@ import static org.apache.jackrabbit.oak.
  */
 class UserImpl extends AuthorizableImpl implements User {
 
-    /**
-     * logger instance
-     */
-    private static final Logger log = LoggerFactory.getLogger(UserImpl.class);
-
     private final boolean isAdmin;
 
     UserImpl(String id, Tree tree, UserManagerImpl userManager) throws RepositoryException {
@@ -55,6 +48,8 @@ class UserImpl extends AuthorizableImpl 
         isAdmin = UserUtility.getAdminId(userManager.getConfig()).equals(id);
     }
 
+    //---------------------------------------------------< AuthorizableImpl >---
+    @Override
     void checkValidTree(Tree tree) throws RepositoryException {
         if (tree == null || !UserUtility.isType(tree, AuthorizableType.USER)) {
             throw new IllegalArgumentException("Invalid user node: node type rep:User expected.");
@@ -62,17 +57,11 @@ class UserImpl extends AuthorizableImpl 
     }
 
     //-------------------------------------------------------< Authorizable >---
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#isGroup()
-     */
     @Override
     public boolean isGroup() {
         return false;
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.Authorizable#getPrincipal()
-     */
     @Override
     public Principal getPrincipal() throws RepositoryException {
         Tree userTree = getTree();
@@ -85,35 +74,21 @@ class UserImpl extends AuthorizableImpl 
     }
 
     //---------------------------------------------------------------< User >---
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#isAdmin()
-     */
     @Override
     public boolean isAdmin() {
         return isAdmin;
     }
 
-    /**
-     * Always throws {@code UnsupportedRepositoryOperationException}
-     *
-     * @see org.apache.jackrabbit.api.security.user.User#getCredentials()
-     */
     @Override
     public Credentials getCredentials() {
         return new CredentialsImpl(getID(), getPasswordHash());
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#getImpersonation()
-     */
     @Override
     public Impersonation getImpersonation() throws RepositoryException {
         return new ImpersonationImpl(this);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#changePassword(String)
-     */
     @Override
     public void changePassword(String password) throws RepositoryException {
         if (password == null) {
@@ -124,9 +99,6 @@ class UserImpl extends AuthorizableImpl 
         userManager.setPassword(getTree(), password, true);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#changePassword(String, String)
-     */
     @Override
     public void changePassword(String password, String oldPassword) throws RepositoryException {
         // make sure the old password matches.
@@ -137,9 +109,6 @@ class UserImpl extends AuthorizableImpl 
         changePassword(password);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#disable(String)
-     */
     @Override
     public void disable(String reason) throws RepositoryException {
         if (isAdmin) {
@@ -156,17 +125,11 @@ class UserImpl extends AuthorizableImpl 
         }
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#isDisabled()
-     */
     @Override
     public boolean isDisabled() throws RepositoryException {
         return getTree().hasProperty(REP_DISABLED);
     }
 
-    /**
-     * @see org.apache.jackrabbit.api.security.user.User#getDisabledReason()
-     */
     @Override
     public String getDisabledReason() throws RepositoryException {
         PropertyState disabled = getTree().getProperty(REP_DISABLED);
@@ -177,7 +140,7 @@ class UserImpl extends AuthorizableImpl 
         }
     }
 
-    //--------------------------------------------------------------------------
+    //------------------------------------------------------------< private >---
     @CheckForNull
     private String getPasswordHash() {
         NodeUtil n = new NodeUtil(getTree());

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserManagerImpl.java Fri Oct 19 10:05:28 2012
@@ -21,6 +21,7 @@ import java.security.NoSuchAlgorithmExce
 import java.security.Principal;
 import java.util.Iterator;
 import javax.annotation.CheckForNull;
+import javax.annotation.Nonnull;
 import javax.jcr.Node;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
@@ -35,8 +36,6 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
-import org.apache.jackrabbit.oak.security.user.query.XPathQueryBuilder;
-import org.apache.jackrabbit.oak.security.user.query.XPathQueryEvaluator;
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
@@ -69,6 +68,8 @@ public class UserManagerImpl implements 
     private final ConfigurationParameters config;
     private final AuthorizableAction[] authorizableActions;
 
+    private UserQueryManager queryManager;
+
     public UserManagerImpl(Session session, Root root, NamePathMapper namePathMapper,
                            SecurityProvider securityProvider) {
         this.session = session;
@@ -84,32 +85,23 @@ public class UserManagerImpl implements 
     }
 
     //--------------------------------------------------------< UserManager >---
-    /**
-     * @see UserManager#getAuthorizable(String)
-     */
     @Override
     public Authorizable getAuthorizable(String id) throws RepositoryException {
         checkIsLive();
         Authorizable authorizable = null;
-        Tree tree = getUserProvider().getAuthorizable(id);
+        Tree tree = userProvider.getAuthorizable(id);
         if (tree != null) {
             authorizable = getAuthorizable(id, tree);
         }
         return authorizable;
     }
 
-    /**
-     * @see UserManager#getAuthorizable(Principal)
-     */
     @Override
     public Authorizable getAuthorizable(Principal principal) throws RepositoryException {
         checkIsLive();
-        return getAuthorizable(getUserProvider().getAuthorizableByPrincipal(principal));
+        return getAuthorizable(userProvider.getAuthorizableByPrincipal(principal));
     }
 
-    /**
-     * @see UserManager#getAuthorizableByPath(String)
-     */
     @Override
     public Authorizable getAuthorizableByPath(String path) throws RepositoryException {
         checkIsLive();
@@ -117,7 +109,7 @@ public class UserManagerImpl implements 
         if (oakPath == null) {
             throw new RepositoryException("Invalid path " + path);
         }
-        return getAuthorizable(getUserProvider().getAuthorizableByPath(oakPath));
+        return getAuthorizable(userProvider.getAuthorizableByPath(oakPath));
     }
 
     @Override
@@ -128,24 +120,13 @@ public class UserManagerImpl implements 
     @Override
     public Iterator<Authorizable> findAuthorizables(String relPath, String value, int searchType) throws RepositoryException {
         checkIsLive();
-        String[] oakPaths =  new String[] {namePathMapper.getOakPath(relPath)};
-        AuthorizableType authorizableType = getAuthorizableType(searchType);
-        Iterator<Tree> result = userProvider.findAuthorizables(oakPaths, value, null, true, Long.MAX_VALUE, authorizableType);
-
-        return AuthorizableIterator.create(result, this);
+        return getQueryManager().findAuthorizables(relPath, value, AuthorizableType.getType(searchType));
     }
 
     @Override
     public Iterator<Authorizable> findAuthorizables(Query query) throws RepositoryException {
         checkIsLive();
-        if (session != null) {
-            XPathQueryBuilder builder = new XPathQueryBuilder();
-            query.build(builder);
-            return new XPathQueryEvaluator(builder, this, session.getWorkspace().getQueryManager(), namePathMapper).eval();
-        } else {
-            // TODO: implement
-            throw new UnsupportedOperationException("not implemented");
-        }
+        return getQueryManager().find(query);
     }
 
     @Override
@@ -211,7 +192,7 @@ public class UserManagerImpl implements 
         if (intermediatePath != null) {
             intermediatePath = namePathMapper.getOakPath(intermediatePath);
         }
-        Tree groupTree = getUserProvider().createGroup(groupID, intermediatePath);
+        Tree groupTree = userProvider.createGroup(groupID, intermediatePath);
         setPrincipal(groupTree, principal);
 
         Group group = new GroupImpl(groupID, groupTree, this);
@@ -256,9 +237,12 @@ public class UserManagerImpl implements 
      * @throws RepositoryException If an exception occurs.
      */
     void onCreate(User user, String password) throws RepositoryException {
-        // TODO
         for (AuthorizableAction action : authorizableActions) {
-            action.onCreate(user, password, session);
+            if (session != null) {
+                action.onCreate(user, password, session);
+            } else {
+                action.onCreate(user, password, root);
+            }
         }
     }
 
@@ -271,9 +255,12 @@ public class UserManagerImpl implements 
      * @throws RepositoryException If an exception occurs.
      */
     void onCreate(Group group) throws RepositoryException {
-        // TODO
         for (AuthorizableAction action : authorizableActions) {
-            action.onCreate(group, session);
+            if (session != null) {
+                action.onCreate(group, session);
+            } else {
+                action.onCreate(group, root);
+            }
         }
     }
 
@@ -286,9 +273,12 @@ public class UserManagerImpl implements 
      * @throws RepositoryException If an exception occurs.
      */
     void onRemove(Authorizable authorizable) throws RepositoryException {
-        // TODO
         for (AuthorizableAction action : authorizableActions) {
-            action.onRemove(authorizable, session);
+            if (session != null) {
+                action.onRemove(authorizable, session);
+            } else {
+                action.onRemove(authorizable, root);
+            }
         }
     }
 
@@ -302,9 +292,12 @@ public class UserManagerImpl implements 
      * @throws RepositoryException If an exception occurs.
      */
     void onPasswordChange(User user, String password) throws RepositoryException {
-        // TODO
         for (AuthorizableAction action : authorizableActions) {
-            action.onPasswordChange(user, password, session);
+            if (session != null) {
+                action.onPasswordChange(user, password, session);
+            } else {
+                action.onPasswordChange(user, password, root);
+            }
         }
     }
 
@@ -323,6 +316,24 @@ public class UserManagerImpl implements 
         return session.getNode(jcrPath);
     }
 
+    @CheckForNull
+    Tree getAuthorizableTree(String id) {
+        Tree tree = userProvider.getAuthorizable(id);
+        if (tree == null) {
+            throw new IllegalStateException("Authorizable not associated with an existing tree");
+        }
+        return tree;
+    }
+
+    @CheckForNull
+    Authorizable getAuthorizable(Tree tree) throws RepositoryException {
+        if (tree == null) {
+            return null;
+        }
+        return getAuthorizable(userProvider.getAuthorizableId(tree), tree);
+    }
+
+    @Nonnull
     AuthorizableProperties getAuthorizableProperties(String id) throws RepositoryException {
         if (session != null) {
             return new JcrAuthorizableProperties(getAuthorizableNode(id), namePathMapper);
@@ -331,35 +342,27 @@ public class UserManagerImpl implements 
         }
     }
 
+    @Nonnull
     NamePathMapper getNamePathMapper() {
         return namePathMapper;
     }
 
-    UserProvider getUserProvider() {
-        return userProvider;
-    }
-
+    @Nonnull
     MembershipProvider getMembershipProvider() {
         return membershipProvider;
     }
 
+    @Nonnull
     PrincipalProvider getPrincipalProvider() throws RepositoryException {
         return securityProvider.getPrincipalConfiguration().getPrincipalProvider(root, namePathMapper);
     }
 
+    @Nonnull
     ConfigurationParameters getConfig() {
         return config;
     }
 
     @CheckForNull
-    Authorizable getAuthorizable(Tree tree) throws RepositoryException {
-        if (tree == null) {
-            return null;
-        }
-        return getAuthorizable(userProvider.getAuthorizableId(tree), tree);
-    }
-
-    @CheckForNull
     private Authorizable getAuthorizable(String id, Tree tree) throws RepositoryException {
         if (id == null || tree == null) {
             return null;
@@ -390,6 +393,11 @@ public class UserManagerImpl implements 
         }
     }
 
+    private void setPrincipal(Tree authorizableTree, Principal principal) {
+        checkNotNull(principal);
+        authorizableTree.setProperty(UserConstants.REP_PRINCIPAL_NAME, principal.getName());
+    }
+
     void setPassword(Tree userTree, String password, boolean forceHash) throws RepositoryException {
         String pwHash;
         if (forceHash || PasswordUtility.isPlainTextPassword(password)) {
@@ -406,27 +414,16 @@ public class UserManagerImpl implements 
         userTree.setProperty(UserConstants.REP_PASSWORD, pwHash);
     }
 
-    private void setPrincipal(Tree authorizableTree, Principal principal) {
-        checkNotNull(principal);
-        authorizableTree.setProperty(UserConstants.REP_PRINCIPAL_NAME, principal.getName());
-    }
-
     private void checkIsLive() throws RepositoryException {
         if (session != null && !session.isLive()) {
             throw new RepositoryException("UserManager has been closed.");
         }
     }
 
-    private static AuthorizableType getAuthorizableType(int searchType) {
-        switch (searchType) {
-            case UserManager.SEARCH_TYPE_USER:
-                return AuthorizableType.USER;
-            case UserManager.SEARCH_TYPE_GROUP:
-                return AuthorizableType.GROUP;
-            case UserManager.SEARCH_TYPE_AUTHORIZABLE:
-                return AuthorizableType.AUTHORIZABLE;
-            default:
-                throw new IllegalArgumentException("Invalid search type " + searchType);
+    private UserQueryManager getQueryManager() throws RepositoryException {
+        if (queryManager == null) {
+            queryManager = new UserQueryManager(this, session, root);
         }
+        return queryManager;
     }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserProvider.java Fri Oct 19 10:05:28 2012
@@ -136,10 +136,6 @@ import static org.apache.jackrabbit.oak.
  * TODO
  * <h3>By Principal Name</h3>
  * TODO
- *
- * <h3>Search for authorizables</h3>
- *
- * TODO
  */
 class UserProvider extends AuthorizableBaseProvider {
 
@@ -230,37 +226,6 @@ class UserProvider extends AuthorizableB
         return null;
     }
 
-    /**
-     * Find the authorizable trees matching the following search parameters within
-     * the sub-tree defined by an authorizable tree:
-     *
-     * @param propertyRelPaths An array of property names or relative paths
-     * pointing to properties within the tree defined by a given authorizable node.
-     * @param value The property value to look for.
-     * @param ntNames An array of node type names to restrict the search within
-     * the authorizable tree to a subset of nodes that match any of the node
-     * type names; {@code null} indicates that no filtering by node type is
-     * desired. Specifying a node type name that defines an authorizable node
-     * )e.g. {@link UserConstants#NT_REP_USER rep:User} will limit the search to
-     * properties defined with the authorizable node itself instead of searching
-     * the complete sub-tree.
-     * @param exact A boolean flag indicating if the value must match exactly or not.s
-     * @param maxSize The maximal number of search results to look for.
-     * @param authorizableType Filter the search results to only return authorizable
-     * trees of a given type. Passing {@link AuthorizableType#AUTHORIZABLE} indicates that
-     * no filtering for a specific authorizable type is desired. However, properties
-     * might still be search in the complete sub-tree of authorizables depending
-     * on the other query parameters.
-     * @return An iterator of authorizable trees that match the specified
-     * search parameters and filters or an empty iterator if no result can be
-     * found.
-     */
-    @Nonnull
-    public Iterator<Tree> findAuthorizables(String[] propertyRelPaths, String value, String[] ntNames, boolean exact, long maxSize, AuthorizableType authorizableType) {
-        // TODO
-        throw new UnsupportedOperationException("not yet implemented");
-    }
-
     //------------------------------------------------------------< private >---
 
     private Tree createAuthorizableNode(String authorizableId, boolean isGroup, String intermediatePath) throws RepositoryException {

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserQueryManager.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserQueryManager.java?rev=1400020&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserQueryManager.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserQueryManager.java Fri Oct 19 10:05:28 2012
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.security.user;
+
+import java.util.Iterator;
+import javax.annotation.Nonnull;
+import javax.jcr.RepositoryException;
+import javax.jcr.Session;
+import javax.jcr.query.QueryManager;
+
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.Query;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.security.user.query.XPathQueryBuilder;
+import org.apache.jackrabbit.oak.security.user.query.XPathQueryEvaluator;
+import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * UserQueryManager... TODO
+ */
+class UserQueryManager {
+
+    /**
+     * logger instance
+     */
+    private static final Logger log = LoggerFactory.getLogger(UserQueryManager.class);
+
+    private final UserManagerImpl userManager;
+    private final Root root;
+    private final QueryManager queryManager;
+
+    // TODO: replace usage of jcr-query-manager by oak query manager and drop session from constructor.
+    UserQueryManager(UserManagerImpl userManager, Session session, Root root) throws RepositoryException {
+        this.userManager = userManager;
+        this.root = root;
+        this.queryManager = (session != null) ? session.getWorkspace().getQueryManager() : null;
+    }
+
+    Iterator<Authorizable> find(Query query) throws RepositoryException {
+        // TODO: create query builder depending query-language configured with user-mgt configuration.
+        if (queryManager != null) {
+            XPathQueryBuilder builder = new XPathQueryBuilder();
+            query.build(builder);
+            return new XPathQueryEvaluator(builder, userManager, queryManager, userManager.getNamePathMapper()).eval();
+        } else {
+            // TODO: implement
+            throw new UnsupportedOperationException("not implemented");
+        }
+    }
+
+    @Nonnull
+    Iterator<Authorizable> findAuthorizables(String relativePath, String value, AuthorizableType authorizableType) {
+        String[] oakPaths =  new String[] {userManager.getNamePathMapper().getOakPath(relativePath)};
+        return findAuthorizables(oakPaths, value, null, true, Long.MAX_VALUE, authorizableType);
+    }
+
+    /**
+     * Find the authorizable trees matching the following search parameters within
+     * the sub-tree defined by an authorizable tree:
+     *
+     * @param propertyRelPaths An array of property names or relative paths
+     * pointing to properties within the tree defined by a given authorizable node.
+     * @param value The property value to look for.
+     * @param ntNames An array of node type names to restrict the search within
+     * the authorizable tree to a subset of nodes that match any of the node
+     * type names; {@code null} indicates that no filtering by node type is
+     * desired. Specifying a node type name that defines an authorizable node
+     * )e.g. {@link org.apache.jackrabbit.oak.spi.security.user.UserConstants#NT_REP_USER rep:User} will limit the search to
+     * properties defined with the authorizable node itself instead of searching
+     * the complete sub-tree.
+     * @param exact A boolean flag indicating if the value must match exactly or not.s
+     * @param maxSize The maximal number of search results to look for.
+     * @param authorizableType Filter the search results to only return authorizable
+     * trees of a given type. Passing {@link org.apache.jackrabbit.oak.spi.security.user.AuthorizableType#AUTHORIZABLE} indicates that
+     * no filtering for a specific authorizable type is desired. However, properties
+     * might still be search in the complete sub-tree of authorizables depending
+     * on the other query parameters.
+     * @return An iterator of authorizable trees that match the specified
+     * search parameters and filters or an empty iterator if no result can be
+     * found.
+     */
+    @Nonnull
+    Iterator<Authorizable> findAuthorizables(String[] propertyRelPaths, String value, String[] ntNames, boolean exact, long maxSize, AuthorizableType authorizableType) {
+        // TODO
+        throw new UnsupportedOperationException("not yet implemented");
+
+        //return AuthorizableIterator.create(result, this);
+
+    }
+}
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathQueryEvaluator.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathQueryEvaluator.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathQueryEvaluator.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/query/XPathQueryEvaluator.java Fri Oct 19 10:05:28 2012
@@ -44,6 +44,8 @@ import org.slf4j.LoggerFactory;
 /**
  * This evaluator for {@link org.apache.jackrabbit.api.security.user.Query}s use XPath
  * and some minimal client side filtering.
+ *
+ * FIXME: replace usage of jcr-query manager by oak-api SessionQueryEngine.
  */
 public class XPathQueryEvaluator implements ConditionVisitor {
     static final Logger log = LoggerFactory.getLogger(XPathQueryEvaluator.class);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/AuthorizableType.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/AuthorizableType.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/AuthorizableType.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/AuthorizableType.java Fri Oct 19 10:05:28 2012
@@ -32,8 +32,21 @@ public enum AuthorizableType {
 
     private final int userType;
 
-    private AuthorizableType(int userType) {
-        this.userType = userType;
+    private AuthorizableType(int jcrUserType) {
+        this.userType = jcrUserType;
+    }
+
+    public static AuthorizableType getType(int jcrUserType) {
+        switch (jcrUserType) {
+            case UserManager.SEARCH_TYPE_AUTHORIZABLE:
+                return AUTHORIZABLE;
+            case UserManager.SEARCH_TYPE_GROUP:
+                return GROUP;
+            case UserManager.SEARCH_TYPE_USER:
+                return USER;
+            default:
+                throw new IllegalArgumentException("Invalid authorizable type "+jcrUserType);
+        }
     }
 
     public boolean isType(Authorizable authorizable) {

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AbstractAuthorizableAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AbstractAuthorizableAction.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AbstractAuthorizableAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AbstractAuthorizableAction.java Fri Oct 19 10:05:28 2012
@@ -22,6 +22,7 @@ import javax.jcr.Session;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.oak.api.Root;
 
 /**
  * Abstract implementation of the {@code AuthorizableAction} interface that
@@ -35,6 +36,7 @@ public abstract class AbstractAuthorizab
      *
      * @see AuthorizableAction#onCreate(org.apache.jackrabbit.api.security.user.Group, javax.jcr.Session)
      */
+    @Override
     public void onCreate(Group group, Session session) throws RepositoryException {
         // nothing to do
 
@@ -43,8 +45,19 @@ public abstract class AbstractAuthorizab
     /**
      * Doesn't perform any action.
      *
+     * @see AuthorizableAction#onCreate(org.apache.jackrabbit.api.security.user.Group, Root)
+     */
+    @Override
+    public void onCreate(Group group, Root root) throws RepositoryException {
+        // nothing to do
+    }
+
+    /**
+     * Doesn't perform any action.
+     *
      * @see AuthorizableAction#onCreate(org.apache.jackrabbit.api.security.user.User, String, javax.jcr.Session)
      */
+    @Override
     public void onCreate(User user, String password, Session session) throws RepositoryException {
         // nothing to do
     }
@@ -52,8 +65,19 @@ public abstract class AbstractAuthorizab
     /**
      * Doesn't perform any action.
      *
+     * @see AuthorizableAction#onCreate(org.apache.jackrabbit.api.security.user.User, String, Root)
+     */
+    @Override
+    public void onCreate(User user, String password, Root root) throws RepositoryException {
+        // nothing to do
+    }
+
+    /**
+     * Doesn't perform any action.
+     *
      * @see AuthorizableAction#onRemove(org.apache.jackrabbit.api.security.user.Authorizable, javax.jcr.Session)
      */
+    @Override
     public void onRemove(Authorizable authorizable, Session session) throws RepositoryException {
         // nothing to do
     }
@@ -61,9 +85,30 @@ public abstract class AbstractAuthorizab
     /**
      * Doesn't perform any action.
      *
+     * @see AuthorizableAction#onRemove(org.apache.jackrabbit.api.security.user.Authorizable, Root)
+     */
+    @Override
+    public void onRemove(Authorizable authorizable, Root root) throws RepositoryException {
+        // nothing to do
+    }
+
+    /**
+     * Doesn't perform any action.
+     *
      * @see AuthorizableAction#onPasswordChange(org.apache.jackrabbit.api.security.user.User, String, javax.jcr.Session)
      */
+    @Override
     public void onPasswordChange(User user, String newPassword, Session session) throws RepositoryException {
         // nothing to do
     }
+
+    /**
+     * Doesn't perform any action.
+     *
+     * @see AuthorizableAction#onPasswordChange(org.apache.jackrabbit.api.security.user.User, String, Root)
+     */
+    @Override
+    public void onPasswordChange(User user, String newPassword, Root root) throws RepositoryException {
+        // nothing to do
+    }
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.java Fri Oct 19 10:05:28 2012
@@ -31,6 +31,7 @@ import org.apache.jackrabbit.api.securit
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.util.Text;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -118,6 +119,16 @@ public class AccessControlAction extends
         setAC(user, session);
     }
 
+    @Override
+    public void onCreate(Group group, Root root) throws RepositoryException {
+        setAC(group, root);
+    }
+
+    @Override
+    public void onCreate(User user, String password, Root root) throws RepositoryException {
+        setAC(user, root);
+    }
+
     //------------------------------------------------------< Configuration >---
     /**
      * Sets the privileges a new group will be granted on the group's home directory.
@@ -180,6 +191,11 @@ public class AccessControlAction extends
         }
     }
 
+    private void setAC(Authorizable authorizable, Root root) throws RepositoryException {
+        // TODO: add implementation
+        log.error("Not yet implemented");
+    }
+
     /**
      * Retrieve privileges for the specified privilege names.
      *

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/AuthorizableAction.java Fri Oct 19 10:05:28 2012
@@ -22,22 +22,24 @@ import javax.jcr.Session;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.oak.api.Root;
 
 /**
  * The {@code AuthorizableAction} interface provide an implementation
  * specific way to execute additional validation or write tasks upon
  *
  * <ul>
- * <li>{@link #onCreate(org.apache.jackrabbit.api.security.user.User, String, javax.jcr.Session) User creation},</li>
- * <li>{@link #onCreate(org.apache.jackrabbit.api.security.user.Group, javax.jcr.Session) Group creation},</li>
- * <li>{@link #onRemove(org.apache.jackrabbit.api.security.user.Authorizable, javax.jcr.Session) Authorizable removal} and</li>
- * <li>{@link #onPasswordChange(org.apache.jackrabbit.api.security.user.User, String, javax.jcr.Session) User password modification}.</li>
+ * <li>{@link #onCreate User creation},</li>
+ * <li>{@link #onCreate Group creation},</li>
+ * <li>{@link #onRemove Authorizable removal} and</li>
+ * <li>{@link #onPasswordChange User password modification}.</li>
  * </ul>
  *
  * @see org.apache.jackrabbit.oak.spi.security.ConfigurationParameters
  */
 public interface AuthorizableAction {
 
+    // TODO: review (rather split into OAK and JCR level interface?)
     /**
      * Allows to add application specific modifications or validation associated
      * with the creation of a new group. Note, that this method is called
@@ -52,6 +54,18 @@ public interface AuthorizableAction {
 
     /**
      * Allows to add application specific modifications or validation associated
+     * with the creation of a new group. Note, that this method is called
+     * <strong>before</strong> any {@code Session.save} call.
+     *
+     * @param group The new group that has not yet been persisted;
+     * e.g. the associated node is still 'NEW'.
+     * @param root The root associated with the user manager.
+     * @throws javax.jcr.RepositoryException If an error occurs.
+     */
+    void onCreate(Group group, Root root) throws RepositoryException;
+
+    /**
+     * Allows to add application specific modifications or validation associated
      * with the creation of a new user. Note, that this method is called
      * <strong>before</strong> any {@code Session.save} call.
      *
@@ -64,6 +78,19 @@ public interface AuthorizableAction {
     void onCreate(User user, String password, Session session) throws RepositoryException;
 
     /**
+     * Allows to add application specific modifications or validation associated
+     * with the creation of a new user. Note, that this method is called
+     * <strong>before</strong> any {@code Session.save} call.
+     *
+     * @param user The new user that has not yet been persisted;
+     * e.g. the associated node is still 'NEW'.
+     * @param password The password that was specified upon user creation.
+     * @param root The root associated with the user manager.
+     * @throws RepositoryException If an error occurs.
+     */
+    void onCreate(User user, String password, Root root) throws RepositoryException;
+
+    /**
      * Allows to add application specific behavior associated with the removal
      * of an authorizable. Note, that this method is called <strong>before</strong>
      * {@link org.apache.jackrabbit.api.security.user.Authorizable#remove} is executed (and persisted); thus the
@@ -76,6 +103,18 @@ public interface AuthorizableAction {
     void onRemove(Authorizable authorizable, Session session) throws RepositoryException;
 
     /**
+     * Allows to add application specific behavior associated with the removal
+     * of an authorizable. Note, that this method is called <strong>before</strong>
+     * {@link org.apache.jackrabbit.api.security.user.Authorizable#remove} is executed (and persisted); thus the
+     * target authorizable still exists.
+     *
+     * @param authorizable The authorizable to be removed.
+     * @param root The root associated with the user manager.
+     * @throws RepositoryException If an error occurs.
+     */
+    void onRemove(Authorizable authorizable, Root root) throws RepositoryException;
+
+    /**
      * Allows to add application specific action or validation associated with
      * changing a user password. Note, that this method is called <strong>before</strong>
      * the password property is being modified in the content.
@@ -86,4 +125,16 @@ public interface AuthorizableAction {
      * @throws RepositoryException If an exception or error occurs.
      */
     void onPasswordChange(User user, String newPassword, Session session) throws RepositoryException;
+
+    /**
+     * Allows to add application specific action or validation associated with
+     * changing a user password. Note, that this method is called <strong>before</strong>
+     * the password property is being modified in the content.
+     *
+     * @param user The user that whose password is going to change.
+     * @param newPassword The new password as specified in {@link User#changePassword}
+     * @param root The root associated with the user manager.
+     * @throws RepositoryException If an exception or error occurs.
+     */
+    void onPasswordChange(User user, String newPassword, Root root) throws RepositoryException;
 }
\ No newline at end of file

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/ClearMembershipAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/ClearMembershipAction.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/ClearMembershipAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/ClearMembershipAction.java Fri Oct 19 10:05:28 2012
@@ -22,6 +22,7 @@ import javax.jcr.Session;
 
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.oak.api.Root;
 
 /**
  * Authorizable action attempting to clear all group membership before removing
@@ -37,6 +38,16 @@ public class ClearMembershipAction exten
      */
     @Override
     public void onRemove(Authorizable authorizable, Session session) throws RepositoryException {
+        clearMembership(authorizable);
+    }
+
+    @Override
+    public void onRemove(Authorizable authorizable, Root root) throws RepositoryException {
+        clearMembership(authorizable);
+    }
+
+    //--------------------------------------------------------------------------
+    private static void clearMembership(Authorizable authorizable) throws RepositoryException {
         Iterator<Group> membership = authorizable.declaredMemberOf();
         while (membership.hasNext()) {
             membership.next().removeMember(authorizable);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java?rev=1400020&r1=1400019&r2=1400020&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/user/action/PasswordValidationAction.java Fri Oct 19 10:05:28 2012
@@ -23,6 +23,7 @@ import javax.jcr.Session;
 import javax.jcr.nodetype.ConstraintViolationException;
 
 import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.oak.api.Root;
 import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtility;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -60,10 +61,20 @@ public class PasswordValidationAction ex
     }
 
     @Override
+    public void onCreate(User user, String password, Root root) throws RepositoryException {
+        validatePassword(password);
+    }
+
+    @Override
     public void onPasswordChange(User user, String newPassword, Session session) throws RepositoryException {
         validatePassword(newPassword);
     }
 
+    @Override
+    public void onPasswordChange(User user, String newPassword, Root root) throws RepositoryException {
+        validatePassword(newPassword);
+    }
+
     //------------------------------------------------------< Configuration >---
     /**
      * Set the password constraint.



Mime
View raw message