jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1592742 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown: ./ security/ security/authentication/
Date Tue, 06 May 2014 13:29:21 GMT
Author: angela
Date: Tue May  6 13:29:20 2014
New Revision: 1592742

URL: http://svn.apache.org/r1592742
Log:
OAK-301 : oak docu

Added:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md
      - copied, changed from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences_authentication.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
Removed:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences_authentication.md
Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences.md Tue May  6 13:29:20 2014
@@ -279,7 +279,7 @@ baselines (`OPTION_BASELINES_SUPPORTED`)
 Security
 --------
 
-* [Authentication](differences_authentication.html)
+* [Authentication](security/authentication/differences.html)
 * [AccessControl Management](differences_accesscontrol.html)
 * [Permission Evaluation](differences_permission.html)
 * [Privilege Management](differences_privileges.html)
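Review bot: the Authentication entry now points into security/authentication/ while the three sibling entries directly below it (`differences_accesscontrol.html`, `differences_permission.html`, `differences_privileges.html`) still point at the old top-level layout, so the Security list mixes two conventions; if the other three difference pages are going to be moved under security/ as well, moving them in the same commit keeps the list consistent, otherwise a short note in the log explaining that only authentication has moved so far would help the next editor.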

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Tue May  6 13:29:20 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Access Control
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Tue May  6 13:29:20 2014
@@ -14,46 +14,46 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
-Authentication and Login Modules
-------------------------------------------------------------------------------------------------------------------------
+Authentication
+--------------------------------------------------------------------------------
 
-### General Concepts
+### JAAS Authentication and Login Modules
+
+#### General Concepts
 
 In order to understand how login modules work and how Oak can help providing extension points we need to look at how
 JAAS authentication works in general and discuss where the actual credential-verification is performed.
 
-#### Brief recap of the JAAS authentication
-The following section is copied and adapted from the javadoc of [javax.security.auth.spi.LoginModule]:
-
-The authentication process within the `LoginModule` proceeds in two distinct phases. 
-
-1. Login Phase
-
-   1. In the first phase, the `LoginModule`'s `login` method gets invoked by the `LoginContext`'s `login` method.
-   2. The `login` method for the `LoginModule` then performs the actual authentication (prompt for and verify a 
-      password for example) and saves its authentication status as private state information. 
-   3. Once finished, the `LoginModule`'s login method either returns `true` (if it succeeded) or `false` (if it should 
-      be ignored), or throws a `LoginException` to specify a failure. In the failure case, the `LoginModule` must not 
-      retry the authentication or introduce delays. The responsibility of such tasks belongs to the application. 
-      If the application attempts to retry the authentication, the `LoginModule`'s `login` method will be called again.
-
-2. Commit Phase
-
-   1. In the second phase, if the `LoginContext`'s overall authentication succeeded (the relevant REQUIRED, REQUISITE, 
-      SUFFICIENT and OPTIONAL LoginModules succeeded), then the `commit` method for the `LoginModule` gets invoked. 
-   2. The `commit` method for a `LoginModule` checks its privately saved state to see if its own authentication 
-      succeeded. 
-   3. If the overall `LoginContext` authentication succeeded and the `LoginModule`'s own authentication succeeded, then
-      the `commit` method associates the relevant Principals (authenticated identities) and Credentials (authentication 
-      data such as cryptographic keys) with the Subject located within the `LoginModule`.
-   4. If the `LoginContext`'s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL 
-      LoginModules did not succeed), then the `abort` method for each `LoginModule` gets invoked. In this case, the 
-      `LoginModule` removes/destroys any authentication state originally saved.
+##### Brief recap of the JAAS authentication
+The following section is copied and adapted from the javadoc of [javax.security.auth.spi.LoginModule].
+The authentication process within the `LoginModule` proceeds in two distinct phases,
+login and commit phase:
+
+__A. Login Phase__
+
+1. In the first phase, the `LoginModule`'s `login` method gets invoked by the `LoginContext`'s `login` method.
+2. The `login` method for the `LoginModule` then performs the actual authentication (prompt for and verify a
+   password for example) and saves its authentication status as private state information.
+3. Once finished, the `LoginModule`'s login method either returns `true` (if it succeeded) or `false` (if it should
+   be ignored), or throws a `LoginException` to specify a failure. In the failure case, the `LoginModule` must not
+   retry the authentication or introduce delays. The responsibility of such tasks belongs to the application.
+   If the application attempts to retry the authentication, the `LoginModule`'s `login` method will be called again.
+
+__B. Commit Phase__
+
+1. In the second phase, if the `LoginContext`'s overall authentication succeeded (the relevant REQUIRED, REQUISITE,
+   SUFFICIENT and OPTIONAL LoginModules succeeded), then the `commit` method for the `LoginModule` gets invoked.
+2. The `commit` method for a `LoginModule` checks its privately saved state to see if its own authentication
+   succeeded.
+3. If the overall `LoginContext` authentication succeeded and the `LoginModule`'s own authentication succeeded, then
+   the `commit` method associates the relevant Principals (authenticated identities) and Credentials (authentication
+   data such as cryptographic keys) with the Subject located within the `LoginModule`.
+4. If the `LoginContext`'s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL
+   LoginModules did not succeed), then the `abort` method for each `LoginModule` gets invoked. In this case, the
+   `LoginModule` removes/destroys any authentication state originally saved.
       
-#### Login module execution order
+##### Login module execution order
 Very simply put, all the login modules that participate in JAAS authentication are configured in a list and can have
 flags indicating how to treat their behaviors on the `login()` calls.
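Review bot: the two phases are introduced with bold pseudo-headings (`__A. Login Phase__`, `__B. Commit Phase__`) while everything else in this file was just converted to real `###`/`####`/`#####` headings, so they will not show up in the page's heading outline; either make them `######` headings to match the new scheme, or keep them as bold but then the surrounding `#####` level is one deeper than needed. The change from the previous `--------` underline style to `###` is otherwise consistent with the rest of the security docs touched in this commit.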
 
@@ -85,138 +85,49 @@ LoginModule is configured and succeeds, 
 LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules 
 are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
 
-JCR and Oak Authentication
-------------------------------------------------------------------------------------------------------------------------
+### JCR and Oak Authentication
 
 Within the scope of JCR `Repository.login` is used to authenticate a given user.
 This method either takes a `Credentials` argument if the validation is performed
 by the repository itself or `null` in case the user has be pre-authenticated by
 an external system.
 
-### Differences wrt Jackrabbit 2.x
+#### Differences wrt Jackrabbit 2.x
 
-see the corresponding [documentation](../differences_authentication.html).
+see the corresponding [documentation](authentication/differences.html).
 
-### Logins with Credentials
+#### Guest Login
 
 _todo_
 
-### Pre Authenticated Logins
+#### Logins with Credentials
+
+_todo_
+
+#### Impersonation
+
+_todo_
+
+#### Pre Authenticated Logins
 
 Oak provides two different mechanisms to create pre-authentication that doesn't
 involve the repositories internal authentication mechanism for credentials
 validation.
 
-#### Pre-Authentication combined with Login Module Chain
+- Pre-Authentication combined with Login Module Chain
+- Pre-Authentication without Repository Involvement
+
+See section [Pre-Authentication Login](authentication/preauthentication.html) for
+further details and examples.
 
-This first variant allows to support 3rd party login modules that wish to provide
-the login context with pre authenticated login names, but still want to rely on
-the rest of the oak's login module chain. For example an external SSO login module
-can extract the userid from a servlet request and use it to authenticate against
-the repository. But instead of re-implementing the user lookup and subject
-population (and possible external user synchronization) it just sets a respective
-[org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin] on the
-shared state.
-
-This setup is particularly recommended in a OSGi setup that includes Apache Sling
-on top of the Oak repository but still requires user information to be synchronized
-into the repository.
-
-The key to understand this mechanism is `org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin`
-a simple marker, which is pushed to the shared state of the login context and which indicates
-to any subsequent LoginModule that the credentials present in the state already
-have been verified and thus can be trusted.
-
-The basic steps of this pre-authentication are outlined as follows:
-
-1. verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling Authentication Handler)
-2. pass a custom, non-public Credentials implementation to the repository login
-3. create a custom login module that only supports these dedicated credentials and
-   pushes both a new instance of `PreAuthenticatedLogin` and other information
-   required and processed by subsequent login modules (e.g. credentials and
-   user name).
-4. make sure the subsequent login modules in the JAAS configuration are capable
-   to deal with the `PreAuthenticatedLogin` and the additional information and
-   will properly populate the subject and optionally synchronize user information
-   or create login tokens.
-
-Example implementation of `LoginModule#login` of this kind of custom login module:
-
-    public class PreAuthLoginModule extends AbstractLoginModule {
-
-    [...]
-
-        @Overwrite
-        public boolean login() throws LoginException {
-            Credentials credentials = getCredentials();
-            if (credentials instanceof MyPreAuthCredentials) {
-                userId = ((MyPreAuthCredentials) credentials).getUserId();
-                if (userId == null) {
-                    log.debug("Could not extract userId/credentials");
-                } else {
-                    sharedState.put(SHARED_KEY_PRE_AUTH_LOGIN, new PreAuthenticatedLogin(userId));
-                    sharedState.put(SHARED_KEY_CREDENTIALS, new SimpleCredentials(userId, new char[0]));
-                    sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
-                    log.debug("login succeeded with trusted user: {}", userId);
-                }
-            }
-
-            [...]
-        }
-    }
-
-#### Pre-Authentication without Repository Involvement
-
-Like in Jackrabbit-core the repository internal authentication verification can
-be skipped by calling `Repository#login()` or `Repository#login(null, wspName)`.
-In this case the repository implementation expects the verification to be performed
-prior to the login call.
-
-This behavior is provided by the default implementation of the `LoginContextProvider` [1]
-which expects a `Subject` to be available with the current `java.security.AccessControlContext`.
-However, in contrast to Jackrabbit-core the current implementation does not try
-to extend the pre-authenticated subject but skips the internal verification step altogether.
-
-Since the `LoginContextProvider` is a configurable with the authentication setup
-OAK users also have the following options by providing a custom `LoginContextProvider`:
-
-- Disable pre-authentication by not trying to retrieve a pre-authenticated `Subject`.
-- Add support for extending the pre-authenticated subject by always passing writable subjects to the `JaasLoginContext`
-- Dropping JAAS altogether by providing a custom implementation of the
-  `org.apache.jackrabbit.oak.spi.security.authentication.LoginContext` [2] interface.
-
-Example how to use this type of pre-authentication:
-
-    String userId = "test";
-    /**
-     Retrive valid principals e.g. by calling jackrabbit API
-     - PrincipalManager#getPrincipal and/or #getGroupMembership
-     or from Oak SPI
-     - PrincipalProvider#getPrincipals(String userId)
-     */
-    Set<? extends Principal> principals = getPrincipals(userId);
-    AuthInfo authInfo = new AuthInfoImpl(userId, Collections.<String, Object>emptyMap(), principals);
-    Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.<Object>emptySet());
-    Session session;
-    try {
-        session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>() {
-            @Override
-            public Session run() throws Exception {
-                return login(null, null);
-            }
-        }, null);
-    } catch (PrivilegedActionException e) {
-        throw new RepositoryException("failed to retrieve session.", e);
-    }
 
-Oak Login Module Implementations
-------------------------------------------------------------------------------------------------------------------------
+### Oak Login Module Implementations
 
-### Abstract Login Module
+#### Abstract Login Module
 
 _todo_
 
-### Default Login Module
+#### Default Login Module
 
 The behavior of the default login module is relatively simple, so it is explained first:
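Review bot: the `PreAuthLoginModule` sample being moved out of this file carries a typo, `@Overwrite` instead of `@Override`, which does not compile; please make sure the copy that lands in authentication/preauthentication.html has it fixed rather than carried over, and that the same goes for the "Retrive" comment and the misspelled `getPrincipals` description in the second sample. Separately, this hunk introduces three new sections (Guest Login, Logins with Credentials, Impersonation) whose whole body is `_todo_`; together with the existing `_todo_` under Abstract Login Module these will be published as empty headings, so either fill in at least one sentence each or leave them out until there is content.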
 
@@ -236,7 +147,7 @@ upon commit():
 * if the private state contains the credentials and principals, it adds them (both) to the subject and **returns `true`**
 * if the private state does not contain credentials and principals, it clears the state and **returns `false`**
 
-### Token Login Module
+#### Token Login Module
 
 _todo_
 
@@ -244,150 +155,36 @@ _todo_
 
 _todo_
 
-### External Login Module
-
-#### Overview
-The purpose of the external login module is to provide a base implementation that allows easy integration of 3rd party 
-authentication and identity systems, such as LDAP. The general mode of the external login module is to use the external
-system as authentication source and as a provider for users and groups.
-
-what it does:
-
-* facilitate the use of a 3rd party system for authentication
-* simplify populating the oak user manager with identities from a 3rd party system
-
-what it does not:
-
-* provide a transparent oak user manager
-* provide a transparent oak principal provider.
-* offer services for background synchronization of users and groups
-
-#### Structure
-The external identity and login handling is split into 3 parts:
-
-1. An external identity provider (IDP). This is a service implementing the `ExternalIdentityProvider` interface and is responsible to retrieve and authenticate identities towards an external system (e.g. LDAP).
-2. An synchronization handler. This is a service implementing the `SyncHandler` interface and is responsible to actually managing the external identities within the Oak user management. A very trivial implementation might just create users and groups for external ones on demand.
-3. The external login module (ExtLM). This is the connection between JAAS login mechanism, the external identity provider and the synchronization handler.
-
-This modularization allows to reuse the same external login module for different combinations of IDPs and synchronization handlers. Although in practice, systems usually have 1 of each. 
-
-An example where multiple such entities come into play would be the case to use several LDAP servers for authentication. Here we would configure 2 LDAP IDPs, 1 Sync handler and 2 ExtLMs.
-
-##### Authentication and subject population
-The goal of the external login module is to provide a very simple way of using 
-_"the users stored in an external system for authentication and authorization in the Oak content repository"_. So the
-easiest way of doing this is to import the users on-demand when they log in. 
+#### External Login Module
 
-#### Behavior of the External Login Module
+The external login module is a base implementation that allows easy integration
+of 3rd party authentication and identity systems, such as [LDAP](ldap.html). The
+general mode of the external login module is to use the external system as authentication
+source and as a provider for users and groups that may also be synchronized into
+the repository.
 
-##### General
-The external login module has 2 main tasks. one is to authenticate credentials against a 3rd party system, the other is
-to coordinate syncing of the respective users and groups with the JCR repository (via the UserManager).
+This login module implementation requires an valid `SyncHandler` and `IdentityProvider`
+to be present.
 
-If a user needs re-authentication (for example, if the cache validity expired or if the user is not yet present in the
-local system at all), the login module must check the credentials with the external system during the `login()` method. 
+Further reading:
+- [External LoginModule and User Synchronization](authentication/externalloginmodule.html): Details regarding the login module and the associated interfaces as well as configuration of the default implementations present with Oak.
+- [LDAP Integration](authentication/ldap.html): How to make use of the `ExternalLoginModule` to authenticate against LDAP.
 
-**ExternalLoginModule**
 
-Note:
+### Authentication related Interfaces and Extension Points in Oak
 
-* users (and groups) that are synced from the 3rd party system contain a `rep:externalId` property. This allows to identify the external users and distinguish them from others.
-* to reduce expensive syncing, the synced users and groups have sync timestamp `rep:lastSynced` and are considered valid for a configurable time. if they expire, they need to be validated against the 3rd party system again.
-
-upon login():
-
-* if the user exists in the repository and is not an externally synced, **return `false`**
-* if the user exists in the 3rd party system but the credentials don't match it **throws `LoginException`**
-* if the user exists in the 3rd party system and the credentials match
-    * put the credentials in the shared and private state 
-    * possibly sync the user 
-    * and **returns `true`**
-* if the user does not exist in the 3rd party system, checks if it needs to remove the user and then it **returns `false`**
-
-upon commit():
-
-* if there is no credentials in the private state, it **returns `false`**
-* if there are credentials in the private state propagate the subject and **return `true`**
-
-#### User and Group Synchronization
-
-The synchronization of users and groups is triggered by the external login module, after a user is successfully
-authenticated against the IDP or if it's no longer present on the IDP.
-
-##### Configuration of the DefaultSyncHandler
-Oak provides a default synchronization handler that is configured via [org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfig]. The handler is configured either via OSGi or during manual [Repository Construction](../construct.html).
-
-| Name                          | Property                      | Description                              |
-|-------------------------------|-------------------------------|------------------------------------------|
-| Sync Handler Name             | `handler.name`                | Name of this sync configuration. This is used to reference this handler by the login modules. |
-| User auto membership          | `user.autoMembership`         | List of groups that a synced user is added to automatically |
-| User Expiration Time          | `user.expirationTime`         | Duration until a synced user gets expired (eg. '1h 30m' or '1d'). |
-| User Membership Expiration    | `user.membershipExpTime`      | Time after which membership expires (eg. '1h 30m' or '1d'). |
-| User membership nesting depth | `user.membershipNestingDepth` | Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. |
-| User Path Prefix              | `user.pathPrefix`             | The path prefix used when creating new users. |
-| User property mapping         | `user.propertyMapping`        | List mapping definition of local properties from external ones. eg: 'profile/email=mail'.Use double quotes for fixed values. eg: 'profile/nt:primaryType="nt:unstructured" |
-| Group auto membership         | `group.autoMembership`        | List of groups that a synced group is added to automatically |
-| Group Expiration Time         | `group.expirationTime`        | Duration until a synced group expires (eg. '1h 30m' or '1d'). |
-| Group Path Prefix             | `group.pathPrefix`            | The path prefix used when creating new groups. |
-| Group property mapping        | `group.propertyMapping`       | List mapping definition of local properties from external ones. |
-| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | | |
-
-#### External Identity Provider
+#### LoginContextProvider
 
 _todo_
 
+#### Token Management
 
-Authentication related Interfaces and Extension Points in Oak
-------------------------------------------------------------------------------------------------------------------------
+See section [token management](authentication/tokenmanagement.html) for details.
 
-### Token Management
-
-_todo_
-
-#### TokenProvider
-#### TokenInfo
-
-### External Identity Management
-
-_todo_
-
-##### LDAP Identity Provider
-Oak comes with a default implementation of an LDAP identity provider.
-
-###### Configuration
-The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
-which is populated either via OSGi or during manual [Repository Construction](../construct.html).
-
-| Name                         | Property                | Description                              |
-|------------------------------|-------------------------|------------------------------------------|
-| LDAP Provider Name           | `provider.name`         | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
-| Bind DN                      | `bind.dn`               | DN of the user for authentication. Leave empty for anonymous bind. |
-| Bind Password                | `bind.password`         | Password of the user for authentication. |
-| LDAP Server Hostname         | `host.name`             | Hostname of the LDAP server              |
-| Disable certificate checking | `host.noCertCheck`      | Indicates if server certificate validation should be disabled. |
-| LDAP Server Port             | `host.port`             | Port of the LDAP server                  |
-| Use SSL                      | `host.ssl`              | Indicates if an SSL (LDAPs) connection should be used. |
-| Use TLS                      | `host.tls`              | Indicates if TLS should be started on connections. |
-| Search Timeout               | `searchTimeout`         | Time in until a search times out (eg: '1s' or '1m 30s'). |
-| User base DN                 | `user.baseDN`           | The base DN for user searches.           |
-| User extra filter            | `user.extraFilter`      | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
-| User id attribute            | `user.idAttribute`      | Name of the attribute that contains the user id. |
-| User DN paths                | `user.makeDnPath`       | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| User object classes          | `user.objectclass`      | The list of object classes an user entry must contain. |
-| Group base DN                | `group.baseDN`          | The base DN for group searches.          |
-| Group extra filter           | `group.extraFilter`     | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
-| Group DN paths               | `group.makeDnPath`      | Controls if the DN should be used for calculating a portion of the intermediate path. |
-| Group member attribute       | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
-| Group name attribute         | `group.nameAttribute`   | Name of the attribute that contains the group name. |
-| Group object classes         | `group.objectclass`     | The list of object classes a group entry must contain. |
-| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | | |
+#### External Identity Management
 
+See section [identity management](authentication/identitymanagement.html) for details.
 
 <!-- references -->
 [javax.security.auth.spi.LoginModule]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html
-[javax.security.auth.login.Configuration]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html
-[org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html
-[org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html
-[org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.html
-
-
+[javax.security.auth.login.Configuration]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html
\ No newline at end of file
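Review bot: the link `[LDAP](ldap.html)` in the new External Login Module paragraph is resolved relative to security/authentication.html, i.e. to security/ldap.html, which does not exist; the "Further reading" list two paragraphs later correctly uses `authentication/ldap.html`, so this one should too (the identical paragraph in the added externalloginmodule.md is fine because that file lives inside security/authentication/). Two smaller points in the same paragraph: "an valid" should read "a valid", and the interface is called `IdentityProvider` here whereas the removed text above and the added page name it `ExternalIdentityProvider`; the docs should use one name. The file also now ends without a trailing newline.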

Copied: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md (from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences_authentication.md)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md?p2=jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md&p1=jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences_authentication.md&r1=1591293&r2=1592742&rev=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/differences_authentication.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/differences.md Tue May  6 13:29:20 2014
@@ -63,25 +63,12 @@ which doesn't have a password set.
 
 Oak provides two different mechanisms to create pre-authentication that doesn't
 involve the repositories internal authentication mechanism for credentials
-validation.
+validation. See the corresponding section [Pre-Authentication](security/authentication/preauthentication.html)
+for details and examples.
 
-see [Authentication](security/authentication.html) for details and examples.
-
-###### Pre-Authentication combined with Login Module Chain
-
-The first variant allows to combine pre-authenticated login with the JAAS login
-module chain.
-
-###### Pre-Authentication without Repository Involvement
-
-Like in Jackrabbit-core the repository internal authentication verification can
-be skipped by calling `Repository#login()` or `Repository#login(null, wspName)`.
-
-In the default implementation the `LoginContextProvider` [1] expects a `Subject`
-to be available with the current `java.security.AccessControlContext`.
-However, in contrast to Jackrabbit-core the current implementation does not
-try to extend the pre-authenticated subject but skips the internal verification
-step altogether.
+- Pre-Authentication combined with Login Module Chain
+- Pre-Authentication without Repository Involvement: the `Subject` must be available
+  with the current `java.security.AccessControlContext`.
 
 #### 2. Impersonation
 
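Review bot: the new link `security/authentication/preauthentication.html` is wrong for this file's new location; differences.md now sits in security/authentication/ itself, so the relative link should simply be `preauthentication.html` (the old `security/authentication.html` was correct only from the top-level differences_authentication.md). Also, the shortened bullet for "Pre-Authentication without Repository Involvement" drops the sentence that Oak skips the internal verification step altogether and trusts the `Subject` found in the `AccessControlContext` as-is; since this differences page is what Jackrabbit 2.x users read first, that behavioural difference is worth keeping in one sentence here rather than only behind the link.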
@@ -128,6 +115,7 @@ The default implementation differs from 
 attributes and falls back to the same configuration parameter.
 
 The definition of the new built-in node type "rep:Token":
+
     [rep:Token] > mix:referenceable
     - rep:token.key (STRING) protected mandatory
     - rep:token.exp (DATE) protected mandatory

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1592742&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md Tue May  6 13:29:20 2014
@@ -0,0 +1,131 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+External Login Module and User Synchronization
+--------------------------------------------------------------------------------
+
+### Overview
+The purpose of the external login module is to provide a base implementation that
+allows easy integration of 3rd party authentication and identity systems, such as
+[LDAP](ldap.html). The general mode of the external login module is to use the
+external system as authentication source and as a provider for users and groups
+that may also be synchronized into the repository.
+
+what it does:
+
+* facilitate the use of a 3rd party system for authentication
+* simplify populating the oak user manager with identities from a 3rd party system
+
+what it does not:
+
+* provide a transparent oak user manager
+* provide a transparent oak principal provider.
+* offer services for background synchronization of users and groups
+
+### Structure
+The external identity and login handling is split into 3 parts:
+
+- **External Login Module**: LoginModule implementation that represents the connection between JAAS login mechanism, the external identity provider and the synchronization handler.
+- **External Identity Provider** (IDP): This is a service implementing the `ExternalIdentityProvider` interface and is responsible to retrieve and authenticate identities towards an external system (e.g. LDAP).
+- **User and Group Synchronization**: This is a service implementing the `SyncHandler` interface and is responsible to actually managing the external identities within the Oak user management. A very trivial implementation might just create users and groups for external ones on demand.
+
+This modularization allows to reuse the same external login module for different
+combinations of IDPs and synchronization handlers. Although in practice, systems
+usually have 1 of each.
+
+An example where multiple such entities come into play would be the case to use
+several LDAP servers for authentication. Here we would configure 2 LDAP IDPs,
+1 Sync handler and 2 ExtLMs.
+
+#### External Login Module
+
+##### General
+The external login module has 2 main tasks. One is to authenticate credentials
+against a 3rd party system, the other is to coordinate syncing of the respective
+users and groups with the JCR repository (via the UserManager).
+
+If a user needs re-authentication (for example, if the cache validity expired or
+if the user is not yet present in the local system at all), the login module must
+check the credentials with the external system during the `login()` method.
+
+Note:
+
+* users (and groups) that are synced from the 3rd party system contain a `rep:externalId` property. This allows to identify the external users and distinguish them from others.
+* to reduce expensive syncing, the synced users and groups have sync timestamp `rep:lastSynced` and are considered valid for a configurable time. if they expire, they need to be validated against the 3rd party system again.
+
+##### Phase 1: Login
+
+* if the user exists in the repository and is not an externally synced, **return `false`**
+* if the user exists in the 3rd party system but the credentials don't match it **throws `LoginException`**
+* if the user exists in the 3rd party system and the credentials match
+    * put the credentials in the shared and private state
+    * possibly sync the user
+    * and **returns `true`**
+* if the user does not exist in the 3rd party system, checks if it needs to remove the user and then it **returns `false`**
+
+##### Phase 2: Commit
+
+* if there is no credentials in the private state, it **returns `false`**
+* if there are credentials in the private state propagate the subject and **return `true`**
+
+
+#### External Identity Provider
+
+_todo_
+
+
+See [LDAP](ldap.html) for further information about the `LDAPIdentityProvider`
+implementation shipped with Oak.
+
+
+#### User and Group Synchronization
+
+The synchronization of users and groups is triggered by the external login module,
+after a user is successfully authenticated against the IDP or if it's no longer
+present on the IDP.
+
+Oak comes with a default implementation of the `SyncHandler` interface:
+[org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler].
+
+##### Configuration of the DefaultSyncHandler
+Oak provides a default synchronization handler that is configured via [DefaultSyncConfig]. The handler is configured either via OSGi or during manual [Repository Construction](../../construct.html).
+
+| Name                          | Property                      | Description                              |
+|-------------------------------|-------------------------------|------------------------------------------|
+| Sync Handler Name             | `handler.name`                | Name of this sync configuration. This is used to reference this handler by the login modules. |
+| User auto membership          | `user.autoMembership`         | List of groups that a synced user is added to automatically |
+| User Expiration Time          | `user.expirationTime`         | Duration until a synced user gets expired (eg. '1h 30m' or '1d'). |
+| User Membership Expiration    | `user.membershipExpTime`      | Time after which membership expires (eg. '1h 30m' or '1d'). |
+| User membership nesting depth | `user.membershipNestingDepth` | Returns the maximum depth of group nesting when membership relations are synced. A value of 0 effectively disables group membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect when syncing individual groups only when syncing a users membership ancestry. |
+| User Path Prefix              | `user.pathPrefix`             | The path prefix used when creating new users. |
+| User property mapping         | `user.propertyMapping`        | List mapping definition of local properties from external ones. eg: 'profile/email=mail'.Use double quotes for fixed values. eg: 'profile/nt:primaryType="nt:unstructured" |
+| Group auto membership         | `group.autoMembership`        | List of groups that a synced group is added to automatically |
+| Group Expiration Time         | `group.expirationTime`        | Duration until a synced group expires (eg. '1h 30m' or '1d'). |
+| Group Path Prefix             | `group.pathPrefix`            | The path prefix used when creating new groups. |
+| Group property mapping        | `group.propertyMapping`       | List mapping definition of local properties from external ones. |
+| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | | |
+
+
+### Example JAAS Configuration
+
+The following JAAS configuration shows how the `ExternalLoginModule` could be
+used in a setup that not solely uses third party login:
+
+    _todo_
+
+<!-- references -->
+[DefaultSyncConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html
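Review bot: the `General` section is ambiguous about when credentials are actually verified against the external system. `If a user needs re-authentication (for example, if the cache validity expired or if the user is not yet present in the local system at all), the login module must check the credentials with the external system during the login() method` reads as though a user whose synced entry has not yet passed `user.expirationTime` is logged in without contacting the IDP. If that is the case, a password change, lockout or deletion in the IDP is not honoured for up to the configured expiration time and the page should say so; if credentials are always validated against the IDP and the expiration only governs re-syncing of attributes and membership, state that instead. In the same vein, the Phase 1 bullet `if the user does not exist in the 3rd party system, checks if it needs to remove the user` should make explicit that removal is limited to users carrying the `rep:externalId` property introduced in the Note above, so a local account that merely shares an id with a vanished external one is never deleted (the first bullet, `is not an externally synced`, is also missing the word `user`). Smaller items: the reference `[org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler]` has no matching link definition in this file (only `[DefaultSyncConfig]` is defined), the `user.propertyMapping` example `'profile/nt:primaryType="nt:unstructured"` is missing its closing quote, the `user.membershipNestingDepth` text starts with `Returns the maximum depth` (pasted from Javadoc), and the final table row of `&nbsp;` padding and the `_todo_` placeholder under `Example JAAS Configuration` should not ship in a published page.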

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md?rev=1592742&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md Tue May  6 13:29:20 2014
@@ -0,0 +1,26 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+Identity Management
+--------------------------------------------------------------------------------
+
+_todo_
+
+- ExternalIdentityProvider
+- ExternalIdentity
+- ExternalUser
+- ExternalGroup
\ No newline at end of file
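Review bot: this page is a `_todo_` placeholder, yet it is linked from the security overview and is the natural target of the `External Identity Provider` section on externalloginmodule.md, which is itself also `_todo_`. Between the two pages the contract of a custom IDP (how an `ExternalIdentityProvider` authenticates credentials and hands back `ExternalUser`/`ExternalGroup` instances, and what a misbehaving provider can or cannot grant) is documented nowhere in this commit; either fill in at least the interface overview before publishing or drop the link until the page has content. Also add the trailing newline so the file does not end with `\ No newline at end of file`.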

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1592742&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md Tue May  6 13:29:20 2014
@@ -0,0 +1,82 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+LDAP Integration
+--------------------------------------------------------------------------------
+
+Oak comes with a default implementation of an LDAP identity provider that allows
+perform external authentication against an existing LDAP in combination
+with user synchronization.
+
+See section [External Login Module and User Synchronization](externalloginmodule.html)
+for a general overview of the `ExternalLoginModule` and how it can be used
+in combination with custom identity providers and synchronization handlers.
+
+### Default Setup
+
+Out of the box Oak comes with the following LDAP integration setup:
+
+- `LdapIdentityProvider`: LDAP specific implementation of the [ExternalIdentityProvider] interface.
+- `DefaultSyncHandler`: Default implementation of the [SyncHandler] interface.
+- `ExternalLoginModule`: Login module implementation that allows for third party authentication as specified by the configured identity provider(s).
+
+#### LDAP Identity Provider
+
+The [LdapIdentityProvider] is a service implementing the [ExternalIdentityProvider] interface.
+
+_todo combining multiple ldap sources todo_
+
+##### Configuration
+
+The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
+which is populated either via OSGi or during manual [Repository Construction](../construct.html).
+
+| Name                         | Property                | Description                              |
+|------------------------------|-------------------------|------------------------------------------|
+| LDAP Provider Name           | `provider.name`         | Name of this LDAP provider configuration. This is used to reference this provider by the login modules. |
+| Bind DN                      | `bind.dn`               | DN of the user for authentication. Leave empty for anonymous bind. |
+| Bind Password                | `bind.password`         | Password of the user for authentication. |
+| LDAP Server Hostname         | `host.name`             | Hostname of the LDAP server              |
+| Disable certificate checking | `host.noCertCheck`      | Indicates if server certificate validation should be disabled. |
+| LDAP Server Port             | `host.port`             | Port of the LDAP server                  |
+| Use SSL                      | `host.ssl`              | Indicates if an SSL (LDAPs) connection should be used. |
+| Use TLS                      | `host.tls`              | Indicates if TLS should be started on connections. |
+| Search Timeout               | `searchTimeout`         | Time in until a search times out (eg: '1s' or '1m 30s'). |
+| User base DN                 | `user.baseDN`           | The base DN for user searches.           |
+| User extra filter            | `user.extraFilter`      | Extra LDAP filter to use when searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)` |
+| User id attribute            | `user.idAttribute`      | Name of the attribute that contains the user id. |
+| User DN paths                | `user.makeDnPath`       | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| User object classes          | `user.objectclass`      | The list of object classes an user entry must contain. |
+| Group base DN                | `group.baseDN`          | The base DN for group searches.          |
+| Group extra filter           | `group.extraFilter`     | Extra LDAP filter to use when searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)` |
+| Group DN paths               | `group.makeDnPath`      | Controls if the DN should be used for calculating a portion of the intermediate path. |
+| Group member attribute       | `group.memberAttribute` | Group attribute that contains the member(s) of a group. |
+| Group name attribute         | `group.nameAttribute`   | Name of the attribute that contains the group name. |
+| Group object classes         | `group.objectclass`     | The list of object classes a group entry must contain. |
+| | | |
+
+#### SyncHandler and External Login Module
+
+See [External Login Module and User Synchronization](externalloginmodule.html) for
+details about the external login module and configuration options for the [DefaultSyncHandler].
+
+<!-- references -->
+[ExternalIdentityProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProvider.html
+[SyncHandler]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/SyncHandler.html
+[DefaultSyncHandler]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncHandler.html
+[org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.html
+[org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.html
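Review bot: `host.noCertCheck` (`Indicates if server certificate validation should be disabled`) needs an explicit warning that enabling it removes the only protection `host.ssl`/`host.tls` provide against a man-in-the-middle on the LDAP connection, which then sees the `bind.password` and every user password the provider forwards for authentication; say it is for test setups only and that the supported fix for a self-signed server is trusting its certificate, not disabling the check. Two further points on the same table: `host.tls` (`Indicates if TLS should be started on connections`) should say STARTTLS so it is not confused with `host.ssl`, and the `user.extraFilter` row shows the final filter as `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)`; document that `<userId>` (and `<groupName>` in the group filter) is escaped before substitution, because an unescaped login name containing `*`, `(`, `)` or `\` would change the filter. Minor: `[LdapIdentityProvider]` in `The [LdapIdentityProvider] is a service ...` has no link definition (only the fully qualified `[org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider]` is defined), the Repository Construction link uses `../construct.html` whereas externalloginmodule.md in the same directory uses `../../construct.html`, `LDAP IPDs` should be `LDAP IDPs`, `allows perform` should be `allows to perform`, and `Time in until a search times out` is missing a word.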

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md?rev=1592742&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md Tue May  6 13:29:20 2014
@@ -0,0 +1,141 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+Pre-Authenticated Login
+--------------------------------------------------------------------------------
+
+Oak provides two different mechanisms to create pre-authentication that doesn't
+involve the repositories internal authentication mechanism for credentials
+validation.
+
+- Pre-Authentication combined with Login Module Chain
+- Pre-Authentication without Repository Involvement
+
+
+### Pre-Authentication combined with Login Module Chain
+
+This first variant allows to support 3rd party login modules that wish to provide
+the login context with pre authenticated login names, but still want to rely on
+the rest of the Oak's login module chain. For example an external SSO login module
+can extract the userid from a servlet request and use it to authenticate against
+the repository. But instead of re-implementing the user lookup and subject
+population (and possible external user synchronization) it just informs any
+subsequent login modules that the credential validation was already successful.
+
+The key to understand this mechanism is the [PreAuthenticatedLogin] marker class,
+which is pushed to the shared state of the login context and which indicates
+to any subsequent LoginModule that the credentials present in the state already
+have been verified and thus can be trusted.
+
+This setup is particularly recommended in a OSGi setup that includes Apache Sling
+on top of the Oak repository but still requires user information to be synchronized
+into the repository.
+
+#### How it works
+
+The basic steps of the pre-authentication in combination with regular JAAS login
+module chain are outlined as follows:
+
+1. verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling Authentication Handler)
+2. pass a custom, non-public Credentials implementation to the repository login
+3. create a custom login module that only supports these dedicated credentials and
+   pushes both a new instance of `PreAuthenticatedLogin` and other information
+   required and processed by subsequent login modules (e.g. credentials and
+   user name).
+4. make sure the subsequent login modules in the JAAS configuration are capable
+   to deal with the `PreAuthenticatedLogin` and the additional information and
+   will properly populate the subject and optionally synchronize user information
+   or create login tokens.
+
+#### Example
+
+Example implementation of `LoginModule#login` that pushes the `PreAuthenticatedLogin`
+marker to the shared state:
+
+    public class PreAuthLoginModule extends AbstractLoginModule {
+
+    [...]
+
+        @Overwrite
+        public boolean login() throws LoginException {
+            Credentials credentials = getCredentials();
+            if (credentials instanceof MyPreAuthCredentials) {
+                userId = ((MyPreAuthCredentials) credentials).getUserId();
+                if (userId == null) {
+                    log.debug("Could not extract userId/credentials");
+                } else {
+                    sharedState.put(SHARED_KEY_PRE_AUTH_LOGIN, new PreAuthenticatedLogin(userId));
+                    sharedState.put(SHARED_KEY_CREDENTIALS, new SimpleCredentials(userId, new char[0]));
+                    sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
+                    log.debug("login succeeded with trusted user: {}", userId);
+                }
+            }
+
+            [...]
+        }
+    }
+
+### Pre-Authentication without Repository Involvement
+
+Like in Jackrabbit-core the repository internal authentication verification can
+be skipped by calling `Repository#login()` or `Repository#login(null, wspName)`.
+In this case the repository implementation expects the verification to be performed
+prior to the login call.
+
+This behavior is provided by the default implementation of the `LoginContextProvider` [1]
+which expects a `Subject` to be available with the current `java.security.AccessControlContext`.
+However, in contrast to Jackrabbit-core the current implementation does not try
+to extend the pre-authenticated subject but skips the internal verification step altogether.
+
+#### Options to modify the default behavior
+
+Since the `LoginContextProvider` is a configurable with the authentication setup
+OAK users also have the following options by providing a custom `LoginContextProvider`:
+
+- Disable pre-authentication by not trying to retrieve a pre-authenticated `Subject`.
+- Add support for extending the pre-authenticated subject by always passing writable subjects to the `JaasLoginContext`
+- Dropping JAAS altogether by providing a custom implementation of the
+  `org.apache.jackrabbit.oak.spi.security.authentication.LoginContext` [2] interface.
+
+#### Example
+
+Example how to use this type of pre-authentication:
+
+    String userId = "test";
+    /**
+     Retrive valid principals e.g. by calling jackrabbit API
+     - PrincipalManager#getPrincipal and/or #getGroupMembership
+     or from Oak SPI
+     - PrincipalProvider#getPrincipals(String userId)
+     */
+    Set<? extends Principal> principals = getPrincipals(userId);
+    AuthInfo authInfo = new AuthInfoImpl(userId, Collections.<String, Object>emptyMap(), principals);
+    Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.<Object>emptySet());
+    Session session;
+    try {
+        session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>() {
+            @Override
+            public Session run() throws Exception {
+                return login(null, null);
+            }
+        }, null);
+    } catch (PrivilegedActionException e) {
+        throw new RepositoryException("failed to retrieve session.", e);
+    }
+
+<!-- references -->
+[PreAuthenticatedLogin]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html
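Review bot: the `PreAuthLoginModule` example uses `@Overwrite`, which is not a Java annotation and will not compile; it should be `@Override`. The same example should be paired with a caveat that step 2 (`pass a custom, non-public Credentials implementation`) only implies: whoever can construct a `MyPreAuthCredentials` obtains a session for the user id it carries without any verification, so the class must not be public or constructible from untrusted input, and the `SimpleCredentials(userId, new char[0])` pushed to the shared state must only be accepted by subsequent modules when `SHARED_KEY_PRE_AUTH_LOGIN` is present. The second mechanism deserves a similar sentence: because the default `LoginContextProvider` `skips the internal verification step altogether`, any code that can run `Subject.doAsPrivileged` with a hand-built `Subject` gets a session with whatever principals it placed in it, so `Repository#login()` without credentials is only safe when the calling code is itself trusted. Smaller items: the references `[1]` (after `LoginContextProvider`) and `[2]` (after `LoginContext`) have no definitions in the file, only `[PreAuthenticatedLogin]` is defined; `Retrive` should be `Retrieve`; and `login(null, null)` in the second example should be qualified as `Repository#login` so readers do not take it for a method of the enclosing class.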

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1592742&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Tue May  6 13:29:20 2014
@@ -0,0 +1,25 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+Token Management
+--------------------------------------------------------------------------------
+
+_todo_
+
+
+- TokenProvider
+- TokenInfo
\ No newline at end of file
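Review bot: another `_todo_` page linked from the overview. The `rep:Token` node type definition that the differences.md hunk in this commit keeps (`rep:token.key` and `rep:token.exp`, both `protected mandatory`) belongs here, together with a statement of how `rep:token.key` is stored (hashed or in clear) and how `rep:token.exp` expiry is enforced, since those two properties are what makes a login token safe to persist in the repository. Also add the missing trailing newline.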

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/overview.md Tue May  6 13:29:20 2014
@@ -15,10 +15,16 @@
    limitations under the License.
   -->
 
-The Oak Security Layer - Overview
-=================================
+The Oak Security Layer
+======================
 
 * [Authentication](authentication.html)
+     * [Differences wrt Jackrabbit 2.x](authentication/differences.html)
+     * [External Login Module and User Synchronization](authentication/externalloginmodule.html)
+     * [Identity Management](authentication/identitymanagement.html)
+     * [LDAP Integration](authentication/ldap.html)
+     * [Pre-Authentication](authentication/preauthentication.html)
+     * [Token Management](authentication/tokenmanagement.html)
 * [Access Control](accesscontrol.html)
 * [Permission Evaluation](permission.html)
 * [Privilege Management](privilege.html)

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Tue May  6 13:29:20 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Permission Evaluation
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md Tue May  6 13:29:20 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Principal Management
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Tue May  6 13:29:20 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Privilege Management
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1592742&r1=1592741&r2=1592742&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Tue May  6 13:29:20 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 User Management
 --------------------------------------------------------------------------------


