jackrabbit-oak-commits mailing list archives

From mdue...@apache.org
Subject svn commit: r1593054 - in /jackrabbit/oak/branches/1.0: ./ oak-doc/ oak-doc/src/site/markdown/ oak-doc/src/site/markdown/security/
Date Wed, 07 May 2014 16:25:24 GMT
Author: mduerig
Date: Wed May  7 16:25:23 2014
New Revision: 1593054

URL: http://svn.apache.org/r1593054
Log:
OAK-301: Document Oak
Merged r1591293

Added:
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/accesscontrol.md
      - copied unchanged from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication.md
      - copied unchanged from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/permission.md
      - copied unchanged from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/principal.md
      - copied unchanged from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/privilege.md
      - copied unchanged from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/user.md
      - copied unchanged from r1591293, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
Removed:
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/external_login_module.md
Modified:
    jackrabbit/oak/branches/1.0/   (props changed)
    jackrabbit/oak/branches/1.0/oak-doc/   (props changed)
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences_authentication.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md

Propchange: jackrabbit/oak/branches/1.0/
------------------------------------------------------------------------------
  Merged /jackrabbit/oak/trunk:r1591293

Propchange: jackrabbit/oak/branches/1.0/oak-doc/
------------------------------------------------------------------------------
  Merged /jackrabbit/oak/trunk/oak-doc:r1591293

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md?rev=1593054&r1=1593053&r2=1593054&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md Wed May  7 16:25:23
2014
@@ -257,9 +257,9 @@ Because of the different identifier impl
 Security
 --------
 
-* [AccessControl Management](differences_accesscontrol.html)
 * [Authentication](differences_authentication.html)
+* [AccessControl Management](differences_accesscontrol.html)
 * [Permission Evaluation](differences_permission.html)
-* [Principal Management](differences_principal.html)
 * [Privilege Management](differences_privileges.html)
+* [Principal Management](differences_principal.html)
 * [User Management](differences_user.html)
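Review bot: the link labels in this list are not consistent with the ones introduced in security/overview.md by the same commit: this list says "AccessControl Management" while the overview says "Access Control". Since the reorder here brings both lists into the same sequence (Authentication, Access Control, Permission, Privilege, Principal, User), consider aligning the labels too so the two indexes read the same.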

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences_authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences_authentication.md?rev=1593054&r1=1593053&r2=1593054&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences_authentication.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences_authentication.md Wed
May  7 16:25:23 2014
@@ -59,42 +59,29 @@ This behavior is now consistent with the
 which doesn't have a password set.
 
 
-##### Pre-Authentication in the LoginContextProvider
+##### Pre-Authentication
 
-Like in Jackrabbit-core the repository internal authentication verification can be skipped
by calling `Repository#login()` or `Repository#login(null, wspName)`. In this case the repository
implementation expects the verification to be performed prior to the login call.
+Oak provides two different mechanisms to create pre-authentication that doesn't
+involve the repositories internal authentication mechanism for credentials
+validation.
 
-This behavior is provided by the default implementation of the `LoginContextProvider` [1]
which expects a `Subject` to be available with the current `java.security.AccessControlContext`.
However, in contrast to Jackrabbit-core the current implementation does not try to extend
the pre-authenticated subject but skips the internal verification step altogether.
+see [Authentication](security/authentication.html) for details and examples.
 
-Since the `LoginContextProvider` is a configurable with the authentication setup OAK users
also have the following options by providing a custom `LoginContextProvider`:
+###### Pre-Authentication combined with Login Module Chain
 
-- Disable pre-authentication by not trying to retrieve a pre-authenticated `Subject`.
-- Add support for extending the pre-authenticated subject by always passing writable subjects
to the `JaasLoginContext`
-- Dropping JAAS altogether by providing a custom implementation of the
-  `org.apache.jackrabbit.oak.spi.security.authentication.LoginContext` [2] interface.
-
-Example how to use the pre-auth:
-
-    String userId = "test";
-    /**
-     Retrive valid principals e.g. by calling jackrabbit API
-     - PrincipalManager#getPrincipal and/or #getGroupMembership
-     or from Oak SPI
-     - PrincipalProvider#getPrincipals(String userId)
-     */
-    Set<? extends Principal> principals = getPrincipals(userId);
-    AuthInfo authInfo = new AuthInfoImpl(userId, Collections.<String, Object>emptyMap(),
principals);
-    Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.<Object>emptySet());
-    Session session;
-    try {
-        session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>()
{
-            @Override
-            public Session run() throws Exception {
-                return login(null, null);
-            }
-        }, null);
-    } catch (PrivilegedActionException e) {
-        throw new RepositoryException("failed to retrieve session.", e);
-    }
+The first variant allows to combine pre-authenticated login with the JAAS login
+module chain.
+
+###### Pre-Authentication without Repository Involvement
+
+Like in Jackrabbit-core the repository internal authentication verification can
+be skipped by calling `Repository#login()` or `Repository#login(null, wspName)`.
+
+In the default implementation the `LoginContextProvider` [1] expects a `Subject`
+to be available with the current `java.security.AccessControlContext`.
+However, in contrast to Jackrabbit-core the current implementation does not
+try to extend the pre-authenticated subject but skips the internal verification
+step altogether.
 
 #### 2. Impersonation
 
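Review bot: the new "Pre-Authentication without Repository Involvement" section drops the sentence "In this case the repository implementation expects the verification to be performed prior to the login call", which is the caveat a reader most needs here, because the remaining text says the internal verification step is skipped altogether when a `Subject` is found in the `AccessControlContext`. Suggest restoring that sentence so it stays explicit that the caller is responsible for having authenticated the subject. The removed bullet list also documented that a custom `LoginContextProvider` can disable pre-authentication; if that now lives in security/authentication.html, a pointer from this section would keep it discoverable. Minor points: "repositories internal" should be "repository's internal", "see [Authentication]" should start with a capital, the "Login Module Chain" subsection speaks of a "first variant" without the text naming the second, and with the only visible `[2]` citation removed, the matching reference definition outside this hunk should be checked for being unused.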

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md?rev=1593054&r1=1593053&r2=1593054&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md Wed May  7
16:25:23 2014
@@ -15,6 +15,12 @@
    limitations under the License.
   -->
 
-# Overview
+The Oak Security Layer - Overview
+=================================
 
-* [Authentication / Login Modules](external_login_module.html)
+* [Authentication](authentication.html)
+* [Access Control](accesscontrol.html)
+* [Permission Evaluation](permission.html)
+* [Privilege Management](privilege.html)
+* [Principal Management](principal.html)
+* [User Management](user.html)
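Review bot: the link to external_login_module.html is removed here and the commit deletes external_login_module.md, so any remaining inbound links to that page (site navigation, other markdown files) will break; please confirm none are left and that the external login module documentation is reachable from the new authentication.html. Style point: the heading switches from the ATX form `# Overview` to a setext underlined title, which is fine if the other new security pages use the same form.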


