jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mdue...@apache.org
Subject svn commit: r1593058 - in /jackrabbit/oak/branches/1.0: ./ oak-doc/ oak-doc/src/site/markdown/ oak-doc/src/site/markdown/security/ oak-doc/src/site/markdown/security/authentication/
Date Wed, 07 May 2014 16:28:10 GMT
Author: mduerig
Date: Wed May  7 16:28:09 2014
New Revision: 1593058

URL: http://svn.apache.org/r1593058
Log:
OAK-301: Document Oak
Merged r1592742

Added:
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication/
      - copied from r1592742, jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/
Removed:
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences_authentication.md
Modified:
    jackrabbit/oak/branches/1.0/   (props changed)
    jackrabbit/oak/branches/1.0/oak-doc/   (props changed)
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/permission.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/principal.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/privilege.md
    jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/user.md

Propchange: jackrabbit/oak/branches/1.0/
------------------------------------------------------------------------------
  Merged /jackrabbit/oak/trunk:r1592742

Propchange: jackrabbit/oak/branches/1.0/oak-doc/
------------------------------------------------------------------------------
  Merged /jackrabbit/oak/trunk/oak-doc:r1592742

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/differences.md Wed May  7 16:28:09
2014
@@ -279,7 +279,7 @@ baselines (`OPTION_BASELINES_SUPPORTED`)
 Security
 --------
 
-* [Authentication](differences_authentication.html)
+* [Authentication](security/authentication/differences.html)
 * [AccessControl Management](differences_accesscontrol.html)
 * [Permission Evaluation](differences_permission.html)
 * [Privilege Management](differences_privileges.html)

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/accesscontrol.md Wed May
 7 16:28:09 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Access Control
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/authentication.md Wed May
 7 16:28:09 2014
@@ -14,46 +14,46 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
-Authentication and Login Modules
-------------------------------------------------------------------------------------------------------------------------
+Authentication
+--------------------------------------------------------------------------------
 
-### General Concepts
+### JAAS Authentication and Login Modules
+
+#### General Concepts
 
 In order to understand how login modules work and how Oak can help providing extension points
we need to look at how
 JAAS authentication works in general and discuss where the actual credential-verification
is performed.
 
-#### Brief recap of the JAAS authentication
-The following section is copied and adapted from the javadoc of [javax.security.auth.spi.LoginModule]:
-
-The authentication process within the `LoginModule` proceeds in two distinct phases. 
-
-1. Login Phase
-
-   1. In the first phase, the `LoginModule`'s `login` method gets invoked by the `LoginContext`'s
`login` method.
-   2. The `login` method for the `LoginModule` then performs the actual authentication (prompt
for and verify a 
-      password for example) and saves its authentication status as private state information.

-   3. Once finished, the `LoginModule`'s login method either returns `true` (if it succeeded)
or `false` (if it should 
-      be ignored), or throws a `LoginException` to specify a failure. In the failure case,
the `LoginModule` must not 
-      retry the authentication or introduce delays. The responsibility of such tasks belongs
to the application. 
-      If the application attempts to retry the authentication, the `LoginModule`'s `login`
method will be called again.
-
-2. Commit Phase
-
-   1. In the second phase, if the `LoginContext`'s overall authentication succeeded (the
relevant REQUIRED, REQUISITE, 
-      SUFFICIENT and OPTIONAL LoginModules succeeded), then the `commit` method for the `LoginModule`
gets invoked. 
-   2. The `commit` method for a `LoginModule` checks its privately saved state to see if
its own authentication 
-      succeeded. 
-   3. If the overall `LoginContext` authentication succeeded and the `LoginModule`'s own
authentication succeeded, then
-      the `commit` method associates the relevant Principals (authenticated identities) and
Credentials (authentication 
-      data such as cryptographic keys) with the Subject located within the `LoginModule`.
-   4. If the `LoginContext`'s overall authentication failed (the relevant REQUIRED, REQUISITE,
SUFFICIENT and OPTIONAL 
-      LoginModules did not succeed), then the `abort` method for each `LoginModule` gets
invoked. In this case, the 
-      `LoginModule` removes/destroys any authentication state originally saved.
+##### Brief recap of the JAAS authentication
+The following section is copied and adapted from the javadoc of [javax.security.auth.spi.LoginModule].
+The authentication process within the `LoginModule` proceeds in two distinct phases,
+login and commit phase:
+
+__A. Login Phase__
+
+1. In the first phase, the `LoginModule`'s `login` method gets invoked by the `LoginContext`'s
`login` method.
+2. The `login` method for the `LoginModule` then performs the actual authentication (prompt
for and verify a
+   password for example) and saves its authentication status as private state information.
+3. Once finished, the `LoginModule`'s login method either returns `true` (if it succeeded)
or `false` (if it should
+   be ignored), or throws a `LoginException` to specify a failure. In the failure case, the
`LoginModule` must not
+   retry the authentication or introduce delays. The responsibility of such tasks belongs
to the application.
+   If the application attempts to retry the authentication, the `LoginModule`'s `login` method
will be called again.
+
+__B. Commit Phase__
+
+1. In the second phase, if the `LoginContext`'s overall authentication succeeded (the relevant
REQUIRED, REQUISITE,
+   SUFFICIENT and OPTIONAL LoginModules succeeded), then the `commit` method for the `LoginModule`
gets invoked.
+2. The `commit` method for a `LoginModule` checks its privately saved state to see if its
own authentication
+   succeeded.
+3. If the overall `LoginContext` authentication succeeded and the `LoginModule`'s own authentication
succeeded, then
+   the `commit` method associates the relevant Principals (authenticated identities) and
Credentials (authentication
+   data such as cryptographic keys) with the Subject located within the `LoginModule`.
+4. If the `LoginContext`'s overall authentication failed (the relevant REQUIRED, REQUISITE,
SUFFICIENT and OPTIONAL
+   LoginModules did not succeed), then the `abort` method for each `LoginModule` gets invoked.
In this case, the
+   `LoginModule` removes/destroys any authentication state originally saved.
       
-#### Login module execution order
+##### Login module execution order
 Very simply put, all the login modules that participate in JAAS authentication are configured
in a list and can have
 flags indicating how to treat their behaviors on the `login()` calls.
 
@@ -85,138 +85,49 @@ LoginModule is configured and succeeds, 
 LoginModule need to have succeeded for the overall authentication to succeed. If no Required
or Requisite LoginModules 
 are configured for an application, then at least one Sufficient or Optional LoginModule must
succeed.
 
-JCR and Oak Authentication
-------------------------------------------------------------------------------------------------------------------------
+### JCR and Oak Authentication
 
 Within the scope of JCR `Repository.login` is used to authenticate a given user.
 This method either takes a `Credentials` argument if the validation is performed
 by the repository itself or `null` in case the user has be pre-authenticated by
 an external system.
 
-### Differences wrt Jackrabbit 2.x
+#### Differences wrt Jackrabbit 2.x
 
-see the corresponding [documentation](../differences_authentication.html).
+see the corresponding [documentation](authentication/differences.html).
 
-### Logins with Credentials
+#### Guest Login
 
 _todo_
 
-### Pre Authenticated Logins
+#### Logins with Credentials
+
+_todo_
+
+#### Impersonation
+
+_todo_
+
+#### Pre Authenticated Logins
 
 Oak provides two different mechanisms to create pre-authentication that doesn't
 involve the repositories internal authentication mechanism for credentials
 validation.
 
-#### Pre-Authentication combined with Login Module Chain
+- Pre-Authentication combined with Login Module Chain
+- Pre-Authentication without Repository Involvement
+
+See section [Pre-Authentication Login](authentication/preauthentication.html) for
+further details and examples.
 
-This first variant allows to support 3rd party login modules that wish to provide
-the login context with pre authenticated login names, but still want to rely on
-the rest of the oak's login module chain. For example an external SSO login module
-can extract the userid from a servlet request and use it to authenticate against
-the repository. But instead of re-implementing the user lookup and subject
-population (and possible external user synchronization) it just sets a respective
-[org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin] on the
-shared state.
-
-This setup is particularly recommended in a OSGi setup that includes Apache Sling
-on top of the Oak repository but still requires user information to be synchronized
-into the repository.
-
-The key to understand this mechanism is `org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin`
-a simple marker, which is pushed to the shared state of the login context and which indicates
-to any subsequent LoginModule that the credentials present in the state already
-have been verified and thus can be trusted.
-
-The basic steps of this pre-authentication are outlined as follows:
-
-1. verify the identity in the layer on top of the JCR repository (e.g. in a custom Sling
Authentication Handler)
-2. pass a custom, non-public Credentials implementation to the repository login
-3. create a custom login module that only supports these dedicated credentials and
-   pushes both a new instance of `PreAuthenticatedLogin` and other information
-   required and processed by subsequent login modules (e.g. credentials and
-   user name).
-4. make sure the subsequent login modules in the JAAS configuration are capable
-   to deal with the `PreAuthenticatedLogin` and the additional information and
-   will properly populate the subject and optionally synchronize user information
-   or create login tokens.
-
-Example implementation of `LoginModule#login` of this kind of custom login module:
-
-    public class PreAuthLoginModule extends AbstractLoginModule {
-
-    [...]
-
-        @Overwrite
-        public boolean login() throws LoginException {
-            Credentials credentials = getCredentials();
-            if (credentials instanceof MyPreAuthCredentials) {
-                userId = ((MyPreAuthCredentials) credentials).getUserId();
-                if (userId == null) {
-                    log.debug("Could not extract userId/credentials");
-                } else {
-                    sharedState.put(SHARED_KEY_PRE_AUTH_LOGIN, new PreAuthenticatedLogin(userId));
-                    sharedState.put(SHARED_KEY_CREDENTIALS, new SimpleCredentials(userId,
new char[0]));
-                    sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
-                    log.debug("login succeeded with trusted user: {}", userId);
-                }
-            }
-
-            [...]
-        }
-    }
-
-#### Pre-Authentication without Repository Involvement
-
-Like in Jackrabbit-core the repository internal authentication verification can
-be skipped by calling `Repository#login()` or `Repository#login(null, wspName)`.
-In this case the repository implementation expects the verification to be performed
-prior to the login call.
-
-This behavior is provided by the default implementation of the `LoginContextProvider` [1]
-which expects a `Subject` to be available with the current `java.security.AccessControlContext`.
-However, in contrast to Jackrabbit-core the current implementation does not try
-to extend the pre-authenticated subject but skips the internal verification step altogether.
-
-Since the `LoginContextProvider` is a configurable with the authentication setup
-OAK users also have the following options by providing a custom `LoginContextProvider`:
-
-- Disable pre-authentication by not trying to retrieve a pre-authenticated `Subject`.
-- Add support for extending the pre-authenticated subject by always passing writable subjects
to the `JaasLoginContext`
-- Dropping JAAS altogether by providing a custom implementation of the
-  `org.apache.jackrabbit.oak.spi.security.authentication.LoginContext` [2] interface.
-
-Example how to use this type of pre-authentication:
-
-    String userId = "test";
-    /**
-     Retrive valid principals e.g. by calling jackrabbit API
-     - PrincipalManager#getPrincipal and/or #getGroupMembership
-     or from Oak SPI
-     - PrincipalProvider#getPrincipals(String userId)
-     */
-    Set<? extends Principal> principals = getPrincipals(userId);
-    AuthInfo authInfo = new AuthInfoImpl(userId, Collections.<String, Object>emptyMap(),
principals);
-    Subject subject = new Subject(true, principals, Collections.singleton(authInfo), Collections.<Object>emptySet());
-    Session session;
-    try {
-        session = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>()
{
-            @Override
-            public Session run() throws Exception {
-                return login(null, null);
-            }
-        }, null);
-    } catch (PrivilegedActionException e) {
-        throw new RepositoryException("failed to retrieve session.", e);
-    }
 
-Oak Login Module Implementations
-------------------------------------------------------------------------------------------------------------------------
+### Oak Login Module Implementations
 
-### Abstract Login Module
+#### Abstract Login Module
 
 _todo_
 
-### Default Login Module
+#### Default Login Module
 
 The behavior of the default login module is relatively simple, so it is explained first:
 
@@ -236,7 +147,7 @@ upon commit():
 * if the private state contains the credentials and principals, it adds them (both) to the
subject and **returns `true`**
 * if the private state does not contain credentials and principals, it clears the state and
**returns `false`**
 
-### Token Login Module
+#### Token Login Module
 
 _todo_
 
@@ -244,150 +155,36 @@ _todo_
 
 _todo_
 
-### External Login Module
-
-#### Overview
-The purpose of the external login module is to provide a base implementation that allows
easy integration of 3rd party 
-authentication and identity systems, such as LDAP. The general mode of the external login
module is to use the external
-system as authentication source and as a provider for users and groups.
-
-what it does:
-
-* facilitate the use of a 3rd party system for authentication
-* simplify populating the oak user manager with identities from a 3rd party system
-
-what it does not:
-
-* provide a transparent oak user manager
-* provide a transparent oak principal provider.
-* offer services for background synchronization of users and groups
-
-#### Structure
-The external identity and login handling is split into 3 parts:
-
-1. An external identity provider (IDP). This is a service implementing the `ExternalIdentityProvider`
interface and is responsible to retrieve and authenticate identities towards an external system
(e.g. LDAP).
-2. An synchronization handler. This is a service implementing the `SyncHandler` interface
and is responsible to actually managing the external identities within the Oak user management.
A very trivial implementation might just create users and groups for external ones on demand.
-3. The external login module (ExtLM). This is the connection between JAAS login mechanism,
the external identity provider and the synchronization handler.
-
-This modularization allows to reuse the same external login module for different combinations
of IDPs and synchronization handlers. Although in practice, systems usually have 1 of each.

-
-An example where multiple such entities come into play would be the case to use several LDAP
servers for authentication. Here we would configure 2 LDAP IDPs, 1 Sync handler and 2 ExtLMs.
-
-##### Authentication and subject population
-The goal of the external login module is to provide a very simple way of using 
-_"the users stored in an external system for authentication and authorization in the Oak
content repository"_. So the
-easiest way of doing this is to import the users on-demand when they log in. 
+#### External Login Module
 
-#### Behavior of the External Login Module
+The external login module is a base implementation that allows easy integration
+of 3rd party authentication and identity systems, such as [LDAP](ldap.html). The
+general mode of the external login module is to use the external system as authentication
+source and as a provider for users and groups that may also be synchronized into
+the repository.
 
-##### General
-The external login module has 2 main tasks. one is to authenticate credentials against a
3rd party system, the other is
-to coordinate syncing of the respective users and groups with the JCR repository (via the
UserManager).
+This login module implementation requires an valid `SyncHandler` and `IdentityProvider`
+to be present.
 
-If a user needs re-authentication (for example, if the cache validity expired or if the user
is not yet present in the
-local system at all), the login module must check the credentials with the external system
during the `login()` method. 
+Further reading:
+- [External LoginModule and User Synchronization](authentication/externalloginmodule.html):
Details regarding the login module and the associated interfaces as well as configuration
of the default implementations present with Oak.
+- [LDAP Integration](authentication/ldap.html): How to make use of the `ExternalLoginModule`
to authenticate against LDAP.
 
-**ExternalLoginModule**
 
-Note:
+### Authentication related Interfaces and Extension Points in Oak
 
-* users (and groups) that are synced from the 3rd party system contain a `rep:externalId`
property. This allows to identify the external users and distinguish them from others.
-* to reduce expensive syncing, the synced users and groups have sync timestamp `rep:lastSynced`
and are considered valid for a configurable time. if they expire, they need to be validated
against the 3rd party system again.
-
-upon login():
-
-* if the user exists in the repository and is not an externally synced, **return `false`**
-* if the user exists in the 3rd party system but the credentials don't match it **throws
`LoginException`**
-* if the user exists in the 3rd party system and the credentials match
-    * put the credentials in the shared and private state 
-    * possibly sync the user 
-    * and **returns `true`**
-* if the user does not exist in the 3rd party system, checks if it needs to remove the user
and then it **returns `false`**
-
-upon commit():
-
-* if there is no credentials in the private state, it **returns `false`**
-* if there are credentials in the private state propagate the subject and **return `true`**
-
-#### User and Group Synchronization
-
-The synchronization of users and groups is triggered by the external login module, after
a user is successfully
-authenticated against the IDP or if it's no longer present on the IDP.
-
-##### Configuration of the DefaultSyncHandler
-Oak provides a default synchronization handler that is configured via [org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfig].
The handler is configured either via OSGi or during manual [Repository Construction](../construct.html).
-
-| Name                          | Property                      | Description           
                  |
-|-------------------------------|-------------------------------|------------------------------------------|
-| Sync Handler Name             | `handler.name`                | Name of this sync configuration.
This is used to reference this handler by the login modules. |
-| User auto membership          | `user.autoMembership`         | List of groups that a synced
user is added to automatically |
-| User Expiration Time          | `user.expirationTime`         | Duration until a synced
user gets expired (eg. '1h 30m' or '1d'). |
-| User Membership Expiration    | `user.membershipExpTime`      | Time after which membership
expires (eg. '1h 30m' or '1d'). |
-| User membership nesting depth | `user.membershipNestingDepth` | Returns the maximum depth
of group nesting when membership relations are synced. A value of 0 effectively disables group
membership lookup. A value of 1 only adds the direct groups of a user. This value has no effect
when syncing individual groups only when syncing a users membership ancestry. |
-| User Path Prefix              | `user.pathPrefix`             | The path prefix used when
creating new users. |
-| User property mapping         | `user.propertyMapping`        | List mapping definition
of local properties from external ones. eg: 'profile/email=mail'.Use double quotes for fixed
values. eg: 'profile/nt:primaryType="nt:unstructured" |
-| Group auto membership         | `group.autoMembership`        | List of groups that a synced
group is added to automatically |
-| Group Expiration Time         | `group.expirationTime`        | Duration until a synced
group expires (eg. '1h 30m' or '1d'). |
-| Group Path Prefix             | `group.pathPrefix`            | The path prefix used when
creating new groups. |
-| Group property mapping        | `group.propertyMapping`       | List mapping definition
of local properties from external ones. |
-| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
| | |
-
-#### External Identity Provider
+#### LoginContextProvider
 
 _todo_
 
+#### Token Management
 
-Authentication related Interfaces and Extension Points in Oak
-------------------------------------------------------------------------------------------------------------------------
+See section [token management](authentication/tokenmanagement.html) for details.
 
-### Token Management
-
-_todo_
-
-#### TokenProvider
-#### TokenInfo
-
-### External Identity Management
-
-_todo_
-
-##### LDAP Identity Provider
-Oak comes with a default implementation of an LDAP identity provider.
-
-###### Configuration
-The LDAP IPDs are configured through the [org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]
-which is populated either via OSGi or during manual [Repository Construction](../construct.html).
-
-| Name                         | Property                | Description                  
           |
-|------------------------------|-------------------------|------------------------------------------|
-| LDAP Provider Name           | `provider.name`         | Name of this LDAP provider configuration.
This is used to reference this provider by the login modules. |
-| Bind DN                      | `bind.dn`               | DN of the user for authentication.
Leave empty for anonymous bind. |
-| Bind Password                | `bind.password`         | Password of the user for authentication.
|
-| LDAP Server Hostname         | `host.name`             | Hostname of the LDAP server  
           |
-| Disable certificate checking | `host.noCertCheck`      | Indicates if server certificate
validation should be disabled. |
-| LDAP Server Port             | `host.port`             | Port of the LDAP server      
           |
-| Use SSL                      | `host.ssl`              | Indicates if an SSL (LDAPs) connection
should be used. |
-| Use TLS                      | `host.tls`              | Indicates if TLS should be started
on connections. |
-| Search Timeout               | `searchTimeout`         | Time in until a search times out
(eg: '1s' or '1m 30s'). |
-| User base DN                 | `user.baseDN`           | The base DN for user searches.
          |
-| User extra filter            | `user.extraFilter`      | Extra LDAP filter to use when
searching for users. The final filter is formatted like: `(&(<idAttr>=<userId>)(objectclass=<objectclass>)<extraFilter>)`
|
-| User id attribute            | `user.idAttribute`      | Name of the attribute that contains
the user id. |
-| User DN paths                | `user.makeDnPath`       | Controls if the DN should be used
for calculating a portion of the intermediate path. |
-| User object classes          | `user.objectclass`      | The list of object classes an
user entry must contain. |
-| Group base DN                | `group.baseDN`          | The base DN for group searches.
         |
-| Group extra filter           | `group.extraFilter`     | Extra LDAP filter to use when
searching for groups. The final filter is formatted like: `(&(<nameAttr>=<groupName>)(objectclass=<objectclass>)<extraFilter>)`
|
-| Group DN paths               | `group.makeDnPath`      | Controls if the DN should be used
for calculating a portion of the intermediate path. |
-| Group member attribute       | `group.memberAttribute` | Group attribute that contains
the member(s) of a group. |
-| Group name attribute         | `group.nameAttribute`   | Name of the attribute that contains
the group name. |
-| Group object classes         | `group.objectclass`     | The list of object classes a group
entry must contain. |
-| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
| | |
+#### External Identity Management
 
+See section [identity management](authentication/identitymanagement.html) for details.
 
 <!-- references -->
 [javax.security.auth.spi.LoginModule]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html
-[javax.security.auth.login.Configuration]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html
-[org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthenticatedLogin.html
-[org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfig]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DefaultSyncConfig.html
-[org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig]: /oak/docs/apidocs/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.html
-
-
+[javax.security.auth.login.Configuration]: http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html
\ No newline at end of file

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/overview.md Wed May  7
16:28:09 2014
@@ -15,10 +15,16 @@
    limitations under the License.
   -->
 
-The Oak Security Layer - Overview
-=================================
+The Oak Security Layer
+======================
 
 * [Authentication](authentication.html)
+     * [Differences wrt Jackrabbit 2.x](authentication/differences.html)
+     * [External Login Module and User Synchronization](authentication/externalloginmodule.html)
+     * [Identity Management](authentication/identitymanagement.html)
+     * [LDAP Integration](authentication/ldap.html)
+     * [Pre-Authentication](authentication/preauthentication.html)
+     * [Token Management](authentication/tokenmanagement.html)
 * [Access Control](accesscontrol.html)
 * [Permission Evaluation](permission.html)
 * [Privilege Management](privilege.html)

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/permission.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/permission.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/permission.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/permission.md Wed May 
7 16:28:09 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Permission Evaluation
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/principal.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/principal.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/principal.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/principal.md Wed May  7
16:28:09 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Principal Management
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/privilege.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/privilege.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/privilege.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/privilege.md Wed May  7
16:28:09 2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 Privilege Management
 --------------------------------------------------------------------------------

Modified: jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/user.md?rev=1593058&r1=1593057&r2=1593058&view=diff
==============================================================================
--- jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/branches/1.0/oak-doc/src/site/markdown/security/user.md Wed May  7 16:28:09
2014
@@ -14,8 +14,6 @@
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
-The Oak Security Layer
-======================
 
 User Management
 --------------------------------------------------------------------------------



Mime
View raw message