Author: angela
Date: Thu Nov 1 09:07:01 2018
New Revision: 1845417

URL: http://svn.apache.org/viewvc?rev=1845417&view=rev
Log:
OAK-7871 : Broken headers in security documentation

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md 
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Thu Nov 1 09:07:01 2018 @@ -28,7 +28,7 @@ read [Using the Access Control Managemen a comprehensive list of method calls as well as examples that may be used to edit the access control content of the repository. -<a name="jcr_api"/> +<a name="jcr_api"></a> ### JCR API Access Control Management is an optional feature defined by [JSR 283] consisting of @@ -58,7 +58,7 @@ The JCR access control management has th - *effect*: policies bound to a given node only take effect upon `Session.save()`. Access to properties is defined by the their parent node. - *scope*: a given policy may not only affect the node it is bound to but may have an effect on accessibility of items elsewhere in the workspace. -<a name="jackrabbit_api"/> +<a name="jackrabbit_api"></a> ### Jackrabbit API The Jackrabbit API defines various access control related extensions to the 
@@ -80,7 +80,7 @@ The following interfaces and extensions - `JackrabbitAccessControlList` - `JackrabbitAccessControlEntry` -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions Oak defines the following interfaces extending the access control management API: @@ -102,7 +102,7 @@ Oak 1.0 defines a dedicated restriction [Restriction Management](authorization/restriction.html) for details and further information regarding extensibility and pluggability. -<a name="utilities"/> +<a name="utilities"></a> ### Utilities The jcr-commons module present with Jackrabbit provide some access control related @@ -124,14 +124,14 @@ the complete list of methods. acMgr.setPolicy(path, acl); session.save(); -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Characteristics of the Default Implementation The behavior of the default access control implementation is described in sections [Access Control Management: The Default Implementation](accesscontrol/default.html) and [Restriction Management](authorization/restriction.html). -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The configuration of the access control management implementation is handled 
@@ -146,7 +146,7 @@ methods: The supported configuration options of the default implementation are described in the corresponding [section](accesscontrol/default.html#configuration). -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Differences wrt Jackrabbit 2.x](accesscontrol/differences.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/default.md Thu Nov 1 09:07:01 2018 @@ -115,7 +115,7 @@ restrictions as mentioned by JSR 283. De in Oak 1.0 as well as a list of built-in restrictions and extensibility can be found in section [Restriction Management](../authorization/restriction.html). -<a name="representation"/> +<a name="representation"></a> ### Representation in the Repository All access control policies defined with an Oak repository are stores child of @@ -199,6 +199,7 @@ the node they are bound to. The node typ } } +<a name="xml_import"></a> ### XML Import As of OAK 1.0 access control content can be imported both with Session and @@ -225,7 +226,7 @@ the following entry: See also ([OAK-1350](https://issues.apache.org/jira/browse/OAK-1350))) -<a name="validation"/> +<a name="validation"></a> ### Validation The consistency of this content structure is asserted by a dedicated `AccessControlValidator`. 
@@ -248,7 +249,7 @@ The corresponding errors are all of type | 0013 | Duplicate ACE found in policy | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration #### Configuration Parameters Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/editing.md Thu Nov 1 09:07:01 2018 @@ -18,6 +18,7 @@ Using the Access Control Management API -------------------------------------------------------------------------------- +<a name="read"></a> ### Reading #### Privilege Discovery @@ -98,6 +99,7 @@ and privileges on `AccessControlManager` - `JackrabbitAccessControlManager` - `getEffectivePolicies(Set<Principal>)` +<a name="write"></a> ### Writing #### Adding Policies @@ -266,6 +268,7 @@ or alternatively use `AccessControlUtils } } +<a name="repository_level"></a> ### Access Control on Repository Level ##### Examples Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication.md Thu Nov 1 09:07:01 2018 
@@ -76,7 +76,7 @@ LoginModule is configured and succeeds, LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed. -<a name="jcr_api"/> +<a name="jcr_api"></a> ### JCR API Within the scope of JCR `Repository.login` is used to authenticate a given user. @@ -104,7 +104,7 @@ for further details. In addition JCR defines `Session.impersonate(Credentials)` to impersonate another user or - as of JSR 333 - clone an existing session. -<a name="oak_api"/> +<a name="oak_api"></a> ### Oak API The Oak API contains the following authentication related methods and interfaces @@ -113,7 +113,7 @@ The Oak API contains the following authe - `ContentRepository.login(Credentials, String)`: The Oak counterpart of the JCR login. - `ContentSession.getAuthInfo()`: exposes the `AuthInfo` associated with the `ContentSession`. -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extension #### Oak Authentication @@ -185,7 +185,7 @@ Subclasses are required to implement the } } -<a name="supported_credentials"/> +<a name="supported_credentials"></a> #### Supported Credentials Since Oak 1.5.1 the extensions additionally contain a dedicated interface that @@ -195,7 +195,7 @@ eases the support for different `Credent - [CredentialsSupport]: Interface definition exposing the set of supported `Credentials` classes and some common utility methods. - [SimpleCredentialsSupport]: Default implementation for the widely used `SimpleCredentials` -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Oak Authentication Implementation A description of the various requirements covered by Oak by default as well 
@@ -205,7 +205,7 @@ section [Authentication: Implementation See section [differences](authentication/differences.html) for comprehensive list of differences wrt authentication between Jackrabbit 2.x and Oak. -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The configuration of the authentication setup is defined by the [AuthenticationConfiguration]. @@ -223,7 +223,7 @@ There also exists a utility class that a - `TokenLoginModule`: covers token based authentication - `LoginModuleImpl`: covering regular uid/pw login -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The default security setup as present with Oak 1.0 is able to provide custom @@ -238,7 +238,7 @@ implementation on various levels: by making the modules accessible to the framework and setting their execution order accordingly. In a Non-OSGi setup this is specified in the [JAAS config]. -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Authentication: Implementation Details](authentication/default.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/default.md Thu Nov 1 09:07:01 2018 @@ -39,7 +39,7 @@ dedicated `LoginModule` implementation(s - [Pre-Authenticated Login](#pre_authenticated) - [External Login](#external) -<a name="guest"/> +<a name="guest"></a> #### Guest Login The proper way to obtain an guest session as of Oak is as specified by JSR 283: 
@@ -89,7 +89,7 @@ The behavior of the `GuestLoginModule` i `EveryonePrincipal` the `Subject` in phase 2 of the login process and **returns** `true` - otherwise it **returns** `false` -<a name="uid_pw"/> +<a name="uid_pw"></a> #### UserId/Password Login Oak 1.0 comes with 2 different login module implementations that can handle @@ -126,7 +126,7 @@ This login module implementations behave * if the private state contains the credentials and principals, it adds them (both) to the subject and **returns `true`** * if the private state does not contain credentials and principals, it clears the state and **returns `false`** -<a name="user_authentication"/> +<a name="user_authentication"></a> ###### User Authentication The `LoginModuleImpl` uses a configured `Authentication`-implementation for @@ -142,7 +142,7 @@ will take precedence. See also section [user management](../user/default.html#pluggability). -<a name="impersonation"/> +<a name="impersonation"></a> #### Impersonation Login Another flavor of the Oak authentication implementation is covered by @@ -201,7 +201,7 @@ following steps in order to get JCR impe with the editing session can be identified by the [AuthInfo] obtained from from `ImpersonationCredentials.getImpersonatorInfo()`. -<a name="token"/> +<a name="token"></a> #### Token Login See section [Token Authentication](tokenmanagement.html) for details @@ -213,7 +213,7 @@ The `TokenLoginModule` is in charge of c repository logins with `TokenCredentials`. The exact behavior of this login module is described in section [Token Authentication](tokenmanagement.html). -<a name="pre_authenticated"/> +<a name="pre_authenticated"></a> #### Pre-Authenticated Login Oak provides two different mechanisms to create pre-authentication that doesn't 
@@ -226,7 +226,7 @@ validation. See section [Pre-Authentication Login](preauthentication.html) for further details and examples. -<a name="external"/> +<a name="external"></a> #### External Login While the default setup in Oak is solely relying on repository functionality to Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/defaultusersync.md Thu Nov 1 09:07:01 2018 @@ -84,7 +84,7 @@ maps the ID of a synchronized user/group represented by [ExternalIdentityRef]. -<a name="dynamic_membership"/> +<a name="dynamic_membership"></a> ### Dynamic Group Membership As of Oak 1.5.3 the default sync handler comes with an addition configuration @@ -95,7 +95,7 @@ groups are synchronized (see also [OAK-4 The details and effects on other security related modules are described in section [Dynamic Membership](dynamic.html). -<a name="xml_import"/> +<a name="xml_import"></a> #### XML Import The protected nature of the `rep:externalPrincipalNames` is also reflected during @@ -109,7 +109,7 @@ the JMX console. Depending on the _User the target system the sync will then result in a full sync of group membership or will re-create the `rep:externalPrincipalNames` property. -<a name="validation"/> +<a name="validation"></a> #### Validation ##### rep:externalPrincipalNames 
@@ -143,7 +143,7 @@ validator performs the following checks: | 0075 | Property 'rep:externalId' may only have a single value of type STRING. | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration #### Configuration of the DefaultSyncHandler Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/external/externallogin_examples.md Thu Nov 1 09:07:01 2018 @@ -21,7 +21,7 @@ Authentication with External Login Modul - [Integration with Standard Oak Authentication](#standard) - [Integration with Pre-Authentication and Login Module Chain](#preauth) -<a name="standard"/> +<a name="standard"></a> ### Integration with Standard Oak Authentication #### Example JAAS Configuration 
@@ -143,7 +143,7 @@ Authentication with External Login Modul `CredentialsSupport` that ensures that authentication against the external IDP is successful. -<a name="preauth"/> +<a name="preauth"></a> ### Integration with Pre-Authentication and Login Module Chain #### Example JAAS Configuration Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md Thu Nov 1 09:07:01 2018 @@ -36,7 +36,7 @@ What it does not: * provide a transparent oak principal provider. * offer services for background synchronization of users and groups -<a name="details"/> +<a name="details"></a> ### Implementation Details The external identity and login handling is split into 3 parts: @@ -121,7 +121,7 @@ present on the IDP. See section [User Synchronization](usersync.html) for further details and a description of the default implementation. -<a name="configuration"/> +<a name="configuration"></a> ### Configuration 
@@ -157,7 +157,7 @@ are omitted): org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl sufficient; }; -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/preauthentication.md Thu Nov 1 09:07:01 2018 @@ -25,7 +25,7 @@ validation. - [Pre-Authentication combined with Login Module Chain](#withloginchain) - [Pre-Authentication without Repository Involvement](#withoutrepository) -<a name="withloginchain"/> +<a name="withloginchain"></a> ### Pre-Authentication combined with Login Module Chain This first variant allows to support 3rd party login modules that wish to provide @@ -99,7 +99,7 @@ marker to the shared state: } } -<a name="withoutrepository"/> +<a name="withoutrepository"></a> ### Pre-Authentication without Repository Involvement Like in Jackrabbit-core the repository internal authentication verification can Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/token/default.md Thu Nov 1 09:07:01 2018 
@@ -106,7 +106,7 @@ throttling method was introduced to only This is available with Oak 1.7.12 on, see also [OAK-6818]for additional information. -<a name="representation"/> +<a name="representation"></a> ### Representation in the Repository #### Content Structure @@ -181,7 +181,7 @@ definition: } } -<a name="validation"/> +<a name="validation"></a> ### Validation The consistency of this content structure both on creation and modification is @@ -201,7 +201,7 @@ all of type `Constraint` with the follow | 0068 | Invalid location of .tokens node | | 0069 | Change type of .tokens parent node | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The default Oak `TokenConfiguration` allows to define the following configuration @@ -221,7 +221,7 @@ options for the `TokenProvider`: | | | | -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability In an OSGi-based setup the default `TokenConfiguration` you can bind a Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Thu Nov 1 09:07:01 2018 @@ -68,7 +68,7 @@ authentication phases behave as follows: }; -<a name="api_extensions"/> +<a name="api_extensions"></a> ### Token Management API Oak 1.0 defines the following interfaces used to manage login tokens: 
@@ -85,20 +85,20 @@ that is able to aggregate multiple `Toke See section [Pluggability](#pluggability) for an example. -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Characteristics of the Default Implementation The characteristics of the default token management implementation is described in section [Token Management : The Default Implementation](token/default.html). -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The configuration options of the default implementation are described in the [Configuration](token/default.html#configuration) section. -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The default security setup as present with Oak 1.0 is able to deal with Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization.md Thu Nov 1 09:07:01 2018 @@ -41,7 +41,7 @@ handle both in a consistent manner. Cons authorization related operations is a single `AuthorizationConfiguration` (see section [configuration](#configuration) below). -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions The API extensions provided by Oak are covered in the following sections: @@ -50,7 +50,7 @@ The API extensions provided by Oak are c - [Permissions](permission.html#api_extensions) - [Restriction Management](authorization/restriction.html#api_extensions) -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The configuration of the authorization related parts is handled by the [AuthorizationConfiguration]. 
@@ -66,7 +66,7 @@ The supported configuration options of t separately for [access control management](accesscontrol/default.html#configuration) and [permission evalution](permission/default.html#configuration) . -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability There are multiple options for plugging authorization related custom implementations: @@ -99,7 +99,7 @@ restriction management that allows to na items matching a given, defined behavior. Details can be found in section [RestrictionManagement](authorization/restriction.html#pluggability). -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Access Control Management](accesscontrol.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md Thu Nov 1 09:07:01 2018 @@ -34,7 +34,7 @@ models, this extension is only recommend knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so might otherwise result in severe security issues and heavily impact overall performance. -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions There are two interfaces required to make a given authorization model deployable @@ -70,7 +70,7 @@ this fact by just returning the subset o will consequently not consult this implementation for the evaluation of write permissions and move on to other providers in the aggregate. -<a name="details"/> +<a name="details"></a> ### Implementation Details As soon as multiple authorization models are configured with the security setup, 
@@ -145,13 +145,13 @@ extensions and the permission evaluation provide no support for restrictions. Examples include modules that deal with different types of `AccessControlPolicy` where restriction management doesn't apply (see for example [oak-authorization-cug](cug.html#details)). -<a name="configuration"/> +<a name="configuration"></a> ### Configuration By default the `CompositeAuthorizationConfiguration` aggregates results by applying an `AND` operation to the current set of providers. This can be changed via configuration to an `OR`. See section [Introduction to Oak Security](../../introduction.html#configuration) for further details. -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The following steps are required to plug an additional authorization model into Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/cug.md Thu Nov 1 09:07:01 2018 @@ -49,7 +49,7 @@ be applied to the repository without tak effect upon being persisted, i.e. access to items located in a restricted are will be subject to the permission evaluation associated with the authorization model. -<a name="jackrabbit_api"/> +<a name="jackrabbit_api"></a> ### Jackrabbit API The Jackrabbit API defines an extension of the JCR [AccessControlPolicy] interface 
@@ -61,7 +61,7 @@ intended to grant the ability to perform See [Jackrabbit API](http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/authorization/PrincipalSetPolicy.java) for details and the methods exposed by the interface. -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions The module comes with the following extension in the @@ -100,7 +100,7 @@ allows to excluded principals by their n See also section [Pluggability](#pluggability) below. -<a name="details"/> +<a name="details"></a> ### Implementation Details #### Access Control Management @@ -183,7 +183,7 @@ _Note:_ the multivalued `rep:principalNa that CUGs are intended to be used for small principal sets, preferably `java.security.acl.Group` principals. -<a name="validation"/> +<a name="validation"></a> ### Validation The consistency of this content structure both on creation and modification is @@ -197,7 +197,7 @@ all of type `AccessControl` with the fol | 0022 | Access controlled not not of mixin 'rep:CugMixin' | | 0023 | Wrong name of node with primary type 'rep:CugPolicy' | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The CUG authorization extension is an optional feature that requires mandatory 
@@ -237,7 +237,7 @@ _Note:_ This implementation extends the exclusion list. Alternatively, it is possible to plug a custom `CugExclude` implementation matching specific needs (see [below](#pluggability)). -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The following section describes how to deploy the CUG authorization model into Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/restriction.md Thu Nov 1 09:07:01 2018 @@ -51,7 +51,7 @@ facing usage of restrictions i.e. access In addition Oak provides it's own restriction API that adds support for internal validation and permission evaluation. -<a name="jackrabbit_api"/> +<a name="jackrabbit_api"></a> ### Jackrabbit API The Jackrabbit API add the following extensions to JCR access control management @@ -69,7 +69,7 @@ to read and create entries with restrict - `getRestriction(String restrictionName)`: returns the restriction as JCR value. - `getRestrictions(String restrictionName)`: returns the restriction as array of JCR values (since Oak 1.0, Jackrabbit API 2.8). -<a name="api_extensions"/> +<a name="api_extensions"></a> ### Oak Restriction API The following public interfaces are provided by Oak in the package 
@@ -82,7 +82,7 @@ repository internal permission evaluatio - [RestrictionDefinition]: the static definition of a supported restriction - [RestrictionPattern]: the processed restriction ready for permission evaluation -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Default Implementation Oak 1.0 provides the following base implementations: @@ -158,7 +158,7 @@ Examples without wildcard char: See also [GlobPattern] for implementation details. -<a name="representation"/> +<a name="representation"></a> ### Representation in the Repository All restrictions defined by default in a Oak repository are stored as properties @@ -182,7 +182,7 @@ The node type definition used to represe - * (UNDEFINED) protected multiple -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The default security setup as present with Oak 1.0 is able to provide custom Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/introduction.md Thu Nov 1 09:07:01 2018 @@ -42,7 +42,7 @@ by a dedicated sub-interfaces of [Securi - [Principal Management](principal.html) - [User Management](user.html) -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions The package `org.apache.jackrabbit.oak.spi.security` defines the following interfaces 
@@ -180,7 +180,7 @@ of view. Please note the following depen 6. **User Management** is optional and _MAY_ be used for credentials validation during the authentication step. If present it is _usually_ used as a source for principals exposed by Principal Management. -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The configuration parameters of individual security modules are described in @@ -232,7 +232,7 @@ implementations. If the ranking paramete will try to use the [SERVICE_RANKING] to define the order. If neither is available (or set to `NO_RANKING`) the new entry will be appended to the list. -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability In a default setup Oak allows to plug custom or additional implementations of Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Thu Nov 1 09:07:01 2018 @@ -18,7 +18,7 @@ Permissions -------------------------------------------------------------------------------- -<a name="jcr_api"/> +<a name="jcr_api"></a> ### JCR and Jackrabbit API While access control management is a optional feature, a JCR implementation is @@ -88,7 +88,7 @@ Important: `absPath` refers to the node session.save(); } -<a name="oak_permissions"/> +<a name="oak_permissions"></a> ### Oak Permissions #### General Notes 
@@ -310,7 +310,7 @@ to be reported to the `EventListener` wi or excluded according to the modified permissions. See [OAK-4196] for an example. -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions Due to the separation of access control management from permission evaluation, @@ -328,7 +328,7 @@ defines the following interfaces and cla - [Permissions]: The permissions defined, respected and evaluated by the repository. - [PermissionConstants]: Constants used throughout the permission evaluation. -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Characteristics of the Permission Evaluation As explained above permission evaluation is completely separated from the access @@ -350,7 +350,7 @@ The behavior of the default permission i [Permissions: The Default Implementation](permission/default.html) and [Permission Evaluation in Detail: The Default Implementation](permission/evaluation.html). -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The configuration of the permission evaluation implementation is handled @@ -364,7 +364,7 @@ methods: The supported configuration options of the default implementation are described in the corresponding [section](permission/default.html#configuration). -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Permissions vs Privileges](permission/permissionsandprivileges.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/default.md Thu Nov 1 09:07:01 2018 
@@ -24,7 +24,7 @@ The default implementation of the `Permi based on the information stored in a dedicated part of the repository content call the [permission store](#permissionStore). -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Characteristics of the Permission Evaluation #### Regular Permission Evaluation @@ -65,10 +65,10 @@ that deal with the administrator (i.e. ` See section [Multiplexing support in the PermissionStore](multiplexing.html). -<a name="representation"/> +<a name="representation"></a> ### Representation in the Repository -<a name="permissionStore"/> +<a name="permissionStore"></a> #### Permission Store The permission evaluation present with Oak 1.0 keeps a dedicated location where @@ -155,7 +155,7 @@ implementation (`VersionablePathHook`). mixin - * (PATH) protected ABORT -<a name="validation"/> +<a name="validation"></a> ### Validation The consistency of this content structure is asserted by a dedicated `PermissionValidator`. @@ -167,7 +167,7 @@ The corresponding errors are all of type | 0021 | Version storage: Node creation without version history | | 0022 | Version storage: Removal of intermediate node | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration #### Configuration Parameters Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/evaluation.md Thu Nov 1 09:07:01 2018 
@@ -18,7 +18,7 @@ Permission Evaluation in Detail -------------------------------------------------------------------------------- -<a name="permissionentries"/> +<a name="permissionentries"></a> ### Order and Evaluation of Permission Entries In order to evaluate the permissions for a given item, the `PermissionProvider` Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md Thu Nov 1 09:07:01 2018 @@ -90,7 +90,7 @@ requires the ability to read access cont - Restrictions may or may not be respected - Default implementation close to real permission evaluation (not exactly following the specification) -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Mapping Privileges to Items](../privilege/mappingtoitems.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal.md Thu Nov 1 09:07:01 2018 
@@ -18,7 +18,7 @@ Principal Management -------------------------------------------------------------------------------- -<a href="jcr_api"/> +<a href="jcr_api"></a> ### JCR API JCR itself doesn't come with a dedicated principal management API. Nevertheless @@ -29,7 +29,7 @@ control management but leaves the discov Therefore an API for principal management has been defined as part of the extensions present with Jackrabbit API. -<a name="jackrabbit_api"/> +<a name="jackrabbit_api"></a> ### Jackrabbit API The Jackrabbit API provides support for principal management (i.e. discovery) that @@ -45,7 +45,7 @@ are missing in JCR. The relevant interfa See the corresponding [documentation](principal/differences.html). -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions - [PrincipalProvider]: SPI level access to principals known to the repository @@ -63,7 +63,7 @@ from different source providers. - [SystemPrincipal]: built-in principal implementation to mark system internal subjects. - [SystemUserPrincipal]: Marker interface to identify principals associated with special system users. -<a href="default_implementation"/> +<a href="default_implementation"></a> ### Oak Principal Management Implementation The default implementation of the principal management API basically corresponds @@ -77,7 +77,7 @@ in Jackrabbit 2.x). See the configuratio See section [Implementations of the PrincipalProvider Interface](principal/principalprovider.html) for details. -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The [PrincipalConfiguration] is the Oak level entry point to obtain a new 
@@ -90,7 +90,7 @@ provider implementation configured. In o sources a implementation that properly handles the different sources is required; the [CompositePrincipalProvider] is an example that combines multiple implementations. -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The default security setup as present with Oak 1.0 is able to provide custom @@ -159,7 +159,7 @@ provider implementation: ... } -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Differences wrt Jackrabbit 2.x](principal/differences.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/principal/cache.md Thu Nov 1 09:07:01 2018 @@ -81,7 +81,7 @@ as must any subsequent call never expose be accessible in the non-cache scenario where access to principals is protected by regular permission evalution. -<a name="validation"/> +<a name="validation"></a> ##### Validation The cache is system maintained, protected repository content that can only Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Thu Nov 1 09:07:01 2018 
@@ -18,7 +18,7 @@ Privilege Management -------------------------------------------------------------------------------- -<a name="jcr_api"/> +<a name="jcr_api"></a> ### JCR API As of JSR 283 the API contains the following privilege related interfaces and methods: @@ -27,7 +27,7 @@ As of JSR 283 the API contains the follo - `AccessControlManager.getSupportedPrivileges(String)` (see also `PrivilegeManager.getRegisteredPrivileges()`) - `AccessControlManager.privilegeFromName(String)` equivalent to `PrivilegeManager.getPrivilege(String)` -<a name="jackrabbit_api"/> +<a name="jackrabbit_api"></a> ### Jackrabbit API Privilege management is outside of the scope provided by JCR and therefore provided @@ -59,7 +59,7 @@ by the extensions defined by the Jackrab // NOTE: workspace operation that doesn't require Session#save() privilegeManager.registerPrivilege(privilegeName, isAbstract, declaredAggregateNames); -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions - [PrivilegeConfiguration] : Oak level entry point to retrieve `PrivilegeManager` and privilege related configuration options. @@ -67,7 +67,7 @@ by the extensions defined by the Jackrab - [PrivilegeBitsProvider] : Internal provider to read `PrivilegeBits` from the repository content and map names to internal representation (and vice versa). - [PrivilegeBits]: Internal representation of JCR privileges. -<a name="utilities"/> +<a name="utilities"></a> ### Utilities The jcr-commons module present with Jackrabbit provide some privilege related 
@@ -77,13 +77,13 @@ utility methods: - `privilegesFromNames(Session session, String... privilegeNames)` - `privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)` -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Oak Privilege Management Implementation The behavior of the default privilege management implementation is described in section [Privilege Management: The Default Implementation](privilege/default.html). -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The [PrivilegeConfiguration] is the Oak level entry point to obtain a new @@ -91,7 +91,7 @@ The [PrivilegeConfiguration] is the Oak implementation of the `PrivilegeManager` interface is based on Oak API and can equally be used for privilege related tasks in the Oak layer. -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability _Please note:_ While it's in theory possible to replace the default privilege @@ -100,7 +100,7 @@ knowledge and understanding of Jackrabbi the security risk associated with it. Doing so, will most likely require a re-write of the default access control and permission evaluation. -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Differences wrt Jackrabbit 2.x](privilege/differences.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md Thu Nov 1 09:07:01 2018 
@@ -94,7 +94,7 @@ An overview on how the built-in privileg can be found in ['Mapping Privileges to Items'](mappingtoitems.html) and ['Mapping API Calls to Privileges'](mappingtoprivileges.html) -<a name="representation"/> +<a name="representation"></a> ### Representation in the Repository As of Oak 1.0 all privilege definitions are stored in the repository itself @@ -115,7 +115,7 @@ Note the protection status of all child as they prevent modification of the privilege definitions using regular JCR write operations. -<a name="validation"/> +<a name="validation"></a> ### Validation The consistency of this content structure is asserted by a dedicated `PrivilegeValidator`. @@ -137,7 +137,7 @@ The corresponding errors are all of type | 0052 | Detected circular aggregation | | 0053 | Custom aggregate privilege X is already covered. | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration There are no implementation specific configuration options associated with the Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Thu Nov 1 09:07:01 2018 @@ -18,7 +18,7 @@ User Management -------------------------------------------------------------------------------- -<a name="jcr_api"/> +<a name="jcr_api"></a> ### JCR API JCR itself doesn't come with a dedicated user management API. The only method 
@@ -26,7 +26,7 @@ related and ultimately used for user man Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API. -<a name="jackrabbit_api"/> +<a name="jackrabbit_api"></a> ### Jackrabbit API The Jackrabbit API provides the user management related extensions that are @@ -41,7 +41,7 @@ missing in JCR. The relevant interfaces - `QueryBuilder` - `Query` -<a name="api_extensions"/> +<a name="api_extensions"></a> ### API Extensions The Oak project introduces the following user management related public @@ -54,7 +54,7 @@ interfaces and classes: - `UserAuthenticationFactory`: see sections [pluggability](user/default.html#pluggability) and [user authentication](authentication/default.html#user_authentication) for additional details. -<a name="utilities"/> +<a name="utilities"></a> ### Utilities `org.apache.jackrabbit.oak.spi.security.user.*` @@ -70,13 +70,13 @@ and [user authentication](authentication function for password generation. - `UserUtil` : Utilities related to general user management tasks. -<a name="default_implementation"/> +<a name="default_implementation"></a> ### Oak User Management Implementation The behavior of the default user management implementation is described in section [User Management: The Default Implementation](user/default.html). -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The Oak user management comes with a dedicated entry point called [UserConfiguration]. @@ -90,7 +90,7 @@ and provides the following two methods: The supported configuration options of the default implementation are described in the corresponding [section](user/default.html#configuration). -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability The default security setup as present with Oak 1.0 is able to have the default 
@@ -106,7 +106,7 @@ Alternatively the default user managemen adjusted using various means. See the corresponding [section](user/default.html#pluggability) for further details. -<a name="further_reading"/> +<a name="further_reading"></a> ### Further Reading - [Differences wrt Jackrabbit 2.x](user/differences.html) Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/default.md Thu Nov 1 09:07:01 2018 @@ -104,7 +104,7 @@ of the underlaying JCR node but only com * The `rep:password` property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that `User#changePassword` does not allow to remove the password property. * Since version 1.1.0 Oak supports the new API to create dedicated system users [JCR-3802](https://issues.apache.org/jira/browse/JCR-3802). -<a name="query"/> +<a name="query"></a> #### Searching #### XPathQueryBuilder @@ -149,7 +149,7 @@ history support. By default this feature See section [Password History](history.html) for details. -<a name="representation"/> +<a name="representation"></a> ### Representation in the Repository The following block lists the built-in node types related to user management tasks: @@ -201,7 +201,7 @@ The following block lists the built-in n + * (rep:Members) = rep:Members protected multiple - * (WEAKREFERENCE) protected < 'rep:Authorizable' -<a name="validation"/> +<a name="validation"></a> ### Validation The consistency of this content structure is asserted by a dedicated `UserValidator`. 
@@ -224,7 +224,7 @@ The corresponding errors are all of type | 0032 | Attempt to set password with system user | | 0033 | Attempt to add rep:pwd node to a system user | -<a name="configuration"/> +<a name="configuration"></a> ### Configuration The following user management specific methods are present with the [UserConfiguration] @@ -268,7 +268,7 @@ detail in section [Caching Results of Pr It is not related to user management s.str. but affects the implementation specific `PrincipalProvider` implementation exposed by `UserConfiguration.getUserPrincipalProvider`. -<a name="pluggability"/> +<a name="pluggability"></a> ### Pluggability Within the default user management implementation the following parts can be Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/differences.md Thu Nov 1 09:07:01 2018 
@@ -61,7 +61,7 @@ invalid transient modifications. * Group Members: The way many group members are stored with a given Group has been redesigned in Oak 1.0. See section [Group Membership](membership.html) for a detailed description. -<a name="query"/> +<a name="query"></a> ##### QueryBuilder The user query is expected to work as in Jackrabbit 2.x with the following notable Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/expiry.md Thu Nov 1 09:07:01 2018 @@ -39,6 +39,7 @@ to obtain a session/login and the passwo to a next attempt. For specifying the new password, the initial password has to be provided. +<a href="configuration"></a> ### Configuration An administrator may enable password expiry and initial password change 
@@ -58,6 +59,7 @@ Note: - Maximum Password Age (`maxPasswordAge`) will only be enabled when a value greater 0 is set (expiration time in days). - Change Password On First Login (`initialPasswordChange`): When enabled, forces users to change their password upon first login. +<a href="how"></a> ### How it works #### Definition of Expired Password Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/groupaction.md Thu Nov 1 09:07:01 2018 @@ -29,6 +29,7 @@ such as - add a set of member ids as members of a group - remove a set of member ids from a group +<a name="api_extensions"></a> ### GroupAction API The following public interface is provided by Oak in the package `org.apache.jackrabbit.oak.spi.security.user.action`: 
@@ -49,23 +50,26 @@ Any group actions are executed with the target operation will fail if any of the configured actions fails (e.g. due to insufficient permissions by the editing Oak ContentSession). +<a name="default_implementation"></a> ### Default Implementations Oak 1.5 provides the following base implementation for `GroupAction` implementations to build upon: - `AbstractGroupAction`: abstract base implementation that doesn't perform any action. -### Pluggability - -Refer to [Authorizable Actions | Pluggability ](authorizableaction.html#Pluggability) for details on how to plug -a new group action into the system. - +<a name="xml_import"></a> ### XML Import During import the group actions are called in the same fashion as for regular groups as long as the member reference can be resolved to an existing authorizable. Member IDs of authorizables that do not exist at group import time or failed member IDs are passed to the group actions if `ImportBehavior.BESTEFFORT` is set for the import. +<a name="pluggability"></a> +### Pluggability + +Refer to [Authorizable Actions | Pluggability ](authorizableaction.html#Pluggability) for details on how to plug +a new group action into the system. + ##### Examples ###### Example Action Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/history.md Thu Nov 1 09:07:01 2018 
@@ -24,6 +24,7 @@ Since version 1.3.3 Oak provides functio of passwords after password changes and to prevent a password to be set during changing a user's password if found in said history. +<a href="configuration"></a> ### Configuration An administrator may enable password history via the @@ -42,6 +43,7 @@ history and sets feature to remember the Note, that the current implementation has a limit of at most 1000 passwords remembered in the history. +<a href="how"></a> ### How it works #### Representation in the Repository Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md?rev=1845417&r1=1845416&r2=1845417&view=diff ============================================================================== --- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md (original) +++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/membership.md Thu Nov 1 09:07:01 2018 @@ -18,6 +18,7 @@ Group Membership -------------------------------------------------------------------------------- +<a href="jcr_api"></a> ### Jackrabbit API The Jackrabbit API extensions provide various methods to edit and explore the @@ -37,6 +38,7 @@ member relationship of users and groups: - `declaredMemberOf() Iterator<Group>` - `memberOf() Iterator<Group>` +<a href="default_implementation"></a> ### Characteristics of the Default Implementation #### Member Representation in the Repository @@ -199,6 +201,7 @@ The following scenarios may leave the cy See [OAK-3170] for additional information. +<a href="configuration"></a> ### Configuration Note that as of Oak 1.0 the implementation is responsible for defining the
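Review bot: in security/principal.md the hunks at @@ -18,7 and @@ -63,7 keep `href` where every other anchor in the file uses `name`. `<a href="jcr_api"></a>` and `<a href="default_implementation"></a>` only change the closing form, so they stay empty links rather than link targets, and `#jcr_api` / `#default_implementation` will not resolve on the rendered page. Suggest `<a name="jcr_api"></a>` and `<a name="default_implementation"></a>`, matching the `jackrabbit_api`, `api_extensions`, `configuration` and `pluggability` anchors changed in the same file.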
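Review bot: the anchors newly added in security/user/expiry.md (@@ -39,6 and @@ -58,6) and security/user/history.md (@@ -24,6 and @@ -42,6) are written with `href` instead of `name`: `<a href="configuration"></a>` and `<a href="how"></a>`. As written they define a relative link with no text, not a target, so a reference such as `expiry.html#configuration` or `history.html#how` has nothing to land on. Use `<a name="configuration"></a>` and `<a name="how"></a>`, the form used for the existing anchors throughout this commit.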
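Review bot: all three anchors added in security/user/membership.md (@@ -18,6, @@ -37,6 and @@ -199,6) use `href` rather than `name`, and the first one is also named inconsistently: `<a href="jcr_api"></a>` sits above `### Jackrabbit API`, while restriction.md, principal.md, privilege.md and user.md in this same commit use `jackrabbit_api` for that heading. Suggest `<a name="jackrabbit_api"></a>`, `<a name="default_implementation"></a>` and `<a name="configuration"></a>` so the targets resolve and the anchor names stay uniform across the security pages.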
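Review bot: the @@ -49,23 +50,26 hunk in security/user/groupaction.md moves the `### Pluggability` section below `### XML Import`, which goes beyond the header fix named in the log message and leaves the unchanged `##### Examples` heading directly under Pluggability instead of under XML Import; please confirm that placement is intended and mention the reordering in the log. The moved link also still targets `authorizableaction.html#Pluggability` with a capital P, while the anchors in this commit are named lowercase `pluggability`, so check the fragment against the anchor in authorizableaction.md. The stray space before the closing bracket in `[Authorizable Actions | Pluggability ]` could be dropped while the lines are being touched.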