jackrabbit-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1730074 [8/8] - in /jackrabbit/site/live/oak/docs: ./ META-INF/ architecture/ coldstandby/ features/ nodestore/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication/ security/a...
Date Fri, 12 Feb 2016 17:09:07 GMT
Added: jackrabbit/site/live/oak/docs/security/user/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/default.html?rev=1730074&view=auto
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/default.html (added)
+++ jackrabbit/site/live/oak/docs/security/user/default.html Fri Feb 12 17:09:05 2016
@@ -0,0 +1,1060 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia at 2016-02-11
+ | Rendered using Apache Maven Fluido Skin 1.3.0
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta name="Date-Revision-yyyymmdd" content="20160211" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>Jackrabbit Oak - User Management : The Default Implementation</title>
+    <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
+    <link rel="stylesheet" href="../../css/site.css" />
+    <link rel="stylesheet" href="../../css/print.css" media="print" />
+
+      
+    <script type="text/javascript" src="../../js/apache-maven-fluido-1.3.0.min.js"></script>
+
+    
+            </head>
+        <body class="topBarEnabled">
+          
+    
+    
+            
+    
+    
+    <a href="http://github.com/apache/jackrabbit-oak">
+      <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_red_aa0000.png"
+        alt="Fork me on GitHub">
+    </a>
+  
+                
+                    
+                
+
+    <div id="topbar" class="navbar navbar-fixed-top ">
+      <div class="navbar-inner">
+                <div class="container-fluid">
+        <a data-target=".nav-collapse" data-toggle="collapse" class="btn btn-navbar">
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+          <span class="icon-bar"></span>
+        </a>
+                
+                                                                                <a class="brand" href="../../"  title="Oak logo">
+
+                                
+                                                                                                                    <img src="../../oak_logo.png" alt="Oak logo" />
+                
+                </a>
+                    
+                                <ul class="nav">
+                          <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Overview <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../index.html"  title="Jackrabbit Oak">Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="../../license.html"  title="License">License</a>
+</li>
+                  
+                      <li>      <a href="../../downloads.html"  title="Downloads">Downloads</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Concepts and Architecture <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../architecture/overview.html"  title="Overview">Overview</a>
+</li>
+                  
+                      <li>      <a href="../../architecture/nodestate.html"  title="The Node State Model">The Node State Model</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://www.day.com/specs/jcr/2.0/index.html"  title="JCR API">JCR API</a>
+</li>
+                  
+                      <li>      <a href="../../oak_api/overview.html"  title="Oak API">Oak API</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Features and Plugins <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../features/atomic-counter.html"  title="Atomic Counter">Atomic Counter</a>
+</li>
+                  
+                      <li>      <a href="../../plugins/blobstore.html"  title="Blob Storage">Blob Storage</a>
+</li>
+                  
+                      <li>      <a href="../../clustering.html"  title="Clustering">Clustering</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/documentmk.html"  title="DocumentNodeStore">DocumentNodeStore</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/overview.html"  title="Node Storage">Node Storage</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/persistent-cache.html"  title="Persistent Cache">Persistent Cache</a>
+</li>
+                  
+                      <li>      <a href="../../query/query.html"  title="Query">Query</a>
+</li>
+                  
+                      <li>      <a href="../../security/overview.html"  title="Security">Security</a>
+</li>
+                  
+                      <li>      <a href="../../nodestore/segment/overview.html"  title="Segment Node Store">Segment Node Store</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Using Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../use_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../construct.html"  title="Repository Construction">Repository Construction</a>
+</li>
+                  
+                      <li>      <a href="../../osgi_config.html"  title="Configuring Oak">Configuring Oak</a>
+</li>
+                  
+                      <li>      <a href="../../command_line.html"  title="Command Line Tools">Command Line Tools</a>
+</li>
+                  
+                      <li>      <a href="../../migration.html"  title="Migration">Migration</a>
+</li>
+                  
+                      <li>      <a href="../../differences.html"  title="Differences to Jackrabbit 2">Differences to Jackrabbit 2</a>
+</li>
+                  
+                      <li>      <a href="../../known_issues.html"  title="Known Issues">Known Issues</a>
+</li>
+                  
+                      <li>      <a href="../../dos_and_donts.html"  title="Dos and Don'ts">Dos and Don'ts</a>
+</li>
+                  
+                      <li>      <a href="../../coldstandby/coldstandby.html"  title="Cold Standby">Cold Standby</a>
+</li>
+                  
+                      <li>      <a href="../../FAQ.html"  title="FAQ">FAQ</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Developing Oak <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="../../dev_getting_started.html"  title="Getting Started">Getting Started</a>
+</li>
+                  
+                      <li>      <a href="../../participating.html"  title="Participating">Participating</a>
+</li>
+                  
+                      <li>      <a href="../../developing-with-git.html"  title="Developing with Git">Developing with Git</a>
+</li>
+                  
+                      <li>      <a href="../../diagnostic-builds.html"  title="Cutting diagnostic builds">Cutting diagnostic builds</a>
+</li>
+                  
+                      <li>      <a href="../../attribution.html"  title="Attribution">Attribution</a>
+</li>
+                          </ul>
+      </li>
+                <li class="dropdown">
+        <a href="#" class="dropdown-toggle" data-toggle="dropdown">Links <b class="caret"></b></a>
+        <ul class="dropdown-menu">
+        
+                      <li>      <a href="http://jackrabbit.apache.org/oak"  title="Apache Jackrabbit Oak">Apache Jackrabbit Oak</a>
+</li>
+                  
+                      <li>      <a href="http://jackrabbit.apache.org/"  title="Apache Jackrabbit">Apache Jackrabbit</a>
+</li>
+                          </ul>
+      </li>
+                  </ul>
+          
+          
+          
+                   
+                      </div>
+          
+        </div>
+      </div>
+    </div>
+    
+        <div class="container-fluid">
+          <div id="banner">
+        <div class="pull-left">
+                                <div id="bannerLeft">
+                <h2>Oak Documentation</h2>
+                </div>
+                      </div>
+        <div class="pull-right">  </div>
+        <div class="clear"><hr/></div>
+      </div>
+
+      <div id="breadcrumbs">
+        <ul class="breadcrumb">
+                
+                    
+                  <li id="publishDate">Last Published: 2016-02-11</li>
+                  <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
+                      
+                
+                    
+      
+                            </ul>
+      </div>
+
+            
+      <div class="row-fluid">
+        <div id="leftColumn" class="span3">
+          <div class="well sidebar-nav">
+                
+                    
+                <ul class="nav nav-list">
+                    <li class="nav-header">Overview</li>
+                                
+      <li>
+    
+                          <a href="../../index.html" title="Jackrabbit Oak">
+          <i class="none"></i>
+        Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../license.html" title="License">
+          <i class="none"></i>
+        License</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../downloads.html" title="Downloads">
+          <i class="none"></i>
+        Downloads</a>
+            </li>
+                              <li class="nav-header">Concepts and Architecture</li>
+                                
+      <li>
+    
+                          <a href="../../architecture/overview.html" title="Overview">
+          <i class="none"></i>
+        Overview</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../architecture/nodestate.html" title="The Node State Model">
+          <i class="none"></i>
+        The Node State Model</a>
+            </li>
+                              <li class="nav-header">Main APIs</li>
+                                
+      <li>
+    
+                          <a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API">
+          <i class="none"></i>
+        JCR API</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../oak_api/overview.html" title="Oak API">
+          <i class="none"></i>
+        Oak API</a>
+            </li>
+                              <li class="nav-header">Features and Plugins</li>
+                                
+      <li>
+    
+                          <a href="../../features/atomic-counter.html" title="Atomic Counter">
+          <i class="none"></i>
+        Atomic Counter</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../plugins/blobstore.html" title="Blob Storage">
+          <i class="none"></i>
+        Blob Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../clustering.html" title="Clustering">
+          <i class="none"></i>
+        Clustering</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/documentmk.html" title="DocumentNodeStore">
+          <i class="none"></i>
+        DocumentNodeStore</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/overview.html" title="Node Storage">
+          <i class="none"></i>
+        Node Storage</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/persistent-cache.html" title="Persistent Cache">
+          <i class="none"></i>
+        Persistent Cache</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../query/query.html" title="Query">
+          <i class="none"></i>
+        Query</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../security/overview.html" title="Security">
+          <i class="none"></i>
+        Security</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../nodestore/segment/overview.html" title="Segment Node Store">
+          <i class="none"></i>
+        Segment Node Store</a>
+            </li>
+                              <li class="nav-header">Using Oak</li>
+                                
+      <li>
+    
+                          <a href="../../use_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../construct.html" title="Repository Construction">
+          <i class="none"></i>
+        Repository Construction</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../osgi_config.html" title="Configuring Oak">
+          <i class="none"></i>
+        Configuring Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../command_line.html" title="Command Line Tools">
+          <i class="none"></i>
+        Command Line Tools</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../migration.html" title="Migration">
+          <i class="none"></i>
+        Migration</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../differences.html" title="Differences to Jackrabbit 2">
+          <i class="none"></i>
+        Differences to Jackrabbit 2</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../known_issues.html" title="Known Issues">
+          <i class="none"></i>
+        Known Issues</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../dos_and_donts.html" title="Dos and Don'ts">
+          <i class="none"></i>
+        Dos and Don'ts</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../coldstandby/coldstandby.html" title="Cold Standby">
+          <i class="none"></i>
+        Cold Standby</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../FAQ.html" title="FAQ">
+          <i class="none"></i>
+        FAQ</a>
+            </li>
+                              <li class="nav-header">Developing Oak</li>
+                                
+      <li>
+    
+                          <a href="../../dev_getting_started.html" title="Getting Started">
+          <i class="none"></i>
+        Getting Started</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../participating.html" title="Participating">
+          <i class="none"></i>
+        Participating</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../developing-with-git.html" title="Developing with Git">
+          <i class="none"></i>
+        Developing with Git</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../diagnostic-builds.html" title="Cutting diagnostic builds">
+          <i class="none"></i>
+        Cutting diagnostic builds</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="../../attribution.html" title="Attribution">
+          <i class="none"></i>
+        Attribution</a>
+            </li>
+                              <li class="nav-header">Links</li>
+                                
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/oak" class="externalLink" title="Apache Jackrabbit Oak">
+          <i class="none"></i>
+        Apache Jackrabbit Oak</a>
+            </li>
+                  
+      <li>
+    
+                          <a href="http://jackrabbit.apache.org/" class="externalLink" title="Apache Jackrabbit">
+          <i class="none"></i>
+        Apache Jackrabbit</a>
+            </li>
+            </ul>
+                
+                    
+                
+          <hr class="divider" />
+
+           <div id="poweredBy">
+                   
+    <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script>
+
+    
+    <div class="g-plusone" data-href="http://jackrabbit.apache.org/oak/docs/" data-size="tall" ></div>
+
+                   <div class="clear"></div>
+                            <div class="clear"></div>
+                            <div class="clear"></div>
+                             <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
+        <img class="builtBy" alt="Built by Maven" src="../../images/logos/maven-feather.png" />
+      </a>
+                  </div>
+          </div>
+        </div>
+        
+                
+        <div id="bodyColumn"  class="span9" >
+                                  
+            <!-- Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. --><div class="section">
+<h2>User Management : The Default Implementation<a name="User_Management_:_The_Default_Implementation"></a></h2>
+<div class="section">
+<h3>General Notes<a name="General_Notes"></a></h3>
+<p>The default user management implementation stores user/group information in the content repository. In contrast to Jackrabbit 2.x, which by default used a single, dedicated workspace for user/group data, this data will as of Oak 1.0 be stored separately for each JCR workspace.</p>
+<p>Consequently the <tt>UserManager</tt> associated with the editing sessions, performs all actions with this editing session. This corresponds to the behavior as defined the alternative implementation present with Jackrabbit 2.x ((see Jackrabbit 2.x <tt>UserPerWorkspaceUserManager</tt>).</p>
+
+<ul>
+  
+<li>The Oak implementation is build on the Oak API. This allows for double usage as  extension to the JCR API as well as within the Oak layer (aka SPI).</li>
+  
+<li>The <tt>UserManager</tt> is always associated with the same JCR workspace as the editing  <tt>Session</tt> from which the class has been obtained.</li>
+  
+<li>Changes made to the user management API are always transient and require <tt>Session#save()</tt> to be persisted.</li>
+  
+<li>In case of any failure during user management related write operations the API  consumer is in charge of specifically revert pending or invalid transient modifications  or calling <tt>Session#refresh(false)</tt>.</li>
+</ul></div>
+<div class="section">
+<h3>Differences wrt Jackrabbit 2.x<a name="Differences_wrt_Jackrabbit_2.x"></a></h3>
+<p>A summary of all changes with respect to the former implementation present with Jackrabbit 2.x is present in the corresponding <a href="differences.html">section</a>.</p></div>
+<div class="section">
+<h3>Built-in Users and Special Groups<a name="Built-in_Users_and_Special_Groups"></a></h3>
+<p>The setup of builtin user and group accounts is triggered by the configured <tt>WorkspaceInitializer</tt> associated with the user management configuration (see Configuration section below).</p>
+<p>The default user management implementation in OAK comes with an initializer that creates the following builtin user accounts:</p>
+<div class="section">
+<h4>Administrator<a name="Administrator"></a></h4>
+<p>The admin user is always being created. The ID of this user is retrieved from the user configuration parameter <tt>PARAM_ADMIN_ID</tt>, which defaults to <tt>admin</tt>.</p>
+<p>As of OAK 1.0 however the administrator user might be created without initial password forcing the application to set the password upon start (see <tt>PARAM_OMIT_ADMIN_PW</tt> configuration parameter).</p>
+<div class="section">
+<h5>Anonymous User<a name="Anonymous_User"></a></h5>
+<p>In contrast to Jackrabbit 2.x the anonymous (or guest) user is optional. Creation will be skipped if the value of the <tt>PARAM_ANONYMOUS_ID</tt> configuration parameter is <tt>null</tt> or empty.</p>
+<p>Note, that the anonymous user will always be created without specifying a password in order to prevent regular login with <tt>SimpleCredentials</tt>. The proper way to obtain a guest session is:</p>
+
+<div class="source">
+<pre>Repository#login(new GuestCredentials(), wspName);
+</pre></div>
+<p>See section <a href="../authentication.html">Authentication</a> for further information about guest login.</p></div></div>
+<div class="section">
+<h4>Everyone Group<a name="Everyone_Group"></a></h4>
+<p>The default user management implementation in Oak contains special handling for the optional group that represents the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/principal/EveryonePrincipal.html#NAME">everyone</a> principal, which is marked by the reserved principal name and by definition has all other principals as members.</p>
+<p>This special group always contains all Authorizable as member and cannot be edited with user management API. As of OAK this fact is consistently reflected in all group membership related methods. See also <a href="../principal.html">Principal Management</a>.</p></div></div>
+<div class="section">
+<h3>User Management Operations<a name="User_Management_Operations"></a></h3>
+<div class="section">
+<h4>Reading Authorizables<a name="Reading_Authorizables"></a></h4>
+<div class="section">
+<h5>Handling of the Authorizable ID<a name="Handling_of_the_Authorizable_ID"></a></h5>
+
+<ul>
+  
+<li>As of Oak the node type definition of <tt>rep:Authorizable</tt> defines a new property <tt>rep:authorizableId</tt> which is intended to store the ID of a user or group.</li>
+  
+<li>The default implementation comes with a dedicated property index for <tt>rep:authorizableId</tt> which asserts the uniqueness of that ID.</li>
+  
+<li><tt>Authorizable#getID</tt> returns the string value contained in <tt>rep:authorizableID</tt> and for backwards compatibility falls back on the node name in case the ID property is missing.</li>
+  
+<li>The name of the authorizable node is generated based on a configurable implementation of the <tt>AuthorizableNodeName</tt> interface (see configuration section below). By default it uses the ID as name hint and includes a conversion to a valid JCR node name.</li>
+</ul></div>
+<div class="section">
+<h5>equals() and hashCode()<a name="equals_and_hashCode"></a></h5>
+<p>The implementation of <tt>Object#equals()</tt> and <tt>Object#hashCode()</tt> for user and groups slightly differs from Jackrabbit 2.x. It no longer relies on the <i>sameness</i> of the underlaying JCR node but only compares IDs and the user manager instance.</p></div></div>
+<div class="section">
+<h4>Creating Authorizables<a name="Creating_Authorizables"></a></h4>
+
+<ul>
+  
+<li>The <tt>rep:password</tt> property is no longer defined to be mandatory. Therefore a new user might be created without specifying a password. Note however, that <tt>User#changePassword</tt> does not allow to remove the password property.</li>
+  
+<li>Since version 1.1.0 Oak supports the new API to create dedicated system users <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-3802">JCR-3802</a>.</li>
+</ul></div>
+<div class="section">
+<h4>Query<a name="Query"></a></h4>
+<p>See section <a href="query.html">Searching Users and Groups</a> for details.</p></div>
+<div class="section">
+<h4>Group Membership<a name="Group_Membership"></a></h4>
+<p>See section <a href="membership.html">Group Membership</a> for details.</p></div>
+<div class="section">
+<h4>Autosave Behavior<a name="Autosave_Behavior"></a></h4>
+<p>Due to the nature of the UserManager (see above) we decided to drop the auto-save behavior in the default implementation present with OAK. Consequently,</p>
+
+<ul>
+  
+<li><tt>UserManager#autoSave(boolean)</tt> throws <tt>UnsupportedRepositoryOperationException</tt></li>
+  
+<li><tt>UserManager#isAutoSave()</tt> always returns <tt>false</tt></li>
+</ul>
+<p>See also <tt>PARAM_SUPPORT_AUTOSAVE</tt> below; while this should not be needed if application code has been written against the Jackrabbit API (and thus testing if auto-save mode is enabled or not) this configuration option can be used as last resort.</p></div>
+<div class="section">
+<h4>XML Import<a name="XML_Import"></a></h4>
+<p>As of Oak 1.0 user and group nodes can be imported both with Session and Workspace import. Other differences compared to Jackrabbit 2.x:</p>
+
+<ul>
+  
+<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-&gt; see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
+  
+<li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
+</ul></div>
+<div class="section">
+<h4>Password Expiry and Force Initial Password Change<a name="Password_Expiry_and_Force_Initial_Password_Change"></a></h4>
+<p>Since Oak 1.1.0 the default user management and authentication implementation provides password expiry and initial password change.</p>
+<p>By default these features are disabled. See section <a href="expiry.html">Password Expiry and Force Initial Password Change</a> for details.</p></div>
+<div class="section">
+<h4>Password History<a name="Password_History"></a></h4>
+<p>Since Oak 1.3.3 the default user management implementation provides password history support. By default this feature is disabled.</p>
+<p>See section <a href="history.html">Password History</a> for details.</p></div></div>
+<div class="section">
+<h3>User/Group Representation in the Repository<a name="UserGroup_Representation_in_the_Repository"></a></h3>
+<p>The following block lists the built-in node types related to user management tasks:</p>
+
+<div class="source">
+<pre>[rep:Authorizable] &gt; mix:referenceable, nt:hierarchyNode
+  abstract
+  + * (nt:base) = nt:unstructured VERSION
+  - rep:principalName  (STRING) protected mandatory
+  - rep:authorizableId (STRING) protected /* @since oak 1.0 */
+  - * (UNDEFINED)
+  - * (UNDEFINED) multiple
+
+[rep:User] &gt; rep:Authorizable, rep:Impersonatable
+  + rep:pwd (rep:Password) = rep:Password protected /* @since oak 1.1.0 */
+  - rep:password (STRING) protected
+  - rep:disabled (STRING) protected
+
+[rep:SystemUser] &gt; rep:User /* @since oak 1.1.0 */
+
+[rep:Impersonatable]
+  mixin
+  - rep:impersonators (STRING) protected multiple
+
+/* @since oak 1.1.0 */
+[rep:Password]
+  - * (UNDEFINED) protected
+  - * (UNDEFINED) protected multiple
+
+[rep:Group] &gt; rep:Authorizable, rep:MemberReferences
+  + rep:members (rep:Members) = rep:Members multiple protected VERSION /* @deprecated since oak 1.0 */
+  + rep:membersList (rep:MemberReferencesList) = rep:MemberReferencesList protected COPY /* @since oak 1.0 */
+
+
+[rep:AuthorizableFolder] &gt; nt:hierarchyNode
+  + * (rep:Authorizable) = rep:User VERSION
+  + * (rep:AuthorizableFolder) = rep:AuthorizableFolder VERSION    
+
+/* @since oak 1.0 */
+[rep:MemberReferences]
+  - rep:members (WEAKREFERENCE) protected multiple &lt; 'rep:Authorizable'
+
+/* @since oak 1.0 */
+[rep:MemberReferencesList]
+  + * (rep:MemberReferences) = rep:MemberReferences protected COPY
+
+/* @deprecated since oak 1.0 */
+[rep:Members]
+  orderable
+  + * (rep:Members) = rep:Members protected multiple
+  - * (WEAKREFERENCE) protected &lt; 'rep:Authorizable'
+</pre></div>
+<p><a name="validation"></a></p></div>
+<div class="section">
+<h3>Validation<a name="Validation"></a></h3>
+<p>The consistency of this content structure is asserted by a dedicated <tt>UserValidator</tt>. The corresponding errors are all of type <tt>Constraint</tt> with the following codes:</p>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Code </th>
+      
+<th>Message </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td>0020 </td>
+      
+<td>Admin user cannot be disabled </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0021 </td>
+      
+<td>Invalid jcr:uuid for authorizable (creation) </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0022 </td>
+      
+<td>Changing Id, principal name after creation </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0023 </td>
+      
+<td>Invalid jcr:uuid for authorizable (mod) </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0024 </td>
+      
+<td>Password may not be plain text </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0025 </td>
+      
+<td>Attempt to remove id, principalname or pw </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0026 </td>
+      
+<td>Mandatory property rep:principalName missing </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0027 </td>
+      
+<td>The admin user cannot be removed </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0028 </td>
+      
+<td>Attempt to create outside of configured scope </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0029 </td>
+      
+<td>Intermediate folders not rep:AuthorizableFolder </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0030 </td>
+      
+<td>Missing uuid for group (check for cyclic membership) </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0031 </td>
+      
+<td>Cyclic group membership </td>
+    </tr>
+    
+<tr class="b">
+      
+<td>0032 </td>
+      
+<td>Attempt to set password with system user </td>
+    </tr>
+    
+<tr class="a">
+      
+<td>0033 </td>
+      
+<td>Attempt to add rep:pwd node to a system user </td>
+    </tr>
+  </tbody>
+</table>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>The following user management specific methods are present with the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserConfiguration.html">UserConfiguration</a> as of OAK 1.0:</p>
+
+<ul>
+  
+<li>getUserManager: Obtain a new user manager instance</li>
+</ul>
+<div class="section">
+<h4>Configuration Parameters supported by the default implementation<a name="Configuration_Parameters_supported_by_the_default_implementation"></a></h4>
+
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td><tt>PARAM_ADMIN_ID</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;admin&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_OMIT_ADMIN_PW</tt> </td>
+      
+<td>boolean </td>
+      
+<td>false </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_ANONYMOUS_ID</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;anonymous&#x201d; (nullable) </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_USER_PATH</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;/rep:security/rep:authorizables/rep:users&#x201d; </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_GROUP_PATH</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;/rep:security/rep:authorizables/rep:groups&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_DEFAULT_DEPTH</tt> </td>
+      
+<td>int </td>
+      
+<td>2 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_HASH_ALGORITHM</tt> </td>
+      
+<td>String </td>
+      
+<td>&#x201c;SHA-256&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_PASSWORD_HASH_ITERATIONS</tt> </td>
+      
+<td>int </td>
+      
+<td>1000 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_SALT_SIZE</tt> </td>
+      
+<td>int </td>
+      
+<td>8 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_AUTHORIZABLE_NODE_NAME</tt> </td>
+      
+<td>AuthorizableNodeName </td>
+      
+<td>AuthorizableNodeName#DEFAULT </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_AUTHORIZABLE_ACTION_PROVIDER</tt></td>
+      
+<td>AuthorizableActionProvider </td>
+      
+<td>DefaultAuthorizableActionProvider </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_SUPPORT_AUTOSAVE</tt> </td>
+      
+<td>boolean </td>
+      
+<td>false </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+      
+<td>String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
+      
+<td>&#x201c;ignore&#x201d; </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+      
+<td>int </td>
+      
+<td>0 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+      
+<td>boolean </td>
+      
+<td>false </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+      
+<td>int (upper limit: 1000) </td>
+      
+<td>0 </td>
+    </tr>
+    
+<tr class="b">
+      
+<td><tt>PARAM_CACHE_EXPIRATION</tt> </td>
+      
+<td>long </td>
+      
+<td>0 </td>
+    </tr>
+    
+<tr class="a">
+      
+<td> </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table>
+<p>The following configuration parameters present with the default implementation in Jackrabbit 2.x are no longer supported and will be ignored:</p>
+
+<ul>
+  
+<li><tt>compatibleJR16</tt></li>
+  
+<li><tt>autoExpandTree</tt></li>
+  
+<li><tt>autoExpandSize</tt></li>
+  
+<li><tt>groupMembershipSplitSize</tt></li>
+</ul>
+<p>The optional <tt>cacheExpiration</tt> configuration option listed above is discussed in detail in section <a href="../principal/cache.html">Caching Results of Principal Resolution</a>. It is not related to user management s.str. but affects the implementation specific <tt>PrincipalProvider</tt> implementation exposed by <tt>UserConfiguration.getUserPrincipalProvider</tt>.</p>
+<p><a name="pluggability"></a></p></div></div>
+<div class="section">
+<h3>Pluggability<a name="Pluggability"></a></h3>
+<p>Within the default user management implementation the following parts can be modified or extended at runtime by providing corresponding OSGi services or passing appropriate configuration parameters exposing the custom implementations:</p>
+
+<ul>
+  
+<li><tt>AuthorizableActionProvider</tt>: Defines the authorizable actions, see <a href="user/authorizableaction.html">Authorizable Actions</a>.</li>
+  
+<li><tt>AuthorizableNodeName</tt>: Defines the generation of the authorizable node names  in case the user management implementation stores user information in the repository.  See <a href="user/authorizablenodename.html">Authorizable Node Name Generation</a>.</li>
+  
+<li><tt>UserAuthenticationFactory</tt>: see below</li>
+</ul>
+<div class="section">
+<h4>UserAuthenticationFactory : Authenticating Users<a name="UserAuthenticationFactory_:_Authenticating_Users"></a></h4>
+<p>Since Oak 1.1.5 the default user management implementation allows to configure and thus replace the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>, which links the user management implementation with the authentication (specifically the <a href="../authentication/default.html#user_authentication">uid/pw-login</a>) as it exposes the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation to be used for verification of the specified credentials according to details provided by a given user management implementation. </p>
+<div class="section">
+<h5>Examples<a name="Examples"></a></h5>
+<div class="section">
+<h6>Example UserAuthenticationFactory<a name="Example_UserAuthenticationFactory"></a></h6>
+
+<div class="source">
+<pre>@Component()
+@Service(UserAuthenticationFactory.class)
+public class MyUserAuthenticationFactory implements UserAuthenticationFactory {
+
+    private Set&lt;String&gt; ids = Collections.emptySet();
+
+    public MyUserAuthenticationFactory() {}
+
+    //--------------------------------------&lt; UserAuthenticationFactory &gt;---
+    @Override
+    Authentication getAuthentication(@Nonnull UserConfiguration configuration, @Nonnull Root root, @Nullable String userId) {
+        final boolean canAuthenticate = (userId != null &amp;&amp; ids.contains(userId));
+        return new Authentication() {
+            @Override
+            public boolean authenticate(@Nullable Credentials credentials) {
+                return canAuthenticate;
+            }
+        };
+    }
+
+    //------------------------------------------------&lt; SCR Integration &gt;---
+    @Activate
+    private void activate(Map&lt;String, Object&gt; properties) {
+         ids = ImmutableSet.copyOf(PropertiesUtil.toStringArray(properties.get(&quot;ids&quot;), new String[0]));
+    }
+}
+</pre></div>
+<!-- hidden references --></div></div></div></div></div>
+                  </div>
+            </div>
+          </div>
+
+    <hr/>
+
+    <footer>
+            <div class="container-fluid">
+              <div class="row span12">Copyright &copy;                    2012-2016
+                        <a href="http://www.apache.org/">The Apache Software Foundation</a>.
+            All Rights Reserved.      
+                    
+      </div>
+
+        
+        
+          
+    
+    
+                
+    <div id="ohloh" class="pull-right">
+      <script type="text/javascript" src="http://www.ohloh.net/p/jackrabbit-oak/widgets/project_thin_badge.js"></script>
+    </div>
+        </div>
+    </footer>
+  </body>
+</html>
\ No newline at end of file

Propchange: jackrabbit/site/live/oak/docs/security/user/default.html
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/site/live/oak/docs/security/user/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/differences.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/differences.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - User Management : Differences to Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -565,7 +565,7 @@
 
 <ul>
   
-<li>Importing an authorizable to another tree than the configured user/group node will only failed upon save (-&gt; see <tt>UserValidator</tt> during the <tt>Root#commit</tt>). With Jackrabbit 2.x core it used to fail immediately.</li>
+<li>Importing an authorizable to another tree than the configured user/group node  will only failed upon save (-&gt; see <tt>UserValidator</tt> during the <tt>Root#commit</tt>).  With Jackrabbit 2.x core it used to fail immediately.</li>
   
 <li>The <tt>BestEffort</tt> behavior is now also implemented for the import of impersonators (was missing in Jackrabbit /2.x).</li>
   
@@ -639,8 +639,7 @@
 <li>&#x201c;autoExpandSize&#x201d;</li>
   
 <li>&#x201c;groupMembershipSplitSize&#x201d;</li>
-</ul>
-<!-- hidden references --></div></div></div>
+</ul></div></div></div>
                   </div>
             </div>
           </div>

Modified: jackrabbit/site/live/oak/docs/security/user/expiry.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/expiry.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/expiry.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/expiry.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-12
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160212" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Password Expiry and Force Initial Password Change</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-12</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -510,7 +510,7 @@
 <h2>Password Expiry and Force Initial Password Change<a name="Password_Expiry_and_Force_Initial_Password_Change"></a></h2>
 <div class="section">
 <h3>General<a name="General"></a></h3>
-<p>Oak provides functionality to expire passwords of users as well as force users to change their password upon initial (first-time) login.</p></div>
+<p>Since version 1.1.0 Oak provides functionality to expire passwords of users as well as force users to change their password upon initial (first-time) login.</p></div>
 <div class="section">
 <h3>Password Expiry<a name="Password_Expiry"></a></h3>
 <p>Administrators may configure passwords to expire within a configurable amount of time (days). A user whose password has expired will no longer be able to obtain a session/login.</p></div>
@@ -518,15 +518,56 @@
 <h3>Force Initial Password Change<a name="Force_Initial_Password_Change"></a></h3>
 <p>An administrator may configure the system such that a user is forced to set a new password upon first login. This is a special form of Password Expiry above, in that upon creation a user account&#x2019;s password is expired by default. Upon initial login, the user will not be able to obtain a session/login and the password needs to be changed prior to a next attempt. For specifying the new password, the initial password has to be provided.</p></div>
 <div class="section">
-<h3>Configuration of Expiry / Force Initial Password Change<a name="Configuration_of_Expiry__Force_Initial_Password_Change"></a></h3>
-<p>An administrator may enable password expiry and initial password change via the <i>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</i> OSGi configuration. By default expiry is disabled.</p>
+<h3>Configuration<a name="Configuration"></a></h3>
+<p>An administrator may enable password expiry and initial password change via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default both features are disabled.</p>
 <p>The following configuration options are supported:</p>
 
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_MAX_AGE</tt> </td>
+      
+<td>int </td>
+      
+<td>0 </td>
+      
+<td>Number of days until the password expires. </td>
+    </tr>
+    
+<tr class="a">
+      
+<td><tt>PARAM_PASSWORD_INITIAL_CHANGE</tt> </td>
+      
+<td>boolean </td>
+      
+<td>false </td>
+      
+<td>boolean flag to enable initial pw change. </td>
+    </tr>
+  </tbody>
+</table>
+<p>Note:</p>
+
 <ul>
   
-<li>Maximum Password Age (<i>maxPasswordAge</i>, days): When greater 0 enables password  expiry and sets the expiration time in days.</li>
+<li>Maximum Password Age (<tt>maxPasswordAge</tt>) will only be enabled when a value greater 0 is set (expiration time in days).</li>
   
-<li>Change Password On First Login (<i>initialPasswordChange</i>, true|false):  When enabled, forces users to change their password upon first login.</li>
+<li>Change Password On First Login (<tt>initialPasswordChange</tt>): When enabled, forces users to change their password upon first login.</li>
 </ul></div>
 <div class="section">
 <h3>How it works<a name="How_it_works"></a></h3>
@@ -536,11 +577,13 @@
 
 <ul>
   
-<li>The current date-time is after or on the date-time + maxPasswordAge  specified in a <i>rep:passwordLastModified</i> property</li>
+<li>The current date-time is after or on the date-time + maxPasswordAge  specified in a <tt>rep:passwordLastModified</tt> property</li>
   
-<li>OR: Expiry and/or Enforce Password Change is enabled, but no  <i>rep:passwordLastModified</i> property exists</li>
+<li>OR: Expiry and/or Enforce Password Change is enabled, but no  <tt>rep:passwordLastModified</tt> property exists</li>
 </ul>
-<p>For the above, a password node <i>rep:pw</i> and a property <i>rep:passwordLastModified</i>, governed by a new <i>rep:Password</i> node type and located in the user&#x2019;s home, have been introduced, leaving open future enhancements to password management (such as password policies, history, et al):</p>
+<p>For the above, a password node <tt>rep:pw</tt> and a property <tt>rep:passwordLastModified</tt>, governed by a new <tt>rep:Password</tt> node type and located in the user&#x2019;s home, have been introduced, leaving open future enhancements to password management (such as password policies, history, et al):</p></div>
+<div class="section">
+<h4>Representation in the Repository<a name="Representation_in_the_Repository"></a></h4>
 <div class="section">
 <h5>Node Type rep:Password<a name="Node_Type_rep:Password"></a></h5>
 
@@ -557,31 +600,43 @@
     + rep:pwd (rep:Password) = rep:Password protected
     ...
 </pre></div>
-<p>The <i>rep:pw</i> node and the <i>rep:passwordLastModified</i> property are defined protected in order to guard against the user modifying (overcoming) her password expiry. The new sub-node also has the advantage of allowing repository consumers to e.g. register specific commit hooks / actions on such a node.</p>
-<p>In the future the <i>rep:password</i> property on the user node may be migrated to the <i>rep:pw</i> sub-node.</p></div></div>
+<p>The <tt>rep:pw</tt> node and the <tt>rep:passwordLastModified</tt> property are defined protected in order to guard against the user modifying (overcoming) her password expiry. The new sub-node also has the advantage of allowing repository consumers to e.g. register specific commit hooks / actions on such a node.</p>
+<p>In the future the <tt>rep:password</tt> property on the user node may be migrated to the <tt>rep:pw</tt> sub-node.</p></div></div>
 <div class="section">
-<h4>User Creation With Default Expired Password<a name="User_Creation_With_Default_Expired_Password"></a></h4>
-<p>Upon initial creation of a user, the <i>rep:passwordLastModified</i> property is omitted. If expiry or <i>initialPasswordChange</i> are enabled, the absence of the property will be interpreted as immediate expiry of the password. When subsequently the user changes her password via <i>User#changePassword</i>, the <i>rep:passwordLastModified</i> property is set and henceforth interpreted.</p></div>
+<h4>User Creation<a name="User_Creation"></a></h4>
+<p>Upon initial creation of a user, the <tt>rep:passwordLastModified</tt> property is omitted. If expiry or <tt>initialPasswordChange</tt> are enabled, the absence of the property will be interpreted as immediate expiry of the password. When subsequently the user changes her password via <tt>User#changePassword</tt>, the <tt>rep:passwordLastModified</tt> property is set and henceforth interpreted.</p></div>
 <div class="section">
-<h4>Core Authentication Password Expiry Aware<a name="Core_Authentication_Password_Expiry_Aware"></a></h4>
-<p>A login module must throw a <i>javax.security.auth.login.CredentialExpiredException</i> upon encountering an expired password. A consumer implementation can then differentiate between a failed login (due to a wrong password specified) and an expired password, allowing the consumer to take action, e.g. to redirect to a change password form.</p>
-<p>In Oak, the Authentication (currently <i>UserAuthentication</i>) implementation compares within its <i>#authenticate()</i> method the system time with the value stored in the rep:passwordLastModified_ and throws a <i>CredentialExpiredException</i> if now is after or on the date-time specified by the value.</p>
-<p>In the case of <i>initialPasswordChange</i> a password is considered expired if no <i>rep:passwordLastModified</i> property can be found on login.</p>
-<p>Both expiry and force initial password change are checked <i>after</i> regular credentials verification, so as to prevent an attacker identifying valid users by being redirected to a change password form upon expiry.</p></div>
-<div class="section">
-<h4>Oak JCR XML Import<a name="Oak_JCR_XML_Import"></a></h4>
-<p>When users are imported via the Oak JCR XML importer, the expiry relevant nodes and property are supported. If the XML specifies a <i>rep:pw</i> node and optionally a <i>rep:passwordLastModified</i> property, these are imported, irrespective of the password expiry or force initial password change being enabled in the configuration. If they&#x2019;re enabled, the imported property will be used in the normal login process as described above. If not enabled, the imported property will have no effect.</p>
-<p>On the other hand, if the imported user already exists, potentially existing <i>rep:passwordLastModified</i> properties will be overwritten with the value from the import. If password expiry is enabled, this may cause passwords to expire earlier or later than anticipated, governed by the new value. Also, an import may create such a property where none previously existed, thus effectively cancelling the need to change the password on first login - if the feature is enabled.</p>
-<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p></div>
+<h4>Authentication<a name="Authentication"></a></h4>
+<p>A login module must throw a <tt>javax.security.auth.login.CredentialExpiredException</tt> upon encountering an expired password. A consumer implementation can then differentiate between a failed login (due to a wrong password specified) and an expired password, allowing the consumer to take action, e.g. to redirect to a change password form.</p>
+<p>In Oak, the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation provided by default with the user management compares within its <tt>authenticate()</tt> method the system time with the value stored in the <tt>rep:passwordLastModified</tt> and throws a <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/CredentialExpiredException.html">CredentialExpiredException</a> if now is after or on the date-time specified by the value.</p>
+<p>In the case of <tt>initialPasswordChange</tt> a password is considered expired if no <tt>rep:passwordLastModified</tt> property can be found on login.</p>
+<p>Both expiry and force initial password change are checked <i>after</i> regular credentials verification, so as to prevent an attacker identifying valid users by being redirected to a change password form upon expiry.</p>
+<div class="section">
+<h5>UserAuthenticationFactory<a name="UserAuthenticationFactory"></a></h5>
+<p>As described with section <a href="default.html#pluggability">User Management: The Default Implementation</a> it is possible to change the default implementation of the <tt>UserAuthenticationFactory</tt> by pluggin a custom implementation at runtime.</p>
+<p>It&#x2019;s important to note that the authentication related part of password expiry is handled by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/Authentication.html">Authentication</a> implementation exposed by the default <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/user/UserAuthenticationFactory.html">UserAuthenticationFactory</a>. Replacing the factory will ultimately disable the password expiry feature unless a custom implementation respects and enforces the constraints explained before.</p></div></div>
 <div class="section">
 <h4>Changing an Expired Password<a name="Changing_an_Expired_Password"></a></h4>
 <p>Oak supports changing a user&#x2019;s expired password as part of the normal login process.</p>
-<p>Consumers of the repository already specify <i>javax.jcr.SimpleCredentials</i> during login, as part of the normal authentication process. In order to change the password for an expired user, the login may be called with the affected user&#x2019;s <i>javax.jcr.SimpleCredentials</i>, while additionally providing the new password via a credentials attribute <i>newPassword</i>.</p>
-<p>After verifying the user&#x2019;s credentials, <i>before</i> checking expiry, said attribute is then used by the <i>UserAuthentication</i> to change the user&#x2019;s password.</p>
+<p>Consumers of the repository already specify <tt>javax.jcr.SimpleCredentials</tt> during login, as part of the normal authentication process. In order to change the password for an expired user, the login may be called with the affected user&#x2019;s <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html">SimpleCredentials</a>, while additionally providing the new password via a credentials attribute <tt>newPassword</tt>.</p>
+<p>After verifying the user&#x2019;s credentials, <i>before</i> checking expiry, said attribute is then used by the <tt>Authentication</tt> implementation to change the user&#x2019;s password.</p>
 <p>This way the user can change the password while the expiry check succeeds (password expired = false) and a session/login is provided at the same time.</p>
-<p>This method of changing password via the normal login call only works if a user&#x2019;s password is in fact expired and cannot be used for regular password changes (attribute is ignored, use <i>User#changePassword</i> directly instead).</p>
-<p>Should the <a href="history.html">Password History feature</a> be enabled, and - for the above password change - a password already in the history be used, the change will fail and the login still throw a <i>CredentialExpiredException</i>. In order for consumers of the exception to become aware that the credentials are still considered expired, and that the password was not changed due to the new password having been found in the password history, the credentials object is fitted with an additional attribute with name <i>PasswordHistoryException</i>. This attribute may contain the following two values:</p>
-<p><i>&#x201c;New password was found in password history.&#x201d;</i> or <i>&quot;&#x201c;New password is identical to the current password.&#x201d;</i></p></div></div></div>
+<p>This method of changing password via the normal login call only works if a user&#x2019;s password is in fact expired and cannot be used for regular password changes (attribute is ignored, use <tt>User#changePassword</tt> directly instead).</p>
+<p>Should the <a href="history.html">Password History feature</a> be enabled, and - for the above password change - a password already in the history be used, the change will fail and the login still throw a <a class="externalLink" href="https://docs.oracle.com/javase/7/docs/api/javax/security/auth/login/CredentialExpiredException.html">CredentialExpiredException</a>. In order for consumers of the exception to become aware that the credentials are still considered expired, and that the password was not changed due to the new password having been found in the password history, the credentials object is fitted with an additional attribute with name <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/security/user/PasswordHistoryException.html">PasswordHistoryException</a>.</p>
+<p>This attribute may contain the following two values:</p>
+
+<ul>
+  
+<li><i>&#x201c;New password was found in password history.&#x201d;</i> or</li>
+  
+<li><i>&quot;&#x201c;New password is identical to the current password.&#x201d;</i></li>
+</ul></div>
+<div class="section">
+<h4>XML Import<a name="XML_Import"></a></h4>
+<p>When users are imported via the Oak JCR XML importer, the expiry relevant nodes and property are supported. If the XML specifies a <tt>rep:pw</tt> node and optionally a <tt>rep:passwordLastModified</tt> property, these are imported, irrespective of the password expiry or force initial password change being enabled in the configuration. If they&#x2019;re enabled, the imported property will be used in the normal login process as described above. If not enabled, the imported property will have no effect.</p>
+<p>On the other hand, if the imported user already exists, potentially existing <tt>rep:passwordLastModified</tt> properties will be overwritten with the value from the import. If password expiry is enabled, this may cause passwords to expire earlier or later than anticipated, governed by the new value. Also, an import may create such a property where none previously existed, thus effectively cancelling the need to change the password on first login - if the feature is enabled.</p>
+<p>Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.</p>
+<!-- hidden references --></div></div></div>
                   </div>
             </div>
           </div>

Modified: jackrabbit/site/live/oak/docs/security/user/history.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/history.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/history.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/history.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-11
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160211" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Password History</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-11</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 
@@ -510,35 +510,83 @@
 <h2>Password History<a name="Password_History"></a></h2>
 <div class="section">
 <h3>General<a name="General"></a></h3>
-<p>Oak provides functionality to remember a configurable number of passwords after password changes and to prevent a password to be set during changing a user&#x2019;s password if found in said history.</p></div>
+<p>Since version 1.3.3 Oak provides functionality to remember a configurable number of passwords after password changes and to prevent a password to be set during changing a user&#x2019;s password if found in said history.</p></div>
 <div class="section">
 <h3>Configuration<a name="Configuration"></a></h3>
-<p>An administrator may enable password history via the <i>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</i> OSGi configuration. By default the history is disabled.</p>
+<p>An administrator may enable password history via the <tt>org.apache.jackrabbit.oak.security.user.UserConfigurationImpl</tt> OSGi configuration. By default the history is disabled (<tt>passwordHistorySize</tt> set to 0).</p>
 <p>The following configuration option is supported:</p>
 
-<ul>
-  
-<li>Maximum Password History Size (<i>passwordHistorySize</i>, number of passwords): When greater 0 enables password  history and sets feature to remember the specified number of passwords for a user.</li>
-</ul>
-<p>Note, that the current implementation has a limit of at most 1000 passwords remembered in the history.</p></div>
+<table border="0" class="table table-striped">
+  <thead>
+    
+<tr class="a">
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
+<tr class="b">
+      
+<td><tt>PARAM_PASSWORD_HISTORY_SIZE</tt> </td>
+      
+<td>int </td>
+      
+<td>0 </td>
+      
+<td>Number of passwords to be stored in the history </td>
+    </tr>
+    
+<tr class="a">
+      
+<td> </td>
+      
+<td> </td>
+      
+<td> </td>
+      
+<td> </td>
+    </tr>
+  </tbody>
+</table>
+<p>Setting the configuration option to a value greater than 0 enables password history and sets feature to remember the specified number of passwords for a user. Note, that the current implementation has a limit of at most 1000 passwords remembered in the history.</p></div>
 <div class="section">
 <h3>How it works<a name="How_it_works"></a></h3>
 <div class="section">
+<h4>Representation in the Repository<a name="Representation_in_the_Repository"></a></h4>
+<p>History password hashes are recorded in a multi-value property <tt>rep:pwdHistory</tt> on the user&#x2019;s <tt>rep:pwd</tt> node, which mandates the specific node type <tt>rep:Password</tt></p>
+<p>The <tt>rep:pwdHistory</tt> property is defined protected in order to guard against the user modifying (overcoming) her password history limitations.</p>
+
+<div class="source">
+<pre>[rep:User]  &gt; rep:Authorizable, rep:Impersonatable
+    + rep:pwd (rep:Password) = rep:Password protected
+    - rep:password (STRING) protected
+    ...
+
+[rep:Password]
+    - * (UNDEFINED) protected
+    - * (UNDEFINED) protected multiple
+</pre></div></div>
+<div class="section">
 <h4>Recording of Passwords<a name="Recording_of_Passwords"></a></h4>
 <p>If the feature is enabled, during a user changing her password, the old password hash is recorded in the password history.</p>
 <p>The old password hash is only recorded if a password was set (non-empty). Therefore setting a password for a user for the first time (i.e. during creation or if the user doesn&#x2019;t have a password set before) does not result in a history record, as there is no old password.</p>
-<p>The old password hash is copied to the password history <i>after</i> the provided new password has been validated but <i>before</i> the new password hash is written to the user&#x2019;s <i>rep:password</i> property.</p>
+<p>The old password hash is copied to the password history <i>after</i> the provided new password has been validated but <i>before</i> the new password hash is written to the user&#x2019;s <tt>rep:password</tt> property.</p>
 <p>The history operates as a FIFO list. A new password history record exceeding the configured max history size, results in the oldest recorded password from being removed from the history.</p>
-<p>Also, if the configuration parameter for the history size is changed to a non-zero but smaller value than before, upon the next password change the oldest records exceeding the new history size are removed.</p>
-<p>History password hashes are recorded in a multi-value property <i>rep:pwdHistory</i> on the user&#x2019;s <i>rep:pwd</i> node.</p>
-<p>The <i>rep:pwdHistory</i> property is defined protected in order to guard against the user modifying (overcoming) her password history limitations.</p></div>
+<p>Also, if the configuration parameter for the history size is changed to a non-zero but smaller value than before, upon the next password change the oldest records exceeding the new history size are removed. </p></div>
 <div class="section">
 <h4>Evaluation of Password History<a name="Evaluation_of_Password_History"></a></h4>
 <p>Upon a user changing her password and if the password history feature is enabled (configured password history size &gt; 0), implementation checks if the current password or any of the password hashes recorded in the history matches the new password.</p>
-<p>If any record is a match, a <i>ConstraintViolationException</i> is thrown and the user&#x2019;s password is <i>NOT</i> changed.</p></div>
+<p>If any record is a match, a <tt>ConstraintViolationException</tt> is thrown and the user&#x2019;s password is <i>NOT</i> changed.</p></div>
 <div class="section">
-<h4>Oak JCR XML Import<a name="Oak_JCR_XML_Import"></a></h4>
-<p>When users are imported via the Oak JCR XML importer, password history is imported irrespective on whether the password history feature is enabled or not.</p></div></div></div>
+<h4>XML Import<a name="XML_Import"></a></h4>
+<p>When users are imported via the JCR XML importer, password history is imported irrespective on whether the password history feature is enabled or not.</p></div></div></div>
                   </div>
             </div>
           </div>

Modified: jackrabbit/site/live/oak/docs/security/user/membership.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/membership.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/membership.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/membership.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Group Membership</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/security/user/query.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/query.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/user/query.html (original)
+++ jackrabbit/site/live/oak/docs/security/user/query.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Searching Users and Groups</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 

Modified: jackrabbit/site/live/oak/docs/use_getting_started.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/use_getting_started.html?rev=1730074&r1=1730073&r2=1730074&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/use_getting_started.html (original)
+++ jackrabbit/site/live/oak/docs/use_getting_started.html Fri Feb 12 17:09:05 2016
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2016-02-08
+ | Generated by Apache Maven Doxia at 2016-02-10
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20160208" />
+    <meta name="Date-Revision-yyyymmdd" content="20160210" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak - Runnable jar</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -213,7 +213,7 @@
         <ul class="breadcrumb">
                 
                     
-                  <li id="publishDate">Last Published: 2016-02-08</li>
+                  <li id="publishDate">Last Published: 2016-02-10</li>
                   <li class="divider">|</li> <li id="projectVersion">Version: 1.4-SNAPSHOT</li>
                       
                 


