jackrabbit-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mreut...@apache.org
Subject svn commit: r1835390 [15/23] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/document/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication...
Date Mon, 09 Jul 2018 08:53:19 GMT
Modified: jackrabbit/site/live/oak/docs/release-schedule.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/release-schedule.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/release-schedule.html (original)
+++ jackrabbit/site/live/oak/docs/release-schedule.html Mon Jul  9 08:53:17 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180524" />
+    <meta name="Date-Revision-yyyymmdd" content="20180709" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Release Schedule</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -241,21 +241,16 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  --><h1>Release Schedule</h1>
+  -->
+<h1>Release Schedule</h1>
 <p>Here is the frequency where the team <b>aim</b> to cut new releases. As we strive for quality rather than frequency the date may slip according to needs.</p>
-
 <ul>
-  
+
 <li>Trunk: every 2 weeks (2 / month, ~26 /year)</li>
-  
 <li>1.8: every 4 weeks (1 / month, ~12 / year)</li>
-  
 <li>1.6: every 8 weeks (1 / other month, ~6 / year)</li>
-  
 <li>1.4: every 13 weeks (1 / quarter, ~4 / year)</li>
-  
 <li>1.2: every 13 weeks (1 / quarter, ~4 / year)</li>
-  
 <li>1.0: every 26 weeks (~2 / year)</li>
 </ul>
         </div>

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol.html Mon Jul  9 08:53:17 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180524" />
+    <meta name="Date-Revision-yyyymmdd" content="20180709" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Access Control Management</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -240,179 +240,148 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="Access_Control_Management"></a>Access Control Management</h2>
 <div class="section">
 <h3><a name="General"></a>General</h3>
-<p>This section covers fundamental concepts of the access control related APIs provided by JCR and Jackrabbit as well as the extensions points defined by Oak. </p>
+<p>This section covers fundamental concepts of the access control related APIs provided by JCR and Jackrabbit as well as the extensions points defined by Oak.</p>
 <p>If you are already familiar with the API and looking for examples you may directly read <a href="accesscontrol/editing.html">Using the Access Control Management API</a> for a comprehensive list of method calls as well as examples that may be used to edit the access control content of the repository.</p>
-<p><a name="jcr_api"></a></p></div>
-<div class="section">
-<h3><a name="JCR_API"></a>JCR API</h3>
-<p>Access Control Management is an optional feature defined by <a class="externalLink" href="http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html">JSR 283</a> consisting of</p>
+<a name="jcr_api"></a>
+### JCR API
 
+<p>Access Control Management is an optional feature defined by <a class="externalLink" href="http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html">JSR 283</a> consisting of</p>
 <blockquote>
+
 <p>&#x2022; Privilege discovery: Determining the privileges that a user has in relation to a node.</p>
 <p>&#x2022; Assigning access control policies: Setting the privileges that a user has in relation to a node using access control policies specific to the implementation.</p>
 </blockquote>
 <p>Whether or not a given implementation supports access control management is defined by the <tt>Repository.OPTION_ACCESS_CONTROL_SUPPORTED</tt> descriptor.</p>
 <p>Since Oak comes with a dedicated <a href="privilege.html">privilege management</a> this section focuses on reading and editing access control information. The main interfaces defined by JSR 283 are:</p>
-
 <ul>
-  
+
 <li><tt>AccessControlManager</tt>: Main entry point for access control related operations</li>
-  
 <li><tt>AccessControlPolicy</tt>: Marker interface for any kind of policies defined by the implementation.
-  
 <ul>
-    
+
 <li><tt>AccessControlList</tt>: mutable policy that may have a list of entries.</li>
-    
 <li><tt>NamedAccessControlPolicy</tt>: opaque immutable policy with a JCR name.</li>
-  </ul></li>
-  
+</ul>
+</li>
 <li><tt>AccessControlEntry</tt>: association of privilege(s) with a given principal bound to a given node by the <tt>AccessControlList</tt>.</li>
 </ul>
 <p>The JCR access control management has the following characteristics:</p>
-
 <ul>
-  
+
 <li><i>path-based</i>: policies are bound to nodes; a given node may have multiple policies; the <tt>null</tt> path identifies repository level policies.</li>
-  
 <li><i>transient</i>: access control related modifications are always transient</li>
-  
 <li><i>binding</i>: policies are decoupled from the repository; in order to bind a policy to a node or apply modifications made to an existing policy <tt>AccessControlManager.setPolicy</tt> must be called.</li>
-  
 <li><i>effect</i>: policies bound to a given node only take effect upon <tt>Session.save()</tt>. Access to properties is defined by the their parent node.</li>
-  
 <li><i>scope</i>: a given policy may not only affect the node it is bound to but may have an effect on accessibility of items elsewhere in the workspace.</li>
 </ul>
-<p><a name="jackrabbit_api"></a></p></div>
-<div class="section">
-<h3><a name="Jackrabbit_API"></a>Jackrabbit API</h3>
-<p>The Jackrabbit API defines various access control related extensions to the JCR API in order to cover common needs such as for example:</p>
+<a name="jackrabbit_api"></a>
+### Jackrabbit API
 
+<p>The Jackrabbit API defines various access control related extensions to the JCR API in order to cover common needs such as for example:</p>
 <ul>
-  
+
 <li><i>deny access</i>: access control entries can be defined to deny privileges at a given path (JCR only defines allowing access control entries)</li>
-  
 <li><i>restrictions</i>: limit the effect of a given access control entry by the mean of restrictions</li>
-  
 <li><i>convenience</i>:
-  
 <ul>
-    
+
 <li>reordering of access control entries in a access control list</li>
-    
 <li>retrieve the path of the node a given policy is (or can be) bound to</li>
-  </ul></li>
-  
+</ul>
+</li>
 <li><i>principal-based</i>:
-  
 <ul>
-    
+
 <li>principal-based access control management API (in contrast to the path-based default specified by JSR 283)</li>
-    
 <li>privilege discovery for a set of principals</li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <p>The following interfaces and extensions are defined:</p>
-
 <ul>
-  
+
 <li><tt>JackrabbitAccessControlManager</tt></li>
-  
 <li><tt>JackrabbitAccessControlPolicy</tt></li>
-  
 <li><tt>JackrabbitAccessControlList</tt></li>
-  
 <li><tt>JackrabbitAccessControlEntry</tt></li>
 </ul>
-<p><a name="api_extensions"></a></p></div>
-<div class="section">
-<h3><a name="API_Extensions"></a>API Extensions</h3>
-<p>Oak defines the following interfaces extending the access control management API:</p>
+<a name="api_extensions"></a>
+### API Extensions
 
+<p>Oak defines the following interfaces extending the access control management API:</p>
 <ul>
-  
-<li><tt>PolicyOwner</tt>: Interface to improve pluggability of the access control management  and allows to termine if a giving manager handles a given policy.</li>
-  
+
+<li><tt>PolicyOwner</tt>: Interface to improve pluggability of the access control management and allows to termine if a giving manager handles a given policy.</li>
 <li><tt>AccessControlConstants</tt>: Constants related to access control management.</li>
 </ul>
 <p>In addition it provides some access control related base classes in <tt>org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol</tt> that may be used for a custom implementation:</p>
-
 <ul>
-  
+
 <li><tt>AbstractAccessControlList</tt>: abstract base implementation of the <tt>JackrabbitAccessControlList</tt> interface
-  
 <ul>
-    
+
 <li><tt>ImmutableACL</tt>: immutable subclass of <tt>AbstractAccessControlList</tt></li>
-    
 <li><tt>ACE</tt>: abstract subclass that implements common methods of a mutable access control list.</li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <div class="section">
 <h4><a name="Restriction_Management"></a>Restriction Management</h4>
 <p>Oak 1.0 defines a dedicated restriction management API. See <a href="authorization/restriction.html">Restriction Management</a> for details and further information regarding extensibility and pluggability.</p>
-<p><a name="utilities"></a></p></div></div>
-<div class="section">
-<h3><a name="Utilities"></a>Utilities</h3>
-<p>The jcr-commons module present with Jackrabbit provide some access control related utilities that simplify the creation of new policies and entries such as for example:</p>
+<a name="utilities"></a>
+### Utilities
 
+<p>The jcr-commons module present with Jackrabbit provide some access control related utilities that simplify the creation of new policies and entries such as for example:</p>
 <ul>
-  
+
 <li><tt>AccessControlUtils.getAccessControlList(Session, String)</tt></li>
-  
 <li><tt>AccessControlUtils.getAccessControlList(AccessControlManager, String)</tt></li>
-  
 <li><tt>AccessControlUtils.addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
 </ul>
 <p>See <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/jackrabbit/authorization/AccessControlUtils.java">org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils</a> for the complete list of methods.</p>
 <div class="section">
-<div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">String path = node.getPath();
+<div>
+<div>
+<pre class="source">String path = node.getPath();
 JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
 acl.addEntry(principal, privileges, true);
 acMgr.setPolicy(path, acl);
 session.save();
 </pre></div></div>
-<p><a name="default_implementation"></a></p></div></div></div>
-<div class="section">
-<h3><a name="Characteristics_of_the_Default_Implementation"></a>Characteristics of the Default Implementation</h3>
-<p>The behavior of the default access control implementation is described in sections <a href="accesscontrol/default.html">Access Control Management: The Default Implementation</a><br />and <a href="authorization/restriction.html">Restriction Management</a>.</p>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
-<p>The configuration of the access control management implementation is handled within the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>, which is used for all authorization related matters. This class provides the following two access control related methods:</p>
+<a name="default_implementation"></a>
+### Characteristics of the Default Implementation
+
+<p>The behavior of the default access control implementation is described in sections <a href="accesscontrol/default.html">Access Control Management: The Default Implementation</a><br />
+and <a href="authorization/restriction.html">Restriction Management</a>.</p>
+<a name="configuration"></a>
+### Configuration
 
+<p>The configuration of the access control management implementation is handled within the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>, which is used for all authorization related matters. This class provides the following two access control related methods:</p>
 <ul>
-  
+
 <li><tt>getAccessControlManager</tt>: get a new ac manager instance.</li>
-  
 <li><tt>getRestrictionProvider</tt>: get a new instance of the restriction provider.</li>
-</ul>
+</ul></div></div>
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
 <p>The supported configuration options of the default implementation are described in the corresponding <a href="accesscontrol/default.html#configuration">section</a>.</p>
-<p><a name="further_reading"></a></p></div></div>
-<div class="section">
-<h3><a name="Further_Reading"></a>Further Reading</h3>
+<a name="further_reading"></a>
+### Further Reading
 
 <ul>
-  
+
 <li><a href="accesscontrol/differences.html">Differences wrt Jackrabbit 2.x</a></li>
-  
 <li><a href="accesscontrol/default.html">Access Control Management: The Default Implementation</a></li>
-  
 <li><a href="accesscontrol/editing.html">Using the Access Control Management API</a></li>
-  
 <li><a href="authorization/restriction.html">Restriction Management</a></li>
-</ul>
-<!-- hidden references --></div></div>
+</ul><!-- hidden references --></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/default.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/default.html Mon Jul  9 08:53:17 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180524" />
+    <meta name="Date-Revision-yyyymmdd" content="20180709" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Access Control Management : The Default Implementation</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -240,7 +240,8 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="Access_Control_Management_:_The_Default_Implementation"></a>Access Control Management : The Default Implementation</h2>
 <div class="section">
 <h3><a name="General"></a>General</h3>
@@ -257,57 +258,32 @@
 <div class="section">
 <h4><a name="Access_Control_Policies"></a>Access Control Policies</h4>
 <p>The Oak access control management exposes two types of policies that cover all use case defined by the specification and required by the default setup:</p>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Name </th>
-      
-<th>Policy </th>
-      
-<th>Description </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>Default ACL </td>
-      
-<td><tt>JackrabbitAccessControlList</tt> </td>
-      
-<td>access control on individual nodes </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>Repo-Level ACL </td>
-      
-<td><tt>JackrabbitAccessControlList</tt> </td>
-      
-<td>repo-level access control for the <tt>null</tt> path </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>Read Policy </td>
-      
-<td><tt>NamedAccessControlPolicy</tt> </td>
-      
-<td>trees that are configured to be readable to everyone </td>
-    </tr>
-    
+<th> Name            </th>
+<th> Policy                        </th>
+<th> Description                </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> Default ACL     </td>
+<td> <tt>JackrabbitAccessControlList</tt> </td>
+<td> access control on individual nodes </td></tr>
+<tr class="a">
+<td> Repo-Level ACL  </td>
+<td> <tt>JackrabbitAccessControlList</tt> </td>
+<td> repo-level access control for the <tt>null</tt> path </td></tr>
+<tr class="b">
+<td> Read Policy     </td>
+<td> <tt>NamedAccessControlPolicy</tt>    </td>
+<td> trees that are configured to be readable to everyone </td></tr>
 <tr class="a">
-      
-<td> </td>
-      
 <td> </td>
-      
 <td> </td>
-    </tr>
-  </tbody>
+<td> </td></tr>
+</tbody>
 </table>
 <div class="section">
 <h5><a name="Default_ACL"></a>Default ACL</h5>
@@ -322,38 +298,33 @@
 <h5><a name="Read_Policy"></a>Read Policy</h5>
 <p>These immutable policy has been introduced in Oak 1.0 in order to allow for opening up trees that need to be readable to all sessions irrespective of other effective policies.</p>
 <p>By default these policies are bound to the following trees:</p>
-
 <ul>
-  
+
 <li><tt>/jcr:system/rep:namespaces</tt>: stores all registered namespaces</li>
-  
 <li><tt>/jcr:system/jcr:nodeTypes</tt>: stores all registered node types</li>
-  
 <li><tt>/jcr:system/rep:privileges</tt>: stores all registered privileges</li>
 </ul>
 <p>The default set can be changed or extended by setting the corresponding configuration option. However, it is important to note that many JCR API calls rely on the accessibility of the namespace, nodetype and privilege information. Removing the corresponding paths from the configuration will most probably have undesired effects.</p></div></div>
 <div class="section">
 <h4><a name="Access_Control_Entries"></a>Access Control Entries</h4>
 <p>The access control entries present in a given list are subject to the following rules applied upon editing but not enforced by <tt>CommitHook</tt>s:</p>
-
 <ul>
-  
+
 <li><i>uniqueness</i>: a given entry may only appear onces in a list</li>
-  
 <li><i>merging</i>: if an entry exists for a given principal with the same allow-status and restrictions, the existing entry will be updated without being moved in the list.</li>
-  
 <li><i>redundancy</i>: if an new entry makes an existing entry (partially) redundant the existing entry will be updated or removed altogether.</li>
 </ul></div>
 <div class="section">
 <h4><a name="Restrictions"></a>Restrictions</h4>
 <p>Access control entries may be created by limiting their effect by adding restrictions as mentioned by JSR 283. Details about the restriction management in Oak 1.0 as well as a list of built-in restrictions and extensibility can be found in section <a href="../authorization/restriction.html">Restriction Management</a>.</p>
-<p><a name="representation"></a></p></div></div>
-<div class="section">
-<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
+<a name="representation"></a>
+### Representation in the Repository
+
 <p>All access control policies defined with an Oak repository are stores child of the node they are bound to. The node type definition used to represent access control content:</p>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:AccessControllable]
+<div>
+<div>
+<pre class="source">[rep:AccessControllable]
   mixin
   + rep:policy (rep:Policy) protected IGNORE
 
@@ -387,14 +358,15 @@
   - * (UNDEFINED) protected
   - * (UNDEFINED) protected multiple
 </pre></div></div>
-<div class="section">
+
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Regular_ACL_at_content"></a>Regular ACL at /content</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">&quot;&quot;: {
+<div>
+<div>
+<pre class="source">&quot;&quot;: {
     &quot;jcr:primaryType&quot;: &quot;rep:root&quot;,
     &quot;content&quot;: {
         &quot;jcr:primaryType&quot;: &quot;oak:Unstructured&quot;,
@@ -418,12 +390,14 @@
         }
     }
 }
-</pre></div></div></div>
+</pre></div></div>
+</div>
 <div class="section">
 <h6><a name="Repo-Level_Policy"></a>Repo-Level Policy</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">&quot;&quot;: {
+<div>
+<div>
+<pre class="source">&quot;&quot;: {
     &quot;jcr:primaryType&quot;: &quot;rep:root&quot;,
     &quot;jcr:mixinTypes&quot;: &quot;rep:RepoAccessControllable&quot;,
     &quot;rep:repoPolicy&quot;: {
@@ -435,7 +409,8 @@
         }
     }
 }
-</pre></div></div></div></div></div></div>
+</pre></div></div>
+</div></div></div></div>
 <div class="section">
 <h3><a name="XML_Import"></a>XML Import</h3>
 <p>As of OAK 1.0 access control content can be imported both with Session and Workspace import.</p>
@@ -444,186 +419,104 @@
 <p>The different <tt>ImportBehavior</tt> flags are implemented as follows: - <tt>ABORT</tt>: throws an <tt>AccessControlException</tt> if the principal is unknown - <tt>IGNORE</tt>: ignore the entry defining the unknown principal - <tt>BESTEFFORT</tt>: import the access control entry with an unknown principal.</p>
 <p>In order to get the same best effort behavior as present with Jackrabbit 2.x the configuration parameters of the <tt>AuthorizationConfiguration</tt> must contain the following entry:</p>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">importBehavior = &quot;besteffort&quot;
+<div>
+<div>
+<pre class="source">importBehavior = &quot;besteffort&quot;
 </pre></div></div>
+
 <p>See also (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>))</p>
-<p><a name="validation"></a></p></div>
-<div class="section">
-<h3><a name="Validation"></a>Validation</h3>
-<p>The consistency of this content structure is asserted by a dedicated <tt>AccessControlValidator</tt>. The corresponding errors are all of type <tt>AccessControl</tt> with the following codes:</p>
+<a name="validation"></a>
+### Validation
 
+<p>The consistency of this content structure is asserted by a dedicated <tt>AccessControlValidator</tt>. The corresponding errors are all of type <tt>AccessControl</tt> with the following codes:</p>
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
 <tr class="a">
-      
-<th>Code </th>
-      
-<th>Message </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td>0001 </td>
-      
-<td>Generic access control violation </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0002 </td>
-      
-<td>Access control entry node expected </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0003 </td>
-      
-<td>Invalid policy name </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0004 </td>
-      
-<td>Invalid policy node: Order of children is not stable </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0005 </td>
-      
-<td>Access control policy within access control content </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0006 </td>
-      
-<td>Isolated policy node </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0007 </td>
-      
-<td>Isolated access control entry </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0008 </td>
-      
-<td>ACE without principal name </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0009 </td>
-      
-<td>ACE without privileges </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0010 </td>
-      
-<td>ACE contains invalid privilege name </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0011 </td>
-      
-<td>ACE uses abstract privilege </td>
-    </tr>
-    
-<tr class="a">
-      
-<td>0012 </td>
-      
-<td>Repository level policies defined with non-root node </td>
-    </tr>
-    
-<tr class="b">
-      
-<td>0013 </td>
-      
-<td>Duplicate ACE found in policy </td>
-    </tr>
-  </tbody>
+<th> Code              </th>
+<th> Message                                                  </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> 0001              </td>
+<td> Generic access control violation                         </td></tr>
+<tr class="a">
+<td> 0002              </td>
+<td> Access control entry node expected                       </td></tr>
+<tr class="b">
+<td> 0003              </td>
+<td> Invalid policy name                                      </td></tr>
+<tr class="a">
+<td> 0004              </td>
+<td> Invalid policy node: Order of children is not stable     </td></tr>
+<tr class="b">
+<td> 0005              </td>
+<td> Access control policy within access control content      </td></tr>
+<tr class="a">
+<td> 0006              </td>
+<td> Isolated policy node                                     </td></tr>
+<tr class="b">
+<td> 0007              </td>
+<td> Isolated access control entry                            </td></tr>
+<tr class="a">
+<td> 0008              </td>
+<td> ACE without principal name                               </td></tr>
+<tr class="b">
+<td> 0009              </td>
+<td> ACE without privileges                                   </td></tr>
+<tr class="a">
+<td> 0010              </td>
+<td> ACE contains invalid privilege name                      </td></tr>
+<tr class="b">
+<td> 0011              </td>
+<td> ACE uses abstract privilege                              </td></tr>
+<tr class="a">
+<td> 0012              </td>
+<td> Repository level policies defined with non-root node     </td></tr>
+<tr class="b">
+<td> 0013              </td>
+<td> Duplicate ACE found in policy                            </td></tr>
+</tbody>
 </table>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
+<a name="configuration"></a>
+### Configuration
+
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
 <p>The default implementation supports the following configuration parameters:</p>
-
 <table border="0" class="table table-striped">
-  <thead>
-    
+<thead>
+
+<tr class="a">
+<th> Parameter                    </th>
+<th> Type                </th>
+<th> Default                  </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> <tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
+<td> RestrictionProvider </td>
+<td> RestrictionProviderImpl  </td></tr>
 <tr class="a">
-      
-<th>Parameter </th>
-      
-<th>Type </th>
-      
-<th>Default </th>
-    </tr>
-  </thead>
-  <tbody>
-    
-<tr class="b">
-      
-<td><tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
-      
-<td>RestrictionProvider </td>
-      
-<td>RestrictionProviderImpl </td>
-    </tr>
-    
-<tr class="a">
-      
-<td><tt>PARAM_READ_PATHS</tt> </td>
-      
-<td>Set&lt;String&gt; </td>
-      
-<td>paths to namespace, nodetype and privilege root nodes </td>
-    </tr>
-    
-<tr class="b">
-      
-<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
-      
-<td>String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
-      
-<td>&#x201c;abort&#x201d; </td>
-    </tr>
-    
+<td> <tt>PARAM_READ_PATHS</tt>           </td>
+<td> Set&lt;String&gt;       </td>
+<td> paths to namespace, nodetype and privilege root nodes  </td></tr>
+<tr class="b">
+<td> <tt>PARAM_IMPORT_BEHAVIOR</tt>      </td>
+<td> String (&#x201c;abort&#x201d;, &#x201c;ignore&#x201d;, &#x201c;besteffort&#x201d;) </td>
+<td> &#x201c;abort&#x201d; </td></tr>
 <tr class="a">
-      
-<td> </td>
-      
 <td> </td>
-      
 <td> </td>
-    </tr>
-  </tbody>
+<td> </td></tr>
+</tbody>
 </table>
 <p>Differences to Jackrabbit 2.x:</p>
-
 <ul>
-  
+
 <li>The &#x201c;omit-default-permission&#x201d; configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak.</li>
-  
 <li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
-</ul>
-<!-- hidden references --></div></div></div>
+</ul><!-- hidden references --></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/differences.html Mon Jul  9 08:53:17 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180524" />
+    <meta name="Date-Revision-yyyymmdd" content="20180709" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Access Control Management : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -240,7 +240,8 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  --><div class="section">
+  -->
+<div class="section">
 <div class="section">
 <h3><a name="Access_Control_Management_:_Differences_wrt_Jackrabbit_2.x"></a>Access Control Management : Differences wrt Jackrabbit 2.x</h3>
 <div class="section">
@@ -252,7 +253,7 @@
 <p>As of OAK those methods throw <tt>PathNotFoundException</tt> if the corresponding node is not accessible by the editing session. This is in accordance with the behavior mandated by JSR 283 and a bug in Jackrabbit 2.x.</p></div>
 <div class="section">
 <h6><a name="getEffectivePolicies"></a>getEffectivePolicies</h6>
-<p>In contrast to Jackrabbit 2.x the editing session is used to retrieve the effective policies and the policies returned by these methods are guarantueed to only return information that is otherwise accessible by the session. The corresponding methods in Jackrabbit 2.x use to throw an exception in this situation.</p></div></div>
+<p>In contrast to Jackrabbit 2.x the editing session is used to retrieve the effective policies and the policies returned by these methods are guarantueed to only return information that is otherwise accessible by the session. The corresponding methods in Jackrabbit 2.x use to throw an  exception in this situation.</p></div></div>
 <div class="section">
 <h5><a name="AccessControlPolicy"></a>AccessControlPolicy</h5>
 <p>OAK introduces a new type of policy that enforces regular read-access for everyone on the trees that hold this new <tt>ReadPolicy</tt> (see <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-951">OAK-951</a>). The main usage of this new policy is to ensure backwards compatible behavior of repository level information (node types, namespace, privileges) that are now kept within the content repository. In Jackrabbit 2.x this information was stored in the file system without the ability to apply or enforce regular access control such as present with items in the repository.</p>
@@ -270,34 +271,28 @@
 <div class="section">
 <h5><a name="Restrictions"></a>Restrictions</h5>
 <p>The implementation of additional restrictions associated with an ACE has been slighly modified/extended.</p>
-<p>See section <a href="../authorization/restriction.html">Restriction Management</a> for details. </p></div>
+<p>See section <a href="../authorization/restriction.html">Restriction Management</a> for details.</p></div>
 <div class="section">
 <h5><a name="XML_Import"></a>XML Import</h5>
-
 <ul>
-  
+
 <li>respects <tt>ImportBehavior</tt> for handling of principals instead of just performing best effort import</li>
-  
 <li>supports both <tt>Workspace</tt> and <tt>Session</tt> import</li>
 </ul></div></div>
 <div class="section">
 <h4><a name="Configuration"></a>Configuration</h4>
-
 <ul>
-  
+
 <li>The &#x201c;omit-default-permission&#x201d; configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak.</li>
-  
 <li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
 </ul></div>
 <div class="section">
 <h4><a name="Important_Note"></a>Important Note</h4>
 <p>The following modification is most likely to have an effect on existing applications:</p>
-
 <ul>
-  
-<li><tt>AccessControlManager#hasPrivilege()</tt> and <tt>AccessControlManager#getPrivileges()</tt> will throw a  <tt>PathNotFoundException</tt> if the node for the specified path is not accessible. The Jackrabbit 2  implementation is wrong and we fixed that in OAK (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-886">OAK-886</a>).  If the new behaviour turns out to be a problem with existing applications we might consider  adding backward compatible behaviour.</li>
-</ul>
-<!-- hidden references --></div></div></div>
+
+<li><tt>AccessControlManager#hasPrivilege()</tt> and <tt>AccessControlManager#getPrivileges()</tt> will throw a <tt>PathNotFoundException</tt> if the node for the specified path is not accessible. The Jackrabbit 2 implementation is wrong and we fixed that in OAK (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-886">OAK-886</a>). If the new behaviour turns out to be a problem with existing applications we might consider adding backward compatible behaviour.</li>
+</ul><!-- hidden references --></div></div></div>
         </div>
       </div>
     </div>

Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html Mon Jul  9 08:53:17 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180524" />
+    <meta name="Date-Revision-yyyymmdd" content="20180709" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Using the Access Control Management API</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -240,37 +240,34 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  --><div class="section">
+  -->
+<div class="section">
 <h2><a name="Using_the_Access_Control_Management_API"></a>Using the Access Control Management API</h2>
 <div class="section">
 <h3><a name="Reading"></a>Reading</h3>
 <div class="section">
 <h4><a name="Privilege_Discovery"></a>Privilege Discovery</h4>
 <p>Discover/test privileges for the editing session:</p>
-
 <ul>
-  
+
 <li><tt>AccessControlManager</tt>
-  
 <ul>
-    
+
 <li><tt>hasPrivileges(String, Privilege[])</tt></li>
-    
 <li><tt>getPrivileges(String)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <p>Discover/test privileges for a set of principal that may differ from those associated with the reading subject. Note that this method requires editing session to be able to have <tt>READ_ACCESS_CONTROL</tt> permission on the node associated with the specified path.</p>
-
 <ul>
-  
+
 <li><tt>JackrabbitAccessControlManager</tt>
-  
 <ul>
-    
+
 <li><tt>hasPrivileges(String, Set&lt;Principal&gt;, Privilege[])</tt></li>
-    
 <li><tt>getPrivileges(String, Set&lt;Principal&gt;, Privilege[])</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <div class="section">
 <h5><a name="Note"></a>Note</h5>
@@ -278,123 +275,121 @@
 <p>See section <a href="../permission/permissionsandprivileges.html">Permissions vs Privileges</a> for an comprehensive overview on the differences between testing permissions on <tt>Session</tt> and privileges on <tt>AccessControlManager</tt>.</p></div></div>
 <div class="section">
 <h4><a name="Reading_Policies"></a>Reading Policies</h4>
-
 <ul>
-  
+
 <li>
+
 <p><tt>AccessControlManager</tt></p>
-  
 <ul>
-    
+
 <li><tt>getApplicablePolicies(String)</tt></li>
-    
 <li><tt>getPolicies(String)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>JackrabbitAccessControlManager</tt></p>
-  
 <ul>
-    
+
 <li><tt>getApplicablePolicies(Principal)</tt></li>
-    
 <li><tt>getPolicies(Principal)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Read_policies_bound_to_a_node"></a>Read policies bound to a node</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">AccessControlManager acMgr = session.getAccessControlManager();
+<div>
+<div>
+<pre class="source">AccessControlManager acMgr = session.getAccessControlManager();
 AccessControlPolicy[] policies = acMgr.getPolicies(&quot;/content&quot;);
-</pre></div></div></div>
+</pre></div></div>
+</div>
 <div class="section">
 <h6><a name="Read_policies_that_have_not_yet_been_bound_to_the_node"></a>Read policies that have not yet been bound to the node</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">AccessControlManager acMgr = session.getAccessControlManager();
+<div>
+<div>
+<pre class="source">AccessControlManager acMgr = session.getAccessControlManager();
 AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
-</pre></div></div></div></div></div>
+</pre></div></div>
+</div></div></div>
 <div class="section">
 <h4><a name="Reading_Policy_Content"></a>Reading Policy Content</h4>
-
 <ul>
-  
+
 <li>
+
 <p><tt>AccessControlList</tt></p>
-  
 <ul>
-    
+
 <li><tt>getAccessControlEntries()</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>JackrabbitAccessControlList</tt></p>
-  
 <ul>
-    
+
 <li><tt>getRestrictionNames()</tt></li>
-    
 <li><tt>getRestrictionType(String)</tt></li>
-    
 <li><tt>isEmpty()</tt></li>
-    
 <li><tt>size()</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>PrincipalSetPolicy</tt></p>
-  
 <ul>
-    
+
 <li><tt>getPrincipals()</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul></div>
 <div class="section">
 <h4><a name="Reading_Effective_Policies"></a>Reading Effective Policies</h4>
-
 <ul>
-  
-<li><tt>AccessControlManager</tt>
-  
+
+<li>
+
+<p><tt>AccessControlManager</tt></p>
 <ul>
-    
+
 <li><tt>getEffectivePolicies(String)</tt></li>
-  </ul></li>
 </ul>
+</li>
+<li>
 
+<p><tt>JackrabbitAccessControlManager</tt></p>
 <ul>
-  
-<li><tt>JackrabbitAccessControlManager</tt>
-  
-<ul>
-    
+
 <li><tt>getEffectivePolicies(Set&lt;Principal&gt;)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul></div></div>
 <div class="section">
 <h3><a name="Writing"></a>Writing</h3>
 <div class="section">
 <h4><a name="Adding_Policies"></a>Adding Policies</h4>
-
 <ul>
-  
+
 <li><tt>AccessControlManager</tt>
-  
 <ul>
-    
+
 <li><tt>setPolicy(String, AccessControlPolicy)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Bind_a_policy_to_a_node"></a>Bind a policy to a node</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
+<div>
+<div>
+<pre class="source">AccessControlPolicyIterator it = acMgr.getApplicablePolicies(&quot;/content&quot;);
 while (it.hasNext()) {
     AccessControlPolicy policy = it.nextPolicy();
     if (policy instanceof NamedAccessControlPolicy &amp;&amp; &quot;myPolicy&quot;.equals((NamedAccessControlPolicy) policy).getName()) {
@@ -402,137 +397,124 @@ while (it.hasNext()) {
         session.save();
     }
 }
-</pre></div></div></div></div></div>
+</pre></div></div>
+</div></div></div>
 <div class="section">
 <h4><a name="Modifying_Policies"></a>Modifying Policies</h4>
 <p>Modification of policies is specific to the policy type. JCR/Jackrabbit API only define a single mutable type of policies: the access control list. Depending on the access control implementation there may be other mutable policies.</p>
-
 <ul>
-  
+
 <li>
+
 <p><tt>AccessControlList</tt></p>
-  
 <ul>
-    
+
 <li><tt>addAccessControlEntry(Principal, Privilege[])</tt></li>
-    
 <li><tt>removeAccessControlEntry(AccessControlEntry)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>JackrabbitAccessControlList</tt></p>
-  
 <ul>
-    
+
 <li><tt>addAccessControlEntry(Principal, Privilege[], boolean)</tt></li>
-    
 <li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;)</tt></li>
-    
 <li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map&lt;String, Value&gt;, Map&lt;String, Value[]&gt;)</tt></li>
-    
 <li><tt>orderBefore(AccessControlEntry, AccessControlEntry)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>PrincipalSetPolicy</tt></p>
-  
 <ul>
-    
+
 <li><tt>addPrincipals(Principal...)</tt></li>
-    
 <li><tt>removePrincipals(Principal...)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>AccessControlUtils</tt></p>
-  
 <ul>
-    
+
 <li><tt>getAccessControlList(Session, String)</tt></li>
-    
 <li><tt>getAccessControlList(AccessControlManager, String)</tt></li>
-    
 <li><tt>addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
-    
 <li><tt>addAccessControlEntry(Session, String, Principal, Privilege[], boolean)</tt></li>
-    
 <li><tt>grantAllToEveryone(Session, String)</tt></li>
-    
 <li><tt>denyAllToEveryone(Session, String)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <div class="section">
 <h5><a name="Retrieve_Principals"></a>Retrieve Principals</h5>
 <p>The default and recommended ways to obtain <tt>Principal</tt>s for access control management is through the principal management API:</p>
-
 <ul>
-  
+
 <li><tt>PrincipalManager</tt> (see section <a href="../principal.html">Principal Management</a>)
-  
 <ul>
-    
+
 <li><tt>getPrincipal(String)</tt></li>
-    
 <li><tt>getPrivilege(String)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <p>One way of representing principals in the repository is by the means of user management: If user management is supported in a given Oak repository (see <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java">OPTION_USER_MANAGEMENT_SUPPORTED</a> repository descriptor), principals associated with a given user/group can be obtained by calling:</p>
-
 <ul>
-  
+
 <li><tt>Authorizable</tt> (see section <a href="../user.html">User Management</a>)
-  
 <ul>
-    
+
 <li><tt>getPrincipal()</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <p>Note however, that this will only work for principals backed by a user/group. Principals provided by a different principal management implementation won&#x2019;t be accessible through user management.</p></div>
 <div class="section">
 <h5><a name="Retrieve_Privileges"></a>Retrieve Privileges</h5>
-
 <ul>
-  
+
 <li>
+
 <p><tt>PrivilegeManager</tt> (see section <a href="../privilege.html">Privilege Management</a>)</p>
-  
 <ul>
-    
+
 <li><tt>getRegisteredPrivileges()</tt></li>
-    
 <li><tt>getPrivilege(String)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>AccessControlManager</tt></p>
-  
 <ul>
-    
+
 <li><tt>getSupportedPrivileges(String)</tt></li>
-    
 <li><tt>privilegeFromName(String)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
+
 <p><tt>AccessControlUtils</tt></p>
-  
 <ul>
-    
+
 <li><tt>privilegesFromNames(Session session, String... privilegeNames)</tt></li>
-    
 <li><tt>privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)</tt></li>
-  </ul></li>
-  
+</ul>
+</li>
 <li>
-<p><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</p></li>
+
+<p><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</p>
+</li>
 </ul></div>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Modify_an_AccessControlList"></a>Modify an AccessControlList</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = null;
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = null;
 // try if there is an acl that has been set before
 for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;)) {
     if (policy instanceof JackrabbitAccessControlList) {
@@ -549,12 +531,14 @@ if (acl != null) {
     acMgr.setPolicy(acl.getPath(), acl);
     session.save();
 }
-</pre></div></div></div>
+</pre></div></div>
+</div>
 <div class="section">
 <h6><a name="Create_or_Modify_an_AccessControlList"></a>Create or Modify an AccessControlList</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = null;
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = null;
 // try if there is an acl that has been set before
 for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;)) {
     if (policy instanceof JackrabbitAccessControlList) {
@@ -583,10 +567,12 @@ if (acl != null) {
     session.save();
 }
 </pre></div></div>
+
 <p>or alternatively use <tt>AccessControlUtils</tt>:</p>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, &quot;/content&quot;);
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, &quot;/content&quot;);
 if (acl != null) {
     PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
     Principal principal = principalManager.getPrincipal(&quot;jackrabbit&quot;);
@@ -596,32 +582,34 @@ if (acl != null) {
     acMgr.setPolicy(acl.getPath(), acl);
     session.save();
 }
-</pre></div></div></div></div></div>
+</pre></div></div>
+</div></div></div>
 <div class="section">
 <h4><a name="Removing_Policies"></a>Removing Policies</h4>
-
 <ul>
-  
+
 <li><tt>AccessControlManager</tt>
-  
 <ul>
-    
+
 <li><tt>removePolicy(String, AccessControlPolicy)</tt></li>
-  </ul></li>
+</ul>
+</li>
 </ul>
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
 <div class="section">
 <h6><a name="Remove_a_policy"></a>Remove a policy</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;);
+<div>
+<div>
+<pre class="source">for (AccessControlPolicy policy : acMgr.getPolicies(&quot;/content&quot;);
     if (policy instanceof NamedAccessControlPolicy &amp;&amp; &quot;myPolicy&quot;.equals((NamedAccessControlPolicy) policy).getName()) {
         acMgr.removePolicy(&quot;/content&quot;, policy);
         session.save();
     }
 }
-</pre></div></div></div></div></div></div>
+</pre></div></div>
+</div></div></div></div>
 <div class="section">
 <h3><a name="Access_Control_on_Repository_Level"></a>Access Control on Repository Level</h3>
 <div class="section">
@@ -630,8 +618,9 @@ if (acl != null) {
 <div class="section">
 <h6><a name="Allow_a_Principal_to_Register_Namespaces"></a>Allow a Principal to Register Namespaces</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
 if (acl != null) {
     PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
     Principal principal = principalManager.getPrincipal(&quot;dinosaur&quot;);

Modified: jackrabbit/site/live/oak/docs/security/authentication.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/authentication.html?rev=1835390&r1=1835389&r2=1835390&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/authentication.html (original)
+++ jackrabbit/site/live/oak/docs/security/authentication.html Mon Jul  9 08:53:17 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-05-24 
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-07-09 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180524" />
+    <meta name="Date-Revision-yyyymmdd" content="20180709" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Authentication</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -136,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-05-24<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-07-09<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -240,7 +240,8 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---><div class="section">
+-->
+<div class="section">
 <h2><a name="Authentication"></a>Authentication</h2>
 <div class="section">
 <h3><a name="JAAS_Authentication_and_Login_Modules"></a>JAAS Authentication and Login Modules</h3>
@@ -251,97 +252,74 @@
 <h5><a name="Brief_recap_of_the_JAAS_authentication"></a>Brief recap of the JAAS authentication</h5>
 <p>The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/spi/LoginModule.html">javax.security.auth.spi.LoginModule</a>. The authentication process within the <tt>LoginModule</tt> proceeds in two distinct phases, login and commit phase:</p>
 <p><i>Phase 1: Login</i></p>
-
 <ol style="list-style-type: decimal">
-  
+
 <li>In the first phase, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method gets invoked by the <tt>LoginContext</tt>&#x2019;s <tt>login</tt> method.</li>
-  
-<li>The <tt>login</tt> method for the <tt>LoginModule</tt> then performs the actual authentication (prompt for and verify a  password for example) and saves its authentication status as private state information.</li>
-  
-<li>Once finished, the <tt>LoginModule</tt>&#x2019;s login method either returns <tt>true</tt> (if it succeeded) or <tt>false</tt> (if it should  be ignored), or throws a <tt>LoginException</tt> to specify a failure. In the failure case, the <tt>LoginModule</tt> must not  retry the authentication or introduce delays. The responsibility of such tasks belongs to the application.  If the application attempts to retry the authentication, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method will be called again.</li>
+<li>The <tt>login</tt> method for the <tt>LoginModule</tt> then performs the actual authentication (prompt for and verify a password for example) and saves its authentication status as private state information.</li>
+<li>Once finished, the <tt>LoginModule</tt>&#x2019;s login method either returns <tt>true</tt> (if it succeeded) or <tt>false</tt> (if it should be ignored), or throws a <tt>LoginException</tt> to specify a failure. In the failure case, the <tt>LoginModule</tt> must not retry the authentication or introduce delays. The responsibility of such tasks belongs to the application. If the application attempts to retry the authentication, the <tt>LoginModule</tt>&#x2019;s <tt>login</tt> method will be called again.</li>
 </ol>
 <p><i>Phase 2: Commit</i></p>
-
 <ol style="list-style-type: decimal">
-  
-<li>In the second phase, if the <tt>LoginContext</tt>&#x2019;s overall authentication succeeded (the relevant REQUIRED, REQUISITE,  SUFFICIENT and OPTIONAL LoginModules succeeded), then the <tt>commit</tt> method for the <tt>LoginModule</tt> gets invoked.</li>
-  
-<li>The <tt>commit</tt> method for a <tt>LoginModule</tt> checks its privately saved state to see if its own authentication  succeeded.</li>
-  
-<li>If the overall <tt>LoginContext</tt> authentication succeeded and the <tt>LoginModule</tt>&#x2019;s own authentication succeeded, then  the <tt>commit</tt> method associates the relevant Principals (authenticated identities) and Credentials (authentication  data such as cryptographic keys) with the Subject located within the <tt>LoginModule</tt>.</li>
-  
-<li>If the <tt>LoginContext</tt>&#x2019;s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL  LoginModules did not succeed), then the <tt>abort</tt> method for each <tt>LoginModule</tt> gets invoked. In this case, the  <tt>LoginModule</tt> removes/destroys any authentication state originally saved.</li>
+
+<li>In the second phase, if the <tt>LoginContext</tt>&#x2019;s overall authentication succeeded (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded), then the <tt>commit</tt> method for the <tt>LoginModule</tt> gets invoked.</li>
+<li>The <tt>commit</tt> method for a <tt>LoginModule</tt> checks its privately saved state to see if its own authentication succeeded.</li>
+<li>If the overall <tt>LoginContext</tt> authentication succeeded and the <tt>LoginModule</tt>&#x2019;s own authentication succeeded, then the <tt>commit</tt> method associates the relevant Principals (authenticated identities) and Credentials (authentication data such as cryptographic keys) with the Subject located within the <tt>LoginModule</tt>.</li>
+<li>If the <tt>LoginContext</tt>&#x2019;s overall authentication failed (the relevant REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules did not succeed), then the <tt>abort</tt> method for each <tt>LoginModule</tt> gets invoked. In this case, the <tt>LoginModule</tt> removes/destroys any authentication state originally saved.</li>
 </ol></div>
 <div class="section">
 <h5><a name="Login_module_execution_order"></a>Login module execution order</h5>
 <p>Very simply put, all the login modules that participate in JAAS authentication are configured in a list and can have flags indicating how to treat their behaviors on the <tt>login()</tt> calls.</p>
-<p>JAAS defines the following module flags:<br />(The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html">javax.security.auth.login.Configuration</a>)</p>
-
+<p>JAAS defines the following module flags:<br />
+(The following section is copied and adapted from the javadoc of <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html">javax.security.auth.login.Configuration</a>)</p>
 <ul>
-  
-<li><b>Required</b>: The LoginModule is required to succeed. If it succeeds or fails,  authentication still continues to proceed down the LoginModule list.</li>
-  
-<li><b>Requisite</b>: The LoginModule is required to succeed. If it succeeds, authentication  continues down the LoginModule list. If it fails, control immediately returns  to the application (authentication does not proceed down the LoginModule list).</li>
-  
-<li><b>Sufficient</b>: The LoginModule is not required to succeed. If it does succeed,  control immediately returns to the application (authentication does not proceed  down the LoginModule list). If it fails, authentication continues down the LoginModule list.</li>
-  
-<li><b>Optional</b>: The LoginModule is not required to succeed. If it succeeds or  fails, authentication still continues to proceed down the LoginModule list.</li>
+
+<li><b>Required</b>:  The LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.</li>
+<li><b>Requisite</b>: The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).</li>
+<li><b>Sufficient</b>: The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.</li>
+<li><b>Optional</b>: The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.</li>
 </ul>
 <p>The overall authentication succeeds <b>only</b> if <b>all</b> Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.</p>
-<p><a name="jcr_api"></a></p></div></div></div>
-<div class="section">
-<h3><a name="JCR_API"></a>JCR API</h3>
+<a name="jcr_api"></a>
+### JCR API
+
 <p>Within the scope of JCR <tt>Repository.login</tt> is used to authenticate a given user. This method either takes a <tt>Credentials</tt> argument if the validation is performed by the repository itself or <tt>null</tt> in case the user has be pre-authenticated by an external system.</p>
 <p>Furthermore JCR defines two types of <tt>Credentials</tt> implementations:</p>
-
 <ul>
-  
+
 <li><a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/GuestCredentials.html">javax.jcr.GuestCredentials</a>: used to obtain a &#x201c;guest&#x201d;, &#x201c;public&#x201d; or &#x201c;anonymous&#x201d; session.</li>
-  
 <li><a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/SimpleCredentials.html">javax.jcr.SimpleCredentials</a>: used to login a user with a userId and password.</li>
 </ul>
 <p>The following variants exist for the repository login itself:</p>
-
 <ul>
-  
+
 <li><tt>Repository.login()</tt>: equivalent to passing <tt>null</tt> credentials and the default workspace name.</li>
-  
 <li><tt>Repository.login(Credentials credentials)</tt>: login with credentials to the default workspace.</li>
-  
 <li><tt>Repository.login(String workspace)</tt>: login with <tt>null</tt> credentials to the workspace with the specified name.</li>
-  
 <li><tt>Repository.login(Credentials credentials, String workspaceName)</tt></li>
-  
-<li><tt>JackrabbitRepository.login(Credentials credentials, String workspaceName, Map&lt;String, Object&gt; attributes)</tt>:  in addition allows to pass implementation specific session attributes.</li>
+<li><tt>JackrabbitRepository.login(Credentials credentials, String workspaceName, Map&lt;String, Object&gt; attributes)</tt>: in addition allows to pass implementation specific session attributes.</li>
 </ul>
 <p>See <a class="externalLink" href="http://www.day.com/specs/javax.jcr/javadocs/jcr-2.0/javax/jcr/Repository.html">javax.jcr.Repository</a> and <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java">org.apache.jackrabbit.api.JackrabbitRepository</a> for further details.</p>
-<p>In addition JCR defines <tt>Session.impersonate(Credentials)</tt> to impersonate another user or - as of JSR 333 - clone an existing session.</p>
-<p><a name="oak_api"></a></p></div>
-<div class="section">
-<h3><a name="Oak_API"></a>Oak API</h3>
-<p>The Oak API contains the following authentication related methods and interfaces</p>
+<p>In addition JCR defines <tt>Session.impersonate(Credentials)</tt> to impersonate another user or - as of JSR 333 -  clone an existing session.</p>
+<a name="oak_api"></a>
+### Oak API
 
+<p>The Oak API contains the following authentication related methods and interfaces</p>
 <ul>
-  
+
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/api/AuthInfo.html">AuthInfo</a>: Immutable object created upon successful login providing information about the authenticated <tt>Subject.</tt></li>
-  
 <li><tt>ContentRepository.login(Credentials, String)</tt>: The Oak counterpart of the JCR login.</li>
-  
 <li><tt>ContentSession.getAuthInfo()</tt>: exposes the <tt>AuthInfo</tt> associated with the <tt>ContentSession</tt>.</li>
 </ul>
-<p><a name="api_extensions"></a></p></div>
-<div class="section">
-<h3><a name="API_Extension"></a>API Extension</h3>
+<a name="api_extensions"></a>
+### API Extension
+</div></div>
 <div class="section">
 <h4><a name="Oak_Authentication"></a>Oak Authentication</h4>
 <p>In the the package <tt>org.apache.jackrabbit.oak.spi.security.authentication</tt> Oak 1.0 defines some extensions points that allow for further customization of the authentication.</p>
-
 <ul>
-  
+
 <li><tt>LoginContextProvider</tt>: Configurable provider of the <tt>LoginContext</tt> (see below)</li>
-  
 <li><tt>LoginContext</tt>: Interface version of the JAAS LoginContext aimed to ease integration with non-JAAS components</li>
-  
 <li><tt>Authentication</tt>: Aimed to validate credentials during the first phase of the (JAAS) login process.</li>
 </ul>
 <p>In addition this package contains various utilities and base implementations. Most notably an abstract login module implementation (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.html">AbstractLoginModule</a>) as described below and a default implementation of the AuthInfo interface (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.html">AuthInfoImpl</a>).</p>
@@ -349,20 +327,18 @@
 <h5><a name="Abstract_Login_Module"></a>Abstract Login Module</h5>
 <p>This package also contains a abstract <tt>LoginModule</tt> implementation (<a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AbstractLoginModule.html">AbstractLoginModule</a>) providing common functionality. In particular it contains Oak specific methods that allow subclasses to retrieve the <tt>SecurityProvider</tt>, a <tt>Root</tt> and accesss to various security related interfaces (e.g. <tt>PrincipalManager</tt>).</p>
 <p>Subclasses are required to implement the following methods:</p>
-
 <ul>
-  
+
 <li><tt>getSupportedCredentials()</tt>: return a set of supported credential classes. See also section <a href="#supported_credentials">Supported Credentials</a></li>
-  
 <li><tt>login()</tt>: The login method defined by <tt>LoginModule</tt></li>
-  
 <li><tt>commit()</tt>: The commit method defined by <tt>LoginModule</tt></li>
 </ul>
 <div class="section">
 <h6><a name="Example:_Extending_AbstractLoginModule"></a>Example: Extending AbstractLoginModule</h6>
 
-<div class="source">
-<div class="source"><pre class="prettyprint">public class TestLoginModule extends AbstractLoginModule {
+<div>
+<div>
+<pre class="source">public class TestLoginModule extends AbstractLoginModule {
 
     private Credentials credentials;
     private String userId;
@@ -403,87 +379,70 @@
     }
 }
 </pre></div></div>
-<p><a name="supported_credentials"></a></p></div></div></div>
-<div class="section">
-<h4><a name="Supported_Credentials"></a>Supported Credentials</h4>
-<p>Since Oak 1.5.1 the extensions additionally contain a dedicated interface that eases the support for different <tt>Credentials</tt> in the package space <tt>org.apache.jackrabbit.oak.spi.security.authentication.credentials</tt>:</p>
+<a name="supported_credentials"></a>
+#### Supported Credentials
 
+<p>Since Oak 1.5.1 the extensions additionally contain a dedicated interface that eases the support for different <tt>Credentials</tt> in the package space <tt>org.apache.jackrabbit.oak.spi.security.authentication.credentials</tt>:</p>
 <ul>
-  
+
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/CredentialsSupport.html">CredentialsSupport</a>: Interface definition exposing the set of supported <tt>Credentials</tt> classes and some common utility methods.</li>
-  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/credentials/SimpleCredentialsSupport.html">SimpleCredentialsSupport</a>: Default implementation for the widely used <tt>SimpleCredentials</tt></li>
 </ul>
-<p><a name="default_implementation"></a></p></div></div>
-<div class="section">
-<h3><a name="Oak_Authentication_Implementation"></a>Oak Authentication Implementation</h3>
+<a name="default_implementation"></a>
+### Oak Authentication Implementation
+
 <p>A description of the various requirements covered by Oak by default as well as the characteristics of the corresponding implementations can be found in section <a href="authentication/default.html">Authentication: Implementation Details</a>.</p>
 <p>See section <a href="authentication/differences.html">differences</a> for comprehensive list of differences wrt authentication between Jackrabbit 2.x and Oak.</p>
-<p><a name="configuration"></a></p></div>
-<div class="section">
-<h3><a name="Configuration"></a>Configuration</h3>
-<p>The configuration of the authentication setup is defined by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.html">AuthenticationConfiguration</a>. This interface provides the following method:</p>
+<a name="configuration"></a>
+### Configuration
 
+<p>The configuration of the authentication setup is defined by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/AuthenticationConfiguration.html">AuthenticationConfiguration</a>. This interface provides the following method:</p>
 <ul>
-  
+
 <li><tt>getLoginContextProvider()</tt>: provides the login contexts for the desired authentication mechanism.</li>
-</ul>
+</ul></div></div></div>
 <div class="section">
 <h4><a name="JAAS_Configuration_Utilities"></a>JAAS Configuration Utilities</h4>
 <p>There also exists a utility class that allows to obtain different <tt>javax.security.auth.login.Configuration</tt> for the most common setup [11]:</p>
-
 <ul>
-  
+
 <li><tt>ConfigurationUtil#getDefaultConfiguration</tt>: default OAK configuration supporting uid/pw login configures <tt>LoginModuleImpl</tt> only</li>
-  
 <li><tt>ConfigurationUtil#getJackrabbit2Configuration</tt>: backwards compatible configuration that provides the functionality covered by jackrabbit-core DefaultLoginModule, namely:
-  
 <ul>
-    
+
 <li><tt>GuestLoginModule</tt>: null login falls back to anonymous</li>
-    
 <li><tt>TokenLoginModule</tt>: covers token based authentication</li>
-    
 <li><tt>LoginModuleImpl</tt>: covering regular uid/pw login</li>
-  </ul></li>
 </ul>
-<p><a name="pluggability"></a></p></div></div>
-<div class="section">
-<h3><a name="Pluggability"></a>Pluggability</h3>
-<p>The default security setup as present with Oak 1.0 is able to provide custom implementation on various levels:</p>
+</li>
+</ul>
+<a name="pluggability"></a>
+### Pluggability
 
+<p>The default security setup as present with Oak 1.0 is able to provide custom implementation on various levels:</p>
 <ol style="list-style-type: decimal">
-  
-<li>The complete authentication setup can be changed by plugging a different  <tt>AuthenticationConfiguration</tt> implementations. In OSGi-base setup this is  achieved by making the configuration a service. In a non-OSGi-base setup the  custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
-  
-<li>Within the default authentication setup you replace or extend the set of  login modules and their individual settings. In an OSGi-base setup is achieved  by making the modules accessible to the framework and setting their execution  order accordingly. In a Non-OSGi setup this is specified in the <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS config</a>.</li>
+
+<li>The complete authentication setup can be changed by plugging a different <tt>AuthenticationConfiguration</tt> implementations. In OSGi-base setup this is achieved by making the configuration a service. In a non-OSGi-base setup the custom configuration must be exposed by the <tt>SecurityProvider</tt> implementation.</li>
+<li>Within the default authentication setup you replace or extend the set of login modules and their individual settings. In an OSGi-base setup is achieved by making the modules accessible to the framework and setting their execution order accordingly. In a Non-OSGi setup this is specified in the <a class="externalLink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS config</a>.</li>
 </ol>
-<p><a name="further_reading"></a></p></div>
-<div class="section">
-<h3><a name="Further_Reading"></a>Further Reading</h3>
+<a name="further_reading"></a>
+### Further Reading
 
 <ul>
-  
+
 <li><a href="authentication/default.html">Authentication: Implementation Details</a></li>
-  
 <li><a href="authentication/differences.html">Differences wrt Jackrabbit 2.x</a></li>
-  
 <li><a href="authentication/tokenmanagement.html">Token Authentication and Token Management</a></li>
-  
 <li><a href="authentication/externalloginmodule.html">External Authentication</a>
-  
 <ul>
-    
+
 <li><a href="authentication/usersync.html">User and Group Synchronization</a></li>
-    
 <li><a href="authentication/identitymanagement.html">Identity Management</a></li>
-    
 <li><a href="authentication/ldap.html">LDAP Integration</a></li>
-  </ul></li>
-  
-<li><a href="authentication/preauthentication.html">Pre-Authentication</a></li>
 </ul>
-<!-- references --></div></div>
+</li>
+<li><a href="authentication/preauthentication.html">Pre-Authentication</a></li>
+</ul><!-- references --></div></div></div>
         </div>
       </div>
     </div>



Mime
View raw message