Modified: jackrabbit/site/live/oak/docs/security/principal.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal.html?rev=1862534&r1=1862533&r2=1862534&view=diff ============================================================================== --- jackrabbit/site/live/oak/docs/security/principal.html (original) +++ jackrabbit/site/live/oak/docs/security/principal.html Thu Jul 4 07:02:09 2019 @@ -1,13 +1,13 @@ - + Jackrabbit Oak – Principal Management @@ -86,7 +86,16 @@
  • Solr Index
  • -
  • Security
  • +
  • Atomic Counter
  • Observation
  • @@ -142,7 +151,7 @@ +

    Oak Principal Management Implementation

    The default implementation of the principal management API basically corresponds to the default in Jackrabbit 2.x and is based on the user management implementation. Note however, that as of Oak only a single principal provider is exposed on the SPI level (used to be multiple principal providers with the LoginModule configuration in Jackrabbit 2.x). See the configuration section below for details.

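Review bot: "basically corresponds to the default in Jackrabbit 2.x" is vague for reference documentation; the sentence already states the concrete point (the implementation is based on the user management implementation), so drop "basically" and say in what respect it corresponds, e.g. "The default implementation of the principal management API corresponds to the default in Jackrabbit 2.x in that it is based on the user management implementation." The note that Oak exposes only a single principal provider on the SPI level is the security-relevant change from 2.x and deserves its own sentence rather than a parenthetical, with "See the configuration section below" linked to that section.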
    Modified: jackrabbit/site/live/oak/docs/security/principal/cache.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/principal/cache.html?rev=1862534&r1=1862533&r2=1862534&view=diff ============================================================================== --- jackrabbit/site/live/oak/docs/security/principal/cache.html (original) +++ jackrabbit/site/live/oak/docs/security/principal/cache.html Thu Jul 4 07:02:09 2019 @@ -1,13 +1,13 @@ - + Jackrabbit Oak – Caching Results of Principal Resolution @@ -51,7 +51,7 @@
  • Overview
  • The Node State Model
  • -
  • JCR API
  • +
  • JCR API
  • Jackrabbit API
  • Oak API
  • @@ -169,7 +169,6 @@
  • Document NodeStore
  • Configuration

    An administrator may enable password expiry and initial password change via the org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi configuration. By default both features are disabled.

    @@ -302,7 +336,7 @@
  • Maximum Password Age (maxPasswordAge) will only be enabled when a value greater 0 is set (expiration time in days).
  • Change Password On First Login (initialPasswordChange): When enabled, forces users to change their password upon first login.
  • -

    +

    How it works

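Review bot: in the first bullet of this hunk, "a value greater 0" should read "a value greater than 0", and "(expiration time in days)" would be clearer as "(the value is the expiration time in days)". The second bullet can be tightened to "When enabled, users must change their password on first login." The removed and re-added lines of this hunk show no visible text, so this looks like a markup-only change; worth confirming no wording change was intended.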
    @@ -354,7 +388,7 @@

    Changing an Expired Password

    Oak supports changing a user’s expired password as part of the normal login process.

    -

    Consumers of the repository already specify javax.jcr.SimpleCredentials during login, as part of the normal authentication process. In order to change the password for an expired user, the login may be called with the affected user’s SimpleCredentials, while additionally providing the new password via a credentials attribute newPassword.

    +

    Consumers of the repository already specify javax.jcr.SimpleCredentials during login, as part of the normal authentication process. In order to change the password for an expired user, the login may be called with the affected user’s SimpleCredentials, while additionally providing the new password via a credentials attribute newPassword.

    After verifying the user’s credentials, before checking expiry, said attribute is then used by the Authentication implementation to change the user’s password.

    This way the user can change the password while the expiry check succeeds (password expired = false) and a session/login is provided at the same time.

    This method of changing password via the normal login call only works if a user’s password is in fact expired and cannot be used for regular password changes (attribute is ignored, use User#changePassword directly instead).

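Review bot: the removed paragraph and the added one ("Consumers of the repository already specify javax.jcr.SimpleCredentials during login ...") read identically here, so the change appears to be markup-only (for instance code formatting of javax.jcr.SimpleCredentials and newPassword); if so, fine, otherwise the intended rewording was lost. Separately, the last paragraph, "only works if a user’s password is in fact expired and cannot be used for regular password changes", can be misread as one condition; suggest splitting it: "This method of changing the password via the normal login call only works if the user’s password is in fact expired. It cannot be used for regular password changes: the attribute is then ignored; use User#changePassword directly instead." It is also worth stating explicitly, as the paragraph before it implies, that the newPassword attribute is only consumed after the supplied credentials have been verified.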
    @@ -363,13 +397,20 @@
    • “New password was found in password history.” or
    • -
    • "“New password is identical to the current password.”
    • +
    • “New password is identical to the current password.”

    XML Import

    When users are imported via the Oak JCR XML importer, the expiry relevant nodes and property are supported. If the XML specifies a rep:pw node and optionally a rep:passwordLastModified property, these are imported, irrespective of the password expiry or force initial password change being enabled in the configuration. If they’re enabled, the imported property will be used in the normal login process as described above. If not enabled, the imported property will have no effect.

    On the other hand, if the imported user already exists, potentially existing rep:passwordLastModified properties will be overwritten with the value from the import. If password expiry is enabled, this may cause passwords to expire earlier or later than anticipated, governed by the new value. Also, an import may create such a property where none previously existed, thus effectively cancelling the need to change the password on first login - if the feature is enabled.

    -

    Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.

    +

    Therefore customers using the importer in such fashion should be aware of the potential need to enable password expiry/force initial password change for the imported data to make sense, and/or the effect on already existing/overwritten data.

    +

    With the changes made in the light of OAK-8408 the following rules apply when importing a user without an extra rep:pw node:

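Review bot: removing the stray leading `"` before "“New password is identical to the current password.”" is correct. The replaced paragraph "Therefore customers using the importer in such fashion ..." is identical before and after in this view, so presumably a markup-only change; while touching it, "customers" reads oddly in reference documentation ("users of the importer" or "applications using the importer"), and the sentence would be clearer split in two: one for the need to enable password expiry / initial password change for the imported data to take effect, one for the effect on already existing data that gets overwritten. The new lead-in "With the changes made in the light of OAK-8408 the following rules apply when importing a user without an extra rep:pw node:" ends on a colon, so the rules it announces must follow it as a list in this hunk; also "in the light of" should be "in light of", and OAK-8408 should be linked to the issue.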
    + Modified: jackrabbit/site/live/oak/docs/security/user/groupaction.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/user/groupaction.html?rev=1862534&r1=1862533&r2=1862534&view=diff ============================================================================== --- jackrabbit/site/live/oak/docs/security/user/groupaction.html (original) +++ jackrabbit/site/live/oak/docs/security/user/groupaction.html Thu Jul 4 07:02:09 2019 @@ -1,13 +1,13 @@ - + Jackrabbit Oak – Group Actions @@ -51,7 +51,7 @@
  • Overview
  • The Node State Model
  • -
  • JCR API
  • +
  • JCR API
  • Jackrabbit API
  • Oak API
  • @@ -169,7 +169,6 @@
  • Document NodeStore
  • -
  • Security
  • +
  • Atomic Counter
  • Observation
  • @@ -142,7 +151,7 @@

    Configuration

    An administrator may enable password history via the org.apache.jackrabbit.oak.security.user.UserConfigurationImpl OSGi configuration. By default the history is disabled (passwordHistorySize set to 0).

    @@ -286,7 +320,7 @@

    Setting the configuration option to a value greater than 0 enables password history and sets feature to remember the specified number of passwords for a user. Note, that the current implementation has a limit of at most 1000 passwords remembered in the history.

    -

    +

    How it works
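Review bot: in the paragraph "Setting the configuration option to a value greater than 0 ...", "sets feature to remember" should read "sets the feature to remember", and "Note, that the current implementation" should be "Note that the current implementation". Since the paragraph states a hard limit of 1000 remembered passwords, the documentation should also say what happens when passwordHistorySize is configured above that limit (whether the value is capped at 1000 or rejected), as an administrator reading this cannot tell which.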