Oak Documentation

JCR API

JCR itself doesn't come with a dedicated user management API. The only method related and ultimately used for user management tasks is Session.getUserID(). Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.

Jackrabbit API

The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user' package space:

• UserManager
• Authorizable
  • User
  • Group
• Impersonation
• QueryBuilder
  • Query

API Extensions

The Oak project introduces the following user management related public interfaces and classes:

• AuthorizableType: ease handling with the different authorizable types.
• AuthorizableAction and AuthorizableActionProvider: see Authorizable Actions for details.
• AuthorizableNodeName: see section Authorizable Node Name Generation.
• GroupAction (via AuthorizableActionProvider): see Group Actions for details.
• UserAuthenticationFactory: see sections pluggability and user authentication for additional details.
• DynamicMembershipService and DynamicMembershipProvider to reflect dynamic group membership. The new interfaces allow to extend the default behavior which is limited to everyone as described in Built-in Users and Special Groups. See User and Group Synchronization : Dynamic Membership for an example.

Utilities

org.apache.jackrabbit.oak.spi.security.user.*

• UserConstants : Constants (NOTE: OAK names/paths)
• UserIdCredentials : Simple credentials implementation that might be used for `User.getCredentials' without exposing pw information.

org.apache.jackrabbit.oak.spi.security.user.util.*

• PasswordUtil : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.
• UserUtil : Utilities related to general user management tasks.

Oak User Management Implementation

The behavior of the default user management implementation is described in section User Management: The Default Implementation.

Configuration

The Oak user management comes with a dedicated entry point called UserConfiguration. This class is responsible for passing configuration options to the implementation and provides the following two methods:

• getUserManager(Root, NamePathMapper): get a new UserManager instance
• getUserPrincipalProvider(Root, NamePathMapper): optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).

Pluggability

The default security setup as present with Oak 1.0 is able to have the default user management implementation replaced as follows:

The complete user management implementation can be changed by plugging a different UserConfiguration implementations. In OSGi-base setup this is achieved by making the configuration a service which must take precedence over the default. In a non-OSGi-base setup the custom configuration must be exposed by the SecurityProvider implementation.

Alternatively the default user management implementation can be extended and adjusted using various means. See the corresponding section for further details.

Further Reading

• Differences wrt Jackrabbit 2.x
• User Management : The Default Implementation
  • Group Membership
  • Authorizable Actions
  • Authorizable Node Name
  • Password Expiry and Force Initial Password Change
  • Password History
• Searching Users and Groups