JCR itself doesn't come with a dedicated user management API. The only method related and ultimately used for user management tasks is `Session.getUserID()`. Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.
The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `org.apache.jackrabbit.api.security.user` package space:
UserManager
Authorizable
User
Group
Impersonation
QueryBuilder
Query
The Oak project introduces the following user management related public interfaces and classes:
AuthorizableType: eases handling of the different authorizable types.
AuthorizableAction and AuthorizableActionProvider: see Authorizable Actions for details.
AuthorizableNodeName: see section Authorizable Node Name Generation.
GroupAction (via AuthorizableActionProvider): see Group Actions for details.
UserAuthenticationFactory: see sections pluggability and user authentication for additional details.
org.apache.jackrabbit.oak.spi.security.user.*
UserConstants: Constants (NOTE: OAK names/paths)
UserIdCredentials: Simple credentials implementation that might be used for `User.getCredentials` without exposing password information.
org.apache.jackrabbit.oak.spi.security.user.util.*
PasswordUtil: Utilities for password generation. This utility corresponds to the internal Jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) for password generation.
UserUtil: Utilities related to general user management tasks.
The behavior of the default user management implementation is described in section User Management: The Default Implementation.
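The interfaces and utilities listed above used together, as an added example that is not part of the Oak documentation: it creates a user and a group through the Jackrabbit API, then checks that the stored password is a hash. It assumes oak-jcr and its dependencies on the classpath and an in-memory repository with the default admin account; the class name, the ids, the password and the PBKDF2 parameters are constructed for illustration.

```java
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;

public class UserManagementExample {
    public static void main(String[] args) throws Exception {
        // Assumption: throw-away in-memory repository with the default security setup.
        Repository repository = new Jcr(new Oak()).createRepository();
        // Default admin account of a fresh repository; never leave it unchanged in production.
        Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            // Constructed sample accounts and password.
            String password = "constructed-Sample-pw-1";
            User user = userManager.createUser("alice", password);
            Group group = userManager.createGroup("auditors");
            group.addMember(user);
            session.save(); // user management changes stay transient until the session is saved

            // Defender's check: the rep:password property must hold a hash, never the plain text.
            String stored = session.getNode(user.getPath())
                    .getProperty(UserConstants.REP_PASSWORD).getString();
            System.out.println("stored as plain text: " + PasswordUtil.isPlainTextPassword(stored));
            System.out.println("hash matches password: " + PasswordUtil.isSame(stored, password));

            // PasswordUtil can also produce a PBKDF2 hash (16-byte salt, 10000 iterations here).
            String pbkdf2 = PasswordUtil.buildPasswordHash(password, "PBKDF2WithHmacSHA1", 16, 10000);
            System.out.println("PBKDF2 hash verifies: " + PasswordUtil.isSame(pbkdf2, password));

            // Look the account up by id with the expected type, then disable it.
            User found = userManager.getAuthorizable("alice", User.class);
            found.disable("offboarded (constructed reason)");
            session.save();
            System.out.println("alice disabled: " + found.isDisabled());
        } finally {
            session.logout();
        }
    }
}
```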
The Oak user management comes with a dedicated entry point called UserConfiguration. This class is responsible for passing configuration options to the implementation and provides the following two methods:
getUserManager(Root, NamePathMapper): get a new UserManager instance
getUserPrincipalProvider(Root, NamePathMapper): optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).
The supported configuration options of the default implementation are described in the corresponding section.
The default security setup as present with Oak 1.0 allows the default user management implementation to be replaced as follows:
The complete user management implementation can be changed by plugging in a different UserConfiguration implementation. In an OSGi-based setup this is achieved by making the configuration a service which must take precedence over the default. In a non-OSGi-based setup the custom configuration must be exposed by the SecurityProvider implementation.
Alternatively the default user management implementation can be extended and adjusted using various means. See the corresponding section for further details.