As of Oak 1.0 Repository#login() and Repository#login(null, wspName) is no longer treated as guest login but as pre-authenticed as defined by JSR 283. In order to get backwards compatible behavior, Oak comes with a dedicated GuestLoginModule that can be added to the JAAS (or the corresponding OSGi) configuration.
With respect to guest login (aka anonymous login) the Oak content repository out of the box contains the following modifications:
Oak provides two different mechanisms to create pre-authentication that doesn’t involve the repositories internal authentication mechanism for credentials validation. See the corresponding section Pre-Authentication for details and examples.
As of OAK 1.0 the latest changes made to JSR 333 with respect to Session#impersonate have been adopted (JSR_333-27): Any attempt to impersonate the same session (self-impersonation) will succeed as long as the user is still valid.
The OAK implementation of Session#impersonate no longer uses SimpleCredentials to transport the original Subject but rather performs the login with dedicated ImpersonationCredentials.
This modification will not affect applications that used JCR API to impersonate a given session. However the following example which ‘manually’ builds impersonation credentials the way jackrabbit core was handling it will no longer work to impersonate an existing session:
org.apache.jackrabbit.core.SessionImpl sImpl = (SessionImpl) mySession; SimpleCredentials jrImpCreds = new SimpleCredentials("someUserId, new char[0]); creds.setAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE, sImpl.getSubject()); Session impersonated = sImpl.getRepository().login(jrImpCreds, sImpl.getWorkspace().getName());
Upon migration to Oak such implementation specific code should be refactored to use regular JCR API for impersonation:
// Note: build credentials depends on the auth setup ! Credentials impersonationCredentials = new SimpleCredentials("someUserId, new char[0]); Session impersonated = session.impersonate(impersonationCredentials);
In order to achieve impersonation on the Oak API directly:
ContentRepository contentRepo = ... ContentSession editingSession = ... AuthInfo impersonatorInfo = editingSession.getAuthInfo(); Credentials credentials = new SimpleCredentials("someUserId, new char[0]); ImpersonationCredentials impersonationCredentials = new ImpersonationCredentials(credentials, impersonatorInfo); ContentSession impersonated = contentRepo.login(impersonationCredentials, editingSession.getWorkspaceName());
The token based authentication has been completely refactor in Oak as described in section Token Management. The default implementation differs from Jackrabbit as follows
As far as the token based authentication itself is concerned the Oak implementation contains the following changes compared to Jackrabbit 2.x: