MODE-1107, MODE-1205 Added support for pluggable authorization and authentication

Changed how the ModeShape JCR repository authenticates and authorizes clients to no longer be entirely self-contained. Now, it is possible to configure each Repository instance with one or more customized authentication providers that are added to several built-in authentication providers for JAAS, anonymous (if configured), and HTTP Servlet. When Repository.login(...) is called, these providers are consulted in serial to authenticate the supplied credentials, and a Session is created if any provider successfully authenticates.
The ExecutionContext's SecurityContext is used to perform any authorization. Since the already-existing SecurityContext could only perform role-based permissions, a new AuthorizingSecurityContext interface was added to do path-based authorization, and is now used first if the ExecutionContext's security context is an AuthorizingSecurityContext implementation.
Therefore, each authenticator is responsible for creating an ExecutionContext that represents the user, including an appropriate (Authorizing)SecurityContext instance.
The AuthorizationProvider.authorize(...) method takes a Map<String,Object> parameter, allowing providers to add name-value pairs to this map when the supplied credentials are authenticated. ModeShape takes this map (populated only by the provider that successfully authenticates) and uses it as the Session's attributes. Thus, this technique allows each provider to place their own information in the Session attributes. Also updated the new Reference Guide section that talks about the AuthorizationProvider framework.
JcrRepository can be configured such that any user failing authentication will be authenticated as an anonymous user. The way JcrRepository was tracking this option was not clear, so it was changed to set up an AnonymousCredentials in these situations, and if the user fails authentication with their the AnonymousCredentials then we try to authenticate them anonymously (using the AnonymousCredentials). This was merely an implementation change, so no documentation changes were necessary.
Finally, it is possible to disable the JAAS AuthenticationProvider by specifying a zero-length value for the 'jaasLoginConfigName' option. This was also documented in the associated Reference Guide sections.
Again, out-of-the-box ModeShape works as it did before, except that SecurityContextCredentials are deprecated and authentication with them is DISABLED by default.
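
The serial provider chain, the per-provider attribute map and the anonymous fallback described in the commit message above, as an added illustration that is not ModeShape code. The `Provider`, `Session` and `login` names and all credential values are hypothetical stand-ins constructed for this sketch, not the project's API.

```java
import java.util.*;

// Simplified stand-in model of the provider chain; every name here is hypothetical.
public class ProviderChainDemo {
    /** Returns the authenticated user name, or null if the credentials are not accepted. */
    interface Provider {
        String authenticate(Map<String, String> credentials, Map<String, Object> attributes);
    }

    record Session(String user, Map<String, Object> attributes) {}

    static Session login(List<Provider> providers, Map<String, String> credentials,
                         boolean anonymousFallback) {
        for (Provider p : providers) {
            // Fresh map per provider: a provider that writes attributes and then
            // rejects the credentials cannot leak them into the resulting Session.
            Map<String, Object> attrs = new HashMap<>();
            String user = p.authenticate(credentials, attrs);
            if (user != null) {
                return new Session(user, Collections.unmodifiableMap(attrs));
            }
        }
        if (anonymousFallback) {
            // Anonymous sessions carry no provider-supplied attributes.
            return new Session("<anonymous>", Map.of());
        }
        throw new SecurityException("no provider accepted the credentials");
    }

    public static void main(String[] args) {
        // Constructed sample providers and credentials.
        Provider token = (c, a) -> {
            a.put("tokenChecked", true); // written before the accept/reject decision
            return "constructed-token".equals(c.get("token")) ? "svc-account" : null;
        };
        Provider password = (c, a) -> {
            if (!"alice".equals(c.get("user")) || !"constructed-pw".equals(c.get("password"))) {
                return null;
            }
            a.put("authenticatedBy", "password");
            return "alice";
        };
        List<Provider> chain = List.of(token, password);

        // The token provider rejects these credentials; the password provider accepts them.
        System.out.println(login(chain, Map.of("user", "alice", "password", "constructed-pw"), false));
        // No provider accepts; the fallback option decides between anonymous and failure.
        System.out.println(login(chain, Map.of("user", "mallory", "password", "x"), true));
    }
}
```

With the fallback enabled, a failed login still yields a usable session, so the privileges granted to the anonymous user bound what a caller with bad credentials can do.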