Moved repository master into its own directory

repository/docs/identity-provider/authentication/README.md

@@ -0,0 +1,165 @@
+## Authentication
+
+![Completeness Badge](https://img.shields.io/badge/Document_Level-In_Progress-yellow.svg?style=flat-square)
+
+### Purpose
+
+The purpose of this sub-component is to authenticate users.  
+***
+
+### Overview
+
+In order to use any service in Alfresco, a user must be authenticated.  
+
+Alfresco provides a default Authentication implementation that uses userid's and passwored
+ managed by Alfresco.  But, importantly, Alfresco also allows the customer
+to integrate with a number of external Authentication providers including
+* Active Directory
+* Kerberos
+* LDAP
+
+***
+
+### Artifacts and Guidance
+
+* Source Code Links:
+  * https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root/enterpriseprojects/repository/source/java/
+  * https://github.com/Alfresco/alfresco-data-model/tree/master/src/main/java/org/alfresco/repo/security/authentication
+* License: LGPL
+* Issue Tracker Link: https://issues.alfresco.com/jira/issues/?jql=project%3DREPO
+* Documentation Link: http://docs.alfresco.com/5.2/concepts/auth-intro.html
+* Contribution Model: Alfresco Open Source
+***
+
+
+### Prerequisite Knowledge
+
+* [Acegi](http://springinpractice.com/2008/02/26/acegi-overview)
+* [CAS](https://en.wikipedia.org/wiki/Central_Authentication_Service)
+* [JAAS](http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html)
+* [Kerberos](https://msdn.microsoft.com/en-us/library/bb742516.aspx)
+* [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
+***
+
+### Design
+
+#### Default Authentication
+
+In order to use any service in Alfresco, a user or client must be authenticated.  
+
+There is a default implementation provided that authenticates users based on a userid and password, where the userid's and passwords
+are stored in the Alfresco repository.
+
+#### Chaining
+
+Most production systems that use Alfresco will rely upon more secure approaches, so Alfresco also allows the
+customer to integrate a choice of existing authentication providers, including *Active Directory*, *Kerberos* and *LDAP*.  
+
+The implementation of each such Authorization provider is delivered as a separate Alfresco Subsystem.  
+The Subsystems are chained together as an ordered list of providers each of which, in turn, will be given
+a chance to authenticate the user, until the user is authenticated or there are no providers, in
+which case the authentication of the user fails.
+
+
+#### Component Model
+
+#### Data Model
+![Data Model](../resource/class/org.alfresco.repo.security.authentication.png)
+
+#### Data Dictionary
+
+#### Flows
+
+##### Login Flow
+
+##### Default Authentication Login Flow
+This flow starts when the Login Post request
+depicted in [Client Login](../../../share/share-app/resource/sequence/client-login-sequence.png) reaches the repository tier.
+![Default Authentication Login Flow](./resource/sequence/login-using-default-authentication.png)
+
+##### Default Authentication Logoff Flow
+![Note](https://img.shields.io/badge/Editor-TODO-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
+
+##### Kerberos Authentication Login Flow
+![Note](https://img.shields.io/badge/Editor-TODO-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
+
+#### Class Diagram
+![Authentication](../resource/class/org.alfresco.service.cmr.security.class.png)
+
+
+### APIs and Interfaces
+
+#### Java
+
+The sub-component provides a definition and implementation of the following
+Java interfaces.
+
+* **Authentication Service**
+**Note**: This service is part of the Public API
+  * authenticate using a user name and password
+  * authenticate using a ticket
+  * create, update and delete authentication information
+  * clear the current authentication
+  * invalidate a ticket
+  * get the username for who is currently authenticated
+  * get a ticket for subsequent re-authentication
+  * determine if the current user is 'the system user
+* **MutableAuthenticationService*
+
+In addition, there are a number of related interfaces that provide
+a way to manage users and groups and permissions
+![Note](https://img.shields.io/badge/Editor-Note-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
+*This information should probably move to the Identity sub-component after the content already there (future design thoughts)
+is relocated*
+
+* **Authority Service**  
+**Note**: This service is part of the Public API
+  * create authority identifiers
+  * query for authority identifiers
+  * delete authority identifiers
+  * organize authority identifiers into hierarchies
+  * query against authority identifiers hierarchies
+  * find all the authorties that apply to the current authenticated user
+  * determine if the current authenticated user has admin rights
+* **Ownable Service**  
+**Note**: This service is **not** part of the Public API
+  * determine the owner of a node;
+  * set the owner of a node;
+  * determine if a node has an owner
+  * allow the current user to take ownership of a node
+* **Person Service**  
+  **Note**: This service is part of the Public API
+  * obtain a reference to the Person node for a given user name
+  * determine if a person entry exists for a user
+  * create missing people entries, with default settings, on demand
+  * supply a list of mutable properties for each person
+  * create, delete and update personal information
+***
+#### REST
+
+The sub-component provides the following REST API
+* https://api-explorer.alfresco.com/api-explorer/#/authentication
+
+### Configuration
+***
+
+### Performance Considerations
+![Note](https://img.shields.io/badge/Editor-TODO-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
+Describe Caching of tickets
+As mentioned in the *Security Considerations* section, Bcrypt can be used to encrypt passwords.  Note that is
+is much slower than MD4 or SHA-256.
+***
+
+### Security Considerations
+***
+In the case of the default Authentication provider, Alfresco is responsible for storing
+userid's and passwords.   The passwords are stored as hashed values.  The default hashing
+algorithm used is MD4, but the customer can also elect to use more secure hashing algorithms
+include SHA-256 and Bcrypt.  The system property *system.preferred.password.encoding* is used
+to select which algorithm is used.  
+
+### Cloud Considerations
+
+![Note](https://img.shields.io/badge/Editor-TODO-yellow.svg?&style=flat-square?colorB=2196f3&style=flat-square)
+Describe OAuth2 for protection of Cloud REST API's.
+***

repository/docs/identity-provider/authentication/resource/sequence/login-using-default-authentication.puml

@@ -0,0 +1,117 @@
+@startuml
+
+Title: Default Authentication Login Flow
+
+participant "Repository\nContainer" as W
+participant "LoginPost\nbean" as LB
+participant "SubsystemChaining\nAuthenticationService" as SCAS
+participant "MutableAuthentication\nServiceImpl" as AS
+participant "Authentication\nComponentImpl" as AC
+participant "PersonServiceImpl" as PS
+participant "NodeService" as NS
+participant "Authentication\nContextImpl" as ACX
+participant "Authentication\nUtil" as AU
+participant "InMemoryTicketComponentImpl" as ITC
+participant "AuthorityServiceImpl" as AUS
+participant "RepositoryAuthenticatedUser" as RAU
+participant "RepositoryAuthenticationDao" as RAD
+participant "MD4PasswordEncoderImpl" as MPE
+participant "RepositoryAuthenticationProvider" as RAP
+participant "CompositePasswordEncoder" as CPE
+
+activate W
+W->LB: login request <username> <password>
+LB->LB: login <username> <password>
+LB->SCAS:authenticate <username> <password>
+note right of SCAS
+allowedUsers and maxUsers check
+end note
+SCAS->SCAS: preAuthenticationCheck
+note right of SCAS
+get list of usableAuthenticationServices
+and iterates over this list.  In
+this default case there is a single
+service 'alfrescoNtlm'
+end note
+SCAS->AS: authenticate\n<username> <password>
+AS->AC:clearCurrentSecurityContext
+AC->ACX:clearCurrentSecurityContext
+ACX->AU:clearCurrentSecurityContext
+AU->ACX: done
+ACX->AC: done
+AC->AS: done
+AS->ITC:clearCurrentTicket
+ITC->AS: done
+note right of AS
+allowedUsers and maxUsers check
+end note
+AS->AS: preAuthenticationCheck
+note right of AS
+Checks cache to detect
+Brute Force attack
+end note
+AS->AS: isUserProtected <username>
+AS->AC: authenticate\n<username> <password>
+AC->PS:getUserIdentifier <username>
+PS->PS:getPersonOrNullImpl
+PS->PS:looks for Person\nin Cache
+PS->NS:get properties of Person\nand checks if\nneeds to add to cache
+PS->AC: username
+note right of AC
+Checks for guest
+end note
+AC->AC:isGuestUserName
+AC->AC: authenticateImpl <username> <password>
+AC->AU: getUserTenant
+AU->AC: tenant
+group Retrying Transaction
+AC->RAD: loadUserByUsername <username>
+RAD->RAU: constructor <username> <hashedpassword>
+RAD->AC: user details
+AC->RAP: isPasswordCorrect\n(UsernamePasswordAuthenticationToken, user details)
+RAP->CPE: matches
+CPE->MPE:isPasswordValid
+MPE->MPE:encodeInternal
+MPE->MPE: true
+MPE->RAP: true
+RAP->AC: true
+AC->AUS: isAdminAuthority
+AUS->AC: false
+AC->PS:getPersonOrNullImpl
+PS->PS:looks for Person\nin Cache
+PS->NS:get properties of Person\nand checks if\nneeds to add to cache
+NS->PS: properties
+PS->AC: username
+end
+group setCurrentUser <username>
+AC->ACX: isSystemUserName <username>
+ACX->AC: false
+AC->AC: setUserDetails (role=<b>ROLE_AUTHENTICATED</b>)
+end
+note right of AC
+Increment numberSuccessfulAuthentications
+end note
+AC->AC: onAuthenticate
+AC->AS: succeeded
+AS->ITC: clearCurrentTicket
+ITC->AS: done
+AS->ITC: getCurrentTicket (auto create off)
+ITC->AS
+AS->AS: getNewTicket
+AS->AS: preAuthenticationCheck
+AS->ITC: getNewTicket
+AS->SCAS
+SCAS->LB
+note right of LB
+Put ticket into the model
+end note
+LB->AS: getCurrentTicket
+AS->LB: ticket
+LB->W: Login Request Response
+note right of W
+Authentication TICKET
+returned in model
+end note
+deactivate W
+
+@enduml