Index: oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/UserDelegator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/UserDelegator.java	(revision )
+++ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/UserDelegator.java	(revision )
@@ -0,0 +1,319 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.jcr.delegate;
+
+import static com.google.common.base.Preconditions.checkState;
+
+import java.security.Principal;
+import java.util.Iterator;
+
+import javax.annotation.Nullable;
+import javax.jcr.Credentials;
+import javax.jcr.RepositoryException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.Value;
+
+import com.google.common.base.Function;
+import com.google.common.collect.Iterators;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.Impersonation;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
+
+/**
+ * This implementation of {@code User} delegates back to a
+ * delegatee wrapping each call into a {@link SessionOperation} closure.
+ *
+ * @see SessionDelegate#perform(SessionOperation)
+ */
+public final class UserDelegator implements User {
+    private final SessionDelegate sessionDelegate;
+    private final User userDelegate;
+
+    private UserDelegator(SessionDelegate sessionDelegate, User userDelegate) {
+        checkState(!(userDelegate instanceof UserDelegator));
+        this.sessionDelegate = sessionDelegate;
+        this.userDelegate = userDelegate;
+    }
+
+    public static User wrap(SessionDelegate sessionDelegate, User user) {
+        if (user == null) {
+            return null;
+        } else {
+            return new UserDelegator(sessionDelegate, user);
+        }
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        return other.equals(this.userDelegate);
+    }
+
+    @Override
+    public int hashCode() {
+        return userDelegate.hashCode();
+    }
+
+    @Override
+    public String toString() {
+        return userDelegate.toString();
+    }
+
+    @Override
+    public boolean isAdmin() {
+        return sessionDelegate.safePerform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() {
+                return userDelegate.isAdmin();
+            }
+        });
+    }
+
+    @Override
+    public Credentials getCredentials() {
+        return sessionDelegate.safePerform(new SessionOperation<Credentials>() {
+            @Override
+            public Credentials perform() throws RepositoryException {
+                return userDelegate.getCredentials();
+            }
+        });
+    }
+
+    @Override
+    public Impersonation getImpersonation() {
+        return sessionDelegate.safePerform(new SessionOperation<Impersonation>() {
+            @Override
+            public Impersonation perform() throws RepositoryException {
+                Impersonation impersonation = userDelegate.getImpersonation();
+                return ImpersonationDelegator.wrap(sessionDelegate, impersonation);
+            }
+        });
+    }
+
+    @Override
+    public void changePassword(final String password) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                userDelegate.changePassword(password);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public void changePassword(final String password, final String oldPassword) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                userDelegate.changePassword(password, oldPassword);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public void disable(final String reason) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                userDelegate.disable(reason);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public boolean isDisabled() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return userDelegate.isDisabled();
+            }
+        });
+    }
+
+    @Override
+    public String getDisabledReason() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<String>() {
+            @Override
+            public String perform() throws RepositoryException {
+                return userDelegate.getDisabledReason();
+            }
+        });
+    }
+
+    @Override
+    public String getID() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<String>() {
+            @Override
+            public String perform() throws RepositoryException {
+                return userDelegate.getID();
+            }
+        });
+    }
+
+    @Override
+    public boolean isGroup() {
+        return sessionDelegate.safePerform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() {
+                return userDelegate.isGroup();
+            }
+        });
+    }
+
+    @Override
+    public Principal getPrincipal() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Principal>() {
+            @Override
+            public Principal perform() throws RepositoryException {
+                return userDelegate.getPrincipal();
+            }
+        });
+    }
+
+    @Override
+    public Iterator<Group> declaredMemberOf() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<Group>>() {
+            @Override
+            public Iterator<Group> perform() throws RepositoryException {
+                Iterator<Group> groups = userDelegate.declaredMemberOf();
+                return Iterators.transform(groups, new Function<Group, Group>() {
+                    @Nullable
+                    @Override
+                    public Group apply(@Nullable Group group) {
+                        return GroupDelegator.wrap(sessionDelegate, group);
+                    }
+                });
+            }
+        });
+    }
+
+    @Override
+    public Iterator<Group> memberOf() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<Group>>() {
+            @Override
+            public Iterator<Group> perform() throws RepositoryException {
+                Iterator<Group> groups = userDelegate.memberOf();
+                return Iterators.transform(groups, new Function<Group, Group>() {
+                    @Nullable
+                    @Override
+                    public Group apply(@Nullable Group group) {
+                        return GroupDelegator.wrap(sessionDelegate, group);
+                    }
+                });
+            }
+        });
+    }
+
+    @Override
+    public void remove() throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                userDelegate.remove();
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public Iterator<String> getPropertyNames() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<String>>() {
+            @Override
+            public Iterator<String> perform() throws RepositoryException {
+                return userDelegate.getPropertyNames();
+            }
+        });
+    }
+
+    @Override
+    public Iterator<String> getPropertyNames(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<String>>() {
+            @Override
+            public Iterator<String> perform() throws RepositoryException {
+                return userDelegate.getPropertyNames(relPath);
+            }
+        });
+    }
+
+    @Override
+    public boolean hasProperty(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return userDelegate.hasProperty(relPath);
+            }
+        });
+    }
+
+    @Override
+    public void setProperty(final String relPath, final Value value) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                userDelegate.setProperty(relPath, value);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public void setProperty(final String relPath, final Value[] value) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                userDelegate.setProperty(relPath, value);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public Value[] getProperty(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Value[]>() {
+            @Override
+            public Value[] perform() throws RepositoryException {
+                return userDelegate.getProperty(relPath);
+            }
+        });
+    }
+
+    @Override
+    public boolean removeProperty(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return userDelegate.removeProperty(relPath);
+            }
+        });
+    }
+
+    @Override
+    public String getPath() throws UnsupportedRepositoryOperationException, RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<String>() {
+            @Override
+            public String perform() throws RepositoryException {
+                return userDelegate.getPath();
+            }
+        });
+    }
+}
Index: oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/ImpersonationDelegator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/ImpersonationDelegator.java	(revision )
+++ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/ImpersonationDelegator.java	(revision )
@@ -0,0 +1,96 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.jcr.delegate;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import java.security.Principal;
+
+import javax.jcr.RepositoryException;
+import javax.security.auth.Subject;
+
+import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
+import org.apache.jackrabbit.api.security.user.Impersonation;
+import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
+
+/**
+ * This implementation of {@code Impersonation} delegates back to a
+ * delegatee wrapping each call into a {@link SessionOperation} closure.
+ *
+ * @see SessionDelegate#perform(SessionOperation)
+ */
+public class ImpersonationDelegator implements Impersonation {
+    private final SessionDelegate sessionDelegate;
+    private final Impersonation impersonationDelegate;
+
+    private ImpersonationDelegator(SessionDelegate sessionDelegate, Impersonation impersonationDelegate) {
+        checkArgument(!(impersonationDelegate instanceof ImpersonationDelegator));
+        this.sessionDelegate = sessionDelegate;
+        this.impersonationDelegate = impersonationDelegate;
+    }
+
+    public static Impersonation wrap(SessionDelegate sessionDelegate, Impersonation impersonation) {
+        if (impersonation == null) {
+            return null;
+        } else {
+            return new ImpersonationDelegator(sessionDelegate, impersonation);
+        }
+    }
+
+    @Override
+    public PrincipalIterator getImpersonators() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<PrincipalIterator>() {
+            @Override
+            public PrincipalIterator perform() throws RepositoryException {
+                return impersonationDelegate.getImpersonators();
+            }
+        });
+    }
+
+    @Override
+    public boolean grantImpersonation(final Principal principal) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return impersonationDelegate.grantImpersonation(principal);
+            }
+        });
+    }
+
+    @Override
+    public boolean revokeImpersonation(final Principal principal) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return impersonationDelegate.revokeImpersonation(principal);
+            }
+        });
+    }
+
+    @Override
+    public boolean allows(final Subject subject) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return impersonationDelegate.allows(subject);
+            }
+        });
+    }
+}
Index: oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/AuthorizableDelegator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/AuthorizableDelegator.java	(revision )
+++ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/AuthorizableDelegator.java	(revision )
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.jcr.delegate;
+
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.api.security.user.User;
+
+/**
+ * Utility class for creating the correct delegator instance (either
+ * {@link GroupDelegator} or {@link UserDelegator} for a given
+ * {@link Authorizable}.
+ */
+public final class AuthorizableDelegator {
+    private AuthorizableDelegator() {}
+
+    public static Authorizable wrap(SessionDelegate sessionDelegate, Authorizable authorizable) {
+        if (authorizable == null) {
+            return null;
+        } else if (authorizable.isGroup()) {
+            return GroupDelegator.wrap(sessionDelegate, (Group) authorizable);
+        } else {
+            return UserDelegator.wrap(sessionDelegate, (User) authorizable);
+        }
+    }
+
+}
Index: oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/UserManagerDelegator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/UserManagerDelegator.java	(date 1387204380000)
+++ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/UserManagerDelegator.java	(revision )
@@ -19,12 +19,17 @@
 
 package org.apache.jackrabbit.oak.jcr.delegate;
 
+import static com.google.common.base.Preconditions.checkState;
+
 import java.security.Principal;
 import java.util.Iterator;
 
+import javax.annotation.Nullable;
 import javax.jcr.RepositoryException;
 import javax.jcr.UnsupportedRepositoryOperationException;
 
+import com.google.common.base.Function;
+import com.google.common.collect.Iterators;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
 import org.apache.jackrabbit.api.security.user.Group;
@@ -40,12 +45,13 @@
  * @see SessionDelegate#perform(org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation)
  */
 public class UserManagerDelegator implements UserManager {
-    private final UserManager userManagerDelegate;
     private final SessionDelegate sessionDelegate;
+    private final UserManager userManagerDelegate;
 
     public UserManagerDelegator(final SessionDelegate sessionDelegate, UserManager userManagerDelegate) {
-        this.userManagerDelegate = userManagerDelegate;
+        checkState(!(userManagerDelegate instanceof UserManagerDelegator));
         this.sessionDelegate = sessionDelegate;
+        this.userManagerDelegate = userManagerDelegate;
     }
 
     @Override
@@ -53,7 +59,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Authorizable>(sessionDelegate) {
             @Override
             public Authorizable perform() throws RepositoryException {
-                return userManagerDelegate.getAuthorizable(id);
+                Authorizable authorizable = userManagerDelegate.getAuthorizable(id);
+                return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
             }
         });
     }
@@ -63,7 +70,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Authorizable>(sessionDelegate) {
             @Override
             public Authorizable perform() throws RepositoryException {
-                return userManagerDelegate.getAuthorizable(principal);
+                Authorizable authorizable = userManagerDelegate.getAuthorizable(principal);
+                return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
             }
         });
     }
@@ -73,7 +81,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Authorizable>(sessionDelegate) {
             @Override
             public Authorizable perform() throws RepositoryException {
-                return userManagerDelegate.getAuthorizableByPath(path);
+                Authorizable authorizable = userManagerDelegate.getAuthorizableByPath(path);
+                return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
             }
         });
     }
@@ -83,37 +92,59 @@
         return sessionDelegate.perform(new UserManagerOperation<Iterator<Authorizable>>(sessionDelegate) {
             @Override
             public Iterator<Authorizable> perform() throws RepositoryException {
-                return userManagerDelegate.findAuthorizables(relPath, value);
+                Iterator<Authorizable> authorizables = userManagerDelegate.findAuthorizables(relPath, value);
+                return Iterators.transform(authorizables, new Function<Authorizable, Authorizable>() {
+                    @Nullable
+                    @Override
+                    public Authorizable apply(Authorizable authorizable) {
+                        return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
-            }
-        });
-    }
+                    }
+                });
+            }
+        });
+    }
 
     @Override
     public Iterator<Authorizable> findAuthorizables(final String relPath, final String value, final int searchType) throws RepositoryException {
         return sessionDelegate.perform(new UserManagerOperation<Iterator<Authorizable>>(sessionDelegate) {
             @Override
             public Iterator<Authorizable> perform() throws RepositoryException {
-                return userManagerDelegate.findAuthorizables(relPath, value, searchType);
+                Iterator<Authorizable> authorizables = userManagerDelegate.findAuthorizables(relPath, value, searchType);
+                return Iterators.transform(authorizables, new Function<Authorizable, Authorizable>() {
+                    @Nullable
+                    @Override
+                    public Authorizable apply(Authorizable authorizable) {
+                        return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
-            }
-        });
-    }
+                    }
+                });
+            }
+        });
+    }
 
     @Override
     public Iterator<Authorizable> findAuthorizables(final Query query) throws RepositoryException {
         return sessionDelegate.perform(new UserManagerOperation<Iterator<Authorizable>>(sessionDelegate) {
             @Override
             public Iterator<Authorizable> perform() throws RepositoryException {
-                return userManagerDelegate.findAuthorizables(query);
+                Iterator<Authorizable> authorizables = userManagerDelegate.findAuthorizables(query);
+                return Iterators.transform(authorizables, new Function<Authorizable, Authorizable>() {
+                    @Nullable
+                    @Override
+                    public Authorizable apply(Authorizable authorizable) {
+                        return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
-            }
-        });
-    }
+                    }
+                });
+            }
+        });
+    }
 
     @Override
     public User createUser(final String userID, final String password) throws AuthorizableExistsException, RepositoryException {
         return sessionDelegate.perform(new UserManagerOperation<User>(sessionDelegate) {
             @Override
             public User perform() throws RepositoryException {
-                return userManagerDelegate.createUser(userID, password);
+                User user = userManagerDelegate.createUser(userID, password);
+                return UserDelegator.wrap(sessionDelegate, user);
             }
         });
     }
@@ -123,7 +154,8 @@
         return sessionDelegate.perform(new UserManagerOperation<User>(sessionDelegate) {
             @Override
             public User perform() throws RepositoryException {
-                return userManagerDelegate.createUser(userID, password, principal, intermediatePath);
+                User user = userManagerDelegate.createUser(userID, password, principal, intermediatePath);
+                return UserDelegator.wrap(sessionDelegate, user);
             }
         });
     }
@@ -133,7 +165,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Group>(sessionDelegate) {
             @Override
             public Group perform() throws RepositoryException {
-                return userManagerDelegate.createGroup(groupID);
+                Group group = userManagerDelegate.createGroup(groupID);
+                return GroupDelegator.wrap(sessionDelegate, group);
             }
         });
     }
@@ -143,7 +176,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Group>(sessionDelegate) {
             @Override
             public Group perform() throws RepositoryException {
-                return userManagerDelegate.createGroup(principal);
+                Group group = userManagerDelegate.createGroup(principal);
+                return GroupDelegator.wrap(sessionDelegate, group);
             }
         });
     }
@@ -153,7 +187,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Group>(sessionDelegate) {
             @Override
             public Group perform() throws RepositoryException {
-                return userManagerDelegate.createGroup(principal, intermediatePath);
+                Group group = userManagerDelegate.createGroup(principal, intermediatePath);
+                return GroupDelegator.wrap(sessionDelegate, group);
             }
         });
     }
@@ -163,7 +198,8 @@
         return sessionDelegate.perform(new UserManagerOperation<Group>(sessionDelegate) {
             @Override
             public Group perform() throws RepositoryException {
-                return userManagerDelegate.createGroup(groupID, principal, intermediatePath);
+                Group group = userManagerDelegate.createGroup(groupID, principal, intermediatePath);
+                return GroupDelegator.wrap(sessionDelegate, group);
             }
         });
     }
Index: oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/GroupDelegator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/GroupDelegator.java	(revision )
+++ oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/delegate/GroupDelegator.java	(revision )
@@ -0,0 +1,307 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.jackrabbit.oak.jcr.delegate;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import java.security.Principal;
+import java.util.Iterator;
+
+import javax.annotation.Nullable;
+import javax.jcr.RepositoryException;
+import javax.jcr.UnsupportedRepositoryOperationException;
+import javax.jcr.Value;
+
+import com.google.common.base.Function;
+import com.google.common.collect.Iterators;
+import org.apache.jackrabbit.api.security.user.Authorizable;
+import org.apache.jackrabbit.api.security.user.Group;
+import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
+
+/**
+ * This implementation of {@code Group} delegates back to a
+ * delegatee wrapping each call into a {@link SessionOperation} closure.
+ *
+ * @see SessionDelegate#perform(SessionOperation)
+ */
+public final class GroupDelegator implements Group {
+    private final SessionDelegate sessionDelegate;
+    private final Group groupDelegate;
+
+    private GroupDelegator(SessionDelegate sessionDelegate, Group groupDelegate) {
+        checkArgument(!(groupDelegate instanceof GroupDelegator));
+        this.sessionDelegate = sessionDelegate;
+        this.groupDelegate = groupDelegate;
+    }
+
+    public static Group wrap(SessionDelegate sessionDelegate, Group group) {
+        if (group == null) {
+            return null;
+        } else {
+            return new GroupDelegator(sessionDelegate, group);
+        }
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        return other.equals(this.groupDelegate);
+    }
+
+    @Override
+    public int hashCode() {
+        return groupDelegate.hashCode();
+    }
+
+    @Override
+    public String toString() {
+        return groupDelegate.toString();
+    }
+
+    @Override
+    public Iterator<Authorizable> getDeclaredMembers() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<Authorizable>>() {
+            @Override
+            public Iterator<Authorizable> perform() throws RepositoryException {
+                Iterator<Authorizable> authorizables = groupDelegate.getDeclaredMembers();
+                return Iterators.transform(authorizables, new Function<Authorizable, Authorizable>() {
+                    @Nullable
+                    @Override
+                    public Authorizable apply(@Nullable Authorizable authorizable) {
+                        return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
+                    }
+                });
+            }
+        });
+    }
+
+    @Override
+    public Iterator<Authorizable> getMembers() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<Authorizable>>() {
+            @Override
+            public Iterator<Authorizable> perform() throws RepositoryException {
+                Iterator<Authorizable> authorizables = groupDelegate.getMembers();
+                return Iterators.transform(authorizables, new Function<Authorizable, Authorizable>() {
+                    @Nullable
+                    @Override
+                    public Authorizable apply(@Nullable Authorizable authorizable) {
+                        return AuthorizableDelegator.wrap(sessionDelegate, authorizable);
+                    }
+                });
+            }
+        });
+    }
+
+    @Override
+    public boolean isDeclaredMember(final Authorizable authorizable) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return groupDelegate.isDeclaredMember(authorizable);
+            }
+        });
+    }
+
+    @Override
+    public boolean isMember(final Authorizable authorizable) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return groupDelegate.isMember(authorizable);
+            }
+        });
+    }
+
+    @Override
+    public boolean addMember(final Authorizable authorizable) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return groupDelegate.addMember(authorizable);
+            }
+        });
+    }
+
+    @Override
+    public boolean removeMember(final Authorizable authorizable) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return groupDelegate.removeMember(authorizable);
+            }
+        });
+    }
+
+    @Override
+    public String getID() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<String>() {
+            @Override
+            public String perform() throws RepositoryException {
+                return groupDelegate.getID();
+            }
+        });
+    }
+
+    @Override
+    public boolean isGroup() {
+        return sessionDelegate.safePerform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() {
+                return groupDelegate.isGroup();
+            }
+        });
+    }
+
+    @Override
+    public Principal getPrincipal() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Principal>() {
+            @Override
+            public Principal perform() throws RepositoryException {
+                return groupDelegate.getPrincipal();
+            }
+        });
+    }
+
+    @Override
+    public Iterator<Group> declaredMemberOf() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<Group>>() {
+            @Override
+            public Iterator<Group> perform() throws RepositoryException {
+                Iterator<Group> groups = groupDelegate.declaredMemberOf();
+                return Iterators.transform(groups, new Function<Group, Group>() {
+                    @Nullable
+                    @Override
+                    public Group apply(@Nullable Group group) {
+                        return new GroupDelegator(sessionDelegate, group);
+                    }
+                });
+            }
+        });
+    }
+
+    @Override
+    public Iterator<Group> memberOf() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<Group>>() {
+            @Override
+            public Iterator<Group> perform() throws RepositoryException {
+                Iterator<Group> groups = groupDelegate.memberOf();
+                return Iterators.transform(groups, new Function<Group, Group>() {
+                    @Nullable
+                    @Override
+                    public Group apply(@Nullable Group group) {
+                        return new GroupDelegator(sessionDelegate, group);
+                    }
+                });
+            }
+        });
+    }
+
+    @Override
+    public void remove() throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                groupDelegate.remove();
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public Iterator<String> getPropertyNames() throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<String>>() {
+            @Override
+            public Iterator<String> perform() throws RepositoryException {
+                return groupDelegate.getPropertyNames();
+            }
+        });
+    }
+
+    @Override
+    public Iterator<String> getPropertyNames(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Iterator<String>>() {
+            @Override
+            public Iterator<String> perform() throws RepositoryException {
+                return groupDelegate.getPropertyNames(relPath);
+            }
+        });
+    }
+
+    @Override
+    public boolean hasProperty(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return groupDelegate.hasProperty(relPath);
+            }
+        });
+    }
+
+    @Override
+    public void setProperty(final String relPath, final Value value) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                groupDelegate.setProperty(relPath, value);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public void setProperty(final String relPath, final Value[] value) throws RepositoryException {
+        sessionDelegate.perform(new SessionOperation<Void>() {
+            @Override
+            public Void perform() throws RepositoryException {
+                groupDelegate.setProperty(relPath, value);
+                return null;
+            }
+        });
+    }
+
+    @Override
+    public Value[] getProperty(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Value[]>() {
+            @Override
+            public Value[] perform() throws RepositoryException {
+                return groupDelegate.getProperty(relPath);
+            }
+        });
+    }
+
+    @Override
+    public boolean removeProperty(final String relPath) throws RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<Boolean>() {
+            @Override
+            public Boolean perform() throws RepositoryException {
+                return groupDelegate.removeProperty(relPath);
+            }
+        });
+    }
+
+    @Override
+    public String getPath() throws UnsupportedRepositoryOperationException, RepositoryException {
+        return sessionDelegate.perform(new SessionOperation<String>() {
+            @Override
+            public String perform() throws RepositoryException {
+                return groupDelegate.getPath();
+            }
+        });
+    }
+}
Index: oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java	(date 1387204380000)
+++ oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/AuthorizableImpl.java	(revision )
@@ -16,8 +16,11 @@
  */
 package org.apache.jackrabbit.oak.security.user;
 
+import static org.apache.jackrabbit.oak.api.Type.STRING;
+
 import java.util.Collections;
 import java.util.Iterator;
+
 import javax.annotation.Nonnull;
 import javax.jcr.RepositoryException;
 import javax.jcr.Value;
@@ -36,8 +39,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static org.apache.jackrabbit.oak.api.Type.STRING;
-
 /**
  * Base class for {@code User} and {@code Group} implementations.
  */
@@ -161,6 +162,8 @@
         if (obj instanceof AuthorizableImpl) {
             AuthorizableImpl otherAuth = (AuthorizableImpl) obj;
             return isGroup() == otherAuth.isGroup() && id.equals(otherAuth.id) && userManager.equals(otherAuth.userManager);
+        } else if (obj instanceof Authorizable) {
+            return obj.equals(this);
         }
         return false;
     }
\ No newline at end of file