apache · kwin · Apr 28, 2021 · Apr 28, 2021 · Apr 28, 2021 · Apr 28, 2021
diff --git a/oak-doc/src/site/markdown/differences.md b/oak-doc/src/site/markdown/differences.md
@@ -15,6 +15,8 @@
    limitations under the License.
   -->
 
+<!-- MACRO{toc} -->
+
 Backward compatibility
 ======================
 
@@ -316,6 +318,19 @@ Node Name Length Limit
 
 With the document storage backend (MongoDB, RDBMS), there is currently 
 a limit of 150 UTF-8 bytes on the length of the node names.
-See also OAK-2644.
+See also [OAK-2644](https://issues.apache.org/jira/browse/OAK-2644).
+
+Session Attributes
+------------------
+
+Oak exposes the following attributes via [`Session.getAttribute(...)`][1] and [`Session.getAttributeNames()`][2].
+
+Attribute Name | Attribute Value Type | Description
+--- | --- | ---
+`oak.refresh-interval` | `Long` | The session refresh interval in seconds.
+`oak.relaxed-locking` | `Boolean` | Whether relaxed locking behaviour is enabled for the session. See [OAK-1329](https://issues.apache.org/jira/browse/OAK-1329).
+`oak.bound-principals` | `Set<Principal>` | The principals associated with the JCR session. See [OAK-9415](https://issues.apache.org/jira/browse/OAK-9415)
 
 [0]: https://docs.adobe.com/content/docs/en/spec/jsr170/javadocs/jcr-2.0/javax/jcr/Session.html#setNamespacePrefix(java.lang.String,%20java.lang.String)
+[1]: https://docs.adobe.com/content/docs/en/spec/jsr170/javadocs/jcr-2.0/javax/jcr/Session.html#getAttribute(java.lang.String)
+[2]: https://docs.adobe.com/content/docs/en/spec/jsr170/javadocs/jcr-2.0/javax/jcr/Session.html#getAttributeNames()
diff --git a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/repository/RepositoryImpl.java b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/repository/RepositoryImpl.java
@@ -93,6 +93,13 @@ public class RepositoryImpl implements JackrabbitRepository {
      */
     public static final String RELAXED_LOCKING = "oak.relaxed-locking";
 
+    /**
+     * Name of the session attribute exposing the associated principals
+     *
+     * @see <a href="https://issues.apache.org/jira/browse/OAK-9415">OAK-9415</a>
+     */
+    public static final String BOUND_PRINCIPALS = "oak.bound-principals";
+
     /**
      * logger instance
      */

diff --git a/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java b/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java
@@ -61,6 +61,7 @@
 import org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate;
 import org.apache.jackrabbit.oak.jcr.delegate.PropertyDelegate;
 import org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate;
+import org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl;
 import org.apache.jackrabbit.oak.jcr.security.AccessManager;
 import org.apache.jackrabbit.oak.jcr.session.operation.SessionOperation;
 import org.apache.jackrabbit.oak.jcr.xml.ImportHandler;
@@ -248,11 +249,15 @@ public String getUserID() {
     public String[] getAttributeNames() {
         Set<String> names = newTreeSet(sessionContext.getAttributes().keySet());
         Collections.addAll(names, sd.getAuthInfo().getAttributeNames());
+        names.add(RepositoryImpl.BOUND_PRINCIPALS);
         return names.toArray(new String[names.size()]);
     }
 
     @Override
     public Object getAttribute(String name) {
+        if (RepositoryImpl.BOUND_PRINCIPALS.equals(name)) {
+            return sd.getAuthInfo().getPrincipals();
+        }
         Object attribute = sd.getAuthInfo().getAttribute(name);
         if (attribute == null) {
             attribute = sessionContext.getAttributes().get(name);