Hi All,
I want to create a Group first, then a User, and then add the user to the group using getServiceResourceResolver(map) or loginService("datawrite",null).
I tried the following code and I'm getting an exception at the time of session save (adminSession.save()):
public void addGroupUser(SlingHttpServletRequest request) {
    log.info("----------------------------------------> addGroupUser");
    String groupName = request.getParameter("groupName");
    String userName = request.getParameter("userName");
    String password = request.getParameter("password");
    Session adminSession = null;
    ResourceResolver adminResolver = null;
    try {
        Map<String, Object> authInfoParam = new HashMap<String, Object>();
        authInfoParam.put(ResourceResolverFactory.SUBSERVICE, "datawrite");
        adminResolver = resolverFactory.getServiceResourceResolver(authInfoParam);
        //adminResolver = resolverFactory.getAdministrativeResourceResolver(null); //deprecated method
        adminSession = slingRepository.loginService("datawrite", null);
        log.info("----------------------------------------> Session user id = {}",adminSession.getUserID());

        // Create UserManager Object
        final UserManager userManager = AccessControlUtil.getUserManager(adminSession);

        // Create a Group
        Group group= null;
        if (userManager.getAuthorizable(groupName) == null) {
            //adminResolver.refresh();
            group = userManager.createGroup(groupName,new SimplePrincipal(groupName),"/home/groups/test");
            ValueFactory valueFactory = adminSession.getValueFactory();
            Value groupNameValue = valueFactory.createValue(groupName, PropertyType.STRING);
            group.setProperty("./profile/givenName", groupNameValue);
            //adminResolver.commit();
            log.info("----------------------------------------> {} Group successfully created.",group.getID());
        } else {
            log.info("----------------------------------------> Group already exist..");
        }

        // Create a User
        User user = null;
        if (userManager.getAuthorizable(userName) == null) {
            //adminResolver.refresh();
            user=userManager.createUser(userName, password,new SimplePrincipal(userName),"/home/users/test");
            ValueFactory valueFactory = adminSession.getValueFactory();
            Value firstNameValue = valueFactory.createValue("Arpit", PropertyType.STRING);
            user.setProperty("./profile/givenName", firstNameValue);
            Value lastNameValue = valueFactory.createValue("Bora", PropertyType.STRING);
            user.setProperty("./profile/familyName", lastNameValue);
            Value emailValue = valueFactory.createValue("arpit.p.bora@gmail.com", PropertyType.STRING);
            user.setProperty("./profile/email", emailValue);
            //adminResolver.commit();
            log.info("----------------------------------------> {} User successfully created.",user.getID());
        } else {
            log.info("----------------------------------------> User already exist..");
        }

        // Add Users to Group
        Group addUserToGroup = (Group)(userManager.getAuthorizable(groupName));
        addUserToGroup.addMember(userManager.getAuthorizable(userName));
        adminSession.save();
    } catch (Exception e) {
        log.info("----------------------------------------> Not able to perform User Management..");
        log.info("----------------------------------------> Exception.." + e.getMessage());
    } finally {
        if (adminSession != null && adminSession.isLive()) {
            adminSession.logout();
        }
        if (adminResolver != null)
            adminResolver.close();
    }
}
The exception log is:
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)
    ...
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212)
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104)
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32)
    at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108)
    ...
I have a "datawrite" service mapping to a system user in the “Apache Sling Service User Mapper Service”, which is configurable in the OSGi configuration admin interface.
Please provide your suggestions and answers.
Thanks,
Arpit Bora
I figured this out - code works - it's a permission issue. Add datawrite to the administrators group:
This way - the OAK exception does not occur and the system user can create users.
We are going to release an article on this by the end of the week.
Hi
It seems that it is a permission issue. User/Group might not have sufficient permissions on this activity.
Try with:-
authInfo.put(ResourceResolverFactory.SUBSERVICE, "Workflow-service");
change "datawrite" to "Workflow-service"
Thanks and Regards
Kautuk Sahni
Thanks for your suggestion Kautuk Sahni, I changed "datawrite" to "Workflow-service".
Now I'm getting the following exception at the time of group creation [ group = userManager.createGroup(groupName,new SimplePrincipal(groupName),PATH_HOME_GROUPS); ]:
javax.jcr.AccessDeniedException: Missing permission to create intermediate authorizable folders.
    at org.apache.jackrabbit.oak.security.user.UserProvider.createFolderNodes(UserProvider.java:309)
    at org.apache.jackrabbit.oak.security.user.UserProvider.createAuthorizableNode(UserProvider.java:257)
    at org.apache.jackrabbit.oak.security.user.UserProvider.createGroup(UserProvider.java:190)
    at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createGroup(UserManagerImpl.java:214)
    at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createGroup(UserManagerImpl.java:193)
    at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$11.perform(UserManagerDelegator.java:201)
    at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$11.perform(UserManagerDelegator.java:197)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208)
    at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator.createGroup(UserManagerDelegator.java:197)
    ...
We are going to update the AEM community article for this use case to 6.1/6.2.
Try giving your datawrite user permissions to modify the JCR - this is what seems to be happening. The code works for admin.
smacdonald2008 wrote...
I figured this out - code works - it's a permission issue. Add datawrite to the administrators group:
This way - the OAK exception does not occur and the system user can create users.
We are going to release an article on this by the end of the week.
Thanks for spending your valuable time. Your solution works for me: Group and User created successfully in AEM 6.2/6.1. :)
Group and User are created successfully now, but at the time of AEM login (http://localhost:4502) using the new userName and password I'm getting the page "File not found" with the message "A custom errorhandler for 404 responses".
When I give read or all permission manually from the Security console (http://localhost:4502/useradmin), by checking the Read column or the All check boxes for my newly created user, I'm able to log in.
Now my question is: how do I programmatically give permission to the new user for login?
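The Read permission that the last post sets by hand in the Security console can also be written through the JCR access control API, and the same helper can give a service user such as datawrite a grant scoped to the authorizable roots. This is an added example, not code from the thread or from Adobe. The class and method names, the paths /content, /home/users and /home/groups, and the privilege set chosen for the service user are assumptions to check against your own instance.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.jcr.base.util.AccessControlUtil;

/** Added example (not from the thread): path-scoped grants for one user or service user. */
public final class ScopedGrants {

    // Assumed paths; replace with the subtrees your users and service really need.
    static final String[] AUTHORIZABLE_ROOTS = {"/home/users", "/home/groups"};
    static final String LOGIN_READ_ROOT = "/content";

    private ScopedGrants() {}

    /**
     * Adds one allow entry for authorizableId at absPath and saves the session.
     * The calling session needs jcr:readAccessControl and jcr:modifyAccessControl on absPath.
     */
    static void allow(Session session, String absPath, String authorizableId,
                      String... privilegeNames) throws RepositoryException {
        if (!session.nodeExists(absPath)) {
            throw new RepositoryException("ACL target does not exist: " + absPath);
        }
        Authorizable target = AccessControlUtil.getUserManager(session).getAuthorizable(authorizableId);
        if (target == null) {
            throw new RepositoryException("Unknown user or group: " + authorizableId);
        }
        Principal principal = target.getPrincipal();
        // Returns true only when the policy at absPath was actually modified.
        if (AccessControlUtils.addAccessControlEntry(session, absPath, principal, privilegeNames, true)) {
            session.save();
        }
    }

    /** Newly created user: read-only access below the assumed content root. */
    static void allowLoginRead(Session session, String userId) throws RepositoryException {
        allow(session, LOGIN_READ_ROOT, userId, Privilege.JCR_READ);
    }

    /** Service user such as "datawrite": user management on the authorizable roots (assumed set). */
    static void allowUserManagement(Session session, String serviceUserId) throws RepositoryException {
        for (String root : AUTHORIZABLE_ROOTS) {
            allow(session, root, serviceUserId, Privilege.JCR_READ, "rep:write", "rep:userManagement");
        }
    }
}
```

Because allow() calls session.save(), any other pending changes in the same session are persisted with the ACL entry.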