Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

AccessDeniedException when creating Group and User in aem6.2 (6.1) programattically?

Avatar

Level 3

Hi All,

I want to create Group first and then User and then i want to add user to group using getServiceResourceResolver(map) or loginService("datawrite",null).

I tried following code and i'm getting exception at the time of session save (adminSession.save()):

public void addGroupUser(SlingHttpServletRequest request) { log.info("----------------------------------------> addGroupUser"); String groupName = request.getParameter("groupName"); String userName = request.getParameter("userName"); String password = request.getParameter("password"); Session adminSession = null; ResourceResolver adminResolver = null; try { Map<String, Object> authInfoParam = new HashMap<String, Object>(); authInfoParam.put(ResourceResolverFactory.SUBSERVICE, "datawrite"); adminResolver = resolverFactory.getServiceResourceResolver(authInfoParam); //adminResolver = resolverFactory.getAdministrativeResourceResolver(null); //deprecated method adminSession = slingRepository.loginService("datawrite", null); log.info("----------------------------------------> Session user id = {}",adminSession.getUserID()); // Create UserManager Object final UserManager userManager = AccessControlUtil.getUserManager(adminSession); // Create a Group Group group= null; if (userManager.getAuthorizable(groupName) == null) { //adminResolver.refresh(); group = userManager.createGroup(groupName,new SimplePrincipal(groupName),"/home/groups/test"); ValueFactory valueFactory = adminSession.getValueFactory(); Value groupNameValue = valueFactory.createValue(groupName, PropertyType.STRING); group.setProperty("./profile/givenName", groupNameValue); //adminResolver.commit(); log.info("----------------------------------------> {} Group successfully created.",group.getID()); } else { log.info("----------------------------------------> Group already exist.."); } // Create a User User user = null; if (userManager.getAuthorizable(userName) == null) { //adminResolver.refresh(); user=userManager.createUser(userName, password,new SimplePrincipal(userName),"/home/users/test"); ValueFactory valueFactory = adminSession.getValueFactory(); Value firstNameValue = valueFactory.createValue("Arpit", PropertyType.STRING); user.setProperty("./profile/givenName", firstNameValue); Value lastNameValue = valueFactory.createValue("Bora", PropertyType.STRING); user.setProperty("./profile/familyName", lastNameValue); Value emailValue = valueFactory.createValue("arpit.p.bora@gmail.com", PropertyType.STRING); user.setProperty("./profile/email", emailValue); //adminResolver.commit(); log.info("----------------------------------------> {} User successfully created.",user.getID()); } else { log.info("----------------------------------------> User already exist.."); } // Add Users to Group Group addUserToGroup = (Group)(userManager.getAuthorizable(groupName)); addUserToGroup.addMember(userManager.getAuthorizable(userName));adminSession.save();}catch (Exception e) { log.info("----------------------------------------> Not able to perform User Management.."); log.info("----------------------------------------> Exception.." + e.getMessage()); } finally { if (adminSession != null && adminSession.isLive()) { adminSession.logout(); } if (adminResolver != null) adminResolver.close(); } }

Exception log is :

javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231) at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496) at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274) at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416) ... Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212) at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32) at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108) ...

I have "datawrite" service mapping with system user in “Apache Sling Service User Mapper Service” which is configurable in the OSGI configuration admin interface.

Please provide your suggestion and answers.

Thanks,

Arpit Bora

1 Accepted Solution

Avatar

Correct answer by
Level 10

I figured this out - code works - its a permission issue. Add datawrite to the administrators group:

This way - the OAK exception does not occur and the system user can create users. 

We are going to release an article on this by the end of the week. 

View solution in original post

7 Replies

Avatar

Administrator

Hi 

It seems that it is a permission issue. User/Group might not have sufficient permissions on this activity.

Try with:-

 authInfo.put(ResourceResolverFactory.SUBSERVICE, "Workflow-service");

change "datawrite" to "Workflow-service"

Thanks and Regards

Kautuk Sahni



Kautuk Sahni

Avatar

Level 3

Thanks for your suggesion Kautuk Sahni, I changed "datawrite" to "Workflow-service".
Now im getting following exception at the time of group creation [ group = userManager.createGroup(groupName,new SimplePrincipal(groupName),PATH_HOME_GROUPS); ]:

javax.jcr.AccessDeniedException: Missing permission to create intermediate authorizable folders. at org.apache.jackrabbit.oak.security.user.UserProvider.createFolderNodes(UserProvider.java:309) at org.apache.jackrabbit.oak.security.user.UserProvider.createAuthorizableNode(UserProvider.java:257) at org.apache.jackrabbit.oak.security.user.UserProvider.createGroup(UserProvider.java:190) at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createGroup(UserManagerImpl.java:214) at org.apache.jackrabbit.oak.security.user.UserManagerImpl.createGroup(UserManagerImpl.java:193) at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$11.perform(UserManagerDelegator.java:201) at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator$11.perform(UserManagerDelegator.java:197) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:208) at org.apache.jackrabbit.oak.jcr.delegate.UserManagerDelegator.createGroup(UserManagerDelegator.java:197) ...

Avatar

Level 10

We are going to update the AEM community article for this use case to 6.1/6.2. 

Avatar

Level 10

Try giving your datawrite user permissions to modify the JCR - this is what seems to be happening. The code works for admin. 

Avatar

Correct answer by
Level 10

I figured this out - code works - its a permission issue. Add datawrite to the administrators group:

This way - the OAK exception does not occur and the system user can create users. 

We are going to release an article on this by the end of the week. 

Avatar

Level 3

smacdonald2008 wrote...

I figured this out - code works - its a permission issue. Add datawrite to the administrators group:

This way - the OAK exception does not occur and the system user can create users. 

We are going to release an article on this by the end of the week. 

 

Thanks for spending your valuable time, Your solution works for me "Group and User created successfully in AEM 6.2/6.1. :)

Avatar

Level 3

Group and User created successfully now but at the time of aem login (http://localhost:4502) using new userName and password i'm getting page "File not found" with message "A custom errorhandler for 404 responses".

When i'm giving read or all permission from Security console (http://localhost:4502/useradmin) manually by checking Read column or All check boxes for my newly created user then i'm able for login.



Now my question is How to give programattically permission for new user for login ?