AccessDeniedException when creating a Group and User in AEM 6.2 (6.1) programmatically?
Hi All,
I want to create a Group first, then a User, and then add the user to the group, using getServiceResourceResolver(map) or loginService("datawrite", null).
I tried the following code, and I'm getting an exception when the session is saved (adminSession.save()):
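/**
 * Creates a group and a user from request parameters and adds the user to the group.
 *
 * <p>Reads {@code groupName}, {@code userName} and {@code password} from the request, opens a
 * service session for the {@code datawrite} sub-service, creates each authorizable when it does
 * not exist yet, adds the user to the group and saves the session. Failures are logged and are
 * not rethrown.
 *
 * <p>NOTE(review): nothing in this method checks that the caller is allowed to provision
 * accounts or join groups; the servlet that invokes it has to enforce that.
 *
 * @param request request carrying the {@code groupName}, {@code userName} and {@code password}
 *     parameters
 */
public void addGroupUser(SlingHttpServletRequest request) {
    log.info("----------------------------------------> addGroupUser");
    String groupName = request.getParameter("groupName");
    String userName = request.getParameter("userName");
    // The password is only handed to createUser(); it must never be written to the log.
    String password = request.getParameter("password");

    // Request parameters are untrusted: refuse missing or empty values before opening a session.
    if (groupName == null || groupName.trim().isEmpty()
            || userName == null || userName.trim().isEmpty()
            || password == null || password.isEmpty()) {
        log.warn("----------------------------------------> groupName, userName and password are required.");
        return;
    }

    // Despite the name, this is the session of the system user mapped to "datawrite", not admin.
    Session adminSession = null;
    try {
        adminSession = slingRepository.loginService("datawrite", null);
        log.info("----------------------------------------> Session user id = {}", adminSession.getUserID());

        final UserManager userManager = AccessControlUtil.getUserManager(adminSession);
        final ValueFactory valueFactory = adminSession.getValueFactory();

        // Create the group, or reuse it when an authorizable with that id is already a group.
        Object existingGroup = userManager.getAuthorizable(groupName);
        Group group;
        if (existingGroup == null) {
            group = userManager.createGroup(groupName, new SimplePrincipal(groupName), "/home/groups/test");
            group.setProperty("./profile/givenName", valueFactory.createValue(groupName, PropertyType.STRING));
            log.info("----------------------------------------> {} Group successfully created.", group.getID());
        } else if (existingGroup instanceof Group) {
            group = (Group) existingGroup;
            log.info("----------------------------------------> Group already exist..");
        } else {
            // The id belongs to a user; casting it to Group would fail with ClassCastException.
            log.warn("----------------------------------------> {} already exists but is not a group.", groupName);
            return;
        }

        // Create the user, or reuse it when an authorizable with that id is already a user.
        Object existingUser = userManager.getAuthorizable(userName);
        User user;
        if (existingUser == null) {
            user = userManager.createUser(userName, password, new SimplePrincipal(userName), "/home/users/test");
            // Profile values are the sample data hard-coded by the author.
            user.setProperty("./profile/givenName", valueFactory.createValue("Arpit", PropertyType.STRING));
            user.setProperty("./profile/familyName", valueFactory.createValue("Bora", PropertyType.STRING));
            user.setProperty("./profile/email", valueFactory.createValue("arpit.p.bora@gmail.com", PropertyType.STRING));
            log.info("----------------------------------------> {} User successfully created.", user.getID());
        } else if (existingUser instanceof User) {
            user = (User) existingUser;
            log.info("----------------------------------------> User already exist..");
        } else {
            // Do not silently nest an existing group when the caller asked for a user.
            log.warn("----------------------------------------> {} already exists but is not a user.", userName);
            return;
        }

        group.addMember(user);

        // Permissions are evaluated when the changes are committed, so a service user without
        // sufficient rights fails here with AccessDeniedException, not at createGroup/createUser.
        // NOTE(review): the system user mapped to "datawrite" presumably needs read, write and
        // rep:userManagement on the /home/users and /home/groups subtrees; grant only that and
        // verify against its ACLs.
        adminSession.save();
    } catch (Exception e) {
        // Pass the exception itself so the stack trace and cause chain reach the log.
        log.error("----------------------------------------> Not able to perform User Management..", e);
    } finally {
        // Logging out discards any unsaved transient changes and releases the session.
        if (adminSession != null && adminSession.isLive()) {
            adminSession.logout();
        }
    }
}
// Exception log is :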
javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231) at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496) at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274) at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416) ... Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:212) at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:150) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:104) at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32) at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeAdded(CompositeEditor.java:108) ...
I have mapped the "datawrite" service to a system user in the “Apache Sling Service User Mapper Service”, which is configurable in the OSGi configuration admin interface.
Please provide your suggestion and answers.
Thanks,
Arpit Bora
