Expand my Community achievements bar.


AEM 6.3.3 | Error while saving using session.save()


Level 7

Hi All,

I'm using Service User Mapper configuration as well as using the corresponding code for the same.

Also, provided the full permission to my system user.

Still i'm getting Access Denied.

javax.jcr.AccessDeniedException: OakAccess0000: Access denied

at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)

at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)

at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)

at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)

at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:419)

at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:274)

at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:416)

at com.adobe.granite.repository.impl.CRX3SessionImpl.save(CRX3SessionImpl.java:208)

1 Accepted Solution


Correct answer by
Employee Advisor

Looks like your serviceUser does not have permissions to create users; make sure that the service user has permissions to create and modify nodes below /home/users.

0 Replies


Community Advisor

What kind of node are you trying to save ?


Level 7


I have created user via createuser method (i.e. UserManager ("The Adobe AEM Quickstart and Web Application.") ).

then setting user properties.


Community Advisor

Does that mean even the system user creation is done programmatically here ? If so , did you use createUser method or createSystemUser ?


Level 7


I have implemented Registration functionality which is Servlet that gets data from form.

Based, on that data i createUser via code taking session via systemuser.


Community Advisor

Can you provide the code snippet which is throwing the error ? I will try it in my local and let you know if I am also facing the issue , if so will try to figure out a solution. Also please let us know the AEM version


Level 7


I'm using AEM 6.3 SP3.

Sample code written in OSGI R6:

import java.io.IOException;

import java.rmi.ServerException;

import org.osgi.service.component.annotations.Reference;

import org.osgi.service.component.annotations.Component;

import org.apache.sling.api.SlingHttpServletRequest;

import org.apache.sling.api.SlingHttpServletResponse;

import org.apache.sling.api.resource.ResourceResolver;

import org.apache.sling.api.resource.ResourceResolverFactory;

import org.apache.sling.auth.core.spi.AuthenticationInfo;

import org.apache.sling.commons.json.JSONException;

import org.apache.sling.commons.json.JSONObject;

import org.apache.sling.jcr.api.SlingRepository;

import org.apache.sling.jcr.base.util.AccessControlUtil;

import org.apache.sling.settings.SlingSettingsService;

import org.apache.jackrabbit.api.security.user.UserManager;

import org.apache.jackrabbit.api.security.user.User;

import org.apache.jackrabbit.api.security.user.Group;

import javax.jcr.ValueFactory;

import org.osgi.framework.ServiceRegistration;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import javax.jcr.RepositoryException;

import javax.jcr.Session;

import javax.jcr.Value;

import javax.servlet.Servlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import com.adobe.cq.sightly.WCMResourceOptions;

import com.adobe.granite.security.user.UserProperties;

import com.day.crx.security.token.TokenCookie;

import com.day.crx.security.token.TokenUtil;

import org.apache.jackrabbit.api.security.user.Authorizable;


immediate = true,






public class RegistrationServlet extends

org.apache.sling.api.servlets.SlingAllMethodsServlet {

public static boolean successFlag = false;

private static final long serialVersionUID = 2598426539166789515L;

private static final Logger LOGGER = LoggerFactory


private static final String AEM_REGN_EXCEPTION = "REGN001";


private SlingRepository repository;


private UserService userService;


private SlingSettingsService slingSettings;


private ResourceResolverFactory resolverFactory;

public void bindRepository(SlingRepository repository) {

this.repository = repository;



protected void doPost(SlingHttpServletRequest request,

SlingHttpServletResponse response) throws ServerException,

IOException {

boolean success = false;

String returnMsg = "";

String returnCode = "";

JSONObject jsonObject = new JSONObject();

Session adminSession = null;

ResourceResolver resolver = null;

String redirectReg = "";

try {

try {

LOGGER.error("RegnServlet : Registration Request Received for Params+"

+ request.getParameter("firstName")

+ ",userName->"

+ request.getParameter("userName"));

String firstName = request.getParameter("firstName");

String lastName = request.getParameter("lastName");

String userName = request.getParameter("userName");

String password = request.getParameter("password");

String countryCode = request.getParameter("countryCode");

String countryName = request.getParameter("countryName");

Boolean termConditions=Boolean.valueOf(termCondition);

resolver = getResourceResolver(resolverFactory, "dataWriter");

adminSession = resolver.adaptTo(Session.class);

UserManager userManager = AccessControlUtil.getUserManager(adminSession);

User user = (User) userManager.getAuthorizable(userName);

if (userService.userExists(userName, adminSession)) {

throw new Exception("User already exists, Please Login");


user = userManager.createUser(userName, password,

new SimplePrincipal(userName),


ValueFactory valueFactory = adminSession.getValueFactory();

Value emailValue = valueFactory.createValue(userName);

Value userType = valueFactory.createValue("external");

Value givenName = valueFactory.createValue("test");

Value familyName = valueFactory.createValue("test2"));

user.setProperty("./profile/givenName", givenName);

user.setProperty("./profile/familyName", familyName);

user.setProperty("profile/" + UserProperties.EMAIL,


user.setProperty("profile/userType", userType);


AuthenticationInfo authnInfo = null;

try {

LOGGER.info("RegnServlet :   create token and return");

authnInfo = TokenUtil.createCredentials(request,

response, repository, userName, true);

} catch (RepositoryException e) {


"RegnServlet : Repository error authenticating user: {} ~> {}",

userName, e);

} finally {

LOGGER.info("RegnServlet : In Finally");


if (authnInfo != null) {

redirectReg = loginSucceeded(request, response,

authnInfo, adminSession, resObj);

LOGGER.info("redirectReg" + redirectReg);


success = true;

}  catch (RepositoryException e) {

returnMsg = e.getMessage();


LOGGER.error("RegnServlet : error", e);

} catch (Exception e) {

returnMsg = "Please try later";


LOGGER.error("AEM server error",




if (success) {


try {

jsonObject.put("successReg", redirectReg);

} catch (JSONException e) {

LOGGER.warn("RegnServlet Unable to write success json");




} else {

// Error response


try {

jsonObject.put("errorCode", returnCode);

jsonObject.put("errorDetail", returnMsg);

} catch (JSONException e) {

LOGGER.warn("RegnServlet Unable to write error json");







private String loginSucceeded(HttpServletRequest request,

HttpServletResponse response, AuthenticationInfo authInfo, Session adminSession, Response resObj) {

TokenCookie tokenCookie = TokenCookie.fromRequest(request);

if (tokenCookie != null) {

TokenCookie.setCookie(response, "register-token",

tokenCookie.toString(), 63072000, "/",

request.getServerName(), true, false);


String resource = "/en.html";

return resource;


public void includeResource(SlingHttpServletResponse customResponse,

String script,

String dispatcherOptions,

String resourceType,

WCMResourceOptions wcmResourceOptions){


public ResourceResolver getResourceResolver(final ResourceResolverFactory resolverFactory,

final String subServiceName) throws LoginException {

final Map<String, Object> param = new HashMap<>();

param.put(ResourceResolverFactory.SUBSERVICE, subServiceName);

return resolverFactory.getServiceResourceResolver(param);




Correct answer by
Employee Advisor

Looks like your serviceUser does not have permissions to create users; make sure that the service user has permissions to create and modify nodes below /home/users.


Level 7

Jörg Hoh​,

I have given full permission to my system user:1683402_pastedImage_1.png


Employee Advisor

That's strange. But the only explanation for this exception are insufficient permissions of the service owning that session. Just to eliminate all other reasons, can you temporarily switch to an admin user and try that?



Level 7


Are you saying yo use login.adminstrative() method.


Level 10

Exactly - try that call and you will see it working. It looks like a permission issue as Joerg mentions


Level 10

Here is a Persist use case in 6.4 with a video. As you can see, when we submit a new employee - the data is persisted.

Scott's Digital Community: Persisting Adobe Experience Manager 6.4 JCR data using a Custom Form Acti...


Level 10

You can use similar logic for AEM 6.3.3. Just use Maven Arch 12 for a 6.3 project.

page footer