Hoping someone on here can help me out of a conundrum.
We are trying to remove all Admin sessions from our application, but are stuck with a few due to JCR Access Denied exceptions. Specifically, when we try to create AEM groups or users with a service user we get an Access Denied exception. Here is a piece of code written to isolate the problem:
```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.jcr.base.util.AccessControlUtil;

private void testUserCreation2() {
    final String groupName = "TestingGroup1";
    Session session = null;
    ResourceResolver resourceResolver = null;
    String createdGroupName = null;
    try {
        // Open a resource resolver for the service user mapped to this subservice
        Map<String, Object> param = new HashMap<String, Object>();
        param.put(ResourceResolverFactory.SUBSERVICE, "userManagementService");
        resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);
        session = resourceResolver.adaptTo(Session.class);

        // Create UserManager Object
        final UserManager userManager = AccessControlUtil.getUserManager(session);

        // Create a Group
        LOGGER.info("Attempting to create group: " + groupName + " with user " + session.getUserID());
        if (userManager.getAuthorizable(groupName) == null) {
            Group createdGroup = userManager.createGroup(new Principal() {
                @Override
                public String getName() {
                    return groupName;
                }
            }, "/home/groups/testing");
            createdGroupName = createdGroup.getPath();
            session.save();
            LOGGER.info("Group successfully created: " + createdGroupName);
        } else {
            LOGGER.info("Group already exists");
        }
    } catch (Exception e) {
        LOGGER.error("Error while attempting to create group.", e);
    } finally {
        if (session != null && session.isLive()) {
            session.logout();
        }
        if (resourceResolver != null)
            resourceResolver.close();
    }
}
```
Notice that I'm using a subservice name titled userManagementService, which maps to a user titled fwi-admin-user. Since fwi-admin-user is a service user, I cannot add it to the administrators group (this seems to be a design limitation on AEM). However, I have confirmed that the user has full permissions to the entire repository via the useradmin UI.
Unfortunately, I still get the following error when I invoke this code:
```
2020-06-22 17:46:56.017 INFO [za.co.someplace.forms.core.servlets.IntegrationTestServlet] Attempting to create group: TestingGroup1 with user fwi-admin-user
2020-06-22 17:46:56.025 ERROR [za.co.someplace.forms.core.servlets.IntegrationTestServlet] Error while attempting to create group.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:670)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:496)
```
Is this an AEM bug, or am I doing something wrong here?
Thanks in advance
Your service user should be part of the user-administrators group or the administrator group to do user management tasks.
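An added example, not part of the thread or of AEM's own code: a small diagnostic that asks the repository which privileges the service session effectively holds where the group would be created, including Oak's `rep:userManagement` privilege, which Oak requires for creating users and groups. The class name `ServiceUserPrivilegeCheck` and the list of probed privileges are choices made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

/** Hypothetical helper: reports the effective privileges of a session at a path. */
public final class ServiceUserPrivilegeCheck {

    // Privileges probed by this example (an assumption about what is worth checking).
    private static final String[] PROBED = {
        "jcr:read", "rep:write", "jcr:readAccessControl",
        "jcr:modifyAccessControl", "rep:userManagement", "jcr:all"
    };

    /** Walks up from absPath to the closest node the session can see. */
    static String nearestExisting(Session session, String absPath) throws RepositoryException {
        String path = absPath;
        while (!"/".equals(path) && !session.nodeExists(path)) {
            int cut = path.lastIndexOf('/');
            path = cut <= 0 ? "/" : path.substring(0, cut);
        }
        return path;
    }

    /**
     * Returns privilege name -> held? for the session, evaluated at the nearest
     * existing ancestor of absPath (e.g. "/home/groups/testing" may not exist yet,
     * and hasPrivileges() throws PathNotFoundException for a missing node).
     */
    public static Map<String, Boolean> probe(Session session, String absPath)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        String target = nearestExisting(session, absPath);
        Map<String, Boolean> held = new LinkedHashMap<>();
        for (String name : PROBED) {
            Privilege privilege = acm.privilegeFromName(name);
            held.put(name + " @ " + target,
                     acm.hasPrivileges(target, new Privilege[] { privilege }));
        }
        return held;
    }
}
```

Calling `ServiceUserPrivilegeCheck.probe(session, "/home/groups/testing")` just before `createGroup` and logging the map shows what the service user can do at that path as the repository evaluates it, independent of what the useradmin UI displays.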