Examples of org.apache.jackrabbit.core.security.user.UserManagerImpl

• org.apache.jackrabbit.core.security.user.UserManagerImpl
  Default implementation of the UserManager interface with the following characteristics:

  • Users and Groups are stored in the repository as JCR nodes.
  • Users are created below {@link UserConstants#USERS_PATH},
    Groups are created below {@link UserConstants#GROUPS_PATH} (unless otherwise configured).
  • The Id of an authorizable is stored in the jcr:uuid property (md5 hash).
  • In order to structure the users and groups tree and avoid creating a flat hierarchy, additional hierarchy nodes of type "rep:AuthorizableFolder" are introduced using
    • the specified intermediate path passed to the create methods
    • or some built-in logic if the intermediate path is missing.

  The built-in logic applies the following rules:

  • The names of the hierarchy folders is determined from ID of the authorizable to be created, consisting of the leading N chars where N is the relative depth starting from the node at {@link #getUsersPath()}or {@link #getGroupsPath()}.
  • By default 2 levels (depth == 2) are created.
  • Parent nodes are expected to consist of folder structure only.
  • If the ID contains invalid JCR chars that would prevent the creation of a Node with that name, the names of authorizable node and the intermediate hierarchy nodes are {@link Text#escapeIllegalJcrChars(String) escaped}.

  Examples: Creating an non-existing user with ID 'aSmith' without specifying an intermediate path would result in the following structure:

   + rep:security            [nt:unstructured] + rep:authorizables     [rep:AuthorizableFolder] + rep:users           [rep:AuthorizableFolder] + a                 [rep:AuthorizableFolder] + aS              [rep:AuthorizableFolder] + aSmith        [rep:User] 

  Creating a non-existing user with ID 'aSmith' specifying an intermediate path 'some/tree' would result in the following structure:

   + rep:security            [nt:unstructured] + rep:authorizables     [rep:AuthorizableFolder] + rep:users           [rep:AuthorizableFolder] + some              [rep:AuthorizableFolder] + tree            [rep:AuthorizableFolder] + aSmith        [rep:User] 

  This UserManager is able to handle the following configuration options:

  • {@link #PARAM_USERS_PATH}: Defines where user nodes are created. If missing set to {@link #USERS_PATH}.
  • {@link #PARAM_GROUPS_PATH}. Defines where group nodes are created. If missing set to {@link #GROUPS_PATH}.
  • {@link #PARAM_COMPATIBLE_JR16}: If the param is present and its value is true looking up authorizables by ID will use the NodeResolver if not found otherwise.
    If the parameter is missing (or false) users and groups created with a Jackrabbit repository < v2.0 will not be found any more.
    By default this option is disabled.
  • {@link #PARAM_DEFAULT_DEPTH}: Parameter used to change the number of levels that are used by default to store authorizable nodes.
    The value is expected to be a positive integer greater than zero. The default number of levels is 2.
  • {@link #PARAM_AUTO_EXPAND_TREE}: If this parameter is present and its value is true, the trees containing user and group nodes will automatically created additional hierarchy levels if the number of nodes on a given level exceeds the maximal allowed {@link #PARAM_AUTO_EXPAND_SIZE size}.
    By default this option is disabled.
  • {@link #PARAM_AUTO_EXPAND_SIZE}: This parameter only takes effect if {@link #PARAM_AUTO_EXPAND_TREE} is enabled.
    The value is expected to bea positive long greater than zero. The default value is 1000.

            log.debug("No anonymousID defined in LoginModule/JAAS config -> using default.");
            anonymousId = SecurityConstants.ANONYMOUS_ID;
        }

        // create the system userManager and make sure the system-users exist.
        systemUserManager = new UserManagerImpl(securitySession, adminId);
        createSystemUsers(systemUserManager, adminId, anonymousId);

        // init default ac-provider-factory
        acProviderFactory = new AccessControlProviderFactoryImpl();
        acProviderFactory.init(securitySession);

        } else if (session instanceof SessionImpl) {
            String workspaceName = securitySession.getWorkspace().getName();
            try {
                SessionImpl sImpl = (SessionImpl) session;
                SessionImpl s = (SessionImpl) sImpl.createSession(workspaceName);
                return new UserManagerImpl(s, adminId);
            } catch (NoSuchWorkspaceException e) {
                throw new AccessControlException("Cannot build UserManager for " + session.getUserID(), e);
            }
        } else {
            throw new RepositoryException("Internal error: SessionImpl expected.");

            return systemUserManager;
        } else if (session instanceof SessionImpl) {
            String workspaceName = systemSession.getWorkspace().getName();
            try {
                SessionImpl sImpl = (SessionImpl) session;
                UserManagerImpl uMgr;
                if (workspaceName.equals(sImpl.getWorkspace().getName())) {
                    uMgr = createUserManager(sImpl);
                } else {
                    SessionImpl s = (SessionImpl) sImpl.createSession(workspaceName);
                    uMgr = createUserManager(s);

        // since users are stored in and retrieved from a dedicated workspace
        // only the system session assigned with that workspace will get the
        // system user manager (special implementation that asserts the existance
        // of the admin user).
        UserManagerImpl um;
        if (umc != null) {
            Class<?>[] paramTypes = new Class[] { SessionImpl.class, String.class, Properties.class };
            um = (UserManagerImpl) umc.getUserManager(UserManagerImpl.class, paramTypes, (SessionImpl) session, adminId, params);
            // TODO: should we make sure the implementation doesn't allow
            // TODO: to change the autosave behavior? since the user manager
            // TODO: writes to a separate workspace this would cause troubles.
        } else {
            um = new UserManagerImpl(session, adminId, params);
        }
        return um;
    }

     * @throws RepositoryException
     */
    @Override
    protected UserManagerImpl createUserManager(SessionImpl session) throws RepositoryException {
        UserManagerConfig umc = getConfig().getUserManagerConfig();
        UserManagerImpl umgr;
        // in contrast to the DefaultSecurityManager users are not retrieved
        // from a dedicated workspace: the system session of each workspace must
        // get a system user manager that asserts the existence of the admin user.
        if (umc != null) {
            Class<?>[] paramTypes = new Class[] {
                    SessionImpl.class,
                    String.class,
                    Properties.class,
                    MembershipCache.class};
            umgr = (UserPerWorkspaceUserManager) umc.getUserManager(UserPerWorkspaceUserManager.class,
                    paramTypes, session, adminId, umc.getParameters(), getMembershipCache(session));
        } else {
            umgr = new UserPerWorkspaceUserManager(session, adminId, null, getMembershipCache(session));
        }

        if (umc != null && !(session instanceof SystemSession)) {
            AuthorizableAction[] actions = umc.getAuthorizableActions();
            umgr.setAuthorizableActions(actions);
        }
        return umgr;
    }

    Properties tenantProperties = new Properties();
    tenantProperties.put( UserManagerImpl.PARAM_USERS_PATH, UserManagerImpl.USERS_PATH
        + theTenant.getRootFolderAbsolutePath() );
    tenantProperties.put( UserManagerImpl.PARAM_GROUPS_PATH, UserManagerImpl.GROUPS_PATH
        + theTenant.getRootFolderAbsolutePath() );
    return new UserManagerImpl( (SessionImpl) session, session.getUserID(), tenantProperties );
  }

            if (clName != null && !(UserManagerImpl.class.getName().equals(clName) || clName.length() == 0)) {
                log.warn("Unsupported custom UserManager implementation: '" + clName + "' -> Ignored.");
            }
            config = umc.getParameters();
        }
        return new UserManagerImpl(session, adminId, config);
    }

            return systemUserManager;
        } else if (session instanceof SessionImpl) {
            String workspaceName = securitySession.getWorkspace().getName();
            try {
                SessionImpl sImpl = (SessionImpl) session;
                UserManagerImpl uMgr;
                if (workspaceName.equals(sImpl.getWorkspace().getName())) {
                    uMgr = createUserManager(sImpl);
                } else {
                    SessionImpl s = (SessionImpl) sImpl.createSession(workspaceName);
                    uMgr = createUserManager(s);

            return systemUserManager;
        } else if (session instanceof SessionImpl) {
            String workspaceName = systemSession.getWorkspace().getName();
            try {
                SessionImpl sImpl = (SessionImpl) session;
                UserManagerImpl uMgr;
                if (workspaceName.equals(sImpl.getWorkspace().getName())) {
                    uMgr = createUserManager(sImpl);
                } else {
                    SessionImpl s = (SessionImpl) sImpl.createSession(workspaceName);
                    uMgr = createUserManager(s);

        // since users are stored in and retrieved from a dedicated workspace
        // only the system session assigned with that workspace will get the
        // system user manager (special implementation that asserts the existence
        // of the admin user).
        UserManagerImpl um;
        if (umc != null) {
            Class<?>[] paramTypes = new Class[] {
                    SessionImpl.class,
                    String.class,
                    Properties.class,
                    MembershipCache.class};
            um = (UserManagerImpl) umc.getUserManager(UserManagerImpl.class,
                    paramTypes, session, adminId, params, getMembershipCache(session));
            // TODO: should we make sure the implementation doesn't allow
            // TODO: to change the autosave behavior? since the user manager
            // TODO: writes to a separate workspace this would cause troubles.
        } else {
            um = new UserManagerImpl(session, adminId, params, getMembershipCache(session));
        }

        if (umc != null && !(session instanceof SystemSession)) {
            AuthorizableAction[] actions = umc.getAuthorizableActions();
            um.setAuthorizableActions(actions);
        }
        return um;
    }