This is an old version of the Sling website, see the site conversion page for more info.
Apache

Documentation
Getting Started
The Sling Engine
Development
Bundles
Tutorials & How-Tos
Configuration
API docs
Wiki
FAQ

Project info
Downloads
License
Contributing
News
Links
Project Information
Issue Tracker
Browse Source Repository
Security

Sponsorship
Thanks
Become a Sponsor
Buy Stuff

Apache Sling Website > Apache Sling > Documentation > Bundles > Managing users and groups (jackrabbit.usermanager)

Managing users and groups

The jackrabbit-usermanager bundle delivers a REST interface to create, update and delete users and groups in the JCR. After installing the jackrabbit-usermanager bundle all REST services are exposed under the path /system/userManager.

List users

To list existing users a GET request to the /system/userManager/user resource can be posted. Depending on the configuration of the Default GET Servlet and/or the availability of a Servlet or Script handling the sling/users resource type, a result may be delivered.

Example with curl and the default JSON rendering:

$ curl http://localhost:8080/system/userManager/user.tidy.1.json
{
  "admin": {
    "memberOf": [],
    "declaredMemberOf": []
  },
  "anonymous": {
    "memberOf": [],
    "declaredMemberOf": []
  }
}

Get user

since version 2.0.8
The properties of a single user can be retrieved by sending a GET request to the user's resource at /system/userManager/user/username where username would be replaced with the name of the user. Depending on the configuration of the Default GET Servlet and/or the availability of a Servlet or Script handling the sling/user resource type, a result may be delivered.

Example with curl and the default JSON rendering:

$ curl http://localhost:8080/system/userManager/user/admin.tidy.1.json
{
    "memberOf": [],
    "declaredMemberOf": []
}

If a non-existing user is requested a 404/NOT FOUND status is sent back.

Create user

To create a new user POST a request to /system/userManager/user.create.<html or json>. The following parameters are available:

parameter name
required
description
:name
yes
The name of the new user
pwd
yes
The password of the new user
pwdConfirm
yes
The password of the new user (confirming the value of pwd)
<anyproperty>
optional
Additional parameters will be stored as node properties in the JCR

Responses:

200 Success, a redirect is sent to the users resource locator with HTML (or JSON) describing status.
500
Failure, including user already exists. HTML (or JSON) explains failure.

Example with curl:

curl -F:name=myuser -Fpwd=password -FpwdConfirm=password -Fanyproperty1=value1 \
    http://localhost:8080/system/userManager/user.create.html

Update user

To update an existing user POST a request to /system/userManager/user/username.update.<html or json>. You can NOT update the username or the password (see Change Password below) only the additional properties are updateable through this URL. The following parameters are available:

parameter name
required
description
:disabled
optional
(since version 2.1.1) If true, disables the user to block further login attempts. If false, enables a disabled user.
:disabledReason
optional
Specifies the reason why a user has been disabled.
<anyproperty>
optional
Additional parameters will be stored/updated as node properties in the JCR
<anyproperty@Delete>
optional
Properties with @Delete at the end of the name will be deleted in the JCR

Responses:

200 Success, a redirect is sent to the users resource locator with HTML (or JSON) describing status.
404
User was not found
500
Failure

Example

curl -Fanyproperty1@Delete -Fproperty2=value2 \
    http://localhost:8080/system/userManager/user/myuser.update.html

Change password

To change a password of an existing user POST a request to /system/userManager/user/username.changePassword.<html or json>. NOTE: since version 2.1.1, the oldPwd is optional if the current user is a user administrator. The following parameters are available:

parameter name
required
description
oldPwd
required
Old password
newPwd
required
New password
newPwdConfrm
required
New password (confirming the password of newPwd

Responses:

200 Success, sent with no body.
404
User was not found
500
Failure. HTML (or JSON) explains failure.

Example

curl -FoldPwd=oldpassword -FnewPwd=newpassword =FnewPwdConfirm=newpassword \
    http://localhost:8080/system/userManager/user/myuser.changePassword.html

Delete user

To delete an existing user POST a request to /system/userManager/user/username.delete.<html or json>. The following parameters are available:

parameter name
required
description
:applyTo
optional
An array of relative resource references to users to be deleted. If this parameter is present, the username from the URL is ignored and all listed users are removed.

Responses:

200 Success, sent with no body.
404
User(s) was/were not found
500
Failure. HTML (or JSON) explains failure.

Example

curl -Fgo=1 http://localhost:8080/system/userManager/user/myuser.delete.html

List groups

To list existing groups a GET request to the /system/userManager/group resource can be sent. Depending on the configuration of the Default GET Servlet and/or the availability of a Servlet or Script handling the sling/groups resource type, a result may be delivered.

Example with curl and the default JSON rendering:

$ curl http://localhost:8080/system/userManager/group.tidy.1.json
{
  "UserAdmin": {
    "members": [],
    "declaredMembers": [],
    "memberOf": [],
    "declaredMemberOf": []
  },
  "GroupAdmin": {
    "members": [],
    "declaredMembers": [],
    "memberOf": [],
    "declaredMemberOf": []
   },
  "administrators": {
    "members": [],
    "declaredMembers": [],
    "memberOf": [],
    "declaredMemberOf": []
}
}

Get group

The properties of a single group can be retrieved by sending a GET request to the group's resource at /system/userManager/group/groupname where groupname would be replaced with the name of the group. Depending on the configuration of the Default GET Servlet and/or the availability of a Servlet or Script handling the sling/group resource type, a result may be delivered.

Example with curl and the default JSON rendering:

$ curl http://localhost:8080/system/userManager/group/administrators.tidy.1.json
{
    "members": [],
    "declaredMembers": [],
    "memberOf": [],
    "declaredMemberOf": []
}

If a non-existing group is requested a 404/NOT FOUND status is sent back.

Create group

To create a new group POST a request to /system/userManager/group.create.<html or json>. The following parameters are available:

parameter name
required
description
:name
yes
The name of the new group
<anyproperty>
optional
Additional parameters will be stored as node properties in the JCR

Responses:

200 Success, a redirect is sent to the group resource locator with HTML (or JSON) describing status.
500
Failure, including group already exists. HTML (or JSON) explains failure.

Example with curl:

curl -F:name=mygroup -Fanyproperty1=value1 \
    http://localhost:8080/system/userManager/group.create.html

Update group

To update an existing group POST a request to /system/userManager/group/groupname.update.<html or json>. You can NOT update the name of the group only the additional properties are updateable. The following parameters are available:

parameter name
required
description
:member
optional
user(s) (name or URI) to add to the group as a member. Can also be an array of users.
:member@Delete
optional
user(s) (name or URI) to remove from the group. Can also be an array of users.
<anyproperty>
optional
Additional parameters will be stored/updated as node properties in the JCR
<anyproperty@Delete>
optional
Properties with @Delete at the end of the name will be deleted in the JCR

Responses:

200 Success, a redirect is sent to the groups resource locator with HTML (or JSON) describing status.
404
Group was not found
500
Failure

Example

curl \-Fanyproperty1@Delete \-Fproperty2=value2 -F ":member=/system/userManager/user/myuser" \
    http://localhost:8080/system/userManager/group/mygroup.update.html

Delete group

To delete an existing group POST a request to /system/userManager/group/groupname.delete.<html or json>. The following parameters are available:

parameter name
required
description
:applyTo
optional
An array of relative resource references to groups to be deleted. If this parameter is present, the name of the group from the URL is ignored and all listed groups are removed.

Responses:

200 Success, sent with no body.
404
Group(s) was/were not found
500
Failure. HTML (or JSON) explains failure.

Example

curl -Fgo=1 http://localhost:8080/system/userManager/group/mygroup.delete.html

Automated Tests

The launchpad/testing module contains test classes for various operations of the jackrabbit-usermanager. Such tests run as part of our continuous integration process, to demonstrate and verify the behavior of the various operations, in a way that's guaranteed to be in sync with the actual Sling core code. If you have an idea for additional tests, make sure to let us know!

Permissions checking from scripts

Since Version 2.0.6

When developing scripts that will perform user or group updates, you may want to know what actions the current user is provisioned to do. This information can be used to conditionally render parts of your page differently based on the user rights.

The jackrabbit.usermanager bundle provides a service (AuthorizablePrivilegesInfo) you can utilize to do help with this permission checking.

The AuthorizablePrivilegesInfo provides methods for checking the following actions

Method Description
canAddUser(jcrSession) Checks if the current user may add new users
canAddGroup(jcrSession) Checks if the current user may add new groups
canUpdateProperties(jcrSession, principalId) Checks if the current user may update the properties of the specified principal
canRemove(jcrSession, principalId) Checks if the current user may remove the specified user or group
canUpdateGroupMembers(jcrSession, groupId) Checks if the current user may modify the membership of the specified group

Example:

<%
    // lookup the service
    var privilegesInfo = sling.getService(Packages.org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo);

    if (privilegesInfo.canAddUser(currentSession)) {
        //TODO: render the UI that allows the user to add a user here
    }

    if (privilegesInfo.canAddGroup(currentSession)) {
        //TODO: render the UI that allows the user to add a group here
    }

    if (privilegesInfo.canUpdateProperties(currentSession, "someUserId")) {
        //TODO: render the UI that allows the user to update the properties of the user here
    }

    if (privilegesInfo.canRemove(currentSession, "someUserId")) {
        //TODO: render the UI that allows the user to remove the user here
    }

    if (privilegesInfo.canUpdateGroupMembers(currentSession, "GroupName")) {
        //TODO: draw your UI that allows the user to update the group memebership here
    }
%>

Sample User Interface Implementation

Since Version 2.1.1

A sample implementation of ui pages for user/group management is provided @ http://svn.apache.org/viewvc/sling/trunk/samples/usermanager-ui/

Last modified by edn on 2011-05-05 23:29:36.0
Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.