Fork me on GitHub

User Management


JCR itself doesn’t come with a dedicated user management API. The only method related and ultimately used for user management tasks is Session.getUserID(). Therefore an API for user and group management has been defined as part of the extensions present with Jackrabbit API.

Jackrabbit API

The Jackrabbit API provides the user management related extensions that are missing in JCR. The relevant interfaces are defined in the `’ package space:

  • UserManager
  • Authorizable
    • User
    • Group
  • Impersonation
  • QueryBuilder
    • Query

API Extensions

The Oak project introduces the following user management related public interfaces and classes:


  • UserConstants : Constants (NOTE: OAK names/paths)
  • UserIdCredentials : Simple credentials implementation that might be used for `User.getCredentials’ without exposing pw information.*

  • PasswordUtil : Utilities for password generation. This utility corresponds to the internal jackrabbit utility. As of OAK it also supports Password-Based Key Derivation Function 2 (PBKDF2) function for password generation.
  • UserUtil : Utilities related to general user management tasks.

Oak User Management Implementation

The behavior of the default user management implementation is described in section User Management: The Default Implementation.


The Oak user management comes with a dedicated entry point called UserConfiguration. This class is responsible for passing configuration options to the implementation and provides the following two methods:

  • getUserManager(Root, NamePathMapper): get a new UserManager instance
  • getUserPrincipalProvider(Root, NamePathMapper): optional method that allows for optimized principal look-up from user/group accounts (since Oak 1.3.4).

Configuration Parameters

The supported configuration options of the default implementation are described in the corresponding section.


The default security setup as present with Oak 1.0 is able to have the default user management implementation replaced as follows:

The complete user management implementation can be changed by plugging a different UserConfiguration implementations. In OSGi-base setup this is achieved by making the configuration a service which must take precedence over the default. In a non-OSGi-base setup the custom configuration must be exposed by the SecurityProvider implementation.

Alternatively the default user management implementation can be extended and adjusted using various means. See the corresponding section for further details.