Users
User Configuration
Users are stored in the repository under the path /hippo:configuration/hippo:users as children of hipposys:userfolder nodes. User folders can also contain nested user folders. This is useful when the number of users becomes very large, say a hundred or more: the users can then be split into subfolders, for example by the first letter of the username.
A user in the repository is represented by a single node. The node name is the username.
Users can be managed by the CMS or synchronized with an external source like LDAP. For users that are managed from the CMS the hipposys:user node type is used. For externally managed users the hipposys:externaluser type can be used. The hipposys:securityprovider property specifies which security provider manages the user. For CMS managed users the provider is internal.
If a user is marked as a system user, the user is not allowed to log in to the CMS or the Console. A user can be made a system user by setting the property hipposys:system to true. System users are also protected and hidden from the CMS setup management UI.
To disable a user, set the property hipposys:active to false. A disabled user cannot log in to the repository. The hipposys:password property contains the password of the user. The password can be stored in plain text, which is discouraged, or as a hash prefixed with the name of the hash algorithm between two dollar signs. By default the CMS uses SHA-256, for example: $SHA-256$dGeytXwnqAU=$NqCe6sJcM4qAwV8166GdueUVA/TSyidpAI3Evn+y/hc=.
Node type definitions
hipposys:user
```
[hipposys:user] > nt:base
  - hipposys:securityprovider (string) = 'internal' mandatory autocreated
  - hipposys:active (boolean) = true mandatory autocreated
  - hipposys:system (boolean)
  - hipposys:password (string)
  - hipposys:passkey (string)
  - hipposys:lastlogin (date)
  - hipposys:firstname (string)
  - hipposys:lastname (string)
  - hipposys:email (string)
  - hipposys:previouspasswords (string) multiple
  - hipposys:passwordlastmodified (date)
  - hipposys:userroles (string) multiple
```
Name | Type | Required | Description |
---|---|---|---|
node name | String | yes | The username |
hipposys:securityprovider | String | yes | Default 'internal'. Mandatory property indicating which security provider to use. |
hipposys:active | Boolean | yes | Can be used to (temporarily) disable the user. A user MUST have hipposys:active set to true to be able to log in. |
hipposys:system | Boolean | no | Can be used to indicate that the user is a system user. |
hipposys:password | String | no | The hipposys:password can be stored in plain text or as a hash. A hash has the form $<hash algorithm>$<salt>$<hash>. For example the password "admin" could result in the following hash: $SHA-256$HIlytXwnqSU=$NqCi2sJoM4qAwQ8136GYueUVA/TSyidpAI3Evn+y/hc=. The hashing algorithm can be any algorithm supported by MessageDigest, like MD5, SHA-1 and SHA-256. The password utility class PasswordHelper can be used to generate hashes with the static method PasswordHelper.getHash(String password). |
hipposys:passkey | String | no | hipposys:passkey is in general not present, but in case it is present and its value is jvm://, the user can be accessed as a JVM enabled user. Typically HST site users are JVM enabled. |
hipposys:firstname | String | no | The user's first name |
hipposys:lastname | String | no | The user's last name |
hipposys:email | String | no | The user's email address |
hipposys:userroles | String | no | The set of userroles assigned to the user |
hipposys:externaluser
```
[hipposys:externaluser] > hipposys:user
  - hipposys:lastsync (date)
  - * (string)
```
hipposys:userfolder
```
[hipposys:userfolder] > nt:base
  + * (hipposys:user) = hipposys:user
  + * (hipposys:userfolder) = hipposys:userfolder
```
Example user configuration
```yaml
/hippo:configuration:
  /hippo:users:
    /admin:
      jcr:primaryType: hipposys:user
      hipposys:securityprovider: internal
      hipposys:password: secret
      hipposys:active: true
    /myuser:
      jcr:primaryType: hipposys:user
      hipposys:securityprovider: internal
      hipposys:password: secret
      hipposys:active: true
      hipposys:firstname: John
      hipposys:lastname: Doe
      hipposys:email: [email protected]
```
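The user node layout and the $<hash algorithm>$<salt>$<hash> password format described above lend themselves to an automated review of an exported user folder. The following Python script is an added example and is not part of the brXM documentation or code base. It takes the user nodes as Python dicts (the shape the YAML example above would load to, with constructed values) and reports users whose hipposys:password is stored in plain text or with MD5 or SHA-1, hashes whose base64 parts are malformed or do not decode to the digest size of the named algorithm, and which users are disabled, system users or JVM enabled. The function names, the sample users and the salt and digest values are all constructed for this example; the script does not reproduce PasswordHelper's salting scheme, so it checks the stored format and cannot verify a password.

```python
"""Audit user nodes exported from /hippo:configuration/hippo:users.

Added example; not part of the brXM documentation or code base.  The user
nodes are given as Python dicts (what the YAML example would load to); every
sample name and value below is constructed for the example.
"""
import base64
import binascii
import hashlib
import re

# Digest sizes of the MessageDigest algorithms the documentation names.
DIGEST_SIZES = {"MD5": 16, "SHA-1": 20, "SHA-256": 32}
WEAK_ALGORITHMS = {"MD5", "SHA-1"}
# The documented form $<hash algorithm>$<salt>$<hash>; base64 never contains '$'.
HASH_RE = re.compile(r"^\$([^$]+)\$([^$]*)\$([^$]+)$")


def parse_password_hash(value):
    """Split a stored hipposys:password into algorithm, salt and digest.

    Returns None when the value does not have the $alg$salt$hash shape
    (a plain-text password) and raises ValueError when the salt or hash
    part is not valid base64.
    """
    match = HASH_RE.match(value)
    if match is None:
        return None
    algorithm, salt_b64, hash_b64 = match.groups()
    try:
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(hash_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("salt or hash is not valid base64") from exc
    return {"algorithm": algorithm, "salt": salt, "digest": digest}


def audit_user(props):
    """Return the findings (strings) for one hipposys:user node."""
    findings = []
    # hipposys:active defaults to true in the node type definition.
    if props.get("hipposys:active", True) is False:
        findings.append("disabled: hipposys:active is false, login is refused")
    if props.get("hipposys:system", False) is True:
        findings.append("system user: cannot log in to the CMS or Console")
    if props.get("hipposys:passkey") == "jvm://":
        findings.append("JVM enabled: hipposys:passkey is jvm://")
    password = props.get("hipposys:password")
    if password is None:
        return findings  # e.g. an externally managed user without a stored password
    try:
        parsed = parse_password_hash(password)
    except ValueError as exc:
        findings.append(f"malformed hash: {exc}")
        return findings
    if parsed is None:
        findings.append("password stored in plain text")
        return findings
    algorithm = parsed["algorithm"]
    if algorithm in WEAK_ALGORITHMS:
        findings.append(f"weak hash algorithm {algorithm}")
    expected = DIGEST_SIZES.get(algorithm)
    if expected is None:
        findings.append(f"unrecognized hash algorithm {algorithm}")
    elif len(parsed["digest"]) != expected:
        findings.append(f"{algorithm} digest is {len(parsed['digest'])} bytes, expected {expected}")
    if not parsed["salt"]:
        findings.append("hash has an empty salt")
    return findings


def audit_users(users):
    """Map every username to its list of findings."""
    return {name: audit_user(props) for name, props in users.items()}


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample values: only the lengths matter for the format checks.
_SALT = bytes(range(8))
_DIGEST32 = hashlib.sha256(b"constructed sample").digest()

SAMPLE_USERS = {
    "admin": {"hipposys:securityprovider": "internal",
              "hipposys:password": "secret",  # plain text, as in the YAML example
              "hipposys:active": True},
    "myuser": {"hipposys:securityprovider": "internal",
               "hipposys:password": f"$SHA-256${_b64(_SALT)}${_b64(_DIGEST32)}",
               "hipposys:active": True,
               "hipposys:firstname": "John", "hipposys:lastname": "Doe"},
    "olduser": {"hipposys:securityprovider": "internal",
                "hipposys:password": f"$MD5${_b64(_SALT)}${_b64(_DIGEST32[:16])}",
                "hipposys:active": False},
    "liveuser": {"hipposys:securityprovider": "internal",
                 "hipposys:system": True, "hipposys:passkey": "jvm://",
                 # truncated digest: the stored hash is not a full SHA-256 value
                 "hipposys:password": f"$SHA-256${_b64(_SALT)}${_b64(_DIGEST32[:31])}"},
}

if __name__ == "__main__":
    for user, findings in audit_users(SAMPLE_USERS).items():
        print(user, findings or ["ok"])
```

Run against a real export, the dict would be built from the YAML under /hippo:configuration/hippo:users; the checks that matter most are the plain-text and MD5/SHA-1 findings, since both are accepted by the repository but give no protection if the configuration is ever leaked.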
Default provided users
name | userroles | system | jvm enabled | description |
---|---|---|---|---|
admin | xm.default-user.system-admin, xm.repository-browser.user | no | no | the default administrator, has all privileges, NOT a member of the admin group |
author | | no | no | example author user, only provided for and in development mode, member of the author group |
editor | | no | no | example editor user, only provided for and in development mode, member of the editor group |
workflowuser | xm.repository.admin | yes | no | used internally by the CMS workflow |
liveuser | xm.live-documents.reader | yes | yes | used internally by the delivery tier to read live document variants |
previewuser | xm.preview-documents.reader | yes | yes | used internally by the delivery tier to read preview document variants |
sitewriter | xm.form.writer | yes | yes | used internally by the delivery tier to write to /formdata nodes, or to invoke workflow on documents if given more authorization |
configuser | xm.repository.reader | yes | yes | used internally by the delivery tier to read, amongst others, the HST configuration node |
frontend-system-user | xm.frontend-config.reader | yes | yes | used internally by the CMS and Console to read the default (minimal) frontend configuration for not-yet-logged-in users |
hippo-relevance | xm.default-user.webmaster | yes | yes | used internally by the relevance feature |
ping-user | | yes | yes | used internally by the Repository ping service (servlet) |