
Types of users


Users: People who work on site content, such as authors, editors and publishers.

System users: Administrative accounts with permissions to configure Magnolia, install new modules and create new templates, for example.

Public users: End users or visitors of the site. They can be registered through the Public User Registration (PUR) module. Registering visitors allows you to provide them with personalized content such as members-only sections of the site, newsletters and mailing lists.

Editing user preferences

A logged-in user can set their own preferences by clicking the Edit user profile action in the top right corner.

The action opens a dialog whose User profile tab allows changing the user's password, full name and email address.

Use the dialog's Preferences tab to edit the user's language and time zone.

Setting the user time zone

Every user can set their own preferred time zone. Open the user preferences dialog, click the Preferences tab and set the time zone accordingly.

Magnolia continues to record events such as page creation using the host server time. The recorded time is converted and displayed in the user's preferred time zone.


Organizing users

In Magnolia, users are organized as follows:

  • Users can have both roles and groups.
  • Groups can have groups and roles.
  • Roles can have only Access Control Lists (ACLs).

Permissions are defined in the ACL. Users inherit permissions from the roles and groups assigned to them.

In a small site you can manage users and groups in Magnolia. On a larger site (hundreds of users), it is better to manage users and groups in an enterprise-grade user management infrastructure such as Microsoft Active Directory. You would define roles and ACLs in Magnolia but manage users and groups in the external system.

Get a list of all permissions assigned to a user or group in the Tools tab of the Security app.

Editing user permissions

Every user known to Magnolia is granted a set of permissions defined by roles. You can either assign roles directly to a user, or assign a user to a group that itself grants a set of roles (see organizing users above).

Use the Security app to edit the permissions. The app is available in the Set up group of the AdminCentral and by default the superuser role is required to access it.

The Security app provides subapps to edit the users (system users and public users), groups and roles. Select the user you want to edit and double-click it or use the Edit user action. The Edit user action is available in the following subapps: Users, System users and Public users.

The dialog where you can edit user details has three tabs:

  • User info: Use this tab to edit the user's name and full name, the password, the email address, and the language (also editable in the user preferences dialog). You can also enable or disable the user account on this tab.
  • Groups: On this tab you can assign the user to existing groups.
  • Roles: On this tab you can grant roles to the user.

Automatic lockout

Automatic lockout is a security precaution that prevents users from accessing Magnolia after a number of failed login attempts.

By default, lockout is triggered and the account automatically disabled after a minimum of N+1 failed login attempts; the number of failed attempts N is configurable. Entering a non-existent username never triggers a lockout, because there is no account to disable. Lockout applies to system users and admin users but does not affect public users. When a lockout occurs, the Enabled checkbox in the user profile is cleared; an administrator can re-enable the account by checking that box again.

The number of failed login attempts N that triggers lockout is set with the maxFailedLoginAttempts property at Configuration > /server/security/userManagers/system (system users) and /server/security/userManagers/admin (users). Different values may be set for users and system users.

Node name                          Value

server
  security
    userManagers
      system
        class                      info.magnolia.cms.security.SystemUserManager
        lockTimePeriod             0
        maxFailedLoginAttempts     5
        realmName                  system
      admin
        class                      info.magnolia.cms.security.MgnlUserManager
        lockTimePeriod             0
        maxFailedLoginAttempts     5
        realmName                  admin
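The following is an added, illustrative model of the lockout rules described above (the N+1 threshold, unknown usernames never locking, public users being exempt, and an administrator re-enabling the account). It is not Magnolia's UserManager code; the class and method names, the return codes, and the assumption that a successful login or an administrative re-enable resets the failure counter are all this example's own.

```python
"""Toy model of the failed-login lockout described on this page.

Added example, not Magnolia's own UserManager implementation. The names
LockoutUserManager, Account and the string return codes are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    password: str          # plain text only because this is a toy model
    enabled: bool = True   # the "Enabled" checkbox in the user profile
    failed_attempts: int = 0


class LockoutUserManager:
    """One manager per realm, mirroring /server/security/userManagers/<realm>."""

    def __init__(self, realm_name, max_failed_login_attempts=5, lockout_applies=True):
        self.realm_name = realm_name
        # Corresponds to the maxFailedLoginAttempts property (N on the page).
        self.max_failed_login_attempts = max_failed_login_attempts
        # The page states lockout does not affect public users, so the public
        # realm's manager is modelled with lockout_applies=False.
        self.lockout_applies = lockout_applies
        self._accounts = {}   # username -> Account

    def add_user(self, name, password):
        self._accounts[name] = Account(name, password)

    def is_enabled(self, name):
        return self._accounts[name].enabled

    def login(self, name, password):
        """Return 'ok', 'unknown-user', 'disabled' or 'bad-credentials'."""
        account = self._accounts.get(name)
        if account is None:
            # No account exists, so there is nothing to lock.
            return "unknown-user"
        if not account.enabled:
            return "disabled"
        if account.password == password:
            account.failed_attempts = 0   # assumption: success resets the counter
            return "ok"
        account.failed_attempts += 1
        # The (N+1)th failure clears the Enabled flag, as the page describes.
        if self.lockout_applies and account.failed_attempts > self.max_failed_login_attempts:
            account.enabled = False
        return "bad-credentials"

    def enable(self, name):
        """An administrator re-checks the Enabled box in the user profile."""
        account = self._accounts[name]
        account.enabled = True
        account.failed_attempts = 0   # assumption: re-enabling resets the counter


def lockout_demo():
    """Drive the model through the scenarios the page describes."""
    admin_realm = LockoutUserManager("admin", max_failed_login_attempts=5)
    admin_realm.add_user("jsmith", "correct-horse")   # constructed sample user
    results = {}
    # Five failures leave the account enabled; the sixth disables it.
    for _ in range(5):
        admin_realm.login("jsmith", "wrong")
    results["enabled_after_5"] = admin_realm.is_enabled("jsmith")
    admin_realm.login("jsmith", "wrong")
    results["enabled_after_6"] = admin_realm.is_enabled("jsmith")
    # Even the right password is refused while the account is disabled.
    results["login_while_disabled"] = admin_realm.login("jsmith", "correct-horse")
    # An unknown username never locks anything.
    results["unknown_user"] = admin_realm.login("nobody", "wrong")
    # The administrator re-enables the account.
    admin_realm.enable("jsmith")
    results["login_after_enable"] = admin_realm.login("jsmith", "correct-horse")
    # Public users are not subject to lockout.
    public_realm = LockoutUserManager("public", lockout_applies=False)
    public_realm.add_user("visitor", "pw")
    for _ in range(20):
        public_realm.login("visitor", "wrong")
    results["public_still_enabled"] = public_realm.is_enabled("visitor")
    return results


if __name__ == "__main__":
    for key, value in lockout_demo().items():
        print(f"{key}: {value}")
```

The distinct return codes exist so the scenarios can be checked; a login form built on top of such a manager should present the same generic error to the client for "unknown-user", "disabled" and "bad-credentials" and keep the distinction for the server-side audit log only.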

Properties:

allowCrossRealmDuplicateNames

optional, default is false

Allows duplicate usernames in different realms. Only applicable to the admin realm.

class

required

A class that implements the UserManager interface.

Implementations:

  • info.magnolia.cms.security.MgnlUserManager manages users stored in Magnolia.
  • info.magnolia.cms.security.ExternalUserManager manages JAAS users.
  • info.magnolia.cms.security.HierarchicalUserManager is a variation of MgnlUserManager that stores users hierarchically using the structure /<path>/<first letter of username>/<first two letters of username>/<username>, such as /public/j/js/jsmith.
  • info.magnolia.cms.security.DelegatingUserManager retrieves the user's ACLs.
  • info.magnolia.cms.security.SystemUserManager manages system users such as anonymous and superuser.
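As an added example (not Magnolia's HierarchicalUserManager code), the function below computes the storage path from the structure given above for any realm root and username. The function name, the ValueError checks and the behaviour for one-character usernames, which the page does not cover, are this example's assumptions.

```python
def hierarchical_user_path(base_path, username):
    """Return the node path under which HierarchicalUserManager stores a user.

    Follows /<path>/<first letter>/<first two letters>/<username> from the page,
    e.g. ("/public", "jsmith") -> "/public/j/js/jsmith".
    base_path must be absolute; a trailing slash is tolerated. For a
    one-character username the two-letter segment degenerates to that single
    character (an assumption; the page does not specify this case).
    """
    if not username:
        raise ValueError("username must not be empty")
    if not base_path.startswith("/"):
        raise ValueError("base_path must be absolute")
    base = base_path.rstrip("/")
    return f"{base}/{username[:1]}/{username[:2]}/{username}"


if __name__ == "__main__":
    # Constructed sample usernames.
    for name in ("jsmith", "jdoe", "a"):
        print(hierarchical_user_path("/public", name))
```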

disableCache

optional, default is false

Disables caching when set to true.

realmName

required

Realm name corresponding to the JAAS login configuration.

allowPartialResults

optional, default is false

Indicates which methods are used to handle the PartialResultException thrown by the LDAP service provider (cf. the java.naming.referral property).

  • true uses the hasMoreElements() and nextElement() methods.
  • false uses the hasMore() and next() methods.

connectionFactory

optional

A subnode that specifies a custom connectionFactory.

class

The class that implements the connectionFactory.

The default class is info.magnolia.jaas.sp.ldap.connection.DefaultConnectionFactory.

Two additional implementations are available:

  • info.magnolia.jaas.sp.ldap.connection.JavaBeanBasedConnectionFactory
    This implementation supports defining the properties securityPrincipal and securityCredentials. For usage, see Apache's Generic JavaBean Resources.
  • info.magnolia.jaas.sp.ldap.connection.JNDIResourceConnectionFactory
    This is a JNDI resource based factory. It can be used with com.sun.jndi.ldap.LdapCtxFactory or with info.magnolia.jaas.sp.ldap.connection.jndiresources.MagnoliaLdapContextFactory. For usage, see Apache's Adding Custom Resource Factories.

envPropertiesPredicate

optional

A subnode that specifies the envPropertiesPredicate, which determines which environment properties are accepted.

If not defined explicitly, the predicate accepts anything within the following namespaces:

  • java.naming.* (except credentials and principal)
  • com.sun.jndi.ldap.*

class

The class that implements the envPropertiesPredicate.

The default class is info.magnolia.jaas.sp.ldap.connection.EnvPropertiesDefaultPredicate.
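To make the default acceptance rule concrete, here is an added model of it in Python. It is not EnvPropertiesDefaultPredicate itself; the function names and the prefix-matching rule are assumptions, and the sample environment is constructed for the example. The two excluded keys are the standard JNDI property names behind javax.naming.Context.SECURITY_PRINCIPAL and SECURITY_CREDENTIALS.

```python
"""Model of the default envPropertiesPredicate described on this page.

Added illustrative code, not Magnolia's EnvPropertiesDefaultPredicate. The
function names and the prefix-match rule are assumptions.
"""

# Namespaces the default predicate accepts, per the page.
ACCEPTED_PREFIXES = ("java.naming.", "com.sun.jndi.ldap.")

# The java.naming.* keys the page excludes: the JNDI names behind
# javax.naming.Context.SECURITY_PRINCIPAL and SECURITY_CREDENTIALS.
EXCLUDED_KEYS = frozenset({
    "java.naming.security.principal",
    "java.naming.security.credentials",
})


def env_property_accepted(key):
    """True if a JNDI environment property passes the default predicate."""
    if key in EXCLUDED_KEYS:
        return False
    return key.startswith(ACCEPTED_PREFIXES)


def filter_env_properties(env):
    """Return a new dict containing only the accepted properties."""
    return {k: v for k, v in env.items() if env_property_accepted(k)}


def rejected_env_properties(env):
    """Sorted names of the properties the predicate drops, useful for a startup log."""
    return sorted(k for k in env if not env_property_accepted(k))


if __name__ == "__main__":
    # Constructed sample environment, not taken from a real deployment.
    sample = {
        "java.naming.factory.initial": "com.sun.jndi.ldap.LdapCtxFactory",
        "java.naming.provider.url": "ldap://ldap.example.invalid:389",
        "java.naming.security.authentication": "simple",
        "java.naming.security.principal": "cn=admin,dc=example,dc=invalid",
        "java.naming.security.credentials": "placeholder-secret",
        "com.sun.jndi.ldap.connect.timeout": "5000",
        "unrelated.property": "ignored",
    }
    print(filter_env_properties(sample))
    print("rejected:", rejected_env_properties(sample))
```

With the default predicate, the bind principal and credentials are not carried as generic environment properties; they are supplied through the connectionFactory (securityPrincipal and securityCredentials on JavaBeanBasedConnectionFactory) where the passwordDecoder described below can be applied.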

passwordDecoder

optional

A subnode that defines how the admin password used by the connectionFactory is decoded.

The decoder is available only with the DefaultConnectionFactory and JavaBeanBasedConnectionFactory connection classes. You can also write your own password decoder.

class

The decoder is available in three implementations:

  • info.magnolia.jaas.sp.ldap.connection.password.NoOpPasswordDecoder
    This implementation returns the password without any decoding.
  • info.magnolia.jaas.sp.ldap.connection.password.ActivationKeyBasedPasswordDecoder
    This implementation uses the same set of keys as activation. To obtain an encoded password, use the SecurityUtil.encrypt("password") method.
  • info.magnolia.jaas.sp.ldap.connection.password.PasswordManagerBasedPasswordDecoder
    This implementation loads the admin's LDAP password from the Password Manager module.

pageSize

optional, default is 500

Specifies the number of objects to be returned in a single search result.