If you are unable to login to Magnolia CMS after startup and suspect the cause to be recent changes to security configurations, use the RescueSecuritySupport Java class to reset the security configurations. The procedure below will solve most common configuration problems, but does not work in all situations. This solution is suitable, for example where a typo or the inclusion of a node under the incorrect parent, is the source of the problem. It will not work if you have, for example inadvertently removed all users.

  1. Stop Magnolia CMS.
  2. Add following line to the magnolia.properties file, located at, for example <apache-tomcat>/webapps/magnoliaAuthor/WEB-INF/config/default.

  3. Start Magnolia CMS.
  4. Login using the default superuser username and password (superuser/superuser).
  5. Fix the configuration.
  6. Stop Magnolia CMS.
  7. Remove the line inserted in 2. above from the magnolia.properties file.
  8. Start Magnolia CMS.
  9. Make a backup.


  1. While you might expect that the superuser would get full permissions with this rescue tool he actually won't (tested 5.4.4). The superuser role is read from the roles workspace and used.

    It might be a good idea to change the returned RoleManager in a way that it gives at least permissions to security, config and website workspaces.

    1. That sounds like a regression. I implemented and tested it (long time ago tbh) and it looked like superuser had full permissions. Will look into it.

      1. maybe I misinterpreted my debugging results. I kind got lost in the forest of classes involved in authorisation (wink), but thanks for double checking

    2. Okay, I looked into this and found out that we actually have a different problem. The RescueUser has powers on all workspaces but the user one due to a ClassCastException
      I filed an issue   MAGNOLIA-6617 - Getting issue details... STATUS