Package org.nuxeo.ecm.platform.usermanager

Class UserManagerImpl

java.lang.Object

org.nuxeo.ecm.platform.usermanager.UserManagerImpl

All Implemented Interfaces:

Serializable, AdministratorGroupsProvider, MultiTenantUserManager, UserManager, Authenticator, EventListener

Direct Known Subclasses:

UserManagerWithComputedGroups

public class UserManagerImpl
extends Object
implements UserManager, MultiTenantUserManager, AdministratorGroupsProvider

Standard implementation of the Nuxeo UserManager.

See Also:

• Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from interface org.nuxeo.ecm.platform.usermanager.UserManager

UserManager.MatchType

Field Summary

Fields

Modifier and Type	Field	Description
protected List<String>	administratorGroups
protected List<String>	administratorIds
static final String	ANCESTOR_GROUPS_PROPERTY_KEY	Key for the ancestor group names of a group in a core event context.
protected VirtualUser	anonymousUser
protected final CacheService	cacheService
static final String	DEFAULT_ANONYMOUS_USER_ID
protected String	defaultGroup
protected String	digestAuthDirectory
protected String	digestAuthRealm
protected final DirectoryService	dirService
protected Boolean	disableDefaultAdministratorsGroup
static final String	GROUPCHANGED_EVENT_ID	Used by JaasCacheFlusher.
protected GroupConfig	groupConfig
static final String	GROUPCREATED_EVENT_ID
static final String	GROUPDELETED_EVENT_ID
protected String	groupDirectoryName
protected String	groupIdField
protected String	groupLabelField
protected String	groupListingMode
protected String	groupMembersField
static final String	GROUPMODIFIED_EVENT_ID
protected String	groupParentGroupsField
protected String	groupSchemaName
protected Map<String,UserManager.MatchType>	groupSearchFields
protected String	groupSortField
protected String	groupSubGroupsField
static final String	ID_PROPERTY_KEY	Key for the id of a user or a group in a core event context.
static final String	INVALIDATE_ALL_PRINCIPALS_EVENT_ID
static final String	INVALIDATE_PRINCIPAL_EVENT_ID
UserMultiTenantManagement	multiTenantManagement
protected Cache	principalCache
protected static final String	SEARCH_ESCAPE_COMPAT_PARAM
static final String	USER_GROUP_CATEGORY	Possible value for the DocumentEventContext.CATEGORY_PROPERTY_KEY key of a core event context.
static final String	USER_HAS_PARTIAL_CONTENT
static final String	USERCHANGED_EVENT_ID	Used by JaasCacheFlusher.
protected UserConfig	userConfig	A structure used to inject field name configuration of users schema into a NuxeoPrincipalImpl instance.
static final String	USERCREATED_EVENT_ID
static final String	USERDELETED_EVENT_ID
protected String	userDirectoryName
protected String	userEmailField
protected String	userIdField
protected String	userListingMode
static final String	USERMANAGER_TOPIC
static final String	USERMODIFIED_EVENT_ID
protected Pattern	userPasswordPattern
protected String	userSchemaName
protected Map<String,UserManager.MatchType>	userSearchFields
protected String	userSortField
static final String	VIRTUAL_FIELD_FILTER_PREFIX
protected final Map<String,VirtualUserDescriptor>	virtualUsers

Constructor Summary

Constructors

Constructor	Description
UserManagerImpl()

Method Summary

Modifier and Type	Method	Description
protected void	appendSubgroups(String groupId, Set<String> groups, DocumentModel context)
Boolean	areGroupsReadOnly()	Returns true is users referential is read only (ie : LDAP) -> can not add users -> can not delete users.
Boolean	areUsersReadOnly()	Returns true is groups referential is read only (ie : LDAP) -> can not add groups -> can not delete groups.
Principal	authenticate(String name, String password)	Get a principal object for the given username if the username / password pair is valid, otherwise returns null.
protected void	checkGrouId(DocumentModel groupModel)
protected void	checkGroupsExistence(DocumentModel userModel, String schema, DocumentModel context)
protected void	checkPasswordValidity(DocumentModel userModel)
protected void	checkUserId(DocumentModel userModel)
boolean	checkUsernamePassword(String username, String password)	Check the password for the given username.
protected Map<String,Serializable>	cloneMap(Map<String,Serializable> map)
protected HashSet<String>	cloneSet(Set<String> set)
DocumentModel	createGroup(DocumentModel groupModel)	Creates a group from given model
DocumentModel	createGroup(DocumentModel groupModel, DocumentModel context)	Creates a group from given model with the given context.
DocumentModel	createUser(DocumentModel userModel)	Creates user from given model.
DocumentModel	createUser(DocumentModel userModel, DocumentModel context)	Creates user from given model into the given context document.
void	deleteGroup(String groupId)	Deletes group with given id.
void	deleteGroup(String groupId, DocumentModel context)	Deletes group with given id with the given context.
void	deleteGroup(DocumentModel groupModel)	Deletes group represented by given model.
void	deleteGroup(DocumentModel groupModel, DocumentModel context)	Deletes group represented by given model with the given context.
void	deleteUser(String userId)	Deletes user with given id.
void	deleteUser(String userId, DocumentModel context)	Deletes user with given id into the given context document.
void	deleteUser(DocumentModel userModel)	Deletes user represented by given model.
void	deleteUser(DocumentModel userModel, DocumentModel context)	Deletes user represented by given model into the given context document.
static String	encodeDigestAuthPassword(String username, String realm, String password)
List<String>	getAdministratorsGroups()	Returns the list of administrators groups.
List<String>	getAncestorGroups(String groupId)	Returns the ancestor groups of the group with the given id.
String	getAnonymousUserId()	Gets the anonymous user id.
DocumentModel	getBareGroupModel()	Returns a bare group model.
DocumentModel	getBareUserModel()	Returns a bare user model.
String	getDefaultGroup()
List<String>	getDescendantGroups(String groupId)	Returns the descendant groups of the group with the given id.
String	getDigestAuthDirectory()	Gets the Digest Auth directory.
protected DocumentModel	getDigestAuthModel()	Deprecated, for removal: This API element is subject to removal in a future version. since 2025.9, not used anymore
String	getDigestAuthRealm()	Gets the Digest Auth realm.
protected Map<String,String>	getDirectorySortMap(String descriptorSortField, String fallBackField)
NuxeoGroup	getGroup(String groupName)	Returns the nuxeo group with given name or null if it does not exist.
protected NuxeoGroup	getGroup(String groupName, DocumentModel context)
GroupConfig	getGroupConfig()	Returns the contributed GroupConfig.
protected Directory	getGroupDirectory()
String	getGroupDirectoryName()	Gets the group directory name.
protected String	getGroupId(DocumentModel groupModel)
String	getGroupIdField()	Returns the group directory id field.
List<String>	getGroupIds()	Returns the list of all groups ids.
List<String>	getGroupIds(DocumentModel context)	Returns the list of all groups ids with the given context. if the Document Context have a directory local configuration, the service try to open the user directory with directory suffix set into the local configuration
String	getGroupLabelField()	Returns the group label field.
String	getGroupListingMode()
String	getGroupMembersField()	Gets the group members field.
DocumentModel	getGroupModel(String groupName)	Return the group document model with this id or null if group does not exist.
DocumentModel	getGroupModel(String groupIdValue, DocumentModel context)	Return the group document model with this id concatenated with the directory local config (if not null) or null if group does not exist.
protected OrderByExpr	getGroupOrderBy()
String	getGroupParentGroupsField()	Gets the group parent-groups field.
String	getGroupSchemaName()	Returns the group directory schema name.
Set<String>	getGroupSearchFields()	Gets the group search fields.
List<String>	getGroupsInGroup(String parentId)	Returns the list of groups that belong to this group.
List<String>	getGroupsInGroup(String parentId, DocumentModel context)	Returns the list of groups that belong to this group with the given context.
protected Map<String,String>	getGroupSortMap()
String	getGroupSubGroupsField()	Gets the group sub-groups field.
protected List<String>	getLeafPermissions(String perm)
NuxeoPrincipal	getPrincipal(String username, boolean fetchReferences)	Retrieves the principal with the given username or null if it does not exist.
NuxeoPrincipal	getPrincipal(String username, DocumentModel context)	Retrieves the principal with the given username or null if it does not exist into the given context document.
protected NuxeoPrincipal	getPrincipal(String username, DocumentModel context, boolean fetchReferences)
protected NuxeoPrincipal	getPrincipalUsingCache(String username)
protected QueryBuilder	getQueryForPattern(String pattern, String dirName, Map<String,UserManager.MatchType> searchFields, OrderByExpr orderBy)
List<String>	getTopLevelGroups()	Returns the list of groups that are not members of other groups.
List<String>	getTopLevelGroups(DocumentModel context)	Returns the list of groups that are not members of other groups with the given context.
protected static TransientDataStore	getTransientDataStore()
UserConfig	getUserConfig()	Returns the contributed UserConfig.
protected Directory	getUserDirectory()
String	getUserDirectoryName()	Gets the user directory name.
String	getUserEmailField()	Gets the user email field.
protected String	getUserId(DocumentModel userModel)
String	getUserIdField()	Returns the user directory id field.
List<String>	getUserIds()	Returns the list of all user ids.
List<String>	getUserIds(DocumentModel context)	Returns the list of all user ids into the given context document.
String	getUserListingMode()
DocumentModel	getUserModel(String userName)	Returns the document model representing user with given id or null if it does not exist.
DocumentModel	getUserModel(String userName, DocumentModel context)	Returns the document model representing user with given id or null if it does not exist into the given context document.
protected DocumentModel	getUserModel(String userName, DocumentModel context, boolean fetchReferences)
protected OrderByExpr	getUserOrderBy()
Pattern	getUserPasswordPattern()
String	getUserSchemaName()	Returns the user directory schema name.
Set<String>	getUserSearchFields()	Gets the user search fields, the fields to use when a principal search is done.
String[]	getUsersForPermission(String perm, ACP acp)	For an ACP, get the list of user that has a permission.
String[]	getUsersForPermission(String perm, ACP acp, DocumentModel context)	For an ACP, get the list of user that has a permission into the given context.
List<String>	getUsersInGroup(String groupId)	Returns the list of users that belong to this group.
List<String>	getUsersInGroup(String groupId, DocumentModel context)	Returns the list of users that belong to this group into the given context
List<String>	getUsersInGroupAndSubGroups(String groupId)	Get users from a group and its subgroups.
List<String>	getUsersInGroupAndSubGroups(String groupId, DocumentModel context)	Get users from a group and its subgroups into the given context
String	getUserSortField()
protected Map<String,String>	getUserSortMap()
void	handleEvent(Event event)	An event was received.
protected void	invalidateAllPrincipals()
protected void	invalidatePrincipal(String userName)
protected boolean	isAnonymousMatching(Map<String,Serializable> filter, Set<String> fulltext)
protected boolean	isAnonymousMatching(QueryBuilder queryBuilder, Directory dir)
protected NuxeoPrincipal	makeAnonymousPrincipal()
protected NuxeoGroup	makeGroup(DocumentModel groupEntry)
protected NuxeoPrincipal	makePrincipal(DocumentModel userEntry)
protected NuxeoPrincipal	makePrincipal(DocumentModel userEntry, boolean anonymous, boolean isTransient, List<String> groups)	Deprecated, for removal: This API element is subject to removal in a future version. since 2025.8, the transient flag is deduced from the userId whether it is starting with transient/
protected NuxeoPrincipal	makePrincipal(DocumentModel userEntry, boolean anonymous, List<String> groups)
protected NuxeoPrincipal	makeTransientPrincipal(String username)
protected DocumentModel	makeTransientUserEntry(String username, Map<String,Serializable> properties)
protected NuxeoPrincipal	makeVirtualPrincipal(VirtualUser user)
protected DocumentModel	makeVirtualUserEntry(String id, VirtualUser user)
protected void	notifyCore(String userOrGroupId, String eventId)
protected void	notifyCore(String userOrGroupId, String eventId, List<String> ancestorGroupIds)
void	notifyGroupChanged(String groupName, String eventId, List<String> ancestorGroupNames)	Notifies that the given group has changed with the given event: At the runtime level so that the JaasCacheFlusher listener can make sure the principal cache is reset. At the core level, passing the groupName as the "id" property of the fired event.
protected void	notifyRuntime(String userOrGroupName, String eventId)
void	notifyUserChanged(String userName, String eventId)	Notifies that the given user has changed with the given event: At the runtime level so that the JaasCacheFlusher listener can make sure the principal cache is reset. At the core level, passing the userName as the "id" property of the fired event.
protected void	populateAncestorGroups(String groupId, List<String> ancestorGroups)
protected void	populateDescendantGroups(String groupId, List<String> descendantGroups)
protected DocumentModelList	queryWithVirtualEntries(Session session, QueryBuilder queryBuilder, List<DocumentModel> virtualEntries)	Executes a query then adds virtual entries (already supposed to match the query).
protected void	removeVirtualFilters(Map<String,Serializable> filter)
DocumentModelList	searchGroups(String pattern)	Search matching groups through their defined search fields
DocumentModelList	searchGroups(String pattern, DocumentModel context)	Search matching groups through their defined search fields into the given context document.
DocumentModelList	searchGroups(Map<String,Serializable> filter, Set<String> fulltext)	Returns groups matching given criteria.
DocumentModelList	searchGroups(Map<String,Serializable> filter, Set<String> fulltext, DocumentModel context)	Returns groups matching given criteria with the given context. if the Document Context have a directory local configuration, the service try to open the user directory with directory suffix set into the local configuration
DocumentModelList	searchGroups(QueryBuilder queryBuilder)	Returns groups matching the given query.
DocumentModelList	searchGroups(QueryBuilder queryBuilder, DocumentModel context)	Returns groups matching the given query, within the given context.
List<NuxeoPrincipal>	searchPrincipals(String pattern)
DocumentModelList	searchUsers(String pattern)	Returns users matching given pattern
DocumentModelList	searchUsers(String pattern, DocumentModel context)	Returns users matching given pattern with the given context. if the Document Context have a directory local configuration, the service try to open the directory with directory suffix set into the local configuration
DocumentModelList	searchUsers(Map<String,Serializable> filter, Set<String> fulltext)	Returns users matching given criteria.
DocumentModelList	searchUsers(Map<String,Serializable> filter, Set<String> fulltext, Map<String,String> orderBy, DocumentModel context)	MULTI-TENANT-IMPLEMENTATION
DocumentModelList	searchUsers(Map<String,Serializable> filter, Set<String> fulltext, DocumentModel context)	Returns users matching given criteria and with the given context. if the Document Context have a directory local configuration, the service try to open the user directory with directory suffix set into the local configuration
DocumentModelList	searchUsers(QueryBuilder queryBuilder)	Returns users matching the given query.
DocumentModelList	searchUsers(QueryBuilder queryBuilder, DocumentModel context)	Returns users matching the given query, within the given context.
void	setConfiguration(UserManagerDescriptor descriptor)	Sets the given configuration on the service.
protected void	setGroupDirectoryName(String groupDirectoryName)
protected void	setUserDirectoryName(String userDirectoryName)
protected void	setVirtualUsers(Map<String,VirtualUserDescriptor> virtualUsers)
protected void	syncDigestAuthPassword(String username, String password)
void	updateGroup(DocumentModel groupModel)	Updates group represented by given model.
void	updateGroup(DocumentModel groupModel, DocumentModel context)	Updates group represented by given model with the given context.
void	updateUser(DocumentModel userModel)	Updates user represented by given model.
void	updateUser(DocumentModel userModel, DocumentModel context)	Updates user represented by given model into the given context document.
protected boolean	useCache()
protected boolean	useSearchEscapeCompat()
boolean	validatePassword(String password)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.nuxeo.ecm.platform.usermanager.UserManager

getPrincipal, notifyGroupChanged

Field Details

SEARCH_ESCAPE_COMPAT_PARAM

protected static final String SEARCH_ESCAPE_COMPAT_PARAM

Since:

11.1

See Also:

• Constant Field Values

USERMANAGER_TOPIC

public static final String USERMANAGER_TOPIC

See Also:

• Constant Field Values

USERCHANGED_EVENT_ID

public static final String USERCHANGED_EVENT_ID

Used by JaasCacheFlusher.

See Also:

• Constant Field Values

USERCREATED_EVENT_ID

public static final String USERCREATED_EVENT_ID

See Also:

• Constant Field Values

USERDELETED_EVENT_ID

public static final String USERDELETED_EVENT_ID

See Also:

• Constant Field Values

USERMODIFIED_EVENT_ID

public static final String USERMODIFIED_EVENT_ID

See Also:

• Constant Field Values

GROUPCHANGED_EVENT_ID

public static final String GROUPCHANGED_EVENT_ID

Used by JaasCacheFlusher.

See Also:

• Constant Field Values

GROUPCREATED_EVENT_ID

public static final String GROUPCREATED_EVENT_ID

See Also:

• Constant Field Values

GROUPDELETED_EVENT_ID

public static final String GROUPDELETED_EVENT_ID

See Also:

• Constant Field Values

GROUPMODIFIED_EVENT_ID

public static final String GROUPMODIFIED_EVENT_ID

See Also:

• Constant Field Values

DEFAULT_ANONYMOUS_USER_ID

public static final String DEFAULT_ANONYMOUS_USER_ID

See Also:

• Constant Field Values

VIRTUAL_FIELD_FILTER_PREFIX

public static final String VIRTUAL_FIELD_FILTER_PREFIX

See Also:

• Constant Field Values

INVALIDATE_PRINCIPAL_EVENT_ID

public static final String INVALIDATE_PRINCIPAL_EVENT_ID

See Also:

• Constant Field Values

INVALIDATE_ALL_PRINCIPALS_EVENT_ID

public static final String INVALIDATE_ALL_PRINCIPALS_EVENT_ID

See Also:

• Constant Field Values

USER_GROUP_CATEGORY

public static final String USER_GROUP_CATEGORY

Possible value for the DocumentEventContext.CATEGORY_PROPERTY_KEY key of a core event context.

Since:

9.2

See Also:

• Constant Field Values

ID_PROPERTY_KEY

public static final String ID_PROPERTY_KEY

Key for the id of a user or a group in a core event context.

Since:

9.2

See Also:

• Constant Field Values

ANCESTOR_GROUPS_PROPERTY_KEY

public static final String ANCESTOR_GROUPS_PROPERTY_KEY

Key for the ancestor group names of a group in a core event context.

Since:

9.2

See Also:

• Constant Field Values

USER_HAS_PARTIAL_CONTENT

public static final String USER_HAS_PARTIAL_CONTENT

Since:

11.4

See Also:

• Constant Field Values

dirService

protected final DirectoryService dirService

cacheService

protected final CacheService cacheService

principalCache

protected Cache principalCache

multiTenantManagement

public UserMultiTenantManagement multiTenantManagement

userConfig

protected UserConfig userConfig

A structure used to inject field name configuration of users schema into a NuxeoPrincipalImpl instance. TODO not all fields inside are configurable for now - they will use default values

groupConfig

protected GroupConfig groupConfig

Since:

9.3

userDirectoryName

protected String userDirectoryName

userSchemaName

protected String userSchemaName

userIdField

protected String userIdField

userEmailField

protected String userEmailField

userSearchFields

protected Map<String,UserManager.MatchType> userSearchFields

groupDirectoryName

protected String groupDirectoryName

groupSchemaName

protected String groupSchemaName

groupIdField

protected String groupIdField

groupLabelField

protected String groupLabelField

groupMembersField

protected String groupMembersField

groupSubGroupsField

protected String groupSubGroupsField

groupParentGroupsField

protected String groupParentGroupsField

groupSortField

protected String groupSortField

groupSearchFields

protected Map<String,UserManager.MatchType> groupSearchFields

defaultGroup

protected String defaultGroup

administratorIds

protected List<String> administratorIds

administratorGroups

protected List<String> administratorGroups

disableDefaultAdministratorsGroup

protected Boolean disableDefaultAdministratorsGroup

userSortField

protected String userSortField

userListingMode

protected String userListingMode

groupListingMode

protected String groupListingMode

userPasswordPattern

protected Pattern userPasswordPattern

anonymousUser

protected VirtualUser anonymousUser

digestAuthDirectory

protected String digestAuthDirectory

digestAuthRealm

protected String digestAuthRealm

virtualUsers

protected final Map<String,VirtualUserDescriptor> virtualUsers

Constructor Details

UserManagerImpl

public UserManagerImpl()

Method Details

setConfiguration

public void setConfiguration(UserManagerDescriptor descriptor)

Description copied from interface: UserManager

Sets the given configuration on the service.

Specified by:

setConfiguration in interface UserManager

Parameters:

descriptor - the descriptor as parsed from xml, merged from the previous one if it exists.

setUserDirectoryName

protected void setUserDirectoryName(String userDirectoryName)

getUserDirectory

protected Directory getUserDirectory()

getUserDirectoryName

public String getUserDirectoryName()

Description copied from interface: UserManager

Gets the user directory name.

Specified by:

getUserDirectoryName in interface UserManager

Returns:

the user directory name.

getUserIdField

public String getUserIdField()

Description copied from interface: UserManager

Returns the user directory id field.

Specified by:

getUserIdField in interface UserManager

getUserSchemaName

public String getUserSchemaName()

Description copied from interface: UserManager

Returns the user directory schema name.

Specified by:

getUserSchemaName in interface UserManager

getUserEmailField

public String getUserEmailField()

Description copied from interface: UserManager

Gets the user email field.

Specified by:

getUserEmailField in interface UserManager

Returns:

the user email field.

getUserSearchFields

public Set<String> getUserSearchFields()

Description copied from interface: UserManager

Gets the user search fields, the fields to use when a principal search is done.

Specified by:

getUserSearchFields in interface UserManager

Returns:

the search fields.

getGroupSearchFields

public Set<String> getGroupSearchFields()

Description copied from interface: UserManager

Gets the group search fields.

Specified by:

getGroupSearchFields in interface UserManager

setGroupDirectoryName

protected void setGroupDirectoryName(String groupDirectoryName)

getGroupDirectory

protected Directory getGroupDirectory()

getGroupDirectoryName

public String getGroupDirectoryName()

Description copied from interface: UserManager

Gets the group directory name.

Specified by:

getGroupDirectoryName in interface UserManager

Returns:

the group directory name.

getGroupIdField

public String getGroupIdField()

Description copied from interface: UserManager

Returns the group directory id field.

Specified by:

getGroupIdField in interface UserManager

getGroupLabelField

public String getGroupLabelField()

Description copied from interface: UserManager

Returns the group label field.

Specified by:

getGroupLabelField in interface UserManager

getGroupSchemaName

public String getGroupSchemaName()

Description copied from interface: UserManager

Returns the group directory schema name.

Specified by:

getGroupSchemaName in interface UserManager

getGroupMembersField

public String getGroupMembersField()

Description copied from interface: UserManager

Gets the group members field.

Specified by:

getGroupMembersField in interface UserManager

Returns:

the group members field.

getGroupSubGroupsField

public String getGroupSubGroupsField()

Description copied from interface: UserManager

Gets the group sub-groups field.

Specified by:

getGroupSubGroupsField in interface UserManager

Returns:

the sub-groups field.

getGroupParentGroupsField

public String getGroupParentGroupsField()

Description copied from interface: UserManager

Gets the group parent-groups field.

Specified by:

getGroupParentGroupsField in interface UserManager

Returns:

the parent-groups field.

getUserListingMode

public String getUserListingMode()

Specified by:

getUserListingMode in interface UserManager

getGroupListingMode

public String getGroupListingMode()

Specified by:

getGroupListingMode in interface UserManager

getDefaultGroup

public String getDefaultGroup()

Specified by:

getDefaultGroup in interface UserManager

getUserPasswordPattern

public Pattern getUserPasswordPattern()

Specified by:

getUserPasswordPattern in interface UserManager

getAnonymousUserId

public String getAnonymousUserId()

Description copied from interface: UserManager

Gets the anonymous user id.

Specified by:

getAnonymousUserId in interface UserManager

Returns:

the anonymous user id, or the default one if none is defined.

setVirtualUsers

protected void setVirtualUsers(Map<String,VirtualUserDescriptor> virtualUsers)

checkUsernamePassword

public boolean checkUsernamePassword(String username,
 String password)

Description copied from interface: Authenticator

Check the password for the given username. Returns true if the username / password pair match, false otherwise.

Specified by:

checkUsernamePassword in interface Authenticator

Specified by:

checkUsernamePassword in interface UserManager

Parameters:

username - the username

password - the password to check

Returns:

true is valid, false otherwise

syncDigestAuthPassword

protected void syncDigestAuthPassword(String username,
 String password)

getDigestAuthModel

@Deprecated(since="2025.0",
            forRemoval=true)
protected DocumentModel getDigestAuthModel()

Deprecated, for removal: This API element is subject to removal in a future version.

since 2025.9, not used anymore

encodeDigestAuthPassword

public static String encodeDigestAuthPassword(String username,
 String realm,
 String password)

getDigestAuthDirectory

public String getDigestAuthDirectory()

Description copied from interface: UserManager

Gets the Digest Auth directory.

Specified by:

getDigestAuthDirectory in interface UserManager

getDigestAuthRealm

public String getDigestAuthRealm()

Description copied from interface: UserManager

Gets the Digest Auth realm.

Specified by:

getDigestAuthRealm in interface UserManager

validatePassword

public boolean validatePassword(String password)

Specified by:

validatePassword in interface UserManager

makeAnonymousPrincipal

protected NuxeoPrincipal makeAnonymousPrincipal()

makeVirtualPrincipal

protected NuxeoPrincipal makeVirtualPrincipal(VirtualUser user)

makeTransientPrincipal

protected NuxeoPrincipal makeTransientPrincipal(String username)

makeVirtualUserEntry

protected DocumentModel makeVirtualUserEntry(String id,
 VirtualUser user)

makeTransientUserEntry

protected DocumentModel makeTransientUserEntry(String username,
 Map<String,Serializable> properties)

makePrincipal

protected NuxeoPrincipal makePrincipal(DocumentModel userEntry)

makePrincipal

protected NuxeoPrincipal makePrincipal(DocumentModel userEntry,
 boolean anonymous,
 List<String> groups)

makePrincipal

@Deprecated(since="2025.8",
            forRemoval=true)
protected NuxeoPrincipal makePrincipal(DocumentModel userEntry,
 boolean anonymous,
 boolean isTransient,
 List<String> groups)

Deprecated, for removal: This API element is subject to removal in a future version.

since 2025.8, the transient flag is deduced from the userId whether it is starting with transient/

useCache

protected boolean useCache()

getPrincipal

public NuxeoPrincipal getPrincipal(String username,
 boolean fetchReferences)

Description copied from interface: UserManager

Retrieves the principal with the given username or null if it does not exist.

Can build principals for anonymous and virtual users as well as for users defined in the users directory.

Specified by:

getPrincipal in interface UserManager

Parameters:

username - is the name of the entry in the user directory

fetchReferences - controls if the references (groups) of the user will be fetched

getPrincipalUsingCache

protected NuxeoPrincipal getPrincipalUsingCache(String username)

getUserModel

public DocumentModel getUserModel(String userName)

Description copied from interface: UserManager

Returns the document model representing user with given id or null if it does not exist.

Specified by:

getUserModel in interface UserManager

getBareUserModel

public DocumentModel getBareUserModel()

Description copied from interface: UserManager

Returns a bare user model.

Can be used for user creation/search screens.

Specified by:

getBareUserModel in interface UserManager

getGroup

public NuxeoGroup getGroup(String groupName)

Description copied from interface: UserManager

Returns the nuxeo group with given name or null if it does not exist.

Specified by:

getGroup in interface UserManager

getGroup

protected NuxeoGroup getGroup(String groupName,
 DocumentModel context)

getGroupModel

public DocumentModel getGroupModel(String groupName)

Description copied from interface: UserManager

Return the group document model with this id or null if group does not exist.

Specified by:

getGroupModel in interface UserManager

Parameters:

groupName - the group identifier

makeGroup

protected NuxeoGroup makeGroup(DocumentModel groupEntry)

getTopLevelGroups

public List<String> getTopLevelGroups()

Description copied from interface: UserManager

Returns the list of groups that are not members of other groups.

Specified by:

getTopLevelGroups in interface UserManager

getGroupsInGroup

public List<String> getGroupsInGroup(String parentId)

Description copied from interface: UserManager

Returns the list of groups that belong to this group.

Specified by:

getGroupsInGroup in interface UserManager

Parameters:

parentId - the name of the parent group.

getUsersInGroup

public List<String> getUsersInGroup(String groupId)

Description copied from interface: UserManager

Returns the list of users that belong to this group.

Specified by:

getUsersInGroup in interface UserManager

Parameters:

groupId - ID of the group

getUsersInGroupAndSubGroups

public List<String> getUsersInGroupAndSubGroups(String groupId)

Description copied from interface: UserManager

Get users from a group and its subgroups.

Specified by:

getUsersInGroupAndSubGroups in interface UserManager

Parameters:

groupId - ID of the group

appendSubgroups

protected void appendSubgroups(String groupId,
 Set<String> groups,
 DocumentModel context)

isAnonymousMatching

protected boolean isAnonymousMatching(Map<String,Serializable> filter,
 Set<String> fulltext)

isAnonymousMatching

protected boolean isAnonymousMatching(QueryBuilder queryBuilder,
 Directory dir)

searchPrincipals

public List<NuxeoPrincipal> searchPrincipals(String pattern)

Specified by:

searchPrincipals in interface UserManager

searchGroups

public DocumentModelList searchGroups(String pattern)

Description copied from interface: UserManager

Search matching groups through their defined search fields

Specified by:

searchGroups in interface UserManager

getUserSortField

public String getUserSortField()

Specified by:

getUserSortField in interface UserManager

getUserSortMap

protected Map<String,String> getUserSortMap()

getUserOrderBy

protected OrderByExpr getUserOrderBy()

getGroupSortMap

protected Map<String,String> getGroupSortMap()

getGroupOrderBy

protected OrderByExpr getGroupOrderBy()

getDirectorySortMap

protected Map<String,String> getDirectorySortMap(String descriptorSortField,
 String fallBackField)

notifyCore

protected void notifyCore(String userOrGroupId,
 String eventId)

Since:

8.2

notifyCore

protected void notifyCore(String userOrGroupId,
 String eventId,
 List<String> ancestorGroupIds)

Since:

9.2

notifyRuntime

protected void notifyRuntime(String userOrGroupName,
 String eventId)

notifyUserChanged

public void notifyUserChanged(String userName,
 String eventId)

Description copied from interface: UserManager

Notifies that the given user has changed with the given event:

• At the runtime level so that the JaasCacheFlusher listener can make sure the principal cache is reset.
• At the core level, passing the userName as the "id" property of the fired event.

Specified by:

notifyUserChanged in interface UserManager

invalidatePrincipal

protected void invalidatePrincipal(String userName)

notifyGroupChanged

public void notifyGroupChanged(String groupName,
 String eventId,
 List<String> ancestorGroupNames)

Description copied from interface: UserManager

Notifies that the given group has changed with the given event:

• At the runtime level so that the JaasCacheFlusher listener can make sure the principal cache is reset.
• At the core level, passing the groupName as the "id" property of the fired event.

The ancestorGroupNames list must contain the ancestor groups of the given group. It can be computed by calling UserManager.getAncestorGroups(String). It will be passed as the "ancestorGroups" property of the fired core event.

Specified by:

notifyGroupChanged in interface UserManager

invalidateAllPrincipals

protected void invalidateAllPrincipals()

areGroupsReadOnly

public Boolean areGroupsReadOnly()

Description copied from interface: UserManager

Returns true is users referential is read only (ie : LDAP) -> can not add users -> can not delete users.

Specified by:

areGroupsReadOnly in interface MultiTenantUserManager

Specified by:

areGroupsReadOnly in interface UserManager

areUsersReadOnly

public Boolean areUsersReadOnly()

Description copied from interface: UserManager

Returns true is groups referential is read only (ie : LDAP) -> can not add groups -> can not delete groups.

Specified by:

areUsersReadOnly in interface MultiTenantUserManager

Specified by:

areUsersReadOnly in interface UserManager

checkGrouId

protected void checkGrouId(DocumentModel groupModel)

getGroupId

protected String getGroupId(DocumentModel groupModel)

checkUserId

protected void checkUserId(DocumentModel userModel)

getUserId

protected String getUserId(DocumentModel userModel)

createGroup

public DocumentModel createGroup(DocumentModel groupModel)

Description copied from interface: UserManager

Creates a group from given model

Specified by:

createGroup in interface UserManager

Returns:

the created group model

createUser

public DocumentModel createUser(DocumentModel userModel)

Description copied from interface: UserManager

Creates user from given model.

Specified by:

createUser in interface UserManager

deleteGroup

public void deleteGroup(String groupId)

Description copied from interface: UserManager

Deletes group with given id.

Specified by:

deleteGroup in interface UserManager

deleteGroup

public void deleteGroup(DocumentModel groupModel)

Description copied from interface: UserManager

Deletes group represented by given model.

Specified by:

deleteGroup in interface UserManager

deleteUser

public void deleteUser(String userId)

Description copied from interface: UserManager

Deletes user with given id.

Specified by:

deleteUser in interface UserManager

deleteUser

public void deleteUser(DocumentModel userModel)

Description copied from interface: UserManager

Deletes user represented by given model.

Specified by:

deleteUser in interface UserManager

getGroupIds

public List<String> getGroupIds()

Description copied from interface: UserManager

Returns the list of all groups ids.

Specified by:

getGroupIds in interface UserManager

getUserIds

public List<String> getUserIds()

Description copied from interface: UserManager

Returns the list of all user ids.

Specified by:

getUserIds in interface UserManager

removeVirtualFilters

protected void removeVirtualFilters(Map<String,Serializable> filter)

getQueryForPattern

protected QueryBuilder getQueryForPattern(String pattern,
 String dirName,
 Map<String,UserManager.MatchType> searchFields,
 OrderByExpr orderBy)

searchGroups

public DocumentModelList searchGroups(Map<String,Serializable> filter,
 Set<String> fulltext)

Description copied from interface: UserManager

Returns groups matching given criteria.

Specified by:

searchGroups in interface UserManager

Parameters:

filter - filter with field names as keys

fulltext - field names used for fulltext match

searchGroups

public DocumentModelList searchGroups(QueryBuilder queryBuilder)

Description copied from interface: UserManager

Returns groups matching the given query.

Specified by:

searchGroups in interface UserManager

Parameters:

queryBuilder - the query to use, including limit, offset, ordering and countTotal

searchUsers

public DocumentModelList searchUsers(String pattern)

Description copied from interface: UserManager

Returns users matching given pattern

Pattern is used to fill a filter and fulltext map according to users search fields configuration. Search is performed on each of these fields (OR).

Specified by:

searchUsers in interface UserManager

searchUsers

public DocumentModelList searchUsers(Map<String,Serializable> filter,
 Set<String> fulltext)

Description copied from interface: UserManager

Returns users matching given criteria.

Specified by:

searchUsers in interface UserManager

Parameters:

filter - filter with field names as keys

fulltext - field names used for fulltext match

searchUsers

public DocumentModelList searchUsers(QueryBuilder queryBuilder)

Description copied from interface: UserManager

Returns users matching the given query.

Specified by:

searchUsers in interface UserManager

Parameters:

queryBuilder - the query to use, including limit, offset, ordering and countTotal

updateGroup

public void updateGroup(DocumentModel groupModel)

Description copied from interface: UserManager

Updates group represented by given model.

Specified by:

updateGroup in interface UserManager

updateUser

public void updateUser(DocumentModel userModel)

Description copied from interface: UserManager

Updates user represented by given model.

Specified by:

updateUser in interface UserManager

getBareGroupModel

public DocumentModel getBareGroupModel()

Description copied from interface: UserManager

Returns a bare group model.

Can be used for group creation/search screens.

Specified by:

getBareGroupModel in interface UserManager

getAdministratorsGroups

public List<String> getAdministratorsGroups()

Description copied from interface: UserManager

Returns the list of administrators groups.

Specified by:

getAdministratorsGroups in interface AdministratorGroupsProvider

Specified by:

getAdministratorsGroups in interface UserManager

getLeafPermissions

protected List<String> getLeafPermissions(String perm)

getUsersForPermission

public String[] getUsersForPermission(String perm,
 ACP acp)

Description copied from interface: UserManager

For an ACP, get the list of user that has a permission. This method should be use with care as it can cause performance issues while getting the list of users.

Specified by:

getUsersForPermission in interface UserManager

Parameters:

perm - the permission

acp - The access control policy of the document

Returns:

the array of user ids

authenticate

public Principal authenticate(String name,
 String password)

Description copied from interface: Authenticator

Get a principal object for the given username if the username / password pair is valid, otherwise returns null.

This method is doing the authentication of the given username / password pair and returns the corresponding principal object if authentication succeeded otherwise returns null.

Specified by:

authenticate in interface Authenticator

Returns:

the authenticated principal if authentication succeded otherwise null

searchUsers

public DocumentModelList searchUsers(Map<String,Serializable> filter,
 Set<String> fulltext,
 Map<String,String> orderBy,
 DocumentModel context)

MULTI-TENANT-IMPLEMENTATION

getUsersInGroup

public List<String> getUsersInGroup(String groupId,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns the list of users that belong to this group into the given context

Specified by:

getUsersInGroup in interface MultiTenantUserManager

Parameters:

groupId - ID of the group

searchUsers

public DocumentModelList searchUsers(String pattern,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns users matching given pattern with the given context. if the Document Context have a directory local configuration, the service try to open the directory with directory suffix set into the local configuration

Pattern is used to fill a filter and fulltext map according to users search fields configuration. Search is performed on each of these fields (OR).

Specified by:

searchUsers in interface MultiTenantUserManager

searchUsers

public DocumentModelList searchUsers(QueryBuilder queryBuilder,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns users matching the given query, within the given context.

Specified by:

searchUsers in interface MultiTenantUserManager

Parameters:

queryBuilder - the query to use, including limit, offset, ordering and countTotal

context - the context for the tenant, or null

queryWithVirtualEntries

protected DocumentModelList queryWithVirtualEntries(Session session,
 QueryBuilder queryBuilder,
 List<DocumentModel> virtualEntries)

Executes a query then adds virtual entries (already supposed to match the query). Then does limit/offset/order/countTotal.

Since:

10.3

searchUsers

public DocumentModelList searchUsers(Map<String,Serializable> filter,
 Set<String> fulltext,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns users matching given criteria and with the given context. if the Document Context have a directory local configuration, the service try to open the user directory with directory suffix set into the local configuration

Specified by:

searchUsers in interface MultiTenantUserManager

Parameters:

filter - filter with field names as keys

fulltext - field names used for fulltext match

getGroupIds

public List<String> getGroupIds(DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns the list of all groups ids with the given context. if the Document Context have a directory local configuration, the service try to open the user directory with directory suffix set into the local configuration

Specified by:

getGroupIds in interface MultiTenantUserManager

searchGroups

public DocumentModelList searchGroups(Map<String,Serializable> filter,
 Set<String> fulltext,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns groups matching given criteria with the given context. if the Document Context have a directory local configuration, the service try to open the user directory with directory suffix set into the local configuration

Specified by:

searchGroups in interface MultiTenantUserManager

Parameters:

filter - filter with field names as keys

fulltext - field names used for fulltext match

searchGroups

public DocumentModelList searchGroups(QueryBuilder queryBuilder,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns groups matching the given query, within the given context.

Specified by:

searchGroups in interface MultiTenantUserManager

Parameters:

queryBuilder - the query to use, including limit, offset, ordering and countTotal

context - the context for the tenant, or null

createGroup

public DocumentModel createGroup(DocumentModel groupModel,
 DocumentModel context)
                          throws GroupAlreadyExistsException

Description copied from interface: MultiTenantUserManager

Creates a group from given model with the given context. If the Document Context have a directory local configuration, the service will append at the end of the groupname the directory suffix set into the local configuration of the context document.

Specified by:

createGroup in interface MultiTenantUserManager

Returns:

the created group model

Throws:

GroupAlreadyExistsException

getGroupModel

public DocumentModel getGroupModel(String groupIdValue,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Return the group document model with this id concatenated with the directory local config (if not null) or null if group does not exist.

Specified by:

getGroupModel in interface MultiTenantUserManager

Parameters:

groupIdValue - the group identifier

getUserModel

public DocumentModel getUserModel(String userName,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns the document model representing user with given id or null if it does not exist into the given context document. The context document must be contained into the tenant.

Specified by:

getUserModel in interface MultiTenantUserManager

getUserModel

protected DocumentModel getUserModel(String userName,
 DocumentModel context,
 boolean fetchReferences)

cloneMap

protected Map<String,Serializable> cloneMap(Map<String,Serializable> map)

cloneSet

protected HashSet<String> cloneSet(Set<String> set)

getPrincipal

public NuxeoPrincipal getPrincipal(String username,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Retrieves the principal with the given username or null if it does not exist into the given context document. The context document must be contained into the tenant

Can build principals for anonymous and virtual users as well as for users defined in the users directory.

Specified by:

getPrincipal in interface MultiTenantUserManager

getPrincipal

protected NuxeoPrincipal getPrincipal(String username,
 DocumentModel context,
 boolean fetchReferences)

searchGroups

public DocumentModelList searchGroups(String pattern,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Search matching groups through their defined search fields into the given context document. The context document must be contained into the tenant.

Specified by:

searchGroups in interface MultiTenantUserManager

getUserIds

public List<String> getUserIds(DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns the list of all user ids into the given context document. The context document must be contained into the tenant.

Specified by:

getUserIds in interface MultiTenantUserManager

createUser

public DocumentModel createUser(DocumentModel userModel,
 DocumentModel context)
                         throws UserAlreadyExistsException

Description copied from interface: MultiTenantUserManager

Creates user from given model into the given context document. The context document must be contained into the tenant.

Specified by:

createUser in interface MultiTenantUserManager

Throws:

UserAlreadyExistsException

checkGroupsExistence

protected void checkGroupsExistence(DocumentModel userModel,
 String schema,
 DocumentModel context)

checkPasswordValidity

protected void checkPasswordValidity(DocumentModel userModel)
                              throws InvalidPasswordException

Throws:

InvalidPasswordException

updateUser

public void updateUser(DocumentModel userModel,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Updates user represented by given model into the given context document. The context document must be contained into the tenant.

Specified by:

updateUser in interface MultiTenantUserManager

useSearchEscapeCompat

protected boolean useSearchEscapeCompat()

deleteUser

public void deleteUser(DocumentModel userModel,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Deletes user represented by given model into the given context document. The context document must be contained into the tenant.

Specified by:

deleteUser in interface MultiTenantUserManager

deleteUser

public void deleteUser(String userId,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Deletes user with given id into the given context document. The context document must be contained into the tenant.

Specified by:

deleteUser in interface MultiTenantUserManager

updateGroup

public void updateGroup(DocumentModel groupModel,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Updates group represented by given model with the given context. If the Document Context have a directory local configuration, the service will append at the end of the groupname the directory suffix set into the local configuration of the context document.

Specified by:

updateGroup in interface MultiTenantUserManager

deleteGroup

public void deleteGroup(DocumentModel groupModel,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Deletes group represented by given model with the given context. If the Document Context have a directory local configuration, the service will append at the end of the groupname the directory suffix set into the local configuration of the context document.

Specified by:

deleteGroup in interface MultiTenantUserManager

deleteGroup

public void deleteGroup(String groupId,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Deletes group with given id with the given context. If the Document Context have a directory local configuration, the service will append at the end of the groupname the directory suffix set into the local configuration of the context document.

Specified by:

deleteGroup in interface MultiTenantUserManager

getGroupsInGroup

public List<String> getGroupsInGroup(String parentId,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns the list of groups that belong to this group with the given context. If the Document Context have a directory local configuration, the service will append at the end of the groupname the directory suffix set into the local configuration of the context document.

Specified by:

getGroupsInGroup in interface MultiTenantUserManager

Parameters:

parentId - the name of the parent group.

getTopLevelGroups

public List<String> getTopLevelGroups(DocumentModel context)

Description copied from interface: MultiTenantUserManager

Returns the list of groups that are not members of other groups with the given context.

Specified by:

getTopLevelGroups in interface MultiTenantUserManager

getUsersInGroupAndSubGroups

public List<String> getUsersInGroupAndSubGroups(String groupId,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

Get users from a group and its subgroups into the given context

Specified by:

getUsersInGroupAndSubGroups in interface MultiTenantUserManager

Parameters:

groupId - ID of the group

getUsersForPermission

public String[] getUsersForPermission(String perm,
 ACP acp,
 DocumentModel context)

Description copied from interface: MultiTenantUserManager

For an ACP, get the list of user that has a permission into the given context. This method should be use with care as it can cause performance issues while getting the list of users.

Specified by:

getUsersForPermission in interface MultiTenantUserManager

Parameters:

perm - the permission

acp - The access control policy of the document

Returns:

the list of user ids

getAncestorGroups

public List<String> getAncestorGroups(String groupId)

Description copied from interface: UserManager

Returns the ancestor groups of the group with the given id.

Specified by:

getAncestorGroups in interface UserManager

populateAncestorGroups

protected void populateAncestorGroups(String groupId,
 List<String> ancestorGroups)

getDescendantGroups

public List<String> getDescendantGroups(String groupId)

Description copied from interface: UserManager

Returns the descendant groups of the group with the given id.

Specified by:

getDescendantGroups in interface UserManager

populateDescendantGroups

protected void populateDescendantGroups(String groupId,
 List<String> descendantGroups)

getUserConfig

public UserConfig getUserConfig()

Description copied from interface: UserManager

Returns the contributed UserConfig.

Specified by:

getUserConfig in interface UserManager

getGroupConfig

public GroupConfig getGroupConfig()

Description copied from interface: UserManager

Returns the contributed GroupConfig.

Specified by:

getGroupConfig in interface UserManager

handleEvent

public void handleEvent(Event event)

Description copied from interface: EventListener

An event was received.

Specified by:

handleEvent in interface EventListener

getTransientDataStore

protected static TransientDataStore getTransientDataStore()