Content moved

A copy of the content of this page has been moved to JAAS security setup page in the main Magnolia documentation and will be maintained there.

Tutorial that provides a brief introduction to Java Authentication and Authorization Service (JAAS) based on a dual module approach.


Magnolia CMS uses Java Authentication and Authorization Service. JAAS creates two distinct processes:

  • Username and password request
  • Authentication and authorization

Although it is possible to use other servlets, the default engine is Tomcat. Configuration is done in WEB-INF/config/jaas.config:

magnolia {info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;};

The default configuration uses two classes:

  • one for user login and password authentication, and
  • one for authorization of user and password.

Each of these classes extends

$webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") AbstractLoginModule
. You can use this framework to implement your own login logic.

Login Procedure

The following (simplified) login procedure assumes you have two JAAS modules configured:

  •  When a user logs in to Magnolia CMS, all configured JAAS modules try to authenticate the user by calling the login() method.

  • The method throws an LoginException if the login fails authentication. Since

    $webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") AbstractLoginModule
      provides the login() method, a JAAS module only has to implement a validateUser() method. 

  • After the user is successfully authenticated, the commit() method of each JAAS module is called.


The login() authentication method of

$webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") JCRAuthenticationModule
is mandatory. This method verifies that the user entered is valid and enabled. In addition it checks that the password entered matches the password stored for that user.

The second module's login authorization method is only called if the user has been properly verified. Therefore the login() authorization method of 

$webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") JCRAuthorizationModule
can be implemented empty.


The commit() method includes the values from both authentication and authorization. The authentication module provides all user properties, while the authorization module adds the roles and groups and the respective ACLs to the user object.


Creating a new user class implementing

$webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") User

  • First create a JAAS module extending:
    $webResourceManager.requireResource("info.magnolia.sys.confluence.artifact-info-plugin:javadoc-resource-macro-resources") JCRAuthorizationModule
  • Next, extend the following two methods:
public void validateUser() throws LoginException {

        this.user = authenticate(, this.pswd);

	if (this.user == null) {
            throw new FailedLoginException("User not found or password incorrect");
	if (this.user.getAllGroups() != null) {
	if (this.user.getAllRoles() != null) {
		this.setRoleNames((Set) this.user.getAllRoles());
    public void setEntity() {
        EntityImpl user = new EntityImpl();
        user.addProperty(Entity.LANGUAGE, this.user.getLanguage());
        user.addProperty(Entity.NAME, this.user.getName());
        user.addProperty(Entity.PASSWORD, new String(this.pswd));

Note that it is still necessary to implement the authentication method in order to properly create a User object.

Adding the JAAS module to the JAAS configuration

As Magnolia is to be the secondary user management method used, you have to use the following modifier:

magnolia {
  my.project.ExternalJAASModule sufficient;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
  • No labels


  1. Just for the record, I just tried the above (extending JCRAuthorizationModule instead of JCRAuthenticationModule, and adding my custom module on top with flag sufficient) and it didn't work. Could be because of some patches I had to do, could be that this was working on previous versions, not sure.

  2. Hi! I'm looking into adding a two-factor authentication module. Having nowhere else to look for, this looks promising, but are there any other parts I need to touch eg. for adding a separate form or field to the login page? Is there something from Magnolia in the making?