JSP script

If you have lost the superuser password and are unable to log in, use this procedure to reset the account back to its default settings. If the user has been locked out, see Re-enabling a locked-out account instead.

  1. Stop Magnolia CMS.
  2. Copy the following JSP script and save it to your docroot folder, for example <apache-tomcat>/webapps/magnoliaAuthor/docroot/recovery-script.jsp.

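    <%@ page contentType="text/plain" %>
    <%@ page import="info.magnolia.context.MgnlContext" %>
    <%@ page import="info.magnolia.importexport.BootstrapUtil" %>
    <%@ page import="javax.jcr.ImportUUIDBehavior" %>
    <%@ page import="javax.jcr.Session" %>
    <%
    // Run in a system context: nobody can authenticate while the filters are disabled.
    info.magnolia.context.MgnlContext.setInstance(new info.magnolia.context.SingleJCRSessionSystemContext());
    try {
        // Re-import the default superuser node. The second argument is cut off
        // in this copy of the script; this ImportUUIDBehavior constant is assumed.
        BootstrapUtil.bootstrap(new String[] { "/mgnl-bootstrap/core/users.system.superuser.xml" },
                ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
        Session s = MgnlContext.getJCRSession("users");
        s.save(); // persist the restored account
    } catch (Exception e) {
        out.println("Bootstrap failed: " + e); // visible in the text/plain response
    }
    %>
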
  3. Open <apache-tomcat>/webapps/magnoliaAuthor/WEB-INF/web.xml in a text editor.

  4. Comment out the <filter> and <filter-mapping> sections.

    <!-- filter>
      <display-name>Magnolia global filters</display-name>
      ...
    </filter-mapping -->

    This will also disable the URI security filter, making your system vulnerable. Use a firewall or Apache Web Server in front of your application server to prevent unauthorized access while you do this.

  5. Save the web.xml file.
  6. Start Magnolia CMS.
  7. Request the JSP script at http://localhost:8080/magnoliaAuthor/docroot/recovery-script.jsp.
    The script will bootstrap the superuser account to default settings. You should see the following line in the log:

    WARN  info.magnolia.importexport.BootstrapUtil: 
    Deleted already existing node for bootstrapping: 
  8. Stop Magnolia CMS.
  9. Uncomment the <filter> and <filter-mapping> sections in the web.xml. (Undo step 4).
  10. Start Magnolia CMS.
  11. Log in as superuser with password superuser.

    If you still cannot log in, try recreating the search indexes for the users workspace.

  12. Add back any groups that the superuser needs (see comment at bottom).

Alternative procedure using the Groovy Rescue App

An alternative to the above procedure is using the Groovy Rescue App.

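Once set up as explained in the documentation link above, you can run the following script in the rescue app:

Reset superuser with Groovy

    import info.magnolia.context.MgnlContext

    session = MgnlContext.getJCRSession('users')
    superuser = session.getNode('/system/superuser')
    // Store a BCrypt hash of the default password "superuser"
    superuser.pswd = info.magnolia.cms.security.SecurityUtil.getBCrypt('superuser')
    session.save() // persist the change to the users workspace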

As with the JSP script, after you run the script you need to stop the web app and uncomment the filters sections in web.xml before rebooting Magnolia (refer again to Groovy Rescue App). 
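
Both procedures leave the instance unprotected until the <filter> and <filter-mapping> sections are restored. The shell check below is an added example, not part of the original page or of Magnolia: it confirms that both elements are outside any XML comment in web.xml and, as an extra precaution assumed here, that recovery-script.jsp is no longer in docroot. The function names are illustrative and the webapp directory is passed as the argument.

```shell
#!/bin/sh
# Added example (not Magnolia code). Function names are illustrative.
# Usage: sh check.sh <apache-tomcat>/webapps/magnoliaAuthor

# Print a file with XML comments removed, so a <filter> block that is
# still commented out (step 4) does not count as active.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                i = index(line, "-->")
                if (i == 0) break
                line = substr(line, i + 3); in_c = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); in_c = 1
            }
        }
        print out
    }' "$1"
}

# Succeeds only if <filter> and <filter-mapping> both exist outside comments.
filters_active() {
    live=$(strip_xml_comments "$1") || return 2
    printf '%s\n' "$live" | grep -q '<filter>' &&
        printf '%s\n' "$live" | grep -q '<filter-mapping>'
}

# Succeeds only if the webapp is back in its protected state.
check_webapp() {
    webapp=$1; rc=0
    if ! filters_active "$webapp/WEB-INF/web.xml"; then
        echo "FAIL: <filter>/<filter-mapping> not active in web.xml"; rc=1
    fi
    # Assumption: the recovery JSP should not stay deployed after the reset.
    if [ -e "$webapp/docroot/recovery-script.jsp" ]; then
        echo "FAIL: docroot/recovery-script.jsp is still present"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: filters active, recovery script removed"
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_webapp "$1"; fi
```

Run it after the final restart of either procedure; a non-zero exit status means the instance is still in its recovery state.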

  1. If you are on a developing machine, the easiest is to set a breakpoint in info.magnolia.cms.security.MgnlUser.MgnlUser and set the values at runtime.

  2. I run into this frequently since I work with the platform but not the content itself, typically I don't have credentials for the resulting sites but periodically have to do maintenance or development with h2 copies of them. I wrote a basic module that I just drop on the classpath which resets the superuser account as a startup task. As a module, it does leave a mark in terms of a module node in the configuration workspace and obviously never use it on anything live, public or similar. https://github.com/wlfshmn/custom-magnolia-superuser-resetter