Creating system user - bartoszWesolowski/aem-tips GitHub Wiki

Creating a custom system user

  • used when custom access to the repository is needed outside of a logged-in user's session
  • should be used for all sessions that are created in OSGi services
  • used to create a custom user with designated privileges to perform the required actions on the JCR repository, for example querying some content or creating/deleting some nodes
  • does not require a username/password pair, just a user name and a mapping to the bundle that is allowed to use it

Service user

  1. Create it via /crx/explorer/index.jsp -> User administration -> Create system user
  2. Assign permissions to the system user under /useradmin
  3. Map the system user to the bundle that is allowed to use it (the bundle is referenced by its Bundle Symbolic Name). This is done through the config org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-customId:

```xml
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
          xmlns:jcr="http://www.jcp.org/jcr/1.0"
          jcr:primaryType="sling:OsgiConfig"
          user.mapping="[com.bundle.symbolic.name:userLoginUsedInResourceResolver=custom-service-user]" />
```

This config creates a mapping so that, within the scope of the given bundle, the system user with the given id (custom-service-user) can be referenced by a custom sub service name (userLoginUsedInResourceResolver).

Using custom service user

To use a custom service user, your OSGi service must create a session on behalf of this user. The ResourceResolverFactory is used for that:

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// MyService is a placeholder name for the OSGi service that needs the system user session
@Component(service = MyService.class)
public class MyService {

    @Reference
    private ResourceResolverFactory factory;

    public void doSomething() {
        Map<String, Object> serviceParams = new HashMap<>();
        // use the custom login (sub service name) defined in the user mapping configuration
        serviceParams.put(ResourceResolverFactory.SUBSERVICE, "userLoginUsedInResourceResolver");

        // try-with-resources closes the resource resolver as soon as it is not needed anymore
        try (ResourceResolver rr = factory.getServiceResourceResolver(serviceParams)) {
            // work with the repository as the mapped system user
        } catch (LoginException e) {
            // thrown when this bundle has no mapping for the sub service, or the system user is missing or disabled
            throw new IllegalStateException("Cannot obtain service resource resolver", e);
        }
    }
}
```
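
As an added example that is not part of the original wiki page: a component that, at activation, obtains the mapped service session and verifies that the system user holds the read permission the service needs and does not hold a write permission it should never have, so a mapping or /useradmin mistake shows up in the log instead of at request time. The class name and the two repository paths are assumptions made for this example.

```java
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical component: the class name and the two paths are assumptions made for this example.
@Component(immediate = true)
public class ServiceUserPrivilegeCheck {
    private static final Logger LOG = LoggerFactory.getLogger(ServiceUserPrivilegeCheck.class);
    private static final String SUBSERVICE = "userLoginUsedInResourceResolver"; // from user.mapping
    private static final String READ_PATH = "/content/my-site";   // the service must be able to read here
    private static final String FORBIDDEN_PATH = "/apps";         // the service must never be able to write here
    @Reference
    private ResourceResolverFactory factory;

    // True when the session holds the named JCR privilege on path; a path the user cannot even see counts as "no".
    static boolean hasPrivilege(Session session, String path, String privilegeName) throws RepositoryException {
        if (!session.nodeExists(path)) {
            return false;
        }
        AccessControlManager acm = session.getAccessControlManager();
        return acm.hasPrivileges(path, new Privilege[] { acm.privilegeFromName(privilegeName) });
    }

    @Activate
    protected void activate() {
        Map<String, Object> params = Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        try (ResourceResolver rr = factory.getServiceResourceResolver(params)) {
            Session session = rr.adaptTo(Session.class);
            LOG.info("sub service '{}' resolved to system user '{}'", SUBSERVICE, session.getUserID());
            if (!hasPrivilege(session, READ_PATH, Privilege.JCR_READ)) {
                LOG.error("system user cannot read {}: grant it under /useradmin", READ_PATH);
            }
            if (hasPrivilege(session, FORBIDDEN_PATH, Privilege.JCR_WRITE)) {
                LOG.error("system user can write {}: its permissions are broader than this service needs", FORBIDDEN_PATH);
            }
        } catch (LoginException | RepositoryException e) {
            // LoginException: no user.mapping entry for this bundle and sub service, or the system user is missing/disabled
            LOG.error("service user check failed for sub service '{}'", SUBSERVICE, e);
        }
    }
}
```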

Documentation