Platform Explorer / Nuxeo Platform LTS 2015 7.10

Extension point userManager

Configure the userManager.

The extension should use the format:

    <userManager>
        <users>
            <directory>somedirectory</directory>
            <emailField>mail</emailField>
            <searchFields append="true">
                <substringMatchSearchField>first</substringMatchSearchField>
                <exactMatchSearchField>last</exactMatchSearchField>
            </searchFields>
            <listingMode>tabbed</listingMode>
            <anonymousUser id="Anonymous">
                <property name="firstName">Anonymous</property>
                <property name="lastName">User</property>
            </anonymousUser>
            <virtualUser id="MyCustomAdministrator" searchable="false">
                <password>secret</password>
                <property name="firstName">My Custom</property>
                <property name="lastName">Administrator</property>
                <group>administrators</group>
            </virtualUser>
            <virtualUser id="MyCustomMember" searchable="false">
                <password>secret</password>
                <property name="firstName">My Custom</property>
                <property name="lastName">Member</property>
                <group>members</group>
                <group>othergroup</group>
                <propertyList name="listprop">
                    <value>item1</value>
                    <value>item2</value>
                </propertyList>
            </virtualUser>
            <virtualUser id="ExistingVirtualUser" remove="true"/>
        </users>
        <defaultAdministratorId>admin</defaultAdministratorId>
        <administratorsGroup>myAdministrators</administratorsGroup>
        <disableDefaultAdministratorsGroup>false</disableDefaultAdministratorsGroup>
        <userSortField>sn</userSortField>
        <userPasswordPattern>^[a-zA-Z0-9]{5,}$</userPasswordPattern>
        <groups>
            <directory>somegroupdir</directory>
            <membersField>members</membersField>
            <groupLabelField>grouplabel</groupLabelField>
            <subGroupsField>subgroups</subGroupsField>
            <parentGroupsField>parentgroup</parentGroupsField>
            <listingMode>search_only</listingMode>
            <searchFields append="true">
                <substringMatchSearchField>grouplabel</substringMatchSearchField>
                <exactMatchSearchField>groupname</exactMatchSearchField>
            </searchFields>
        </groups>
        <defaultGroup>members</defaultGroup>
        <groupSortField>groupname</groupSortField>
    </userManager>

If the element anonymousUser has the attribute remove="true", then the anonymous user will be disabled. The anonymous user is searchable by default.

If a virtual user has the attribute remove="true", it is removed from the list of virtual users. Virtual users are searchable by default, but this is not implemented yet, so you should keep the attribute searchable="false" to retain the same behaviour once it is.

Virtual users in the "administrators" group will have the same rights as the default administrator.

New administrators groups can be added using the "administratorsGroup" tag. Several groups can be defined by adding as many tags as needed. The default group named "administrators" can be disabled by setting "disableDefaultAdministratorsGroup" to "true" (defaults to false): only the newly defined administrators groups will then be taken into account. Note that disabling this default group should be done after setting up custom rights in the repository, as this group is usually defined as the group of users who have all permissions at the root of the repository.
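An added example (not Nuxeo code) that applies the rules above to a contribution file: it works out which groups confer administrator rights, lists the virtual users that end up with them, and reports whether the anonymous user is enabled. The sample XML and its user and group names are constructed, and the script assumes a single contribution whose root element is `<userManager>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample contribution (not from a real deployment), in the format shown above.
SAMPLE = """
<userManager>
  <users>
    <anonymousUser id="Guest"/>
    <virtualUser id="RecoveryAdmin" searchable="false">
      <password>placeholder</password>
      <group>administrators</group>
    </virtualUser>
    <virtualUser id="OpsAdmin" searchable="false">
      <password>placeholder</password>
      <group>ops-admins</group>
    </virtualUser>
    <virtualUser id="OldUser" remove="true"/>
  </users>
  <administratorsGroup>ops-admins</administratorsGroup>
  <disableDefaultAdministratorsGroup>true</disableDefaultAdministratorsGroup>
</userManager>
"""

def admin_groups(root):
    """Groups that confer administrator rights under the rules described above."""
    groups = {g.text.strip() for g in root.iter("administratorsGroup") if g.text}
    disabled = (root.findtext("disableDefaultAdministratorsGroup") or "false").strip().lower()
    if disabled != "true":
        groups.add("administrators")  # default group stays active unless disabled
    return groups

def audit(xml_text):
    """Return (anonymous_enabled, {virtual user id: administrator groups it is in})."""
    root = ET.fromstring(xml_text)  # assumption: root element is <userManager>
    admins = admin_groups(root)
    anon = root.find("users/anonymousUser")
    anonymous_enabled = anon is not None and anon.get("remove") != "true"
    findings = {}
    for vu in root.iterfind("users/virtualUser"):
        if vu.get("remove") == "true":
            continue  # a remove="true" entry deletes a virtual user, it defines none
        member_of = {g.text.strip() for g in vu.iterfind("group") if g.text}
        hits = sorted(member_of & admins)
        if hits:
            findings[vu.get("id")] = hits
    return anonymous_enabled, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample the default group is disabled, so only OpsAdmin is reported as an administrator even though RecoveryAdmin is still listed in "administrators".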

Anonymous and virtual user properties have to match the users directory schema fields to be taken into account.

The userPasswordPattern format is specified by java.util.regex.Pattern.

The values for users listingMode are: "all", "tabbed", "search_only". (These values are defined in org.nuxeo.ecm.webapp.security.UserManagerActionsBean.)

The values for groups listingMode are: "all" and "search_only".

This is the main ExtensionPoint for the UserService component.

This extension point lets you configure and extend the UserManager service.

This extension point will let you configure:

  • what implementation class must be used to provide the UserManager service
  • what virtual users you want
  • what default groups you want
  • what directories should be used for groups and users
  • how search can be done
  • how users and groups are listed

Additional documentation

Activate anonymous authentication
  • 5.3.1-SNAPSHOT

In Nuxeo, access to the repository is always done within an authenticated context.

If you want users to access Nuxeo without having to log in, you have to configure an Anonymous login.

This anonymous account will be used when a user accesses Nuxeo without logging in.

This anonymous account is a virtual user (it does not have to exist in the DB or in the LDAP), but will by default appear in the users listings so that you can grant or deny permissions to it.

Configure virtual users
  • 5.3.1-SNAPSHOT

You can use the userManager extension point to define virtual users: users that do not have to exist in the backing directories (SQL or LDAP).

Classic use cases for that are:

  • add a user when you cannot edit/update the backing directory (LDAP)
  • create a temporary Administrator for recovery
  • add some specific user accounts that may be used internally in your plugins

These virtual users can be configured to not be searchable (i.e. not listed in the default administration screens).