Issue

Sidekick

After upgrading to CQ 5.5, users with new accounts cannot open a page or select Page Options in Sidekick (all options are dimmed). The users have all the applicable permissions. The log files show the following information:


Error log
GET /undefined.permissions.json?path=%2Fcontent%2Fgeometrixx%2Fen%2Fservices&_charset_=utf-8&cq_ck=1367321920507 HTTP/1.1" 404 4312 "http://:/siteadmin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0 
Access Log
GET /undefined.permissions.json HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /undefined.permissions.json not found
Request Log
GET /undefined.permissions.json?path=%2Fcontent%2Fgeometrixx%2Fen%2Fservices&_charset_=utf-8&cq_ck=1367321920684 HTTP/1.1

 

Solution

In <cq_home>/crx-quickstart/repository/repository.xml, add an AuthorizableAction element to the UserManager element:

.
.
<UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
    <param name="usersPath" value="/home/users"/>
    <param name="groupsPath" value="/home/groups"/>
    <param name="defaultDepth" value="1"/>
    <param name="autoExpandTree" value="true"/>
    <AuthorizableAction class="org.apache.jackrabbit.core.security.user.action.AccessControlAction">
        <param name="groupPrivilegeNames" value="jcr:read"/>
        <param name="userPrivilegeNames" value="jcr:all"/>
    </AuthorizableAction>
</UserManager>
.
.
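
To confirm that an upgraded instance has this configuration in place, the check below parses a repository.xml and reports what the AccessControlAction grants. It is an added example, not Adobe's or Jackrabbit's own code; the function names and the trimmed sample documents are constructed for illustration, and flagging group privileges other than jcr:read is an assumed policy based on the values shown above.

```python
import xml.etree.ElementTree as ET

ACTION = "org.apache.jackrabbit.core.security.user.action.AccessControlAction"

# Constructed samples: trimmed repository.xml content, with and without the action.
TEMPLATE = """<Repository><Security>
  <UserManager class="org.apache.jackrabbit.core.security.user.UserPerWorkspaceUserManager">
    <param name="usersPath" value="/home/users"/>
    <param name="groupsPath" value="/home/groups"/>%s
  </UserManager>
</Security></Repository>"""
ACTION_XML = """
    <AuthorizableAction class="%s">
      <param name="groupPrivilegeNames" value="jcr:read"/>
      <param name="userPrivilegeNames" value="jcr:all"/>
    </AuthorizableAction>""" % ACTION
SAMPLE_FIXED = TEMPLATE % ACTION_XML
SAMPLE_UPGRADED = TEMPLATE % ""   # the state described in the Issue section


def _names(value):
    # Privilege names are given as a comma-separated list.
    return [n.strip() for n in value.split(",") if n.strip()]


def home_acl_privileges(xml_text):
    """Return {'user': [...], 'group': [...]} or None if the action is absent."""
    root = ET.fromstring(xml_text)
    for user_manager in root.iter("UserManager"):
        for action in user_manager.findall("AuthorizableAction"):
            if action.get("class") != ACTION:
                continue
            params = {p.get("name"): p.get("value", "") for p in action.findall("param")}
            return {"user": _names(params.get("userPrivilegeNames", "")),
                    "group": _names(params.get("groupPrivilegeNames", ""))}
    return None


def audit(xml_text):
    """Return a list of findings; an empty list means the config matches the fix."""
    privs = home_acl_privileges(xml_text)
    if privs is None:
        return ["UserManager has no AccessControlAction; new accounts get no privileges from it"]
    findings = []
    if not privs["user"]:
        findings.append("userPrivilegeNames is empty")
    if privs["group"] != ["jcr:read"]:   # assumed policy: match the value on this page
        findings.append("groupPrivilegeNames differs from jcr:read: %s" % privs["group"])
    return findings
```
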

Additional information

This issue applies to an instance upgraded to CQ 5.5. In earlier versions (CQ 5.3 or 5.4), the HomeACLSetupService (an OSGi bundle) allows you to specify JCR privilege names to grant to a user or group. The HomeACLSetupService is disabled in CQ 5.5 in favor of a repository configuration option in the user management. In addition to granting JCR privileges, the repository configuration option makes it possible to configure custom actions that are executed upon user (and group) creation, before the operation is persisted, such as:
 
  • Adding a configurable hook for password validation.
  • Enforcing additional logic associated with changing a user password.
  • Creating additional mandatory properties.
  • Setting up permissions.
  • Calculating default group membership.