JAAS security setup

This short tutorial introduces you to Java Authentication and Authorization Service (JAAS) based on a dual module approach.


Magnolia uses Java Authentication and Authorization Service. JAAS creates two distinct processes:

  • Username and password request

  • Authentication and authorization

Although it’s possible to use other servlets, the default engine is Tomcat. Configuration is done in WEB-INF/config/jaas.config:

magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;

The default configuration uses two classes:

  • One for user login and password authentication.

  • One for authorization of user and password.

Each of these classes extends info.magnolia.jaas.sp.AbstractLoginModule. You can use this framework to implement your own login logic.

Login procedure

The following (simplified) login procedure assumes you have two JAAS modules configured:

Simple login procedure diagram

  1. When a user logs in to Magnolia, all configured JAAS modules try to authenticate the user by calling the login() method.

    The method throws a LoginException if the login fails authentication. Since info.magnolia.jaas.sp.AbstractLoginModule provides the login() method, a JAAS module only has to implement a validateUser() method.

  2. After the user is successfully authenticated, the commit() method of each JAAS module is called.

login() method

The login() authentication method of info.magnolia.jaas.sp.jcr.JCRAuthenticationModule is mandatory. This method verifies that the user entered is valid and enabled. In addition, it checks that the password entered matches the password stored for that user.

The second module’s login authorization method is only called if the user is verified. Therefore the login() authorization method of info.magnolia.jaas.sp.jcr.JCRAuthorizationModule can be implemented empty.

commit() method

The commit() method includes the values from both authentication and authorization. The authentication module provides all user properties, while the authorization module adds the roles and groups and the respective ACLs to the user object.


Creating a new user class implementing info.magnolia.cms.security.User


  1. Create a JAAS module extending the info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.

  2. Then, extend the following two methods:

public void validateUser() throws LoginException {

        this.user = authenticate(this.name, this.pswd);

    if (this.user == null) {
            throw new FailedLoginException("User not found or password incorrect");
    if (this.user.getAllGroups() != null) {
    if (this.user.getAllRoles() != null) {
        this.setRoleNames((Set) this.user.getAllRoles());
    public void setEntity() {
        EntityImpl user = new EntityImpl();
        user.addProperty(Entity.LANGUAGE, this.user.getLanguage());
        user.addProperty(Entity.NAME, this.user.getName());
        user.addProperty(Entity.PASSWORD, new String(this.pswd));
You still have to implement the authentication method to properly create a User object.
Adding the JAAS module to the JAAS configuration

As Magnolia is to be the secondary user management method used, you have to use the following modifier:

magnolia {
  my.project.ExternalJAASModule sufficient;
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule requisite;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;

Further reading


Credits go to Ralf Hirning for the original content contributed to the Magnolia Community Wiki.


DX Core



This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules
6.3 beta

Magnolia 6.3 beta

Magnolia 6.3 is in beta. We are updating docs based on development and feedback. Consider the 6.3 docs currently in a state of progress and not final.

We are working on some 6.3-beta known issues during this phase.