Hi I am using embedded jackrabbit with tomcat. I wanted to change the default password for admin user to something else so it's secure and safe.

I saw in repository.xml place to update adminId to different id but it by defaults takes the same password as user id. so can anybody help in setting a password to different userid.

Thanks Manisha

As far as I know, there is no simple method to change admin password in Jackarbbit. When using the DefaultLoginModule, passwords are stored in the "security" workspace in a protected property, so you cannot change them. But you can use Jackrabbit ACL API methods from Java. I was able to change the password with a simple java class, like this:

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.TransientRepository;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import java.io.File;

public class Main {

    public static void main(String[] args) {
        Repository repository = new TransientRepository(new File("path_to_jackrabbit_home_dir"));
        try {
            Session session = repository.login(new SimpleCredentials("admin", "admin".toCharArray()));

            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Authorizable authorizable = userManager.getAuthorizable("admin");

            ((User) authorizable).changePassword("newpassword");

            session.save();
            session.logout();
        } catch (RepositoryException e) {
            System.out.println("Auth error.");
            e.printStackTrace();
        }
    }
}

See also: http://jackrabbit.510166.n4.nabble.com/Doubt-with-username-and-password-td3173401.html

https://cwiki.apache.org/confluence/display/SLING/FAQ

from the link:

Using the userManager:

curl \ -F"oldPwd=admin" \ -F"newPwd=Fritz" \ -F"newPwdConfirm=Fritz" \ http://admin:admin@localhost:8080/system/userManager/user/admin.changePassword.html

You will also have to set that password in the Felix Web Management Console (/system/console/configMgr) under "Apache Sling Embedded JCR Repository." This is used by Sling to create an admin JCR session (using SlingRepository.loginAdministrative()) for components that need to have full access to the repository.

Note: Only after restarting the framework the old password will become invalid (as of 09-11-10).

Note: depending on the login module used in Jackrabbit, the password might not be checked at all (SimpleLoginModule, standard in Jackrabbit <= 1.4). Since Jackrabbit 1.5, the DefaultLoginModule provides full user support.

I've tried Emanuele's method, and also followed some of the instructions found in this post: http://jackrabbit.510166.n4.nabble.com/Doubt-with-username-and-password-td3173401.html

Nothing worked for me. Neither the jcr tools: SPT JCR Manager, jackrabbitexplorer, Toromiro, JCR Explorer or phpcr-browser.

My Jackrabbit webapp (3.0-SNAPSHOT) is deployed in a tomcat7, with aws as datastore and derby as persistence manager.

After struggling for several hours, the only solution that worked for me was invoking this simple jsp file, previously placed in the web application root:

<%@ page import="org.apache.jackrabbit.api.JackrabbitSession,
                     org.apache.jackrabbit.api.security.user.Authorizable,
                     org.apache.jackrabbit.api.security.user.User,
                     org.apache.jackrabbit.api.security.user.UserManager,
                     org.apache.jackrabbit.core.TransientRepository,
                     javax.jcr.Repository,
                     javax.jcr.Session,
                     javax.jcr.SimpleCredentials,
                     java.io.File,
                     org.apache.jackrabbit.commons.JcrUtils,
                     org.apache.jackrabbit.j2ee.RepositoryAccessServlet"
 %>
<%

Repository repository;
try {
    repository = RepositoryAccessServlet.getRepository(pageContext.getServletContext());
    Session jackrabbitSession = repository.login(new SimpleCredentials("admin", "oldpass".toCharArray()));

            UserManager userManager = ((JackrabbitSession) jackrabbitSession).getUserManager();
            Authorizable authorizable = userManager.getAuthorizable("admin");

            ((User) authorizable).changePassword("newpass");

            jackrabbitSession.save();
            jackrabbitSession.logout();    

} catch (Throwable e) {
    %><jsp:forward page="bootstrap/error.jsp"/><%
}

request.setAttribute("title", "Apache Jackrabbit JCR Server");
%>
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
    </head>
    <body>
        <h1>Hello World!</h1>
    </body>
</html>

Although is similar to Emanuele's answer, the only way I could actually change the current admin password was retrieving the repository using org.apache.jackrabbit.j2ee.RepositoryAccessServlet.

According to the documentation (http://jackrabbit.apache.org/jcr/jackrabbit-configuration.html), you can set the password with:

<param name="password" value="test"/>

Example:

<LoginModule class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule">
           <!-- 
              anonymous user name ('anonymous' is the default value)
            -->
           <param name="anonymousId" value="anonymous"/>
           <!--
              administrator user id (default value if param is missing is 'admin')
            -->
           <param name="adminId" value="newUser"/>
           <param name="password" value="newPassword"/>
</LoginModule>