in src/main/java/org/apache/sling/jcr/repoinit/impl/UserVisitor.java [116:137]
public void visitCreateUser(CreateUser u) {
final String username = u.getUsername();
try {
UserManager userManager = getUserManager(session);
User user = userManager.getAuthorizable(username, User.class);
checkUserType(username, user, false);
if (user == null || (u.isForcedPath() && needsRecreate(username, user, u.getPath(), "User"))) {
final String pwd = u.getPassword();
if (pwd != null) {
// TODO we might revise this warning once we're able
// to create users by providing their encoded password
// using u.getPasswordEncoding - for now I think only cleartext works
log.warn("Creating user {} with cleartext password - should NOT be used on production systems", username);
} else {
log.info("Creating user {}", username);
}
UserUtil.createUser(session, username, pwd, u.getPath());
}
} catch (Exception e) {
report(e, "Unable to create user [" + username + "]:" + e);
}
}