We allow ' character in JCR user nodes.
So we need to escape properly the user name, as it us used in queries to fetch the user in:
info.magnolia.cms.security.RepositoryBackedSecurityManager.findPrincipalNodeByQuery(String, Session, String, Node)

Especially for public users (and when having Scottish users) the ' character is used a lot and needed.

Here with a test user named "test'test".

ERROR info.magnolia.cms.security.MgnlUserManager 15.06.2016 16:39:42 – Could not retrieve user with name: simon_o'connell@westpac.co.nz
javax.jcr.query.InvalidQueryException: Query:
select * from [mgnl:user] where name() = 'test'test' and isdescendantnode(['/public(*)'])
at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:978)
at org.apache.jackrabbit.commons.query.sql2.Parser.getSyntaxError(Parser.java:959)
at org.apache.jackrabbit.commons.query.sql2.Parser.checkRunOver(Parser.java:773)
at

Or the bold part will be interpreted as query:
...name() = 'test'test' and isdescendantnode...

I added a patch with an escape method used for the user name.
Maybe one sees more cases to escape.

Group names can't have ' characters, so I'm not escaping the groupname.