Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

WSO2 API Manager's default configuration has a single user store. If required, it can be configure to connect to multiple user stores as well, so that users in any of the configured user stores are able to login and perform operations depending on their roles/permissions. This guide explains how to setup multiple user stores in WSO2 API Manager.

Server  Configuration

User stores are defined using $AM_HOME/repository/conf/user-mgt.xml file's <UserStoreManager> element and its <property> elements, which define the properties of a user store. By default, only a single <UserStoreManager> is enabled. To add multiple user stores, simply specify multiple <UserStoreManager> elements.

Few important points regarding user store configuration in user-mgt.xml are as follows: 

1. Precedence of the user stores are given to the order in which they are defined in user-mgt.xml. The UserStoreManager specified first is considered as the primary user store.

2. An admin user should be present for the primary user store. It is defined by the <AdminUser> element.

3. Each user store is uniquely identified by its domain name, which is defined in the <DomainName> sub element of the <UserStoreManager> element. For example,

Code Block
languagehtml/xml
<Property name="DomainName">foo.com</Property>

4. When having multiple JDBC user stores, the 'dataSource' property should be specified for each user store. The data source is defined in $AM_HOME/repository/conf/datasources/master-datasources.xml file.

Given below is an example of two JDBC user store configurations. 

Code Block
languagehtml/xml
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
     <Property name="dataSource">jdbc/WSO2UM1</Property>    
     <Property name="DomainName">foo.com</Property>
     <Property name="ReadOnly">false</Property>
     <Property name="MaxUserNameListLength">100</Property>
     <Property name="IsEmailUserName">false</Property>
     <Property name="DomainCalculation">default</Property>
     <Property name="PasswordDigest">SHA-256</Property>
     <Property name="StoreSaltedPassword">true</Property>
     <Property name="UserNameUniqueAcrossTenants">false</Property>
     <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
     <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
     <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
     <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
     <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
     <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
     <Property name="UserRolesCacheEnabled">true</Property>
     <Property name="maxFailedLoginAttempt">0</Property> 
</UserStoreManager>     
 
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
     <Property name="dataSource">jdbc/WSO2UM2</Property>
     <Property name="DomainName">bar.com</Property>
     <Property name="ReadOnly">false</Property>
     <Property name="MaxUserNameListLength">100</Property>
     <Property name="IsEmailUserName">false</Property>
     <Property name="DomainCalculation">default</Property>
     <Property name="PasswordDigest">SHA-256</Property>
     <Property name="StoreSaltedPassword">true</Property>
     <Property name="UserNameUniqueAcrossTenants">false</Property>
     <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
     <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
     <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
     <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
     <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
     <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
     <Property name="UserRolesCacheEnabled">true</Property>
     <Property name="maxFailedLoginAttempt">0</Property> 
</UserStoreManager>

User Creation and Login

Users created from the API Manager console and signing up from the API Store are added to the primary user store only. When logging in, users should provide the domain they belong to coupled with the username in the format 'DomainName/username' as their username. For example, consider a user with the following credentials
 
username - storeuser
password - storepass
domain    - foo.com
 
When logging in, credentials should be provided as follows:
 
username - foo.com/storeuser
password - storepass
 

Invoking the Login API  

When invoking the Login API for token generation, a user needs to provide credentials as explained in the section above, where the user name is coupled with the domain name. The following example shows how ‘storeuser’ of domain foo.com makes a request to the Login API using curl as the REST client. 

Code Block
curl -k -d "grant_type=password&username=foo.com/storeuser&password=storepass&scope=PRODUCTION" -H "Authorization :Bearer SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh, Content-Type: application/x-www-form-urlencoded" https://localhost:8243/login

Also refer to User Tokens.

Info
titleNote
Having multiple user stores does not have any effect on API invocations, since applications pass generated user tokens for authorization instead of user credentials.
Excerpt
hiddentrue

Description of how to configure multiple user stores, login and invoke APIs in WSO2 API Manager.