Multiple User Stores
WSO2 API Manager's default configuration has a single user store. If required, it can be configured to connect to multiple user stores as well, so that users in any of the configured user stores are able to log in and perform operations according to their roles and permissions. This guide explains how to set up multiple user stores in WSO2 API Manager.
Server Configuration
User stores are defined in the $AM_HOME/repository/conf/user-mgt.xml file using the <UserStoreManager> element and its <Property> child elements, which define the properties of a user store. By default, only a single <UserStoreManager> is enabled. To add multiple user stores, specify multiple <UserStoreManager> elements.
A few important points regarding user store configuration in user-mgt.xml:
1. User stores take precedence in the order in which they are defined in user-mgt.xml. The <UserStoreManager> specified first is considered the primary user store.
2. An admin user must be present in the primary user store. It is defined by the <AdminUser> element.
3. Each user store is uniquely identified by its domain name, which is defined by the DomainName property inside the <UserStoreManager> element. For example:
<Property name="DomainName">foo.com</Property>
4. When using multiple JDBC user stores, the 'dataSource' property must be specified for each user store. The data source itself is defined in the $AM_HOME/repository/conf/datasources/master-datasources.xml file.
Given below is an example of two JDBC user store configurations. Note that the '<' and '>' characters inside the username and role name patterns must be written as the XML entities &lt; and &gt;, otherwise the file is not well-formed XML.

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="dataSource">jdbc/WSO2UM1</Property>
    <Property name="DomainName">foo.com</Property>
    <Property name="ReadOnly">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="dataSource">jdbc/WSO2UM2</Property>
    <Property name="DomainName">bar.com</Property>
    <Property name="ReadOnly">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\\S]{3,30}$</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
User Creation and Login
Users created from the API Manager console, and users who sign up from the API Store, are added to the primary user store only. When logging in, users must provide the domain they belong to together with the username, in the format 'DomainName/username'. For example, consider a user with the following credentials:

username - storeuser
password - storepass
domain   - foo.com

When logging in, the credentials should be provided as follows:

username - foo.com/storeuser
password - storepass
Use the maxFailedLoginAttempt property (<Property name="maxFailedLoginAttempt">) of a <UserStoreManager> in the <AM_HOME>/repository/conf/user-mgt.xml file to lock a user account once the given number of failed login attempts is exceeded.
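The two rules above that are easiest to get wrong in a multi-store user-mgt.xml are that every store needs a unique DomainName (and every JDBC store its own dataSource), and that a login name is routed by the 'DomainName/username' prefix, falling back to the primary (first-defined) store when no prefix is given. The following Python script is an added example, not part of the WSO2 documentation or product: it parses the <UserStoreManager> elements out of a user-mgt.xml-shaped document, reports configuration problems a reviewer would flag before deployment, and shows how a login name resolves to a store. The embedded XML is a constructed, trimmed sample; the <UserManager>/<Realm>/<Configuration> wrapper and the element names follow the real file's layout, but the values are illustrative.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

JDBC_CLASS = "org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"

# Constructed sample, trimmed to the properties the checks below need.
SAMPLE_USER_MGT_XML = """<UserManager>
  <Realm>
    <Configuration>
      <AdminUser><UserName>admin</UserName><Password>changeme</Password></AdminUser>
    </Configuration>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="dataSource">jdbc/WSO2UM1</Property>
      <Property name="DomainName">foo.com</Property>
      <Property name="ReadOnly">false</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
    </UserStoreManager>
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <Property name="dataSource">jdbc/WSO2UM2</Property>
      <Property name="DomainName">bar.com</Property>
      <Property name="ReadOnly">false</Property>
      <Property name="maxFailedLoginAttempt">0</Property>
    </UserStoreManager>
  </Realm>
</UserManager>
"""


def parse_user_stores(xml_text: str) -> List[Dict[str, object]]:
    """Return every <UserStoreManager> in document order.

    Document order is significant: the first store is the primary one."""
    root = ET.fromstring(xml_text)
    stores = []
    for usm in root.iter("UserStoreManager"):
        props = {p.get("name"): (p.text or "").strip() for p in usm.findall("Property")}
        stores.append({"class": usm.get("class", ""), "props": props})
    return stores


def has_admin_user(xml_text: str) -> bool:
    """True when an <AdminUser> with a non-empty <UserName> is defined."""
    admin = ET.fromstring(xml_text).find(".//AdminUser")
    return admin is not None and admin.findtext("UserName", "").strip() != ""


def check_user_store_config(xml_text: str) -> List[str]:
    """Report violations of the rules for multiple user stores (empty list = OK)."""
    stores = parse_user_stores(xml_text)
    if not stores:
        return ["no <UserStoreManager> element is enabled"]
    problems = []
    if not has_admin_user(xml_text):
        problems.append("no <AdminUser> with a UserName is defined for the primary user store")
    seen_domains = set()
    for i, store in enumerate(stores):
        props = store["props"]
        label = f"store #{i + 1} ({str(store['class']).rsplit('.', 1)[-1]})"
        domain = props.get("DomainName", "").lower()
        if len(stores) > 1 and not domain:
            problems.append(f"{label}: DomainName is required when multiple user stores are configured")
        elif domain and domain in seen_domains:
            problems.append(f"{label}: duplicate DomainName '{domain}'")
        if domain:
            seen_domains.add(domain)
        if store["class"] == JDBC_CLASS and not props.get("dataSource"):
            problems.append(f"{label}: JDBC user store has no dataSource property")
    return problems


def resolve_login(login: str, stores: List[Dict[str, object]]) -> Tuple[str, str]:
    """Split 'DomainName/username' into (domain, username).

    A bare username is looked up in the primary (first) store. Domain matching is
    case-insensitive; a domain that no configured store owns is rejected."""
    domains = [str(s["props"].get("DomainName", "")) for s in stores]
    if "/" in login:
        domain, username = login.split("/", 1)
    else:
        domain, username = domains[0], login
    for known in domains:
        if known.lower() == domain.lower():
            return known, username
    raise ValueError(f"unknown user store domain '{domain}'")


if __name__ == "__main__":
    for problem in check_user_store_config(SAMPLE_USER_MGT_XML) or ["configuration OK"]:
        print(problem)
    print(resolve_login("foo.com/storeuser", parse_user_stores(SAMPLE_USER_MGT_XML)))
```

To run the checks against a real installation, read $AM_HOME/repository/conf/user-mgt.xml into a string and pass it to check_user_store_config; the script only inspects the file and never connects to the data sources.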
Invoking the Login API
When invoking the Login API for token generation, a user needs to provide credentials as explained in the section above, with the username prefixed by the domain name. The following example shows how 'storeuser' of domain foo.com makes a request to the Login API using curl as the REST client. Each header is passed with its own -H option:
curl -k -d "grant_type=password&username=foo.com/storeuser&password=storepass&scope=PRODUCTION" -H "Authorization: Bearer SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/login
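The same Login API call from a Python client, as an added example that is not part of the WSO2 documentation. It shows two details the curl one-liner glosses over: the domain-qualified username is form-encoded (the '/' becomes %2F, which the server decodes back), and the TLS certificate is verified against a CA bundle instead of being skipped as curl's -k does. The base URL, the application token (the base64 value carried in the page's Bearer header) and the CA file path are assumed inputs; the request is only sent when the script is run directly.

```python
import json
import ssl
import urllib.request
from typing import Dict, Tuple
from urllib.parse import urlencode


def build_login_request(base_url: str, app_token: str, domain: str, username: str,
                        password: str, scope: str = "PRODUCTION") -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for the Login API's password grant.

    urlencode() percent-encodes the '/' in 'DomainName/username', so the body is
    valid application/x-www-form-urlencoded and the server sees the original name."""
    body = urlencode({
        "grant_type": "password",
        "username": f"{domain}/{username}",
        "password": password,
        "scope": scope,
    }).encode("utf-8")
    headers = {
        "Authorization": f"Bearer {app_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return f"{base_url.rstrip('/')}/login", headers, body


def send_login_request(url: str, headers: Dict[str, str], body: bytes, cafile: str) -> Dict[str, object]:
    """POST the request with certificate verification pinned to the given CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the gateway certificate
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Assumed values: replace with the gateway URL, the application's token and
    # the CA bundle that signed the gateway certificate.
    url, headers, body = build_login_request(
        "https://localhost:8243", "APP_TOKEN_PLACEHOLDER", "foo.com", "storeuser", "storepass")
    print(send_login_request(url, headers, body, cafile="/path/to/gateway-ca.pem"))
```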
Also refer to User Tokens.
Note