Password recovery for a store user can be done by enabling the password recovery feature. This feature will not work by default as an email server is not configured. Follow the steps below to configure it in the API Store.
- Open the <API-M_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following tag to configure a mail server. Replace the default values with the details of your mail server. See MailTo Transport for more information.
- After you configure the mail server, the user can click on the Forgot Password link on the Sign In page of the API Store and request a password change.
- You need to have a user account with an email address configured for this feature to work. Click the Forgot Password link. You will be directed to the Password Reset page. Enter the username of the account whose password you want to recover.
- After you add the username, click Request Password Change.
You will receive a notification that the password recovery instructions have been sent to your email address. Note that this is the email address stored during user sign up.
You will receive an email with the following information. A sample is shown below. Click on the link given in the email.
You can change the template of this email (e.g., the email link or the message body). To edit the mail template, open the <API-M_HOME>/repository/conf/email/email-admin-config.xml file and make the changes.
- You will be redirected to the page shown below to change your password.
You can lock user accounts with the Account recovery and credential management feature, pre-installed in WSO2 API Manager.
Account locking by failed login attempts
The following steps show how to enable account locking.
- Open the <API-M_HOME>/repository/conf/identity/identity.xml file. Ensure that the IdentityMgtEventListener with orderId=50 is set to true.
- Open the <API-M_HOME>/repository/conf/identity/identity-mgt.properties file. Set the Authentication.Policy.Enable property to true.
- Change the following properties according to your preference. The descriptions of the properties are given below:
  - Locks the account for the specified time period.
  - Enables the account lock policy.
  - Specifies the maximum number of unsuccessful attempts before locking the account.
- Restart the server for the changes to be applied.
An error message similar to the following will be logged in wso2carbon.log when the account is locked.
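To check these settings before restarting the server, the following Python script (an added example, not part of the WSO2 documentation) parses identity-mgt.properties and flags lockout values that are missing or too weak. Authentication.Policy.Enable is the property named above; the three Authentication.Policy.Account.Lock.* names are assumed from WSO2's shipped identity-mgt.properties and should be verified against your copy.

```python
# Constructed sample, not a file shipped with the product: the policy is on, but
# the attempt limit is far too lax and the lock duration is zero minutes.
SAMPLE_PROPERTIES = """\
# identity-mgt.properties (constructed excerpt)
Authentication.Policy.Enable=true
Authentication.Policy.Account.Lock.On.Failure=true
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=50
Authentication.Policy.Account.Lock.Time=0
"""

ENABLE = "Authentication.Policy.Enable"  # named on this page
# Assumed names of the three lock properties described above; verify against your copy.
LOCK_ON_FAILURE = "Authentication.Policy.Account.Lock.On.Failure"
MAX_ATTEMPTS = "Authentication.Policy.Account.Lock.On.Failure.Max.Attempts"
LOCK_TIME = "Authentication.Policy.Account.Lock.Time"

def parse_properties(text):
    """Parse Java .properties text into a dict; comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java properties accept either '=' or ':' as the key/value separator.
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        cut = min(seps) if seps else len(line)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def _as_int(props, key):
    """Integer value of key, or None when it is missing or not numeric."""
    try:
        return int(props.get(key, ""))
    except ValueError:
        return None

def audit_lock_policy(props, max_attempts_ceiling=10, min_lock_minutes=5):
    """Return findings for weak or missing lockout settings; [] means they look sound."""
    findings = []
    if props.get(ENABLE, "").lower() != "true":
        findings.append(f"{ENABLE} is not true: no authentication policy is enforced")
    if props.get(LOCK_ON_FAILURE, "").lower() != "true":
        findings.append(f"{LOCK_ON_FAILURE} is not true: failed logins never lock the account")
    attempts = _as_int(props, MAX_ATTEMPTS)
    if attempts is None or not 1 <= attempts <= max_attempts_ceiling:
        findings.append(f"{MAX_ATTEMPTS}={attempts}: expected a value in 1..{max_attempts_ceiling}")
    minutes = _as_int(props, LOCK_TIME)
    if minutes is None or minutes < min_lock_minutes:
        findings.append(f"{LOCK_TIME}={minutes}: lock shorter than {min_lock_minutes} minutes")
    return findings
```

Run audit_lock_policy(parse_properties(open(path).read())) against your real file; the ceiling and minimum lock duration are local policy choices passed as arguments.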
Account locking by an administrative user
An administrative user can lock a user account by editing the user’s profile in the management console.
- Log in to the Management Console (https://<host>:<port>/carbon) using admin credentials.
- Go to Claims > List on the Configure menu and select the
- Select the Account Locked claim and click Edit.
- Select the Supported by Default checkbox and click Update. This is done to make the Account Locked status appear in the user's profile.
- Go to Users and Roles > List > Users on the Main menu and click User Profile for the user you want to lock.
- Tick the checkbox in front of the Account Locked field to lock the account for the user and click Update.
You can define custom password policies for store user signup as follows.
Open the identity.xml file in the <API-M_HOME>/repository/conf/identity/ folder and set the org.wso2.carbon.identity.mgt.IdentityMgtEventListener under the <EventListeners> tag to enable="true".
Uncomment and edit the following entries in the identity-mgt.properties file in the <API-M_HOME>/repository/conf/identity folder according to your preference.
For more information, see Writing a Custom Password Validator.
Customizing signup validation in the API Store
Validation of the password input field on the API Store self sign-up page is based on the default password policy. You can change it to match your custom policy by extending the self sign-up page with your own HTML changes via a sub theme.