This documentation is for WSO2 API Manager 2.6.0. View documentation for the latest release.


Password Recovery

Store users can recover their passwords once the password recovery feature is enabled. The feature does not work by default because no email server is configured. Follow the steps below to configure it in the API Store.

  1. Open the <API-M_HOME>/repository/conf/axis2/axis2.xml file and uncomment the following tag to configure a mail server. Replace the default values with the details of your mail server. See MailTo Transport for more information.

    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
        <parameter name=""></parameter>
        <parameter name="mail.smtp.port">587</parameter>
        <parameter name="mail.smtp.starttls.enable">true</parameter>
        <parameter name="mail.smtp.auth">true</parameter>
        <parameter name="mail.smtp.user">synapse.demo.0</parameter>
        <parameter name="mail.smtp.password">mailpassword</parameter>
        <parameter name="mail.smtp.from">[email protected]</parameter>
    </transportSender>
  2. After you configure the mail server, the user can click on the Forgot Password link on the Sign In page of the API Store and request a password change.
  3. You need to have a user account with an email configured for this feature to work. Click the Forgot Password link. You will be directed to the Password Reset page. Enter the username of the account whose password you want to recover.
  4. After you add the username, click Request Password Change. 

    You will receive a notification that the password recovery instructions have been sent to your email address. Note that this is the email address stored during user sign up.
  5. You will receive an email with the following information. A sample is shown below. Click on the link given in the email.

    Hi Ashley
                We received a request to change the password on the Ashley account associated with this e-mail address.
                If you made this request, please click the link below to securely change your password:
                If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address
                If you did not request to have your Ashley password reset, simply disregard this email and no changes
                to your account will be made.
                Best Regards,
                WSO2 Carbon Team

    You can change the template of this email (e.g., the email link, the message body, etc.). To edit the mail template, open the <API-M_HOME>/repository/conf/email/email-admin-config.xml file and make the changes.

  6. You will be redirected to the page shown below to change your password.

Account locking

You can lock user accounts with the Account recovery and credential management feature, pre-installed in WSO2 API Manager. 

Account locking by failed login attempts

The following steps show how to enable account locking.

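  1. Open the <API-M_HOME>/repository/conf/identity/identity.xml file. Ensure that the IdentityMgtEventListener with orderId=50 has its enable attribute set to true.

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
                   orderId="50" enable="true"/>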
  2. Open the <API-M_HOME>/repository/conf/identity/ file. Set the Authentication.Policy.Enable property to true.


    Change the following properties according to your preference.


    The descriptions of the properties are given in the table below.

    Locks the account for the specified time period.
    Enables the account lock policy.
    Specifies the maximum number of unsuccessful attempts before locking the account.
  3. Restart the server for the changes to be applied.

An error message similar to the following will be logged in wso2carbon.log when the account is locked.

ERROR - AuthenticationAdmin System error while Authenticating/Authorizing User : 17003 User account is locked for user : testUser. cannot login until the account is unlocked
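
An added example (not part of the WSO2 documentation) of detection logic built on this log message: it extracts account-lock events from wso2carbon.log text, then reports accounts that were locked repeatedly and short windows in which several different accounts were locked. The timestamp prefix, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Message text as quoted on this page; the username runs up to ". cannot login".
LOCK_RE = re.compile(r"17003 User account is locked for user : (?P<user>.+?)\. cannot login")
# Assumption: each line carries a "[YYYY-MM-DD HH:MM:SS,mmm]" timestamp.
TS_RE = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\]")
MSG = ("ERROR - AuthenticationAdmin System error while Authenticating/Authorizing User : "
       "17003 User account is locked for user : {}. cannot login until the account is unlocked")

# Constructed sample lines, not real log output.
SAMPLE_LOG = "\n".join([
    "[2019-03-04 10:00:01,120] " + MSG.format("testUser"),
    "[2019-03-04 10:02:15,733] " + MSG.format("alice"),
    "[2019-03-04 10:03:40,018] " + MSG.format("bob.smith"),
    "[2019-03-04 10:03:41,002] INFO - SampleComponent unrelated message",
    "[2019-03-04 14:30:00,456] " + MSG.format("testUser"),
])

def parse_lock_events(text):
    """Return sorted (timestamp, user) pairs for every account-lock line."""
    events = []
    for line in text.splitlines():
        lock, ts = LOCK_RE.search(line), TS_RE.search(line)
        if lock and ts:
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, lock.group("user")))
    return sorted(events)

def repeat_locks(events, threshold=2):
    """Users locked at least `threshold` times (repeated failures on one account)."""
    counts = Counter(user for _, user in events)
    return {user: n for user, n in counts.items() if n >= threshold}

def lock_bursts(events, window=timedelta(minutes=10), min_users=3):
    """Windows in which at least `min_users` distinct accounts were locked."""
    alerts, covered_until = [], None
    for i, (start, _) in enumerate(events):
        if covered_until is not None and start <= covered_until:
            continue  # already reported as part of the previous burst
        users = sorted({u for t, u in events[i:] if t - start <= window})
        if len(users) >= min_users:
            alerts.append((start, users))
            covered_until = start + window
    return alerts

if __name__ == "__main__":
    events = parse_lock_events(SAMPLE_LOG)
    print(repeat_locks(events))
    print(lock_bursts(events))
```

Tune `window`, `min_users` and `threshold` to the lock time and maximum-attempts values you configured, so that a single user mistyping a password does not raise an alert.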

Account locking by an administrative user

An administrative user can lock a user account by editing the user’s profile in the management console.

  1. Log in to the Management Console (https://<host>:<port>/carbon) using admin credentials.

  2. Go to Claims > List on the Configure menu and select the claim dialect.
  3. Select the Account Locked claim and click Edit.
  4. Select the Supported by Default checkbox and click Update. This is done to make the Account Locked status appear in the user's profile. 
  5. Go to Users and Roles > List > Users on the Main menu and click on User Profile of the user you want to lock.

  6. Tick the checkbox in front of the Account Locked field to lock the account for the user and click Update.

Password policies

You can define custom password policies for store user signup as follows.

  1. Open the identity.xml file in the <API-M_HOME>/repository/conf/identity/ folder and set the org.wso2.carbon.identity.mgt.IdentityMgtEventListener under the <EventListeners> tag to enable="true".

    <EventListener type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
                   name="org.wso2.carbon.identity.mgt.IdentityMgtEventListener"
                   orderId="50" enable="true"/>
  2. Uncomment and edit the following entries in file in <API-M_HOME>/repository/conf/identity folder based on your preference.

    # Define password policy enforce extensions
    Password.policy.extensions.3.pattern=^((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*])).{0,100}$
    Password.policy.extensions.3.errorMsg='Password pattern policy violated. Password should contain a digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], one of !@#$%&* characters'

For more information, see Writing a Custom Password Validator.
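
To see what the pattern above actually enforces, the following added example (not part of the WSO2 documentation) evaluates it with Python's `re` module against constructed candidate passwords and names the requirement each rejected candidate misses. It assumes the special-character class is `!@#$%&*`; the function names and candidates are illustrative.

```python
import re

# Password.policy.extensions.3.pattern as written in the properties file.
# Assumption: the special-character class is !@#$%&*.
PROPERTIES_VALUE = r"^((?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*])).{0,100}$"

def effective_regex(properties_value):
    """Undo .properties escaping, where a doubled backslash means one backslash."""
    return properties_value.replace("\\\\", "\\")

# re.ASCII restricts \d to 0-9, as in Java's default regex mode.
POLICY = re.compile(effective_regex(PROPERTIES_VALUE), re.ASCII)

# The individual requirements encoded by the lookaheads and the length bound.
REQUIREMENTS = {
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "lowercase letter": lambda p: re.search(r"[a-z]", p) is not None,
    "uppercase letter": lambda p: re.search(r"[A-Z]", p) is not None,
    "one of !@#$%&*": lambda p: re.search(r"[!@#$%&*]", p) is not None,
    "at most 100 characters": lambda p: len(p) <= 100,
}

def accepted(password):
    """True when the whole password satisfies the configured pattern."""
    return POLICY.fullmatch(password) is not None

def failed_requirements(password):
    """Name each requirement the password misses, for a precise error message."""
    return [name for name, ok in REQUIREMENTS.items() if not ok(password)]

# Constructed candidates, not real credentials.
CANDIDATES = ["aA1!", "Password1", "password1!", "Tr1cky-Pass", "aA1!" + "x" * 97]

if __name__ == "__main__":
    for pw in CANDIDATES:
        shown = pw if len(pw) <= 20 else pw[:8] + "..."
        print(f"{shown!r:24} accepted={accepted(pw)} missing={failed_requirements(pw)}")
```

The four-character candidate `aA1!` is accepted: the pattern requires the four character classes and caps the length at 100, but sets no minimum length of its own, so a minimum has to be enforced by a separate rule.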

Customizing signup validation in the API Store

Password field validation on the API Store self-signup page is based on the default password policy. To make it match your custom policy, extend the self-signup page with your own HTML changes through a sub-theme.
