Dynamic user authentication authenticates database users dynamically for each data service call. It can be enabled and configured when a data source is created, as described below.
Dynamic user authentication is implemented using a mapping between Carbon users and database users. This mapping can either be static, inside the data service configuration itself, or be provided at runtime through a Java class that implements the interface "org.wso2.carbon.dataservices.core.auth.DynamicUserAuthenticator".
The static mapping is specified in the data source configuration section of the data service, as shown in the sample configuration snippet below.
The configuration above maps the two Carbon users to specific database credentials and all other users to a different username/password pair. In the "dynamicUserAuthMapping" property, the "request" attribute at "/configuration/entry/@request" holds the incoming Carbon user, and the "username" and "password" elements that follow hold the mapped database credentials.
For dynamic user authentication to work, security must be enabled in the data service through UsernameToken for user authentication. If no authenticated user is available when a "dynamicUserAuthMapping" section is specified, the request is mapped by default to the request="*" entry.
The following figure shows a sample configuration of dynamic user mappings. For each entry, the Carbon user and the target database user/password can be mapped.
In the runtime mode, the property "dynamicUserAuthClass" should be specified instead of the data source configuration property "dynamicUserAuthMapping". Its value should be the fully-qualified class name of a Java class that implements the interface "org.wso2.carbon.dataservices.core.auth.DynamicUserAuthenticator". The interface is as follows:
The following sample code snippet shows an implementation of a dynamic user authenticator class.
The "lookupCredentials" method takes the request user and returns the database username and password as a String array. The corresponding .dbs file configuration format is as follows:
The dynamic user authentication class can be specified in the field shown in the screenshot below.
Dynamic User Look-up Order of Precedence
In a single data source configuration, both the static and the runtime configurations can be available at once. In that case, they will be processed as follows:
- The static mapping has the higher precedence and is consulted first. The "*" request entry is ignored in this first pass.
- If no mapping from the request user to database credentials is found there, the runtime Java class implementation is used next to look up the user.
- If that also fails, the look-up falls back to the static mapping and processes the "*" request entry.
- The data service request returns an error only if all of the above options fail.
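The following is an added example, not WSO2 code: it parses a "dynamicUserAuthMapping" fragment of the shape described above (entries addressed by /configuration/entry/@request with "username" and "password" children), stands in for the "lookupCredentials" contract with a plain callable, and resolves a Carbon user to database credentials in the order of precedence just listed, including the unauthenticated-request case that maps to request="*". The exact element layout inside the property, the function and class names, the sample users and the placeholder passwords are all assumptions made for this illustration.

```python
"""Added example (not WSO2's code): parse a dynamicUserAuthMapping fragment and
resolve a Carbon user to database credentials in the documented order.
All names and sample values below are assumptions made for this illustration."""
from typing import Callable, Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

DbCredentials = Tuple[str, str]          # (database username, database password)
# Mirrors the documented lookupCredentials contract: request user in,
# [db username, db password] out; None here means "unknown to this authenticator".
RuntimeAuthenticator = Callable[[str], Optional[List[str]]]

# Constructed sample mapping, shaped after the snippet the text refers to.
# Passwords are labelled placeholders, not real secrets.
SAMPLE_MAPPING_XML = """
<property name="dynamicUserAuthMapping">
  <configuration>
    <entry request="admin">
      <username>db_admin</username>
      <password>ADMIN_DB_PASSWORD_PLACEHOLDER</password>
    </entry>
    <entry request="alice">
      <username>db_alice</username>
      <password>ALICE_DB_PASSWORD_PLACEHOLDER</password>
    </entry>
    <entry request="*">
      <username>db_readonly</username>
      <password>READONLY_DB_PASSWORD_PLACEHOLDER</password>
    </entry>
  </configuration>
</property>
"""


class DynamicUserLookupError(Exception):
    """All look-up options failed; the data service request would return an error."""


def parse_static_mapping(xml_text: str) -> Dict[str, DbCredentials]:
    """Build {carbon user: (db user, db password)} from the mapping fragment."""
    root = ET.fromstring(xml_text.strip())
    mapping: Dict[str, DbCredentials] = {}
    for entry in root.iter("entry"):
        request = entry.get("request")
        user = entry.findtext("username")
        password = entry.findtext("password")
        if not request or user is None or password is None:
            raise ValueError("entry needs a request attribute, <username> and <password>")
        if request in mapping:
            raise ValueError(f"duplicate mapping for request user {request!r}")
        mapping[request] = (user, password)
    return mapping


def resolve_db_credentials(
    request_user: Optional[str],
    static_mapping: Dict[str, DbCredentials],
    runtime_authenticator: Optional[RuntimeAuthenticator] = None,
) -> DbCredentials:
    """Resolve in the documented order: static (no "*"), runtime class, static "*", error."""
    # No authenticated Carbon user (UsernameToken security absent): the text says
    # this maps straight to the request="*" case.
    if request_user is None:
        if "*" in static_mapping:
            return static_mapping["*"]
        raise DynamicUserLookupError('unauthenticated request and no "*" mapping')
    # 1. Explicit static entry; the "*" entry is skipped in this first pass.
    if request_user != "*" and request_user in static_mapping:
        return static_mapping[request_user]
    # 2. Runtime look-up (the Java DynamicUserAuthenticator in a real deployment).
    if runtime_authenticator is not None:
        result = runtime_authenticator(request_user)
        if result is not None:
            if len(result) != 2:
                raise DynamicUserLookupError("lookupCredentials must return [username, password]")
            return result[0], result[1]
    # 3. Fall back to the static "*" entry.
    if "*" in static_mapping:
        return static_mapping["*"]
    # 4. Nothing matched: the request fails.
    raise DynamicUserLookupError(f"no database credentials for Carbon user {request_user!r}")


def sample_runtime_authenticator(request_user: str) -> Optional[List[str]]:
    """Constructed stand-in for a runtime class: auditors share one database account."""
    audit_users = {"bob", "carol"}
    if request_user in audit_users:
        return ["db_audit", "AUDIT_DB_PASSWORD_PLACEHOLDER"]
    return None


if __name__ == "__main__":
    mapping = parse_static_mapping(SAMPLE_MAPPING_XML)
    for user in ("admin", "bob", "dave", None):
        db_user, _ = resolve_db_credentials(user, mapping, sample_runtime_authenticator)
        print(f"{user!r} -> {db_user}")
```

Running the module walks one user through each branch: "admin" is served by the static mapping, "bob" by the runtime stand-in, "dave" by the "*" entry, and an unauthenticated request (None) also by "*". Removing the "*" entry makes the "dave" case raise, which is the error the data service returns when every option fails.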
Use of External Data Sources
When using non-inline data sources such as Carbon data sources or JNDI, the data source must be defined so that connections can be created for the selected user. Specifically, for Carbon data sources, the setting "alternateUsernameAllowed" must be enabled for dynamic user authentication to function.