Dynamic user authentication allows you to authenticate database users dynamically for each data service call. This is implemented using a mapping between the server users and the database users. This mapping can be either,
- Static inside the data service configuration.
- Provided at runtime through a Java class that implements the interface
The following topics explain both:
You can specify a code as shown in the following example in the datasource configuration section of the data service.
The configuration above maps the two Carbon users to specific database credentials and the rest of the users to a different username/password pair. The
dynamicUserAuthMapping property in
/configuration/entry/@request represents the incoming Carbon user, and the username and password elements that follow represent the mapped database credentials.
For dynamic user authentication to work, security must be enabled in the data service throug
UsernameToken for user authentication. If user authentication is not available when a
dynamicUserAuthMapping section is specified, it maps to the request="*" scenario by default.
The following screenshot shows a sample configuration of dynamic user mappings. For each entry, the Carbon user and the target database user/password can be mapped.
In the runtime mode, the property
dynamicUserAuthClass must be specified instead of the datasource configuration property
dynamicUserAuthClass property's value must have the fully-qualified class name of a Java class that implements the interface
org.wso2.carbon.dataservices.core.auth.DynamicUserAuthenticator. The interface is as follows:
The following example code snippet shows an implementation of a dynamic user authenticator class.
lookupCredentials method takes in the request user and returns the database username/password in a String array. The dbs file configuration format is as follows:
The dynamic user authentication class can be specified in the field shown in the screenshot below.
Dynamic user lookup order of precedence
In a single datasource configuration, both the static and the runtime configurations can be available at once. The server processes them as follows:
- Higher precedence goes to the static mapping in initially looking up the credentials. The "*" request setting is ignored in the first pass
- If a request user/database credentials mapping cannot be found, the secondary runtime Java class implementation is used to look up the user
- If the previous option also fails, the program returns for the primary static mapping and processes the "*" request mapping
- The data service request returns an error only if all of the above options fail
Use of external datasources
When using datasources that are not inline like Carbon, JNDI etc. the datasources must be specified in a way that its connections can be created for selected users. Specifically in Carbon datasources, enable the setting
alternateUsernameAllowed for dynamic user authentication to function.