Enable basic authentication for Data Service - integrationfirst/wso2mi-references GitHub Wiki

Configure user store

Disable file-based user store

Add the following section to deployment.toml:

[internal_apis.file_user_store]
enable = false

Configure JDBC user store

  1. Create the database schema "public" and make it the default schema by executing SET search_path = public;
  2. Create the database structure by running the script {MI_HOME}/scripts/postgres/postgresql_user.sql
  3. Configure the data source: modify deployment.toml to add the following configuration
[[datasource]]
id = "WSO2CarbonDB"
url= "jdbc:postgresql://postgres:5432/wso2"
username="postgres"
password="postgres"
driver="org.postgresql.Driver"
pool_options.maxActive=50
pool_options.maxWait = 60000
pool_options.testOnBorrow = true

[user_store]
class = "org.wso2.micro.integrator.security.user.core.jdbc.JDBCUserStoreManager"
type = "database"

Note: keep the data source id = WSO2CarbonDB; the JDBC user store reads the data source with this id. The username/password above are the PostgreSQL defaults for a local test: in any real deployment use a dedicated database role with rights only on the user-store tables, and keep the password out of deployment.toml in plaintext (MI's secure vault can hold it).

  4. Copy the driver jar postgresql-42.7.5.jar to {MI_HOME}/lib
  5. Restart the WSO2 MI server so the new user store is loaded

Add user

  1. Obtain the JWT token. The management API listens on port 9164 over TLS; MI ships with a self-signed certificate, so let curl trust that certificate via --cacert instead of disabling verification with -k.
curl --location 'https://localhost:9164/management/login' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='

User admin:admin (YWRtaW46YWRtaW4= is the Base64 of admin:admin, the default credentials; change them before the management API is reachable by anyone else)

Note: after this call the admin user exists in the database table um_user. The login response is JSON and carries the token in the AccessToken field.

  2. Add user

curl --location 'https://localhost:9164/management/users' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $TOKEN" \
--data '{
    "userId": "app",
    "password": "mysecret",
    "isAdmin": "false"
}'

where TOKEN holds the AccessToken returned by the login call. The user is created without any role; the policy below only admits users holding the role proj.admin, so that role still has to be granted before this user can call the secured service.
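The two calls above scripted end to end, as an added example that is not part of this wiki: it builds the Basic header, extracts the AccessToken from the login response so the JWT is never pasted by hand, creates the user and then checks that the user is listed. The PEM file path in MI_CACERT, the MI_MGMT and MI_ADMIN_PASS variables and the script name are assumptions.

```shell
#!/bin/sh
# Added example: script the "Add user" steps against the MI management API.
# Assumptions: management API at $MI_MGMT, the MI keystore certificate exported
# to the PEM file $MI_CACERT (so curl verifies TLS instead of using -k),
# and curl, base64 and sed on PATH.
set -e

MI_MGMT="${MI_MGMT:-https://localhost:9164/management}"
MI_CACERT="${MI_CACERT:-wso2carbon.pem}"

# HTTP Basic header value for user:password (the wiki hand-encodes admin:admin).
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Read the /management/login JSON on stdin and print the AccessToken value.
extract_token() {
    sed -n 's/.*"AccessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# JSON body for POST /management/users; isAdmin is a string, as in the wiki.
user_json() {
    printf '{"userId":"%s","password":"%s","isAdmin":"%s"}' "$1" "$2" "${3:-false}"
}

# Log in as an admin, create a user, then list users to confirm it exists.
add_user() {
    admin_user=$1 admin_pass=$2 new_user=$3 new_pass=$4
    token=$(curl -sS --fail --cacert "$MI_CACERT" \
        -H "Authorization: $(basic_auth_header "$admin_user" "$admin_pass")" \
        "$MI_MGMT/login" | extract_token)
    if [ -z "$token" ]; then
        echo "login failed: no AccessToken in response" >&2
        return 1
    fi
    curl -sS --fail --cacert "$MI_CACERT" \
        -H 'Content-Type: application/json' \
        -H "Authorization: Bearer $token" \
        --data "$(user_json "$new_user" "$new_pass")" \
        "$MI_MGMT/users"
    echo
    # GET /management/users returns the user list; the new id must appear in it.
    if curl -sS --fail --cacert "$MI_CACERT" -H "Authorization: Bearer $token" \
            "$MI_MGMT/users" | grep -q "\"$new_user\""; then
        echo "user $new_user present in user store"
    else
        echo "user $new_user NOT found after creation" >&2
        return 1
    fi
}

# Usage: MI_ADMIN_PASS='...' sh add_user.sh app 'mysecret'
if [ "$#" -eq 2 ]; then
    add_user admin "${MI_ADMIN_PASS:-admin}" "$1" "$2"
fi
```

The admin password is taken from the environment rather than typed into the command line, so it does not end up in shell history or in `ps` output; the token lives only in a shell variable for the duration of the run.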

Create the security policy

  1. Add a new registry resource
  • Add new Resource > WS-Policy > UsernameToken
  • A new policy is created; edit it to read as below
<wsp:Policy wsu:Id="UTOverTransport" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic256/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
    <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:user>wso2carbon</rampart:user>
        <rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>false</rampart:timestampStrict>
        <rampart:tokenStoreClass>org.wso2.micro.integrator.security.extensions.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
    </rampart:RampartConfig>
    <sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
        <sec:Authorization>
            <sec:property name="org.wso2.carbon.security.allowedroles">proj.admin</sec:property>
        </sec:Authorization>
    </sec:CarbonSecConfig>
</wsp:Policy>

Policy summary:

  • Only accept HTTPS: the TransportBinding requires an HttpsToken (no client certificate), so calls over plain HTTP are rejected
  • Require a WS-Security UsernameToken together with a Timestamp (TTL and maximum skew 300 s; nonces are kept for 300 s so a captured message cannot be replayed)
  • Only allow users with the role proj.admin (the allowedroles property in CarbonSecConfig)
  2. Configure the Data Service: modify the Data Service source to reference the policy and enable security as below (the queries, operations and resources of the service are omitted here)
<data name="MyDataService" serviceNamespace="http://ws.wso2.org/dataservice" serviceGroup="" transports="http https" disableStreaming="true">
    <policy key="gov:/mi-resources/ws-policy/ProjSecPolicy.xml"/>
    <enableSec/>
</data>

Try data service API

Call the API over HTTPS, because the policy rejects plain HTTP. The credentials must belong to a user that holds the proj.admin role: the Basic value below decodes to minhtran:admin, not to the app user created above. As with the management API, verify the server certificate with --cacert rather than passing -k.

curl --location 'https://localhost:8253/services/MyDataService/report?fromTime=2025-08-06T13%3A00%3A00Z&toTime=2025-08-13T23%3A59%3A59Z' \
--header 'Accept: application/xml' \
--header 'Authorization: Basic bWluaHRyYW46YWRtaW4='
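A client-side check of the policy, as an added example that is not part of this wiki. It builds the WS-Security header a SOAP client needs to satisfy UTOverTransport (a UsernameToken with PasswordText plus a wsu:Timestamp, carried over TLS), XML-escapes the credentials so a password cannot break or inject into the envelope, posts the request over HTTPS, and sends the same request over plain HTTP to confirm the TransportBinding rejects it. Assumed and not taken from the page: the SOAP operation name report in the service namespace with fromTime/toTime parameter elements, the SOAPAction value, the plain-HTTP port 8290 (the HTTPS port 8253 above implies a port offset of 10), and a PEM copy of the MI certificate in MI_CACERT.

```shell
#!/bin/sh
# Added example: build and send a WS-Security UsernameToken request that matches
# the UTOverTransport policy. Assumptions: HTTPS endpoint $MI_HTTPS, plain-HTTP
# endpoint $MI_HTTP (same port offset as 8253), MI certificate in $MI_CACERT,
# SOAP operation "report" in the data service namespace (operation name and
# SOAPAction are assumed; check the service WSDL), curl/base64/sed/date on PATH.
set -e

MI_HTTPS="${MI_HTTPS:-https://localhost:8253}"
MI_HTTP="${MI_HTTP:-http://localhost:8290}"
MI_CACERT="${MI_CACERT:-wso2carbon.pem}"
SERVICE="services/MyDataService"

# Escape &, <, > and " so a password never breaks (or injects into) the XML.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# 16 random bytes, base64-encoded: the per-message nonce Rampart caches for nonceLifeTime.
ws_nonce() {
    head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# UTC timestamp in the xsd:dateTime form wsu:Created expects.
ws_created() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# SOAP 1.1 envelope with wsu:Timestamp and UsernameToken. PasswordText is used
# because TLS protects the password, which is what the TransportBinding asserts.
build_ut_envelope() {
    user=$(xml_escape "$1") pass=$(xml_escape "$2") body=$3
    created=$(ws_created) nonce=$(ws_nonce)
    cat <<EOF
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>$created</wsu:Created>
      </wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UT-1">
        <wsse:Username>$user</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">$pass</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">$nonce</wsse:Nonce>
        <wsu:Created>$created</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>$body</soapenv:Body>
</soapenv:Envelope>
EOF
}

# Operation body for the report query (assumed shape: parameters as child elements).
report_body() {
    printf '<ds:report xmlns:ds="http://ws.wso2.org/dataservice"><ds:fromTime>%s</ds:fromTime><ds:toTime>%s</ds:toTime></ds:report>' "$1" "$2"
}

# Positive check: secured SOAP call over HTTPS as a user holding proj.admin.
call_report_soap() {
    build_ut_envelope "$1" "$2" "$(report_body "$3" "$4")" \
      | curl -sS --cacert "$MI_CACERT" \
          -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:report"' \
          --data-binary @- "$MI_HTTPS/$SERVICE"
}

# Negative check: the same request over plain HTTP must not return data
# (HttpsToken in the TransportBinding); print only the HTTP status code.
check_http_rejected() {
    build_ut_envelope "$1" "$2" "$(report_body "$3" "$4")" \
      | curl -sS -o /dev/null -w '%{http_code}\n' \
          -H 'Content-Type: text/xml; charset=UTF-8' -H 'SOAPAction: "urn:report"' \
          --data-binary @- "$MI_HTTP/$SERVICE"
}

# Usage: sh call_report.sh <user> <password>
if [ "$#" -eq 2 ]; then
    call_report_soap "$1" "$2" 2025-08-06T13:00:00Z 2025-08-13T23:59:59Z
    echo "plain HTTP status: $(check_http_rejected "$1" "$2" 2025-08-06T13:00:00Z 2025-08-13T23:59:59Z)"
fi
```

Run the HTTPS call once with a user that has proj.admin and once with the app user from above: only the first should return a result, the second should be refused by the allowedroles check. The nonce and timestamp are regenerated per message, so resending a captured envelope after nonceLifeTime or outside timestampTTL is refused as well.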