Hi,
With the latest release, we now support having multiple user stores in the
user manager. Each user store is uniquely identified by its domain name.
With this new feature, a user can log in to the system either by providing
the username only or by providing the domain/username.
Ex: option 1: username = user
option 2: username = domain/user.
Having multiple user stores can lead to a situation where there are two
users with the same username in two different user stores. In this kind of
situation, if the user chooses option 1 to log in, his password will be
matched against all user stores defined in the user-mgt.xml in sequential
order until a correct match is found. But once he is authenticated, his
authorization happens against the username provided. This can lead to a
situation where the user is authorized to view/edit resources belonging to
another user in a different store (since both users share the same
username). See [1].
Therefore, would it be OK to require users to enter the domain name to
log in when more than one user store is being used?
[1] - https://wso2.org/jira/browse/APIMANAGER-828
Thanks,
NuwanD.
--
Nuwan Dias
Software Engineer - WSO2, Inc.
Integration Technologies Team
email : [email protected]
Phone : +94 777 775 729
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
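The authentication/authorization mismatch described in the message above, as an added illustration that is not part of the original thread and not WSO2's own code. The store layout, the user names, passwords and resource lists, and the "authorize against the first store that knows the bare username" model of the bug are all constructed assumptions; the hardened variant is the proposed fix (mandatory domain when more than one store is configured, with both steps scoped to that one store).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class UserStore:
    """One user store, identified by its domain name (hypothetical model)."""
    domain: str
    credentials: Dict[str, Tuple[bytes, bytes]]   # username -> (salt, hash)
    resources: Dict[str, List[str]]               # username -> owned resources

    def check_password(self, username: str, password: str) -> bool:
        rec = self.credentials.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(_pbkdf2(password, salt), stored)


def make_store(domain: str, users: Dict[str, Tuple[str, List[str]]]) -> UserStore:
    creds, res = {}, {}
    for name, (password, owned) in users.items():
        salt = os.urandom(16)
        creds[name] = (salt, _pbkdf2(password, salt))
        res[name] = owned
    return UserStore(domain, creds, res)


# Constructed sample data: two stores in the order they would be listed in
# user-mgt.xml, both containing a user called "alice" with different passwords.
STORES: List[UserStore] = [
    make_store("PRIMARY", {"alice": ("primary-pw", ["api:orders"]),
                           "bob": ("bob-pw", ["api:billing"])}),
    make_store("PARTNER", {"alice": ("partner-pw", ["api:partner-report"])}),
]


def _split_login(login_name: str) -> Tuple[Optional[str], str]:
    """'domain/user' -> (domain, user); bare 'user' -> (None, user)."""
    if "/" in login_name:
        domain, user = login_name.split("/", 1)
        return domain, user
    return None, login_name


def login_vulnerable(login_name: str, password: str) -> Optional[List[str]]:
    """Behaviour described in the post: a bare username is tried against every
    store in order, but authorization is then done on the username alone."""
    domain, user = _split_login(login_name)
    candidates = [s for s in STORES if domain is None or s.domain == domain]
    authenticated = any(s.check_password(user, password) for s in candidates)
    if not authenticated:
        return None
    # Authorization ignores which store actually matched: the first store that
    # knows this username wins (assumed model of the bug).
    for s in STORES:
        if user in s.resources:
            return s.resources[user]
    return None


class DomainRequired(ValueError):
    """Raised when a bare username is used while several stores are configured."""


def login_hardened(login_name: str, password: str) -> Optional[List[str]]:
    """Proposed fix: with more than one store the domain is mandatory, and both
    authentication and authorization are scoped to that single store."""
    domain, user = _split_login(login_name)
    if domain is None:
        if len(STORES) > 1:
            raise DomainRequired("domain/username is required with multiple user stores")
        domain = STORES[0].domain
    store = next((s for s in STORES if s.domain == domain), None)
    if store is None or not store.check_password(user, password):
        return None
    return store.resources.get(user)


if __name__ == "__main__":
    # The PARTNER "alice" logs in with her own password but is granted the
    # PRIMARY "alice"'s resources, because authorization keys on the bare name.
    print("vulnerable:", login_vulnerable("alice", "partner-pw"))
    print("hardened:  ", login_hardened("PARTNER/alice", "partner-pw"))
```

In the vulnerable path the password check and the resource lookup are keyed differently (store-and-user versus user only), which is the root of the cross-store access; the hardened path fixes this by resolving the store exactly once from the domain and using that single store for both steps, so a name collision across stores can no longer change whose resources are returned.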