WSO2 Identity Server email authentication - wso2

We're using WSO2 Identity Server 5.0 with SP1.
We've followed this guide to enable e-mail authentication, which has worked.
But now we aren't able to edit the email address (both via the backend and via SCIM); we get return code 500.
Have we missed some configuration that isn't mentioned in the documentation, or something else? We've run out of ideas.
Our user-mgt.xml:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
    <Property name="defaultRealmName">WSO2.ORG</Property>
    <Property name="kdcEnabled">false</Property>
    <Property name="Disabled">false</Property>
    <Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">admin</Property>
    <Property name="passwordHashMethod">SHA</Property>
    <Property name="UserNameListFilter">(&amp;(objectClass=identityPerson)(mail=*))</Property>
    <Property name="UserEntryObjectClass">identityPerson</Property>
    <Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=identityPerson)(mail=?))</Property>
    <Property name="UserNameAttribute">mail</Property>
    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="ServicePasswordJavaRegEx">^[\\S]{5,30}$</Property>
    <Property name="ServiceNameJavaRegEx">^[\\S]{2,30}/[\\S]{2,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="UsernameJavaRegEx">^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="ReadGroups">true</Property>
    <Property name="WriteGroups">true</Property>
    <Property name="EmptyRolesAllowed">true</Property>
    <Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupEntryObjectClass">groupOfNames</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="SharedGroupNameAttribute">cn</Property>
    <Property name="SharedGroupSearchBase">ou=SharedGroups,dc=wso2,dc=org</Property>
    <Property name="SharedGroupEntryObjectClass">groupOfNames</Property>
    <Property name="SharedGroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="SharedGroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="SharedTenantNameListFilter">(objectClass=organizationalUnit)</Property>
    <Property name="SharedTenantNameAttribute">ou</Property>
    <Property name="SharedTenantObjectClass">organizationalUnit</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="SCIMEnabled">true</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="MaxUserNameListLength">100</Property>
</UserStoreManager>
SCIM Error:
{"Errors":[{"description":"Error while updating attributes of user: customer@wso2.com","code":"500"}]}

It seems there is some configuration missing in the doc. You need to add the following property to the user store configuration as well. The other configuration seems to be fine. You can also find more and clearer details on enabling email usernames here.
<Property name="UsernameWithEmailJavaScriptRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>
Also, WSO2 IS errors are logged in the /repository/logs/wso2carbon.log file. It is better to check it to find the actual exception.
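Because the change to email usernames lives entirely in regular expressions and an XML file, the two failures that silently break it are a username that one of the Username*RegEx properties rejects and a filter whose bare & makes user-mgt.xml unparseable. The script below is an added example, not code from the thread or from WSO2: it loads a constructed user-mgt.xml fragment (values modelled on the question and the answer's property, with &amp; in the LDAP filters), checks that the store names users by the mail attribute, and runs a candidate username through every Username*RegEx it finds. It assumes the Java patterns are applied as whole-string matches and the JavaScript patterns with a plain test(), which is what re.fullmatch and re.search emulate.

```python
import re
import xml.etree.ElementTree as ET

# Constructed user-mgt.xml fragment modelled on the question's configuration
# (hypothetical values, not copied from a real deployment). The LDAP filters
# must use &amp;: a bare '&' is not well-formed XML and the file fails to parse.
USER_MGT_FRAGMENT = r"""
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="UserNameSearchFilter">(&amp;(objectClass=identityPerson)(mail=?))</Property>
    <Property name="UserNameAttribute">mail</Property>
    <Property name="UsernameJavaRegEx">^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="UsernameWithEmailJavaScriptRegEx">[a-zA-Z0-9@._-|//]{3,30}$</Property>
</UserStoreManager>
"""

# The same fragment with the escaping mistake a hand-edited file often carries.
BROKEN_FRAGMENT = USER_MGT_FRAGMENT.replace("&amp;", "&")


def load_properties(xml_text):
    """Return {property name: value}; raises ET.ParseError on malformed XML."""
    root = ET.fromstring(xml_text.strip())
    return {p.get("name"): (p.text or "") for p in root.findall("Property")}


def is_well_formed(xml_text):
    """True when the fragment parses, i.e. when the server could load it."""
    try:
        ET.fromstring(xml_text.strip())
        return True
    except ET.ParseError:
        return False


def username_checks(props, username):
    """Apply every Username*RegEx property to a candidate username.

    Assumption of this model: the Java patterns are evaluated as whole-string
    matches (re.fullmatch), the JavaScript patterns used by the management
    console with RegExp.test() semantics (re.search).
    """
    results = {}
    for name, pattern in props.items():
        if not (name.startswith("Username") and "RegEx" in name) or name.endswith("ErrorMsg"):
            continue
        if "JavaScript" in name:
            results[name] = re.search(pattern, username) is not None
        else:
            results[name] = re.fullmatch(pattern, username) is not None
    return results


def email_username_ready(props, username):
    """True when the store names users by 'mail' and every pattern accepts the address."""
    return props.get("UserNameAttribute") == "mail" and all(username_checks(props, username).values())


if __name__ == "__main__":
    props = load_properties(USER_MGT_FRAGMENT)
    for candidate in ("customer@wso2.com", "customer", "ab"):
        print(candidate, username_checks(props, candidate), email_username_ready(props, candidate))
    print("fragment with bare '&' well-formed?", is_well_formed(BROKEN_FRAGMENT))
```

Running it shows that a plain "customer" passes the JavaScript patterns but fails UsernameJavaRegEx, which is the property that decides whether the backend accepts the name, while the address form passes all three; the unescaped copy of the fragment does not parse at all.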

Thanks for the answer. We have added the missing property; our configuration seems to be the same as described in the blog. In /repository/logs/wso2carbon.log we found the following error.
Object : 'mail=customer@wso2.com,ou=Users,dc=wso2,dc=org'
Modification[0]
Operation : replace
Modification
mobile: (null)
Modification[1]
Operation : replace
Modification
url: (null)
Modification[2]
Operation : replace
Modification
givenName: John
Modification[3]
Operation : replace
Modification
country: (null)
Modification[4]
Operation : replace
Modification
sn: Doe
Modification[5]
Operation : replace
Modification
telephoneNumber: (null)
Modification[6]
Operation : replace
Modification
organizationName: (null)
Modification[7]
Operation : replace
Modification
mail: customer2@wso2.com
Modification[8]
Operation : replace
Modification
im: (null)
Modification[9]
Operation : replace
Modification
streetAddress: (null)
: ERR_62 Entry mail=customer@wso2.com,ou=Users,dc=wso2,dc=org does not have the mail attributeType, which is part of the RDN";]; remaining name 'mail=customer@wso2.com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3098)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1391)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:235)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:147)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:136)
at org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager.doSetUserClaimValues(ReadWriteLDAPUserStoreManager.java:871)
... 121 more
TID: [0] [IS] [2015-06-04 10:48:39,046] ERROR {org.wso2.carbon.identity.user.profile.ui.client.UserProfileCient} - org.apache.axis2.AxisFault: Profile information could not be updated in ApacheDS LDAP user store {org.wso2.carbon.identity.user.profile.ui.client.UserProfileCient}
TID: [0] [IS] [2015-06-04 11:11:29,749] ERROR {org.apache.directory.server.core.schema.SchemaInterceptor} - ERR_62 Entry mail=customer@wso2.com,ou=Users,dc=wso2,dc=org does not have the mail attributeType, which is part of the RDN"; {org.apache.directory.server.core.schema.SchemaInterceptor}
TID: [0] [IS] [2015-06-04 11:11:29,749] ERROR {org.apache.directory.server.core.schema.SchemaInterceptor} - ERR_62 Entry mail=customer@wso2.com,ou=Users,dc=wso2,dc=org does not have the mail attributeType, which is part of the RDN"; {org.apache.directory.server.core.schema.SchemaInterceptor}
TID: [0] [IS] [2015-06-04 11:11:29,750] ERROR {org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver} - Profile information could not be updated in ApacheDS LDAP user store {org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver}
org.wso2.carbon.identity.user.profile.mgt.UserProfileException: Profile information could not be updated in ApacheDS LDAP user store
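The ERR_62 in that log is the directory refusing a modify that would strip the attribute value its own RDN is built from: the trace shows doSetUserClaimValues issuing a plain modifyAttributes with mail replaced by customer2@wso2.com on the entry mail=customer@wso2.com,ou=Users,dc=wso2,dc=org. In LDAP a naming attribute is changed with a ModifyDN (rename) operation, after which other attributes can be replaced under the new DN. The Python model below is an added illustration, not ApacheDS or WSO2 code; it implements that rule in an in-memory directory with the DN and attributes constructed from the log, so the rejected path and the working path can be compared side by side.

```python
# In-memory model of how a directory server guards an entry's RDN. Added
# illustration only; DNs and attributes are constructed to mirror the log entry.


class RdnViolation(Exception):
    """A modify would remove the attribute value the entry's RDN is built from."""


def split_dn(dn):
    """'mail=a@b.org,ou=Users,dc=wso2,dc=org' -> (('mail', 'a@b.org'), 'ou=Users,dc=wso2,dc=org')"""
    rdn, _, parent = dn.partition(",")
    attr, _, value = rdn.partition("=")
    return (attr, value), parent


class Directory:
    def __init__(self):
        self.entries = {}  # dn -> {attribute: [values]}

    def add(self, dn, attrs):
        (attr, value), _ = split_dn(dn)
        if value not in attrs.get(attr, []):
            raise RdnViolation(f"entry {dn} must carry {attr}={value}")
        self.entries[dn] = {k: list(v) for k, v in attrs.items()}

    def modify_replace(self, dn, attr, values):
        """LDAP modify/replace. Replacing the naming attribute with a value set that
        no longer holds the RDN value is the case ApacheDS rejects with ERR_62."""
        entry = self.entries[dn]
        (rdn_attr, rdn_value), _ = split_dn(dn)
        if attr == rdn_attr and rdn_value not in values:
            raise RdnViolation(
                f"ERR_62 Entry {dn} does not have the {attr} attributeType, which is part of the RDN")
        if values:
            entry[attr] = list(values)
        else:  # replacing with an empty value set deletes the attribute
            entry.pop(attr, None)

    def modify_dn(self, dn, new_rdn, delete_old_rdn=True):
        """LDAP modifyDN (rename): the operation that changes a naming attribute."""
        entry = self.entries.pop(dn)
        (old_attr, old_value), parent = split_dn(dn)
        new_attr, _, new_value = new_rdn.partition("=")
        if delete_old_rdn:
            remaining = [v for v in entry.get(old_attr, []) if v != old_value]
            if remaining:
                entry[old_attr] = remaining
            else:
                entry.pop(old_attr, None)
        entry.setdefault(new_attr, [])
        if new_value not in entry[new_attr]:
            entry[new_attr].append(new_value)
        new_dn = f"{new_rdn},{parent}"
        self.entries[new_dn] = entry
        return new_dn


def change_email(directory, dn, new_mail):
    """Rename first so the RDN follows the new address; other claims can then be
    replaced under the new DN without touching the naming attribute."""
    return directory.modify_dn(dn, f"mail={new_mail}")


def demo():
    """Returns (naive replace accepted?, new DN after rename, mail values afterwards)."""
    d = Directory()
    dn = "mail=customer@wso2.com,ou=Users,dc=wso2,dc=org"
    d.add(dn, {"objectClass": ["identityPerson"], "mail": ["customer@wso2.com"],
               "givenName": ["John"], "sn": ["Doe"]})
    try:
        d.modify_replace(dn, "mail", ["customer2@wso2.com"])  # what the user store did
        naive_ok = True
    except RdnViolation:
        naive_ok = False
    new_dn = change_email(d, dn, "customer2@wso2.com")
    d.modify_replace(new_dn, "sn", ["Doe"])  # ordinary claims still work under the new DN
    return naive_ok, new_dn, d.entries[new_dn]["mail"]


if __name__ == "__main__":
    print(demo())
```

A replace that keeps the RDN value in the new value set (for example adding an alias alongside the naming address) is allowed by the same rule, which is why only the rename path is needed for a change of the naming value itself.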

Related

How to configure password expire time in bulk import from CSV in WSO2 Identity Server 5.3.0

Hi, I am using WSO2 Identity Server 5.3.0. I want to create users by bulk import from a CSV file. I am able to do it successfully.
Problem Statement:
Users are created successfully, but in the documentation link it is mentioned that the default password expiry for the users is 24 hours. Is there any way, through configuration, to turn this setting off or to increase the password expiry time?
Document Link:
I enabled bulk storage in the user-mgt.xml file.
    <Property name="MembershipAttribute">member</Property>
    <Property name="BackLinksEnabled">false</Property>
    <Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
    <Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="SCIMEnabled">true</Property>
    <Property name="IsBulkImportSupported">true</Property>
    <Property name="EmptyRolesAllowed">true</Property>
    <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
    <Property name="MultiAttributeSeparator">,</Property>
    <Property name="MaxUserNameListLength">500</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="kdcEnabled">false</Property>
    <Property name="defaultRealmName">WSO2.ORG</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="ConnectionPoolingEnabled">false</Property>
    <Property name="LDAPConnectionTimeout">5000</Property>
    <Property name="ReadTimeout"/>
    <Property name="RetryAttempts"/>
But I cannot find any configuration here to configure this time.
Another hack would be to remove this password expiry property for all the users directly from the user store database. You can simply set the "UM_REQUIRE_CHANGE" value for all the users to make their passwords work even after 24 hours.
UPDATE UM_USER SET UM_REQUIRE_CHANGE=FALSE;
Further explained in https://stackoverflow.com/a/57944771/2910841
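To see what that UPDATE changes, the following Python/sqlite model is added here; it is not part of the thread or of WSO2's code. The table and flag names UM_USER and UM_REQUIRE_CHANGE are the ones in the answer; the UM_CHANGED_TIME column, the reduced schema and the rule that a flagged account is accepted only within 24 hours of its last change are assumptions of the model, chosen to reproduce the behaviour the question describes for bulk-imported users.

```python
import sqlite3
from datetime import datetime, timedelta

PASSWORD_GRACE = timedelta(hours=24)  # default expiry window described in the question


def open_store():
    """In-memory stand-in for the user store database. Table and flag names follow
    the answer; UM_CHANGED_TIME and the reduced schema are assumptions of this model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE UM_USER (
        UM_USER_NAME TEXT PRIMARY KEY,
        UM_REQUIRE_CHANGE INTEGER NOT NULL,
        UM_CHANGED_TIME TEXT NOT NULL)""")
    return conn


def bulk_import(conn, usernames, imported_at):
    """Model of the CSV import: every new account is flagged for a password change."""
    conn.executemany("INSERT INTO UM_USER VALUES (?, 1, ?)",
                     [(u, imported_at.isoformat()) for u in usernames])
    conn.commit()


def password_accepted(conn, username, now):
    """Assumed rule: a flagged account may still log in within PASSWORD_GRACE of its
    last change; after that the password is treated as expired."""
    row = conn.execute(
        "SELECT UM_REQUIRE_CHANGE, UM_CHANGED_TIME FROM UM_USER WHERE UM_USER_NAME = ?",
        (username,)).fetchone()
    if row is None:
        return False
    require_change, changed_at = bool(row[0]), datetime.fromisoformat(row[1])
    return not (require_change and now - changed_at > PASSWORD_GRACE)


def users_pending_change(conn, now):
    """Audit: accounts still flagged, with hours of grace left (negative = already expired)."""
    rows = conn.execute(
        "SELECT UM_USER_NAME, UM_CHANGED_TIME FROM UM_USER WHERE UM_REQUIRE_CHANGE = 1").fetchall()
    return {name: round((datetime.fromisoformat(t) + PASSWORD_GRACE - now).total_seconds() / 3600, 1)
            for name, t in rows}


def clear_require_change(conn):
    """The workaround from the answer. 0 stands in for FALSE, which older sqlite
    releases do not accept as a literal."""
    conn.execute("UPDATE UM_USER SET UM_REQUIRE_CHANGE = 0")
    conn.commit()


def demo():
    """Login outcomes 1 h and 25 h after a constructed import, before and after the UPDATE."""
    conn = open_store()
    imported = datetime(2017, 1, 1, 9, 0)  # constructed import time
    bulk_import(conn, ["alice", "bob"], imported)
    one_hour = imported + timedelta(hours=1)
    day_later = imported + timedelta(hours=25)
    result = {
        "fresh": password_accepted(conn, "alice", one_hour),
        "pending": users_pending_change(conn, one_hour),
        "expired": password_accepted(conn, "alice", day_later),
        "unknown": password_accepted(conn, "nobody", one_hour),
    }
    clear_require_change(conn)
    result["after_update"] = password_accepted(conn, "alice", day_later)
    result["pending_after_update"] = users_pending_change(conn, day_later)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The users_pending_change audit is the part worth keeping around operationally: run before the UPDATE it lists which imported accounts are about to lock out, and run after it confirms that no account is left flagged.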
Currently, Identity Server does not have an out-of-the-box configuration option for increasing the password validity period or turning the setting off. However, you can accomplish your requirement of not invalidating the password by writing a custom component extending the relevant UserStoreManager. For this purpose you can write a custom user store manager extending the default JDBCUserStoreManager, which will make the password valid for an indefinite period. Please refer to [1] for more information. In this sample extension, you only need to override the method "doAddUser()", setting the requirePasswordChange variable to false in order to avoid invalidation of the password. Sample code is as follows.
public class CustomUserStoreManager extends JDBCUserStoreManager {

    @Override
    public void doAddUser(String userName, Object credential, String[] roleList,
                          Map<String, String> claims, String profileName, boolean requirePasswordChange)
            throws UserStoreException {
        // Ignore the caller's flag so a newly added password is never marked for a forced change
        super.doAddUser(userName, credential, roleList, claims, profileName, false);
    }
}
[1] https://docs.wso2.com/display/IS530/Writing+a+Custom+User+Store+Manager

WSO2 IS error when creating user store

When I try to create an LDAP Base user store in WSO2 IS 5.3.0 I always get the following error:
TID: [-1234] [] [2017-04-03 11:40:49,521] ERROR {org.wso2.carbon.identity.user.store.configuration.UserStoreConfigAdminService} - Error occurred during the transformation process of C:\WSO2IS~1.0\bin\..\repository\deployment\server\userstores\myUserStore.xml
org.wso2.carbon.identity.user.store.configuration.utils.IdentityUserStoreMgtException: Error occurred during the transformation process of C:\WSO2IS~1.0\bin\..\repository\deployment\server\userstores\myUserSotre.xml
I have tried previous versions, and it fails until 5.0.0, in which I succeed in creating the user store. User store configuration in WSO2 ESB seems to work the same way as the WSO2 IS user store, so I configured the user store in WSO2 ESB and copied the myUserSotre.xml generated by WSO2 ESB to the same path where IS failed to find the file.
That worked, and resulted in WSO2 IS recognizing the user store. I can see the users from the user store in the WSO2 IS user store. However, if I try to update the "forced" user store, it keeps throwing the error.
I am using Windows 7 and JDK 8.
This is the XML from ESB and IS 5.0.0 that works if I paste it into IS 5.3:
<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
    <Property name="ConnectionName">cn=Manager,dc=company,dc=com</Property>
    <Property name="ConnectionURL">ldap://IP:HOST</Property>
    <Property name="ConnectionPassword">password</Property>
    <Property name="UserSearchBase">ou=People,dc=company,dc=com</Property>
    <Property name="Disabled">false</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
    <Property name="ReadOnly">true</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="SCIMEnabled">false</Property>
    <Property name="ReadGroups">false</Property>
    <Property name="GroupSearchBase">ou=system</Property>
    <Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
    <Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">member</Property>
    <Property name="MemberOfAttribute"/>
    <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
    <Property name="DomainName">ldap</Property>
    <Property name="Description"/>
</UserStoreManager>
Is there any issue about this? Is there extra configuration needed?
This happens on Windows because of the file path encoding. Currently this is not fixed on the WSO2 side. As a workaround, you can rename the WSO2IS~1.0 folder so that it does not contain the '~' character, e.g. rename it to WSO2IS and try again.
The solution is simple. Set the environment variable CARBON_HOME to the path of your WSO2 IS folder.

Facing Issue while creating Custom User Store Manager [WSO2 API Manager 1.9.1]

I am totally new to WSO2. I have to create a custom user store manager using WSO2 API Manager. While working on it I am facing an exception:
TID: [0] [AM] [2016-01-14 16:19:57,732] INFO {org.wso2.carbon.databridge.agent.thrift.AgentHolder} - Agent created ! {org.wso2.carbon.databridge.agent.thrift.AgentHolder}
TID: [0] [AM] [2016-01-14 16:19:57,736] INFO {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS} - Successfully deployed Agent Client {org.wso2.carbon.databridge.agent.thrift.internal.AgentDS}
TID: [0] [AM] [2016-01-14 16:19:59,608] ERROR {org.wso2.carbon.user.core.common.DefaultRealmService} - Cannot initialize the realm. {org.wso2.carbon.user.core.common.DefaultRealmService}
org.wso2.carbon.user.core.UserStoreException: org.wso2.sample.user.store.manager.CustomUserStoreManagerType class java.lang.ClassNotFoundException
I have updated user-mgt.xml as follows:
<UserStoreManager class="org.wso2.sample.user.store.manager.CustomUserStoreManager">
    <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
    <Property name="ReadOnly">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="ReadGroups">true</Property>
    <Property name="WriteGroups">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="SharedGroupEnabled">false</Property>
    <Property name="SCIMEnabled">false</Property>
</UserStoreManager>
I have also registered the service as follows:
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osgi.service.component.ComponentContext;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.user.core.service.RealmService;

public class CustomUserStoreMgtDSComponent {
    private static Log log = LogFactory.getLog(CustomUserStoreMgtDSComponent.class);
    private static RealmService realmService;

    protected void activate(ComponentContext ctxt) {
        log.info("Custom Component activated..");
        CustomUserStoreManager customUserStoreManager = new CustomUserStoreManager();
        // Register the manager as an OSGi service so the realm can find it by class name
        ctxt.getBundleContext().registerService(UserStoreManager.class.getName(), customUserStoreManager, null);
        log.info("CustomUserStoreManager bundle activated successfully..");
    }

    protected void deactivate(ComponentContext ctxt) {
        if (log.isDebugEnabled()) {
            log.debug("Custom User Store Manager is deactivated ");
        }
    }

    protected void setRealmService(RealmService rlmService) {
        realmService = rlmService;
    }

    protected void unsetRealmService(RealmService realmService) {
        // Qualify the name: the parameter shadows the static field, so a bare assignment would not clear it
        CustomUserStoreMgtDSComponent.realmService = null;
    }
}
I have also added sample-store.jar to the dropins folder.
Is there any reference guide/link for creating a custom user store manager with WSO2 API Manager?
Any help would be highly appreciated.

JDBCUserStoreManager Configuring as Secondary User Stores is not working in wso2esb

I am using WSO2 ESB 4.8.1.
I am trying to add a JDBCUserStoreManager configured as a secondary user store, but I am unable to add it; some query-related errors are occurring.
My configuration is like this:
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="driverName">oracle.jdbc.OracleDriver</Property>
    <Property name="url">jdbc:oracle:thin:@localhost:1521:xe</Property>
    <Property name="userName">fff</Property>
    <Property name="password">fff</Property>
    <Property name="Disabled">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="ReadGroups">true</Property>
    <Property name="ReadOnly">false</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="WriteGroups">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="RolenameJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="SCIMEnabled">false</Property>
    <Property name="SelectUserSQL">select fff.AUTHENTICATION.username from kkkk.AUTHENTICATION;</Property>
    <Property name="GetRoleListSQL">select fff.AUTHENTICATION.username from kkkk.AUTHENTICATION;</Property>
    <Property name="DomainName">TT.com</Property>
    <Property name="Description"/>
</UserStoreManager>
It shows a success message while adding, but if I restart the server it gives many errors, like:
[2014-07-08 17:07:42,620] ERROR - JDBCUserStoreManager Using sql : select fff.AUTHENTICATION.username from fff.AUTHENTICATION;
[2014-07-08 17:07:42,624] ERROR - AbstractUserStoreManager org.wso2.carbon.user.core.UserStoreException: Invalid column index
[2014-07-08 17:07:42,663] INFO - ServiceBusInitializer Starting ESB...
If I add this configuration:
    <Property name="SelectUserSQL">select kkkk.AUTHENTICATION.username from kkkk.AUTHENTICATION;</Property>
    <Property name="EmptyRolesAllowed">Allowed</Property>
    <Property name="DomainName">TT.com</Property>
again it gives this error:
tenant -1234
[2014-07-08 17:49:10,112] ERROR - JDBCUserStoreManager Error while retrieving roles from JDBC user store
java.sql.SQLException: ORA-00942: table or view does not exist
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:207)
I need to add the data source for this; otherwise it works. I am unable to figure out the issue.
My table is like this:
table name: AUTHENTICATION
column names: username, password, role
data: system, system, everyone
Any help with this?
Thanks in advance,
The cause may be that some of the other SQL queries being run expect the default WSO2 user store schema, since you are using the default shipped JDBCUserStoreManager with a different schema. When you need to use this kind of different user store structure, it is recommended to use a custom user store, which gives you more freedom in handling user store functionality according to your requirements. The following links may be of help to you. (Please note that although the document is for Identity Server 5.0.0, it is valid for ESB 4.8.1 as well.)
[1] - http://docs.wso2.com/display/IS500/Writing+a+Custom+User+Store+Manager
[2] - http://pushpalankajaya.blogspot.com/2013/09/how-to-write-custom-user-store-manager.html
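Both failures in the question can be caught before a restart by running every configured SQL property once against the schema: the log shows a single-column SelectUserSQL followed by "Invalid column index", and a GetRoleListSQL against a schema that does not exist followed by ORA-00942. The pre-flight below is an added example, not part of the thread or of WSO2. It uses Python with sqlite, attaching an in-memory database named fff as a stand-in for the Oracle schema, and loads a constructed store fragment modelled on the question's; the MIN_COLUMNS numbers are hypothetical placeholders that have to be taken from the column indexes the store manager's source actually reads for the product version in use.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed secondary-store fragment modelled on the question (not a copy of a
# real deployment); only the *SQL properties matter for this check.
STORE_XML = """
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="SelectUserSQL">select fff.AUTHENTICATION.username from kkkk.AUTHENTICATION;</Property>
    <Property name="GetRoleListSQL">select fff.AUTHENTICATION.username from kkkk.AUTHENTICATION;</Property>
    <Property name="DomainName">TT.com</Property>
</UserStoreManager>
"""

# Placeholder values: how many columns each query must return is dictated by the
# column indexes the store manager reads, to be looked up in its source for the
# version in use. These numbers are hypothetical.
MIN_COLUMNS = {"SelectUserSQL": 2, "GetRoleListSQL": 1}


def sql_properties(xml_text):
    """Collect every <Property name="...SQL"> value from the store definition."""
    root = ET.fromstring(xml_text.strip())
    return {p.get("name"): p.text.strip()
            for p in root.findall("Property")
            if p.get("name", "").endswith("SQL") and p.text}


def open_schema():
    """sqlite stand-in for the Oracle schema 'fff' that holds the question's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS fff")
    conn.execute("CREATE TABLE fff.AUTHENTICATION (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO fff.AUTHENTICATION VALUES ('system', 'system', 'everyone')")
    return conn


def preflight(conn, queries, min_columns):
    """Run each configured query once and return {property: [problems]}."""
    report = {}
    for name, sql in queries.items():
        problems = []
        if sql.endswith(";"):
            # Oracle's JDBC driver rejects a trailing semicolon in a statement (ORA-00911)
            problems.append("trailing ';' in statement")
        try:
            cur = conn.execute(sql.rstrip(";"))
            ncols = len(cur.description)
            if ncols < min_columns.get(name, 1):
                problems.append(f"returns {ncols} column(s), manager reads at least {min_columns[name]}")
        except sqlite3.OperationalError as exc:
            # Oracle reports a missing table or schema as ORA-00942, as in the question's log
            problems.append(f"query failed: {exc}")
        report[name] = problems
    return report


def demo():
    """Report for the question's queries, and for a corrected SelectUserSQL."""
    conn = open_schema()
    as_configured = preflight(conn, sql_properties(STORE_XML), MIN_COLUMNS)
    corrected = preflight(
        conn, {"SelectUserSQL": "select username, password, role from fff.AUTHENTICATION"}, MIN_COLUMNS)
    return as_configured, corrected


if __name__ == "__main__":
    for section in demo():
        for prop, problems in section.items():
            print(prop, "OK" if not problems else problems)
```

Even with every query passing this check, the answer's point stands: the shipped manager reads the result set by position and runs further queries of its own, so a schema that differs from the default is better served by a custom user store manager than by rewriting the SQL properties one at a time.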

WSO2 Identity Server 4.1.0: User store is operating in read only mode. Cannot write into the user store

I'm getting the following error when I start WSO2 Identity Server 4.1.0:
[2013-02-27 17:00:33,192] ERROR {org.wso2.carbon.identity.mgt.IdentityMgtEventListener} - Error while init identity listener
org.wso2.carbon.user.core.UserStoreException: User store is operating in read only mode. Cannot write into the user store.
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doSetUserClaimValue(ReadOnlyLDAPUserStoreManager.java:1293)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.setUserClaimValue(AbstractUserStoreManager.java:823)
at org.wso2.carbon.identity.mgt.IdentityMgtEventListener.<init>(IdentityMgtEventListener.java:68)
at org.wso2.carbon.identity.mgt.internal.IdentityMgtServiceComponent.activate(IdentityMgtServiceComponent.java:89)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
...
That means that WSO2 is trying to write to the LDAP, but I've configured it to be read only:
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
    <Property name="ReadOnly">true</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="ConnectionURL">ldaps://xxxx:636</Property>
    <Property name="ConnectionName">uid=xxx,ou=xx,dc=xx,dc=xx,dc=x</Property>
    <Property name="ConnectionPassword">xxxxxx</Property>
    <Property name="passwordHashMethod">SHA</Property>
    <Property name="UserSearchBase">ou=xx,dc=x,dc=xx,dc=xx</Property>
    <Property name="UserNameListFilter">(objectClass=person)</Property>
    <Property name="UserNameAttribute">uid</Property>
    <Property name="ReadLDAPGroups">true</Property>
    <Property name="GroupSearchBase">ou=xx,dc=xx,dc=xx,dc=xx</Property>
    <Property name="GroupNameListFilter">(objectClass=posixGroup)</Property>
    <Property name="GroupNameAttribute">cn</Property>
    <Property name="MembershipAttribute">memberUid</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
    <Property name="maxFailedLoginAttempt">0</Property>
</UserStoreManager>
Am I missing something?
Your read-only user store should contain the 'admin' user, which is specified in the realm configuration section at the top of user-mgt.xml.
<AdminUser>
    <UserName>admin</UserName>
    <Password>admin</Password>
</AdminUser>
Since it could not be found, WSO2 IS is trying to write it.