[keycloak-dev] Semantics of Realm.get***ById()

Bill Burke bburke at redhat.com
Fri Feb 21 13:14:57 EST 2014

On 2/21/2014 1:07 PM, Marek Posolda wrote:
> Hi,
> Felt into an issue when trying to fix testsuite with Mongo and adding
> more unit tests... Currently when we call realm.getRoleById("123") it
> will always return the role with ID "123" even if this role belongs to
> different realm or it's application role. For JPA model, there is
> usually just call to: RoleEntity entity = em.find(RoleEntity.class, id);
> Nothing, which checks that role with this ID belongs to this realm. I am
> not sure how to address this. I can see options:
> 1) Change the semantics, so that realm.getRoleById("123") will return
> role just in case that it belongs to this realm/application. This means
> that instead of em.find(RoleEntity.class, id) we will need to use named
> query for both roleId and realm. This will affect performance...
> 2) Move methods like "getRoleById", "getApplicationById", "getUserById"
> etc. from RealmModel to IdentitySession as it would be global search
> (not just in context of the particular Realm). This will require some
> changes in impl, as for example RoleAdapter or ApplicationAdapter wants
> access to RealmModel right now.
> 3) Keep current behaviour and live with the fact that "get***ById()" may
> return entity from different realm.
> To me, it seems that option 3 is fine and won't affect performance, but
> wanted to ask for sure.

4) Add a realm ManyToOne relationship to Role, app, and user.  Return 
null if em.find() returns an entity not defined in the realm?


Bill Burke
JBoss, a division of Red Hat

More information about the keycloak-dev mailing list