[security-dev] Multi-application support for IDM

Shane Bryzak sbryzak at redhat.com
Thu Nov 8 06:27:46 EST 2012

I've been thinking about Bill's request for multi-application support, 
and I think I've come up with a solution that's going to be minimally 
disruptive to the existing API.  For starters, we need to add a few 
methods to IdentityManager to support application management:

void createApplication(Application application);

void removeApplication(Application application);

Application getApplication(String applicationId);

Collection<Application> getAllApplications();

(The getAllApplications() method is necessary as the Query API only 
deals with IdentityTypes, of which Application isn't one).

The next step is to allow the Application to be set somehow for any 
given identity management operation.  I think the easiest way to do this 
is by providing a new method called forApplication():

IdentityManager forApplication(Application application);

The forApplication() method returns an instance of IdentityManager for 
which any operations performed will be within the context of the 
specified Application.  Let's take a look at this in more practical 
terms - for example, pretend we want to grant the "moderator" role to 
user "bill" for the application "JBossForums".  The code would look like this:

Application jbossForums = identityManager.getApplication("jbossForums");

IdentityManager im = identityManager.forApplication(jbossForums);

User bill = im.getUser("bill");
Role moderator = im.getRole("moderator");
im.grantApplicationRole(bill, moderator);

The selected Application is passed to the underlying IdentityStores via 
the IdentityStoreInvocationContext, to which we will add a 
getApplication() method.  We can also support multi-application 
configuration, where one application might use an LDAP-based identity 
store, while another might use a File-based identity store.

By providing multi-application support in this way, we can maintain the 
existing API (we don't need to refactor every single method to add an 
Application parameter) and for the consumers who don't care about 
multi-application support the feature won't get in their way. We can 
then very easily expose the IDM API as a set of RESTful web services to 
achieve a standalone identity management service.

What do you guys think?
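As an added sketch of the design proposed above (illustration only, not PicketLink's code and not part of Shane's message): a single-file Java model in which forApplication() returns a view of the manager bound to one Application, the scope travels to the store inside an IdentityStoreInvocationContext, and stores can be configured per application. The class and method names (Application, User, Role, IdentityStoreInvocationContext, InMemoryIdentityStore, configureStore, hasApplicationRole) are hypothetical stand-ins. The point a reviewer should look for is in the last lines: a role granted under one application must be invisible from every other application, whether or not they share an identity store, and forApplication() must refuse an Application that was never created.

```java
import java.util.*;

// Hypothetical stand-ins for the IDM types named in the post, not PicketLink's classes.
final class Application { final String id; Application(String id) { this.id = id; } }
final class User { final String name; User(String name) { this.name = name; } }
final class Role { final String name; Role(String name) { this.name = name; } }

// Per-call context handed to stores. The post proposes adding getApplication();
// a null Application means the call was made on the unscoped manager.
final class IdentityStoreInvocationContext {
    private final Application application;
    IdentityStoreInvocationContext(Application application) { this.application = application; }
    Application getApplication() { return application; }
}

// Minimal store contract. Real stores would be LDAP- or file-backed; one in-memory
// implementation stands in for both. The application id is part of every grant key,
// so a grant made under one application can never satisfy a check under another.
interface IdentityStore {
    void grantRole(IdentityStoreInvocationContext ctx, User user, Role role);
    boolean hasRole(IdentityStoreInvocationContext ctx, User user, Role role);
}
final class InMemoryIdentityStore implements IdentityStore {
    private final Set<String> grants = new HashSet<>();
    private static String key(IdentityStoreInvocationContext ctx, User u, Role r) {
        String scope = ctx.getApplication() == null ? "<global>" : ctx.getApplication().id;
        return scope + "|" + u.name + "|" + r.name;
    }
    public void grantRole(IdentityStoreInvocationContext ctx, User u, Role r) { grants.add(key(ctx, u, r)); }
    public boolean hasRole(IdentityStoreInvocationContext ctx, User u, Role r) { return grants.contains(key(ctx, u, r)); }
}

// The manager. forApplication() is the only new entry point; every existing
// operation keeps its signature and picks the scope (and the store) up from a field.
final class IdentityManager {
    private final Map<String, Application> applications;
    private final Map<String, IdentityStore> storesByApplication; // per-application store config
    private final IdentityStore defaultStore;
    private final Application scope; // null on the unscoped manager

    IdentityManager(IdentityStore defaultStore) { this(new HashMap<>(), new HashMap<>(), defaultStore, null); }
    private IdentityManager(Map<String, Application> apps, Map<String, IdentityStore> stores,
                            IdentityStore defaultStore, Application scope) {
        this.applications = apps; this.storesByApplication = stores;
        this.defaultStore = defaultStore; this.scope = scope;
    }

    void createApplication(Application a) { applications.put(a.id, a); }
    void removeApplication(Application a) { applications.remove(a.id); storesByApplication.remove(a.id); }
    Application getApplication(String applicationId) { return applications.get(applicationId); }
    Collection<Application> getAllApplications() { return Collections.unmodifiableCollection(applications.values()); }
    void configureStore(Application a, IdentityStore store) { storesByApplication.put(a.id, store); }

    // A view sharing the same registry but bound to one application. Rejecting unknown
    // applications stops a caller from conjuring a scope that was never created.
    IdentityManager forApplication(Application application) {
        if (application == null || !applications.containsKey(application.id)) {
            throw new IllegalArgumentException("unknown application");
        }
        return new IdentityManager(applications, storesByApplication, defaultStore, application);
    }

    private IdentityStore store() {
        return scope == null ? defaultStore : storesByApplication.getOrDefault(scope.id, defaultStore);
    }
    private IdentityStoreInvocationContext context() { return new IdentityStoreInvocationContext(scope); }

    User getUser(String name) { return new User(name); }
    Role getRole(String name) { return new Role(name); }
    void grantApplicationRole(User user, Role role) {
        if (scope == null) throw new IllegalStateException("grantApplicationRole needs forApplication()");
        store().grantRole(context(), user, role);
    }
    boolean hasApplicationRole(User user, Role role) { return scope != null && store().hasRole(context(), user, role); }
}

public class MultiAppDemo {
    public static void main(String[] args) {
        IdentityManager identityManager = new IdentityManager(new InMemoryIdentityStore());
        for (String id : new String[] {"jbossForums", "jbossBlog", "jbossWiki"}) identityManager.createApplication(new Application(id));
        // jbossWiki gets its own store (the post's "one LDAP, one file-based" setup); the other two share the default.
        identityManager.configureStore(identityManager.getApplication("jbossWiki"), new InMemoryIdentityStore());

        // The post's scenario: grant "moderator" to "bill" for jbossForums only.
        Application jbossForums = identityManager.getApplication("jbossForums");
        IdentityManager im = identityManager.forApplication(jbossForums);
        User bill = im.getUser("bill");
        Role moderator = im.getRole("moderator");
        im.grantApplicationRole(bill, moderator);

        // The check a reviewer wants: the grant is invisible both from an application that shares
        // the same store (jbossBlog, isolated by the scoped key) and from one with its own (jbossWiki).
        if (!im.hasApplicationRole(bill, moderator)) throw new AssertionError("grant missing in jbossForums");
        for (String other : new String[] {"jbossBlog", "jbossWiki"}) {
            IdentityManager otherIm = identityManager.forApplication(identityManager.getApplication(other));
            if (otherIm.hasApplicationRole(bill, moderator)) throw new AssertionError("grant leaked into " + other);
        }
        System.out.println("bill is a moderator in jbossForums and nowhere else");
    }
}
```

Compile and run with `javac MultiAppDemo.java && java MultiAppDemo`. Two design choices are deliberate: the scoped view shares the application registry with the unscoped manager rather than copying it, so createApplication() and removeApplication() stay visible to every view, and grantApplicationRole() refuses to run on the unscoped manager instead of silently writing a global grant, which is the failure mode an extra optional Application parameter on every method would invite.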
