[security-dev] IDM Realms and Applications - The Nitty Gritty

Pedro Igor Silva psilva at redhat.com
Wed Nov 14 08:41:53 EST 2012

Hi Shane,

    I think the realm concept is quite similar to what we have with identity stores. Usually the realm is used to define the store for users, groups, roles and permissions, and also to define authentication policies such as supported credential types or authentication methods/mechanisms.

    Each application may have its own realm, using a specific store (e.g. LDAP, JDBC, file, etc.), and its own authentication policies, such as which credential types are supported (and consequently which authentication mechanisms are supported).

    I agree with David that applications should be decoupled from realms. I think realms should be used by applications. That way each application can use its own realm, which defines where the identity state is (identity store) and which authentication policies are to be considered. We can also have some global realms that can be reused by multiple applications, or a specific realm for a specific application.

    Another thing regarding realms/stores. It is quite common to store user/authentication data (personal info, credentials, etc.) separately from authorization data (roles, groups, permissions, etc.). Usually people use LDAP to store the first type of data and databases (given the flexibility) for the other type. How do we solve that with the current implementation? As far as I know, the IdentityManager is tied to a specific store.

    I tried to illustrate that in the attached image. It is just a sketch.

Pedro Igor

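The split proposed above (a realm that names an identity store plus an authentication policy, applications that reference a realm and define their own roles, and authorization data kept in a separate store from credentials) can be sketched in a few classes. The following is an added example written for this page, not PicketLink code and not from any of the thread's participants; the class names (Realm, Application, IdentityStore, AuthorizationStore, IdentityManager), the tenant/service realms and the sample users are all constructed for the illustration, and the certificate credential is simplified to a fingerprint of the certificate bytes.

```python
from dataclasses import dataclass
from enum import Enum, auto
import hashlib
import hmac
import os


class CredentialType(Enum):
    PASSWORD = auto()
    CERTIFICATE = auto()   # machine principals, identified by a cert fingerprint


class IdentityStore:
    """Authentication data only: principals and their credentials (the 'LDAP side')."""

    def __init__(self):
        self._creds = {}   # login -> {CredentialType: stored material}

    def add_password(self, login, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds.setdefault(login, {})[CredentialType.PASSWORD] = (salt, digest)

    def add_certificate(self, login, cert_der):
        # Simplification: bind the principal to a SHA-256 fingerprint of the cert bytes.
        fp = hashlib.sha256(cert_der).digest()
        self._creds.setdefault(login, {})[CredentialType.CERTIFICATE] = fp

    def verify(self, login, cred_type, proof):
        stored = self._creds.get(login, {}).get(cred_type)
        if stored is None:
            return False
        if cred_type is CredentialType.PASSWORD:
            salt, digest = stored
            cand = hashlib.pbkdf2_hmac("sha256", proof.encode(), salt, 100_000)
            return hmac.compare_digest(cand, digest)
        return hmac.compare_digest(hashlib.sha256(proof).digest(), stored)


class AuthorizationStore:
    """Authorization data only: groups per realm user, roles per application (the 'DB side')."""

    def __init__(self):
        self._groups = {}  # (realm, login) -> set of groups
        self._roles = {}   # (app, realm, login) -> set of roles

    def add_to_group(self, realm, login, group):
        self._groups.setdefault((realm, login), set()).add(group)

    def grant_role(self, app, realm, login, role):
        self._roles.setdefault((app, realm, login), set()).add(role)

    def groups_of(self, realm, login):
        return frozenset(self._groups.get((realm, login), ()))

    def roles_of(self, app, realm, login):
        return frozenset(self._roles.get((app, realm, login), ()))


@dataclass(frozen=True)
class Realm:
    name: str
    store: IdentityStore
    allowed_credentials: frozenset   # the realm's authentication policy


@dataclass(frozen=True)
class Application:
    name: str
    roles: frozenset                 # roles are defined by the application, not the realm


class IdentityManager:
    """Composes one identity store (via the realm) with a separate authorization store."""

    def __init__(self, authz):
        self.authz = authz

    def authenticate(self, realm, login, cred_type, proof):
        # Policy check first: the realm decides which mechanisms are acceptable at all.
        if cred_type not in realm.allowed_credentials:
            return None
        if not realm.store.verify(login, cred_type, proof):
            return None
        return (realm.name, login)   # principal is qualified by realm, so tenants never collide

    def roles(self, app, principal):
        realm_name, login = principal
        granted = self.authz.roles_of(app.name, realm_name, login)
        return granted & app.roles   # only roles the application defines are effective


def demo():
    """Constructed scenario: one application, a tenant realm and a machine realm."""
    users, machines = IdentityStore(), IdentityStore()
    users.add_password("alice", "correct horse")
    cert = b"-----constructed certificate bytes for build-agent-----"
    machines.add_certificate("build-agent", cert)
    tenant_a = Realm("tenant-a", users, frozenset({CredentialType.PASSWORD}))
    services = Realm("services", machines, frozenset({CredentialType.CERTIFICATE}))
    portal = Application("portal", frozenset({"viewer", "editor"}))
    authz = AuthorizationStore()
    authz.add_to_group("tenant-a", "alice", "staff")
    authz.grant_role("portal", "tenant-a", "alice", "editor")
    authz.grant_role("portal", "tenant-a", "alice", "admin")     # not a portal role: ignored
    authz.grant_role("portal", "services", "build-agent", "viewer")
    idm = IdentityManager(authz)
    alice = idm.authenticate(tenant_a, "alice", CredentialType.PASSWORD, "correct horse")
    agent = idm.authenticate(services, "build-agent", CredentialType.CERTIFICATE, cert)
    return {
        "alice": alice,
        "alice_roles": idm.roles(portal, alice),
        "alice_groups": authz.groups_of("tenant-a", "alice"),
        "agent_roles": idm.roles(portal, agent),
        "bad_password": idm.authenticate(tenant_a, "alice", CredentialType.PASSWORD, "wrong"),
        # Refused by realm policy before any store lookup happens:
        "password_in_service_realm": idm.authenticate(services, "build-agent", CredentialType.PASSWORD, "x"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the shape: the IdentityManager is no longer tied to one store. Credentials live in the realm's identity store, groups and roles live in an authorization store keyed by realm and application, and the realm's allowed_credentials set is where "which mechanisms this population may use" is enforced, so a password presented to the machine realm is rejected by policy even before the store is consulted.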

----- Original Message -----
From: "Shane Bryzak" <sbryzak at redhat.com>
To: security-dev at lists.jboss.org
Sent: Wednesday, November 14, 2012 1:04:08 AM
Subject: Re: [security-dev] IDM Realms and Applications - The Nitty Gritty

On 11/14/2012 12:24 PM, David M. Lloyd wrote:
> I'm not sure I understand the rationale of the relationship between
> realms and applications.
> To me the concept of a "realm" in terms of identity management relates
> more to segregating users into groups based on organizational and
> technological realities.  For example, if I am hosting a multi-tenant
> application I might have a realm for each of my customers (but only one
> or a few application(s)).  For another example, I might have a realm for
> application authentication (i.e. regular users), a realm for
> computer-to-computer authentication (might be identified by public key
> or certificate or some other atypical principal type), and a realm for
> administration, all of which are utilized by one or a few application(s).

That's a good point and a valid use case that I thought I had taken into 
consideration, however thinking about it a little deeper there are some 
nuances of the design that have question marks over them. Let me think 
about it a little more and I'll get back to you.

> Unless I'm grossly misunderstanding the concepts (a very real
> possibility), it seems like applications should be decoupled from realms
> completely.

Possibly, and while it's relatively clear that Users would remain within 
the Realm and Roles would remain defined by the Application, I'm not 
quite sure where Groups would fit in.  My first instinct is to keep them 
in the Realm also, although I'm not 100% sure... time for some mulling I 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: idm.png
Type: image/png
Size: 75232 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/security-dev/attachments/20121114/becac91e/attachment-0001.png 
