[security-dev] IDM Realms and Applications - The Nitty Gritty
David M. Lloyd
david.lloyd at redhat.com
Wed Nov 14 14:17:57 EST 2012
A couple more use case tidbits...
Connecting roles to applications is sensible in the respect that most
roles are application-specific, however it seems plausible that one
might want to have a role which spans applications. Also it seems that
there is a (conceptual) equivalency between roles and simple permissions
(in the java.security.Permission sense). Is that equivalency ever
formalized anywhere, particularly in the context of a security manager?
Finally it seems to me that there may be benefit in identity-oriented
storage for things like application preferences and that sort of thing.
Is there any allowance for this concept in this IDM model?
On 11/13/2012 09:04 PM, Shane Bryzak wrote:
> On 11/14/2012 12:24 PM, David M. Lloyd wrote:
>> I'm not sure I understand the rationale of the relationship between
>> realms and applications.
>> To me the concept of a "realm" in terms of identity management relates
>> more to segregating users into groups based on organizational and
>> technological realities. For example, if I am hosting a multi-tenant
>> application I might have a realm for each of my customers (but only one
>> or a few application(s)). For another example, I might have a realm for
>> application authentication (i.e. regular users), a realm for
>> computer-to-computer authentication (might be identified by public key
>> or certificate or some other atypical principal type), and a realm for
>> administration, all of which are utilized by one or a few application(s).
> That's a good point and a valid use case that I thought I had taken into
> consideration, however thinking about it a little deeper there are some
> nuances of the design that have question marks over them. Let me think
> about it a little more and I'll get back to you.
>> Unless I'm grossly misunderstanding the concepts (a very real
>> possibility), it seems like applications should be decoupled from realms
> Possibly, and while it's relatively clear that Users would remain within
> the Realm and Roles would remain defined by the Application, I'm not
> quite sure where Groups would fit in. My first instinct is to keep them
> in the Realm also, although I'm not 100% sure... time for some mulling I
> security-dev mailing list
> security-dev at lists.jboss.org
More information about the security-dev