[security-dev] IDM Realms and Applications - The Nitty Gritty

Anil Saldhana Anil.Saldhana at redhat.com
Wed Nov 14 14:20:49 EST 2012

On 11/14/2012 01:17 PM, David M. Lloyd wrote:
> A couple more use case tidbits...
> Connecting roles to applications is sensible in the respect that most
> roles are application-specific, however it seems plausible that one
> might want to have a role which spans applications.  Also it seems that
> there is a (conceptual) equivalency between roles and simple permissions
> (in the java.security.Permission sense).  Is that equivalency ever
> formalized anywhere, particularly in the context of a security manager?
I am unsure if this directly belongs in the core IDM system. Projects
using IDM should be able to define their own requirements.
> Finally it seems to me that there may be benefit in identity-oriented
> storage for things like application preferences and that sort of thing.
> Is there any allowance for this concept in this IDM model?
Yeah.  This should be a capability of the IDM.
> On 11/13/2012 09:04 PM, Shane Bryzak wrote:
>> On 11/14/2012 12:24 PM, David M. Lloyd wrote:
>>> I'm not sure I understand the rationale of the relationship between
>>> realms and applications.
>>> To me the concept of a "realm" in terms of identity management relates
>>> more to segregating users into groups based on organizational and
>>> technological realities.  For example, if I am hosting a multi-tenant
>>> application I might have a realm for each of my customers (but only one
>>> or a few application(s)).  For another example, I might have a realm for
>>> application authentication (i.e. regular users), a realm for
>>> computer-to-computer authentication (might be identified by public key
>>> or certificate or some other atypical principal type), and a realm for
>>> administration, all of which are utilized by one or a few application(s).
>> That's a good point and a valid use case that I thought I had taken into
>> consideration, however thinking about it a little deeper there are some
>> nuances of the design that have question marks over them. Let me think
>> about it a little more and I'll get back to you.
>>> Unless I'm grossly misunderstanding the concepts (a very real
>>> possibility), it seems like applications should be decoupled from realms
>>> completely.
>> Possibly, and while it's relatively clear that Users would remain within
>> the Realm and Roles would remain defined by the Application, I'm not
>> quite sure where Groups would fit in.  My first instinct is to keep them
>> in the Realm also, although I'm not 100% sure... time for some mulling I
>> think.
>> _______________________________________________
>> security-dev mailing list
>> security-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/security-dev
