[security-dev] [PicketLink IDM] - File-based Identity Store

Anil Saldhana Anil.Saldhana at redhat.com
Fri Jan 18 13:55:19 EST 2013

On 01/18/2013 12:24 PM, Pedro Igor Silva wrote:
> Hi All,
>      Would like to know your opnion about how we're storing identity information using the File-based Identity Store and discuss possible alternatives.
>      Just for background, the motivation behind the file-based store is to provide a fast, ready-to-use and simple store, ideally for test and development scenarios/environments. The configuration is minimal and requires the file system.
A potential usage is in JBossAS which may not have default configuration 
for databases and ldap.  In that case, we have to worry about the 
serialization issues with files and versions.

>      Today we're basically serializing objects (JDK Serialization API) and storing them into files. The layout is quite simple:
>          /tmp/pl-idm/:
>          total 4
>          drwxrwxr-x. 2 pedroigor pedroigor 140 Jan 18 15:20 65d62693-953c-43a6-ac43-4b655174bbb4 ----> Each Partitions has its own directory
>          -rw-rw-r--. 1 pedroigor pedroigor 554 Jan 18 15:20 pl-idm-partitions.db ----> Serialized data for partitions
>          -rw-rw-r--. 1 pedroigor pedroigor    0 Jan 18 15:20 pl-idm-relationships.db ----> Serialized data for Relationships
>          /tmp/pl-idm/65d62693-953c-43a6-ac43-4b655174bbb4: ----> Partition directory.
>          total 8
>          -rw-rw-r--. 1 pedroigor pedroigor  789 Jan 18 15:20 pl-idm-agents.db ----> Serialized data for Agents
>          -rw-rw-r--. 1 pedroigor pedroigor 1134 Jan 18 15:20 pl-idm-credentials.db ----> Serialized data for Credentials
>          -rw-rw-r--. 1 pedroigor pedroigor    0 Jan 18 15:20 pl-idm-groups.db ----> Serialized data for Groups
>          -rw-rw-r--. 1 pedroigor pedroigor    0 Jan 18 15:20 pl-idm-roles.db ----> Serialized data for Roles
>       Serialization provides us a fast way to store data, but I have some concerns that I want to share:
>          - As we're serializing objects, we may have to ensure compatibility with prior versions. I think Version Control is a option here (btw, Stuart Douglas gave me some tips about that).
>          - Is better to use JBoss Marshalling instead of using the JDK Serialization API directly ? Mainly considering the JBoss ecosystem ?
>          - Is there a better format to store data ? Such as XML ...
Compared to Java serialization, XML would be painful.
>          - I had some discussions with Shane about using Infinispan. We agreed that the IDM cache will be ISPN-based, that is fine. But maybe a ISPN-based store can fits well too. ISPN allows to store data using different CacheStore implementations, transaction support, indexing, distributable or local storage, etc.
The Default cache should be ISPN.  But I am not sold on a ISPN store. 
ISPN File Cache Store instead of IDM FileStore Implementation is a 
option.  But JDBCCacheStore probably not.

More information about the security-dev mailing list