[security-dev] no API for managing EntityManagers

Bill Burke bburke at redhat.com
Mon Jul 8 10:52:16 EDT 2013

I've already stated this, but I'll state it again.

If you want to use the JPA store, your application requires specific 
knowledge that it is using a JPA store, on multiple levels: 
IdentityManagerFactory creation as well as each time you interact with 
an IdentityManager.  For JPA, you'll want to begin/commit/rollback, and 
you also need to close the underlying EntityManager.  I don't think JPA 
will be alone in wanting to do this.  There may be other stores that 
could be transactionally aware i.e. Infinispan, etc.

The ContextInitializer is inadequate because it only handles 
initialization and none of the other callbacks I mentioned.

Also, I strongly believe you need to expose an abstract "transaction" 
interface for the IDM.  I suggest the following:

interface IdentityContextFactory {

    IdentityContext createIdentityContext();
    void close();
}

interface IdentityContext {
    // transaction lifecycle; for the JPA store these map onto the EntityManager
    void begin();
    void commit();
    void rollback();
    void close();

    Realm getRealm(String id);
    void deleteRealm(Realm realm);
    Realm createRealm(String id);

    Tier getTier(String id);
    void deleteTier(Tier tier);
    Tier createTier(String id);

    PartitionManager createPartitionManager(Partition partition);
    PartitionManager defaultPartitionManager();
}

interface PartitionManager extends IdentityManager { // really I want to rename IdentityManager
}

interface ContextInitializer {
    void begin(SecurityContext context);
    void commit(SecurityContext context);
    void rollback(SecurityContext context);
    void close(SecurityContext context);

    // "store" parameter name assumed; the rest of this line was cut off in the original message
    void initContextForStore(SecurityContext context, IdentityStore<?> store);
}

I'd be happy to implement this so long as I can get any pull request I 
create committed sooner than the 25 days my current pull request is 
sitting in the queue.

Bill Burke
JBoss, a division of Red Hat
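To make the proposal concrete, here is an added example (not code from the thread or from PicketLink) of how the begin/commit/rollback/close callbacks of the proposed IdentityContext would map onto a JPA EntityManager. Class names JpaIdentityContextFactory, JpaIdentityContext and Work are hypothetical; the Realm/Tier/PartitionManager methods are left out to show only the transaction lifecycle.

```java
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.EntityTransaction;

// Hypothetical JPA-backed implementation of the proposed IdentityContext lifecycle.
public class JpaIdentityContextFactory {

    /** A unit of work run against one context; hypothetical helper type. */
    public interface Work<T> {
        T run(EntityManager em);
    }

    private final EntityManagerFactory emf;

    public JpaIdentityContextFactory(EntityManagerFactory emf) {
        this.emf = emf;
    }

    // One EntityManager per context: the caller owns begin/commit/rollback/close.
    public JpaIdentityContext createIdentityContext() {
        return new JpaIdentityContext(emf.createEntityManager());
    }

    // Factory-level close releases the underlying EntityManagerFactory.
    public void close() {
        emf.close();
    }

    public static final class JpaIdentityContext {
        private final EntityManager em;

        JpaIdentityContext(EntityManager em) { this.em = em; }

        public void begin()  { em.getTransaction().begin(); }
        public void commit() { em.getTransaction().commit(); }
        public void rollback() {
            EntityTransaction tx = em.getTransaction();
            if (tx.isActive()) tx.rollback();   // safe to call even if begin() never ran
        }
        public void close() { if (em.isOpen()) em.close(); }

        /** Runs work with begin/commit, rolling back on failure and always closing. */
        public static <T> T inTransaction(JpaIdentityContextFactory factory, Work<T> work) {
            JpaIdentityContext ctx = factory.createIdentityContext();
            try {
                ctx.begin();
                T result = work.run(ctx.em);
                ctx.commit();
                return result;
            } catch (RuntimeException e) {
                ctx.rollback();                 // failed commit leaves no active tx; rollback() checks
                throw e;
            } finally {
                ctx.close();                    // the EntityManager close the mail says callers need
            }
        }
    }
}
```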
