[security-dev] no API for managing EntityManagers

Anil Saldhana asaldhan at redhat.com
Tue Jul 9 00:20:53 EDT 2013

Shane/Pedro - what do you think about the JPA/transaction issues Bill is raising?

The tx api Bill is proposing looks fine to me but I cannot think of any cases where
it may be redundant.

Bill, regarding pending PR - we are close to doing a beta release with the custom identity types work and other
changes. Your pull request will be dealt along with that. We are counting on your feedback with this beta release.

----- Original Message -----
From: "Bill Burke" <bburke at redhat.com>
To: security-dev at lists.jboss.org
Sent: Monday, July 8, 2013 12:49:51 PM
Subject: Re: [security-dev] no API for managing EntityManagers

I'll also want to restate that core Wildfly usage of Picketlink IDM will 
not run in a container that can manage EntityManager instances.  Even in 
the EJB case you'll be authenticating and authorizing before a 
transaction is started.  Without a transaction, you don't have automatic 
management of EntityManager instances.

On 7/8/2013 10:52 AM, Bill Burke wrote:
> I've already stated this, but I'll state it again.
> If you want to use the JPA store, your application requires specific
> knowledge that it is using a JPA store, on multiple levels:
> IdentityManagerFactory creation as well as each time you interact with
> an IdentityManager.  For JPA, you'll want to begin/commit/rollback, and
> you also need to close the underlying EntityManager.  I don't think JPA
> will be alone in wanting to do this.  There may be other stores that
> could be transactionally aware i.e. Infinispan, etc.
> The ContextInitializer is inadequate because it only handles
> initialization and none of the other callbacks I mentioned
> (begin/commit/rollback/close/destroy).
> Also, I strongly believe you need to expose an abstract "transaction"
> interface for the IDM.  I suggest the following:
> interface IdentityContextFactory {
>      IdentityContext createIdentityContext();
>      void close();
> }
> interface IdentityContext {
>      void begin();
>      void commit();
>      void rollback();
>      void close();
>      Realm getRealm(String id);
>      void deleteRealm(Realm realm);
>      Realm createRealm(String id);
>      Tier getTier(String id);
>      void deleteTier(Tier tier);
>      Tier createTier(String id);
>      PartitionManager createPartitionManager(Partition partition);
>      PartitionManager defaultPartitionManager();
> }
> interface PartitionManager extends IdentityManager { // really I want to
> rename IdentityManager
> }
> interface ContextInitializer {
>      void begin(SecurityContext context);
>      void commit(SecurityContext context);
>      void rollback(SecurityContext context);
>      void close(SecurityContext context);
>      void initContextForStore(SecurityContext context, IdentityStore<?>
> store);
> }
> I'd be happy to implement this so long as I can get any pull request I
> create committed sooner than the 25 days my current pull request is
> sitting in the queue.

Bill Burke
JBoss, a division of Red Hat
security-dev mailing list
security-dev at lists.jboss.org

More information about the security-dev mailing list