[security-dev] how to model services managed by a realm

Bill Burke bburke at redhat.com
Mon Jun 10 21:45:00 EDT 2013

On 6/10/2013 8:54 PM, Pedro Igor Silva wrote:
> Hi Bill,
>      First of all, custom IdentityType implementations are targeted for Beta5 and are related to PLINK-130.

I see custom relationship tests.

>      That said and considering what we have today, I would consider mapping applications as realms. If I understood your use case correctly, each application has its own users, roles, groups and relationships between them, not visible or accessible by others.

I don't think you understood.  Each application does not have its own 
set of users, but does have its own set of roles.  So the Realm manages 
a set of users who have access to a set of applications, each of which 
has their own set of roles.  Think of a set of distributed applications 
in a company.  You don't want to require registering a user for each one 
of these applications, you just want to define one user, then map their 
permissions to each application.

>      A realm will allow you to organize identity data per application, where you can have the same user, role and group (with the same loginName or name) between different realms. Maybe this example application can be useful to demonstrate how to handle different realms in a multi-tenancy architecture (using realms, only).
>          https://github.com/pedroigor/jboss-as-quickstart/tree/master/picketlink-authentication-idm-multi-tennancy
>      Another way to organize identity data is using tiers. Tiers, different from realms, can be used to store only roles and groups. So, if you want to share users you can use a single realm to store them and use a specific tier for each application where its specific roles and groups are located.

If you store your users in a realm, and each application's roles in a 
tier, how do you create a role mapping between a role in the tier and 
the user in the realm?

Then another problem with your suggestion is, for a given Realm, how do 
I find out the associated Tiers?  I'm not seeing any examples or code 
that allows me to do this.

Bill Burke
JBoss, a division of Red Hat
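The model under discussion (one realm owning the shared users, a tier of roles per application, and grants linking a realm user to a tier role), as an added in-memory illustration; this is not PicketLink code and does not use its API, and the names `IdentityStore`, `grant`, `tiers_of` and `roles_of` are assumptions chosen for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Realm:          # owns the shared set of users
    name: str

@dataclass(frozen=True)
class Tier:           # one per application; holds only that app's roles
    name: str
    realm: Realm      # the realm whose users this tier serves

@dataclass(frozen=True)
class User:
    login: str
    realm: Realm

@dataclass(frozen=True)
class Role:
    name: str         # "admin" in the payroll tier is a different role from "admin" in crm
    tier: Tier

class IdentityStore:
    def __init__(self, tiers):
        self.tiers = list(tiers)
        self.grants = []      # (User, Role) pairs: the realm-user -> tier-role mapping

    def grant(self, user, role):
        # Partition rule: a tier's role may only be granted to a user of the
        # realm that tier is attached to, so a cross-realm grant fails early.
        if role.tier.realm != user.realm:
            raise ValueError(f"{user.login} is not a user of realm {role.tier.realm.name}")
        self.grants.append((user, role))

    def tiers_of(self, realm):
        # Answers "given a Realm, which Tiers are associated with it?" in this toy model
        return [t for t in self.tiers if t.realm == realm]

    def roles_of(self, user, tier):
        # The user's roles in one application (tier); other tiers are not visible here
        return sorted(r.name for u, r in self.grants if u == user and r.tier == tier)

def demo():
    corp = Realm("corp")                                   # constructed sample data
    payroll, crm = Tier("payroll", corp), Tier("crm", corp)
    store = IdentityStore([payroll, crm])
    alice = User("alice", corp)
    store.grant(alice, Role("admin", payroll))   # admin of payroll only
    store.grant(alice, Role("viewer", crm))      # plain viewer in crm
    return store, corp, payroll, crm, alice
```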
