Looks very similar to what I proposed back when we had this stuff in DeltaSpike. +1, I like it.<br><br><div class="gmail_quote">On Mon, Oct 29, 2012 at 2:38 AM, Shane Bryzak <span dir="ltr"><<a href="mailto:sbryzak@redhat.com" target="_blank">sbryzak@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've started reviewing the IdentityManager interface to see where we can<br>
improve the API. The first area I'd like to visit is the Query API, of<br>
which I've come to the conclusion that we need to do some serious<br>
redesign - the current API is non-intuitive, too verbose and not future<br>
proof.<br>
<br>
What I'd like to do is throw it all out and start again, replacing it<br>
with a new cleaner API that looks something like this:<br>
<br>
public interface IdentityManager {<br>
// <snip other methods><br>
<br>
<T extends IdentityType> IdentityQuery<T> createQuery();<br>
}<br>
<br>
public interface IdentityQuery<T extends IdentityType> {<br>
public enum Param {id, key, created, expired, enabled, firstName,<br>
lastName, email, name, parent, memberOf};<br>
<br>
public enum Operator { equals, notEquals, greaterThan, lessThan };<br>
<br>
IdentityQuery<T> reset();<br>
<br>
IdentityQuery<T> setParameter(Param param, Object value);<br>
<br>
IdentityQuery<T> setParameter(Param param, Operator operator,<br>
Object value);<br>
<br>
IdentityQuery<T> setAttributeParameter(String attributeName, Object<br>
value);<br>
<br>
IdentityQuery<T> setAttributeParameter(String attributeName,<br>
Operator operator, Object value);<br>
<br>
IdentityQuery<T> setRange(Range range);<br>
<br>
List<T> getResultList();<br>
}<br>
<br>
This unified API basically replaces the 4 separate existing interfaces<br>
we currently have; UserQuery, RoleQuery, GroupQuery and<br>
MembershipQuery. I've put together a few usage scenarios to show how it<br>
might work:<br>
<br>
1) Find users with first name 'John':<br>
<br>
List<User> users = identityManager.<User>createQuery()<br>
.setParameter(Param.firstName, "John")<br>
.getResultList();<br>
<br>
2) Find all expired users:<br>
<br>
List<User> users = identityManager.<User>createQuery()<br>
.setParameter(Param.expired, Operator.lessThan, new Date())<br>
.getResultList();<br>
<br>
3) Find all users that are a member of the "Superuser" group:<br>
<br>
List<User> users = identityManager.<User>createQuery()<br>
.setParameter(Param.memberOf, identityManager.getGroup("Superuser"))<br>
.getResultList();<br>
<br>
4) Find all sub-groups of the "Employees" group:<br>
<br>
List<Group> groups = identityManager.<Group>createQuery()<br>
.setParameter(Param.memberOf, identityManager.getGroup("Employees"))<br>
.getResultList();<br>
<br>
5) Find all disabled roles:<br>
<br>
List<Role> roles = identityManager.<Role>createQuery()<br>
.setParameter(Param.enabled, false)<br>
.getResultList();<br>
<br>
6) Find all Users, Groups and Roles that have been granted the "Payroll<br>
Officer" role in the "Human Resources" group:<br>
<br>
List<IdentityType> identities = identityManager.<IdentityType>createQuery()<br>
.setParameter(Param.memberOf, identityManager.getGroup("Human Resources"))<br>
.setParameter(Param.memberOf, identityManager.getRole("Payroll Officer"))<br>
.getResultList();<br>
<br>
7) Find all Users that have an attribute named "Citizenship" with a<br>
value of "Greenland":<br>
<br>
List<User> users = identityManager.<User>createQuery()<br>
.setAttributeParameter("Citizenship", "Greenland")<br>
.getResultList();<br>
<br>
I'm *pretty* certain that this API is at least as capable as what we<br>
currently have, if not more so, and IMHO provides a far simpler and more<br>
versatile design (being able to select different IdentityTypes in a<br>
single query I think is a big plus). I'd love to hear any feedback on<br>
whether you like it, hate it or can think of any improvements to the<br>
design to make it better for our developers. Also, please think<br>
especially about additional usage scenarios and whether or not there are<br>
any particular use cases which might be problematic for this API.<br>
<br>
<br>
Thanks!<br>
Shane<br>
_______________________________________________<br>
security-dev mailing list<br>
<a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/security-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/security-dev</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Jason Porter<br><a href="http://lightguard-jp.blogspot.com" target="_blank">http://lightguard-jp.blogspot.com</a><br><a href="http://twitter.com/lightguardjp" target="_blank">http://twitter.com/lightguardjp</a><br>
<br>Software Engineer<br>Open Source Advocate<br><br>PGP key id: 926CCFF5<br>PGP key available at: <a href="http://keyserver.net" target="_blank">keyserver.net</a>, <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
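An added example, not code from this thread or from the project: a minimal in-memory sketch of how scenario 6 in the quoted proposal could evaluate, showing which identities a combined group-and-role query returns. The model classes, `InMemoryQuery`, the AND semantics for repeated `setParameter` calls, and the explicit `Class<T>` token are all assumptions made for illustration; the token is used because Java erases `T` at runtime, so a query cannot filter by type from the type argument alone.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration, not the project's code: in-memory stand-in for the proposed IdentityQuery.
public class IdentityQueryDemo {
    // Hypothetical minimal model; the thread does not show the real IdentityType hierarchy.
    static class IdentityType {
        final String name;
        final Set<IdentityType> memberOf = new HashSet<>();
        IdentityType(String name) { this.name = name; }
    }
    static class User extends IdentityType { User(String n) { super(n); } }
    static class Group extends IdentityType { Group(String n) { super(n); } }
    static class Role extends IdentityType { Role(String n) { super(n); } }
    enum Param { name, memberOf }   // subset of the proposed Param enum

    static class InMemoryQuery<T extends IdentityType> {
        private final Class<T> type;   // assumption: explicit token, because T is erased at runtime
        private final Collection<IdentityType> store;
        private final List<Predicate<IdentityType>> criteria = new ArrayList<>();
        InMemoryQuery(Class<T> type, Collection<IdentityType> store) { this.type = type; this.store = store; }

        // Assumption: each call adds a criterion and all are ANDed (scenario 6 sets memberOf twice).
        InMemoryQuery<T> setParameter(Param p, Object value) {
            if (p == Param.name) criteria.add(i -> i.name.equals(value));
            else criteria.add(i -> i.memberOf.contains(value));
            return this;
        }
        List<T> getResultList() {
            List<T> out = new ArrayList<>();
            for (IdentityType i : store)   // type filter first, then every accumulated criterion
                if (type.isInstance(i) && criteria.stream().allMatch(c -> c.test(i))) out.add(type.cast(i));
            return out;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Group hr = new Group("Human Resources"); Role payroll = new Role("Payroll Officer");
        User alice = new User("alice"); alice.memberOf.add(hr); alice.memberOf.add(payroll);
        User bob = new User("bob"); bob.memberOf.add(hr);   // in the group, role not granted
        Group temps = new Group("Temps"); temps.memberOf.add(hr); temps.memberOf.add(payroll);
        List<IdentityType> store = Arrays.asList(hr, payroll, alice, bob, temps);
        // Scenario 6 over all identity types: alice and Temps match, bob does not.
        for (IdentityType i : new InMemoryQuery<>(IdentityType.class, store)
                .setParameter(Param.memberOf, hr).setParameter(Param.memberOf, payroll).getResultList())
            System.out.println(i.getClass().getSimpleName() + " " + i.name);
        // Same criteria narrowed to User: one result (alice).
        System.out.println(new InMemoryQuery<>(User.class, store)
                .setParameter(Param.memberOf, hr).setParameter(Param.memberOf, payroll).getResultList().size());
    }
}
```

If a repeated `setParameter` call replaced the earlier value instead of adding to it, the first query would also return bob's peers who hold only the role, so the accumulation rule is worth pinning down in the interface contract.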