On 11/14/2012 01:17 PM, David M. Lloyd wrote:
> A couple more use case tidbits...
>
> Connecting roles to applications is sensible in the respect that most
> roles are application-specific; however, it seems plausible that one
> might want to have a role which spans applications. Also it seems that
> there is a (conceptual) equivalency between roles and simple permissions
> (in the java.security.Permission sense). Is that equivalency ever
> formalized anywhere, particularly in the context of a security manager?

I am unsure if this directly belongs in the core IDM system. Projects
using IDM should be able to define their own requirements.

> Finally it seems to me that there may be benefit in identity-oriented
> storage for things like application preferences and that sort of thing.
> Is there any allowance for this concept in this IDM model?

Yeah. This should be a capability of the IDM.
On 11/13/2012 09:04 PM, Shane Bryzak wrote:
> On 11/14/2012 12:24 PM, David M. Lloyd wrote:
>> I'm not sure I understand the rationale of the relationship between
>> realms and applications.
>>
>> To me the concept of a "realm" in terms of identity management relates
>> more to segregating users into groups based on organizational and
>> technological realities. For example, if I am hosting a multi-tenant
>> application I might have a realm for each of my customers (but only one
>> or a few application(s)). For another example, I might have a realm for
>> application authentication (i.e. regular users), a realm for
>> computer-to-computer authentication (might be identified by public key
>> or certificate or some other atypical principal type), and a realm for
>> administration, all of which are utilized by one or a few application(s).
> That's a good point and a valid use case that I thought I had taken into
> consideration, however thinking about it a little deeper there are some
> nuances of the design that have question marks over them. Let me think
> about it a little more and I'll get back to you.
>
>> Unless I'm grossly misunderstanding the concepts (a very real
>> possibility), it seems like applications should be decoupled from realms
>> completely.
> Possibly, and while it's relatively clear that Users would remain within
> the Realm and Roles would remain defined by the Application, I'm not
> quite sure where Groups would fit in. My first instinct is to keep them
> in the Realm also, although I'm not 100% sure... time for some mulling I
> think.
>
> _______________________________________________
> security-dev mailing list
> security-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
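The two design points raised in the thread above, realms decoupled from applications and a role expressed as a java.security.Permission, worked through as an added example. This is not code from the mailing-list thread or from the IDM project under discussion; the RolePermission, Realm and RoleGrants classes, the "application:role" naming and the "*" convention for a role that spans applications are illustrative assumptions, not the IDM's API.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative model (assumption, not the IDM's API): users and groups live in
 * a Realm, role grants are made per application, and a role is carried as a
 * java.security.Permission so that "has role?" is PermissionCollection.implies.
 */
public final class RolePermissionDemo {

    /** Permission named "application:role"; the application "*" marks a role spanning applications. */
    public static final class RolePermission extends Permission {
        private final String application;
        private final String role;

        public RolePermission(String application, String role) {
            super(application + ":" + role);
            this.application = application;
            this.role = role;
        }

        /** A "*:auditor" grant implies "billing:auditor"; a plain grant implies only itself. */
        @Override
        public boolean implies(Permission p) {
            if (!(p instanceof RolePermission)) return false;
            RolePermission other = (RolePermission) p;
            boolean appMatches = application.equals("*") || application.equals(other.application);
            return appMatches && role.equals(other.role);
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof RolePermission && getName().equals(((RolePermission) o).getName());
        }

        @Override
        public int hashCode() { return getName().hashCode(); }

        @Override
        public String getActions() { return ""; }
    }

    /** A realm segregates principals (one per tenant here); it knows nothing about applications. */
    public static final class Realm {
        public final String name;
        private final Map<String, Set<String>> groupsByUser = new HashMap<>();

        public Realm(String name) { this.name = name; }

        public void addUser(String user, String... groups) {
            groupsByUser.computeIfAbsent(user, k -> new HashSet<>()).addAll(Arrays.asList(groups));
        }

        public Set<String> groupsOf(String user) {
            return groupsByUser.getOrDefault(user, Collections.emptySet());
        }
    }

    /** Role grants keyed by realm-qualified group, so one application can serve many realms. */
    public static final class RoleGrants {
        private final Map<String, Set<RolePermission>> byGroup = new HashMap<>();

        public void grant(String realm, String group, String application, String role) {
            byGroup.computeIfAbsent(realm + "/" + group, k -> new HashSet<>())
                   .add(new RolePermission(application, role));
        }

        /** Collects the permissions a user holds through the groups of their realm. */
        public PermissionCollection permissionsFor(Realm realm, String user) {
            Permissions perms = new Permissions();
            for (String group : realm.groupsOf(user)) {
                for (RolePermission p : byGroup.getOrDefault(realm.name + "/" + group, Collections.emptySet())) {
                    perms.add(p);
                }
            }
            perms.setReadOnly();
            return perms;
        }
    }

    /** The role check is an ordinary permission check: implies() also resolves the "*" application. */
    public static boolean hasRole(PermissionCollection perms, String application, String role) {
        return perms.implies(new RolePermission(application, role));
    }

    public static void main(String[] args) {
        Realm acme = new Realm("acme");      // tenant realms, constructed sample data
        Realm globex = new Realm("globex");
        acme.addUser("alice", "admins");
        globex.addUser("bob", "staff");

        RoleGrants grants = new RoleGrants();
        grants.grant("acme", "admins", "billing", "admin");
        grants.grant("acme", "admins", "*", "auditor");      // role that spans applications
        grants.grant("globex", "staff", "billing", "viewer");

        PermissionCollection alice = grants.permissionsFor(acme, "alice");
        PermissionCollection bob = grants.permissionsFor(globex, "bob");
        System.out.println("alice billing:admin   " + hasRole(alice, "billing", "admin"));
        System.out.println("alice reports:auditor " + hasRole(alice, "reports", "auditor"));
        System.out.println("bob   billing:admin   " + hasRole(bob, "billing", "admin"));
        System.out.println("bob   billing:viewer  " + hasRole(bob, "billing", "viewer"));
    }
}
```

The check here is a plain PermissionCollection.implies on a per-user collection. A SecurityManager, by contrast, consults the ProtectionDomains of the code on the call stack, so tying user roles to SecurityManager enforcement needs a principal-aware Policy (the arrangement JAAS makes through Subject.doAs); the model above stops short of that.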