[jboss-dev-forums] [Design of JBoss Portal] - Re: Initial identity model discussion

Antoine_h do-not-reply at jboss.com
Sat Aug 4 15:46:40 EDT 2007


Hello,

I've been working recently on identity. 
For both a portal in a company, and my own portal.

Something that appeared useful:

****************************
Delegating user and role to a service provider instead of only to a source
****************************
*** Situation ***
The portal is seen as an application among others.
The users/roles come from "another source" (LDAP or legacy db, or even just customized users in db with added features for business process).

The User and Role classes for all the applications are much more complex than the User and Role for the portal.

Example:
 - the user is linked to the company organisation (subsidiaries, department), and the role depends on that link.
 - the user is linked to an account, and/or to service offers, and the applications need that information everywhere to do their work

The integration of the portal, federating all the applications, requires providing Users and Roles for all the applications. Most of the time, it means building in JBoss AS a service that provides this to all the applications that will run under jboss (EJB3, Struts, other frameworks above jboss).


*** Problem ***
Small technical problem with the interfaces, when integrating the Portal and other application Users.

The User interface has a method
Object getId()

If the "all other applications" work with a UserBP (User for Business Process) that has a
long getId()
(or any other type... String, custom Id class,...)

the portal User cannot be an interface used "in common", by inheritance on the UserBP. (UserBP extends User).

Then, the portal Identity services cannot work directly with an instance of UserBP (slightly modified with adding the portal User interface).

Simply said: the User for the portal will often be of a different type than the UserBP for other applications. And there will often be a problem for making inheritance.

And one can't say: to work in the portal, just reprogram your UserBP class and all the application code that already uses it. Retest all these applications and that's it... ;-)


*** Proposal ***
The portal is not there for solving all the integration problems (of course).
But there is something quite simple that would help integration work.

The best way I found for integration is : 
 - define a UserPortal and use the existing UserBP from the company ("business process..." )
 - UserBP is for all the applications : the user, seen by the organisation (legacy)
 - UserPortal is kind of a "sub user", just for the needs of the portal ("this application among the others").

 - build some jboss IdentityBP services, that manage/provide the UserBP (for all applications)
 - IdentityBP services is a JBoss AS service for all the applications that want to use it.
 - for the portal, customize the Identity services of the portal into an IdentityPortal services: to manage and provide the UserPortal
 - the IdentityPortal services call the IdentityBP services, as a delegate, and build its UserPortal from the information of UserBP.

So: Having a delegation of the Identity Services, to some Abstract classes that provide/manage a UserPortal, relying on the UserBP would be great.

The Abstract class would have methods that take an Object (in fact a UserBP), and do the job on it to produce a UserPortal.

The Abstract class could be ReadOnly, or ReadWrite, depending on the possibility of two way conversion of UserBP to UserPortal.

Said differently : 
Instead of having a delegation at the source level : DB or LDAP
It could be a delegation to a Custom Identity Service (which deals with DB or LDAP).
Delegation at the java class of User level (and at Service level).
Having the delegation at this level allows providing a common service for UserBP for all the applications that run inside the portlets.
And to use that same service as a delegate for the portal application.

This is a better architecture for several applications that run on JBoss AS, than "each application manages the way it builds its users, from a common datasource".

Having this delegation to a Custom Identity Service would be a help for integration work: it avoids each company having to develop it from the Identity Services provided by the portal now.

Hope it is understandable... and it will help.
Feel free to ask questions...







View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4070897#4070897

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4070897
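
The delegation proposed in the post above, sketched as an added example; it is not code from the post or from JBoss Portal. Only the names User, UserBP, UserPortal and the two getId() signatures come from the post; IdentityBPService, ReadOnlyIdentityPortal, getUserName(), getLogin() and the sample data are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in for the portal's User interface. Only getId() comes from the post;
// getUserName() is an assumed accessor.
interface User {
    Object getId();
    String getUserName();
}

// Legacy business user. Its `long getId()` cannot override `Object getId()`,
// which is why UserBP cannot simply implement User.
final class UserBP {
    private final long id;
    private final String login;
    UserBP(long id, String login) { this.id = id; this.login = login; }
    long getId() { return id; }
    String getLogin() { return login; }
}

// Hypothetical shared service that every application on the server would call.
interface IdentityBPService {
    UserBP findByLogin(String login);
}

// Read-only abstract delegate: takes an Object (in fact a UserBP), returns a portal User.
abstract class ReadOnlyIdentityPortal {
    private final IdentityBPService bp;
    ReadOnlyIdentityPortal(IdentityBPService bp) { this.bp = bp; }
    protected abstract User toPortalUser(Object businessUser);
    public final User findUserByUserName(String name) {
        UserBP u = bp.findByLogin(name);
        return u == null ? null : toPortalUser(u);
    }
}

public class DelegationDemo {
    public static void main(String[] args) {
        Map<String, UserBP> store = new HashMap<>(); // constructed sample data
        store.put("alice", new UserBP(42L, "alice"));
        ReadOnlyIdentityPortal portal = new ReadOnlyIdentityPortal(store::get) {
            @Override protected User toPortalUser(Object o) {
                final UserBP u = (UserBP) o;
                return new User() { // UserPortal: a view over the UserBP
                    public Object getId() { return Long.valueOf(u.getId()); }
                    public String getUserName() { return u.getLogin(); }
                };
            }
        };
        User u = portal.findUserByUserName("alice");
        System.out.println(u.getUserName() + " id=" + u.getId());
    }
}
```

Because the portal user is a view built from the UserBP on each lookup, identity data has a single owner (the IdentityBP service) and the portal keeps no second copy that could drift from it.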


