[keycloak-dev] Semantics of Realm.get***ById()
Marek Posolda
mposolda at redhat.com
Fri Feb 21 13:07:14 EST 2014
Hi,

Fell into an issue when trying to fix the testsuite with Mongo and adding
more unit tests... Currently when we call realm.getRoleById("123") it
will always return the role with ID "123" even if this role belongs to a
different realm or it's an application role. For the JPA model, there is
usually just a call to: RoleEntity entity = em.find(RoleEntity.class, id);
Nothing checks that the role with this ID belongs to this realm. I am
not sure how to address this. I can see these options:
1) Change the semantics, so that realm.getRoleById("123") will return
role just in case that it belongs to this realm/application. This means
that instead of em.find(RoleEntity.class, id) we will need to use named
query for both roleId and realm. This will affect performance...
2) Move methods like "getRoleById", "getApplicationById", "getUserById"
etc. from RealmModel to IdentitySession as it would be global search
(not just in context of the particular Realm). This will require some
changes in impl, as for example RoleAdapter or ApplicationAdapter wants
access to RealmModel right now.
3) Keep current behaviour and live with the fact that "get***ById()" may
return entity from different realm.
To me, it seems that option 3 is fine and won't affect performance, but
wanted to ask for sure.
Marek
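
The lookup behaviour described in the message, next to a realm-scoped variant with option 1's semantics, as an added example that is not Keycloak code and not part of the original post. The Role and Realm classes, the in-memory STORE standing in for em.find(), and the sample IDs are all constructed assumptions; the scoped variant checks ownership after the primary-key lookup rather than using the named query the post mentions.

```java
import java.util.HashMap;
import java.util.Map;

public class RealmScopedLookup {
    // Hypothetical stand-in for RoleEntity: realmId is the owning realm,
    // applicationId is non-null for application roles.
    static final class Role {
        final String id, name, realmId, applicationId;
        Role(String id, String name, String realmId, String applicationId) {
            this.id = id; this.name = name;
            this.realmId = realmId; this.applicationId = applicationId;
        }
    }

    // Stands in for the global primary-key store behind em.find(RoleEntity.class, id).
    static final Map<String, Role> STORE = new HashMap<>();

    static final class Realm {
        final String id;
        Realm(String id) { this.id = id; }

        // Behaviour described in the post: primary-key lookup, no ownership check.
        Role getRoleByIdUnscoped(String roleId) {
            return STORE.get(roleId);
        }

        // Option 1 semantics: only a realm-level role owned by this realm is returned.
        Role getRoleByIdScoped(String roleId) {
            Role r = STORE.get(roleId);
            if (r == null || !id.equals(r.realmId) || r.applicationId != null) {
                return null;
            }
            return r;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: foreign-realm role, application role, own realm role.
        STORE.put("123", new Role("123", "admin", "realm-b", null));
        STORE.put("456", new Role("456", "viewer", "realm-a", "app-1"));
        STORE.put("789", new Role("789", "user", "realm-a", null));
        Realm realmA = new Realm("realm-a");
        for (String roleId : new String[] {"123", "456", "789"}) {
            Role u = realmA.getRoleByIdUnscoped(roleId);
            Role s = realmA.getRoleByIdScoped(roleId);
            System.out.println(roleId + " unscoped=" + (u == null ? "null" : u.name + "@" + u.realmId)
                    + " scoped=" + (s == null ? "null" : s.name));
        }
    }
}
```

With the unscoped method, any caller that passes a client-supplied ID to realm A can obtain realm B's role, so under option 3 each call site has to do the ownership check itself.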