[keycloak-dev] Semantics of Realm.get***ById()

Marek Posolda mposolda at redhat.com
Fri Feb 21 13:07:14 EST 2014


Felt into an issue when trying to fix testsuite with Mongo and adding 
more unit tests... Currently when we call realm.getRoleById("123") it 
will always return the role with ID "123" even if this role belongs to 
different realm or it's application role. For JPA model, there is 
usually just call to: RoleEntity entity = em.find(RoleEntity.class, id);

Nothing, which checks that role with this ID belongs to this realm. I am 
not sure how to address this. I can see options:

1) Change the semantics, so that realm.getRoleById("123") will return 
role just in case that it belongs to this realm/application. This means 
that instead of em.find(RoleEntity.class, id) we will need to use named 
query for both roleId and realm. This will affect performance...

2) Move methods like "getRoleById", "getApplicationById", "getUserById" 
etc. from RealmModel to IdentitySession as it would be global search 
(not just in context of the particular Realm). This will require some 
changes in impl, as for example RoleAdapter or ApplicationAdapter wants 
access to RealmModel right now.

3) Keep current behaviour and live with the fact that "get***ById()" may 
return entity from different realm.

To me, it seems that option 3 is fine and won't affect performance, but 
wanted to ask for sure.


More information about the keycloak-dev mailing list