[keycloak-dev] Semantics of Realm.get***ById()

Marek Posolda mposolda at redhat.com
Fri Feb 21 13:34:14 EST 2014

On 21.2.2014 19:14, Bill Burke wrote:
> On 2/21/2014 1:07 PM, Marek Posolda wrote:
>> Hi,
>> Felt into an issue when trying to fix testsuite with Mongo and adding
>> more unit tests... Currently when we call realm.getRoleById("123") it
>> will always return the role with ID "123" even if this role belongs to
>> different realm or it's application role. For JPA model, there is
>> usually just call to: RoleEntity entity = em.find(RoleEntity.class, id);
>> Nothing, which checks that role with this ID belongs to this realm. I am
>> not sure how to address this. I can see options:
>> 1) Change the semantics, so that realm.getRoleById("123") will return
>> role just in case that it belongs to this realm/application. This means
>> that instead of em.find(RoleEntity.class, id) we will need to use named
>> query for both roleId and realm. This will affect performance...
>> 2) Move methods like "getRoleById", "getApplicationById", "getUserById"
>> etc. from RealmModel to IdentitySession as it would be global search
>> (not just in context of the particular Realm). This will require some
>> changes in impl, as for example RoleAdapter or ApplicationAdapter wants
>> access to RealmModel right now.
>> 3) Keep current behaviour and live with the fact that "get***ById()" may
>> return entity from different realm.
>> To me, it seems that option 3 is fine and won't affect performance, but
>> wanted to ask for sure.
> 4) Add a realm ManyToOne relationship to Role, app, and user.  Return
> null if em.find() returns an entity not defined in the realm?
Looks fine, likely also affects performance a bit as it would need to 
join the realm, but likely not much. I will do that and send PR.


> Bill

More information about the keycloak-dev mailing list