[security-dev] PicketLink 3 - Group/Role - Membership
Shane Bryzak
sbryzak at redhat.com
Sun Dec 2 17:24:56 EST 2012
On 12/01/2012 09:03 PM, Darran Lofthouse wrote:
> I haven't spent too much time digging into the query side yet so
> hopefully a quick question.
>
> For a given user is it possible to run a query that returns a list of
> all of their groups/roles?
Not quite; the Query API needs a little further refinement to allow this,
however it's just an additional parameter type which I'll try to get
added today. The Query would return all groups and roles within the
user's Realm, plus any groups and roles for the currently active Tier.
>
> For a given role/group is it possible to run a query to identify all of
> the members?
Yes, for a group query it would currently look like this:
List<IdentityType> results =
    identityManager.<IdentityType>createQuery()
        .setParameter(IdentityType.MEMBER_OF.group("managers"), true)
        .getResultList();
And for a role query it would look like this:
List<IdentityType> results =
    identityManager.<IdentityType>createQuery()
        .setParameter(IdentityType.GRANTED.role("admin"), true)
        .getResultList();
However, in light of the recent changes we've made to support realms and
tiers I think we need to review the Query API again to bring it in
line. Specifically, I think that QueryParameter (the first parameter in
the setParameter() method) should become an enum again, and the value
parameter should be a varargs:
IdentityQuery<T> setParameter(QueryParameter param, Object... value);
Since groups and roles may be either realm or tier-specific now, it's no
longer sufficient to allow a simple String-based parameter value for
their name, and instead we need to use the actual Group or Role instance:
Group managers = identityManager.getGroup("managers");
List<IdentityType> results =
    identityManager.<IdentityType>createQuery()
        .setParameter(MEMBER_OF, managers)
        .getResultList();
For a group role query, I would pass in both the role and the group as
parameters:
Group managers = identityManager.getGroup("managers");
Role admin = identityManager.getRole("admin");
// Return all identities that have the admin role in the managers group
List<IdentityType> results =
    identityManager.<IdentityType>createQuery()
        .setParameter(HAS_ROLE, admin, managers)
        .getResultList();
I think this is more intuitive than what we currently have (in fact,
when I went to write the example queries above I had forgotten how the
existing Query API actually worked and had to read the code to find out
how), and is more closely aligned with the JPA Query API, which most
developers are already going to be familiar with.
>
> Regards,
> Darran Lofthouse.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
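The following is an added illustration of the query design proposed in the message above; it is not PicketLink code and none of the types in it (Partition, Group, Role, User, Membership, Grant, the in-memory store) are PicketLink's. It models the enum-based `setParameter(QueryParameter, Object...)` shape with MEMBER_OF, GRANTED and HAS_ROLE, and shows concretely why a bare String group name stops being safe once two realms (or a realm and a tier) can each own a group called "managers": a name-keyed lookup returns members from the wrong partition, while an instance-keyed parameter carries its partition and cannot. The semantics of HAS_ROLE (a grant that names both the role and the group) are an assumption made for the sketch. Requires Java 16 or later for records and `Stream.toList()`.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Added illustration, not PicketLink's own code. Every type here is a
// hypothetical stand-in for PicketLink's realm/tier, Group, Role and User.
public class ScopedQueryExample {

    // A Partition stands in for either a Realm or a Tier. Record equality
    // includes it, so Group("managers", corp) != Group("managers", saas).
    record Partition(String name) {}
    record Group(String name, Partition partition) {}
    record Role(String name, Partition partition) {}
    record User(String loginName) {}

    // The enum form of QueryParameter suggested in the message.
    enum QueryParameter { MEMBER_OF, GRANTED, HAS_ROLE }

    // A plain role grant has group == null; a group role grant names the group
    // (assumed semantics for this sketch).
    record Membership(User user, Group group) {}
    record Grant(User user, Role role, Group group) {}

    private final List<Membership> memberships = new ArrayList<>();
    private final List<Grant> grants = new ArrayList<>();

    void addToGroup(User u, Group g)             { memberships.add(new Membership(u, g)); }
    void grantRole(User u, Role r)               { grants.add(new Grant(u, r, null)); }
    void grantGroupRole(User u, Role r, Group g) { grants.add(new Grant(u, r, g)); }

    // Varargs value as proposed: MEMBER_OF takes a Group, GRANTED a Role,
    // HAS_ROLE a Role followed by a Group. Matching uses full object equality,
    // so the realm/tier travels with the parameter and cannot be confused.
    List<User> query(QueryParameter param, Object... value) {
        return switch (param) {
            case MEMBER_OF -> {
                Group g = (Group) value[0];
                yield memberships.stream().filter(m -> m.group().equals(g))
                        .map(Membership::user).distinct().toList();
            }
            case GRANTED -> {
                Role r = (Role) value[0];
                yield grants.stream().filter(gr -> gr.group() == null && gr.role().equals(r))
                        .map(Grant::user).distinct().toList();
            }
            case HAS_ROLE -> {
                Role r = (Role) value[0];
                Group g = (Group) value[1];
                yield grants.stream()
                        .filter(gr -> gr.role().equals(r) && Objects.equals(gr.group(), g))
                        .map(Grant::user).distinct().toList();
            }
        };
    }

    // The String-keyed form the message argues against: once groups can be
    // realm- or tier-specific, a bare name matches every partition's "managers".
    List<User> membersByNameOnly(String groupName) {
        return memberships.stream().filter(m -> m.group().name().equals(groupName))
                .map(Membership::user).distinct().toList();
    }

    public static void main(String[] args) {
        // Constructed sample data: two realms that each own a group named "managers".
        Partition corp = new Partition("corp");
        Partition saas = new Partition("saas");
        Group corpManagers = new Group("managers", corp);
        Group saasManagers = new Group("managers", saas);
        Role admin = new Role("admin", corp);
        User alice = new User("alice"), bob = new User("bob"), eve = new User("eve");

        ScopedQueryExample im = new ScopedQueryExample();
        im.addToGroup(alice, corpManagers);
        im.addToGroup(bob, corpManagers);
        im.addToGroup(eve, saasManagers);           // eve is a manager only in realm saas
        im.grantRole(bob, admin);                   // plain role grant
        im.grantGroupRole(alice, admin, corpManagers); // group role grant

        System.out.println("MEMBER_OF corp managers: " + im.query(QueryParameter.MEMBER_OF, corpManagers));
        System.out.println("GRANTED admin:           " + im.query(QueryParameter.GRANTED, admin));
        System.out.println("HAS_ROLE admin/managers: " + im.query(QueryParameter.HAS_ROLE, admin, corpManagers));
        System.out.println("by name only:            " + im.membersByNameOnly("managers"));
    }
}
```

Running `main` shows the difference the message is getting at: the MEMBER_OF query keyed on the `corpManagers` instance lists alice and bob and leaves eve out, because her "managers" group belongs to a different realm, whereas the name-only lookup lists all three. In an authorization check that asymmetry is the whole point: a membership query that cannot tell partitions apart would grant a saas user whatever the corp managers are allowed to do. HAS_ROLE with both the role and the group instance isolates alice's group-scoped admin grant from bob's plain admin grant, which is what the two-parameter varargs form is for.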