[security-dev] PicketLink 3 - Group/Role - Membership

Shane Bryzak sbryzak at redhat.com
Sun Dec 2 17:24:56 EST 2012 

On 12/01/2012 09:03 PM, Darran Lofthouse wrote:
> I haven't spent too much time digging into the query side yet so
> hopefully a quick question.
>
> For a given user is it possible to run a query that returns a list of
> all of their groups/roles?

Not quite, the Query API needs a little further refinement to allow this 
however it's just an additional parameter type which I'll try to get 
added today.  The Query would return all groups and roles within the 
user's Realm, plus and groups and roles for the currently active Tier.

>
> For a given role/group is it possible to run a query to identify all of
> the members?

Yes, for a group query it would currently look like this:

         List<IdentityType> results = 
identityManager.<IdentityType>createQuery()
.setParameter(IdentityType.MEMBER_OF.group("managers"), true)
                 .getResultList();

And for a role query it would look like this:

         List<IdentityType> results = 
identityManager.<IdentityType>createQuery()
                 .setParameter(IdentityType.GRANTED.role("admin"), true)
                 .getResultList();

However, in light of the recent changes we've made to support realms and 
tiers I think we need to review the Query API again to bring it in 
line.  Specifically, I think that QueryParameter (the first parameter in 
the setParameter() method) should become an enum again, and the value 
parameter should be a varargs:

IdentityQuery<T> setParameter(QueryParameter param, Object... value);

Since groups and roles may be either realm or tier-specific now, it's no 
longer sufficient to allow a simple String-based parameter value for 
their name, and instead we need to use the actual Group or Role instance:

         Group managers = identityManager.getGroup("managers");
         List<IdentityType> results = 
identityManager.<IdentityType>createQuery()
                 .setParameter(MEMBER_OF, managers)
                 .getResultList();

For a group role query, I would pass in both the role and the group as 
parameters:

         Group managers = identityManager.getGroup("managers");
         Role admin = identityManager.getGroup("admin");

         // Return all identities that have the admin role in the 
managers group
         List<IdentityType> results = 
identityManager.<IdentityType>createQuery()
                 .setParameter(HAS_ROLE, admin, managers)
                 .getResultList();

I think this is more intuitive than what we currently have (in fact, 
when I went to write the example queries above I had forgotten how the 
existing Query API actually worked and had to read the code to find out 
how), and is more closer aligned with the JPA Query API which most 
developers are going to be already familiar with.

>
> Regards,
> Darran Lofthouse.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

More information about the security-dev mailing list