[security-dev] Multi-application support for IDM
Shane Bryzak
sbryzak at redhat.com
Thu Nov 8 06:27:46 EST 2012
I've been thinking about Bill's request for multi-application support,
and I think I've come up with a solution that's going to be minimally
disruptive to the existing API. For starters, we need to add a few
methods to IdentityManager to support application management:
    void createApplication(Application application);
    void removeApplication(Application application);
    Application getApplication(String applicationId);
    Collection<Application> getAllApplications();
(The getAllApplications() method is necessary as the Query API only
deals with IdentityTypes, of which Application isn't one.)
The next step is to allow the Application to be set somehow for any
given identity management operation. I think the easiest way to do this
is by providing a new method called forApplication():
    IdentityManager forApplication(Application application);
The forApplication() method returns an instance of IdentityManager for
which any operations performed will be within the context of the
specified Application. Let's take a look at this in more practical
terms - for example, pretend we want to grant the "moderator" role to
user "bill" for the application "JBossForums". The code would look like
this:
    Application jbossForums = identityManager.getApplication("jbossForums");
    IdentityManager im = identityManager.forApplication(jbossForums);
    User bill = im.getUser("bill");
    Role moderator = im.getRole("moderator");
    im.grantApplicationRole(bill, moderator);
The selected Application is passed to the underlying IdentityStores via
the IdentityStoreInvocationContext, to which we will add a
getApplication() method. We can also support multi-application
configuration, where one application might use an LDAP-based identity
store, while another might use a File-based identity store.
By providing multi-application support in this way, we can maintain the
existing API (we don't need to refactor every single method to add an
Application parameter) and for the consumers who don't care about
multi-application support the feature won't get in their way. We can
then very easily expose the IDM API as a set of RESTful web services to
achieve a standalone identity management service.
What do you guys think?
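The sketch below is an added, self-contained model of the forApplication() pattern proposed in the message above; it is not PicketLink code and not part of the original post. It assumes a simplified IdentityManager whose users and roles are plain strings, a stand-in InvocationContext carrying the selected Application (standing in for the getApplication() addition to IdentityStoreInvocationContext), and a per-application store mapping so that one application can be routed to a different store than the default. Everything other than the names Application, IdentityManager, forApplication, createApplication, removeApplication, getApplication, getAllApplications and grantApplicationRole is an assumption made for the example.

```java
import java.util.*;

// Added example, not PicketLink code. Models the post's proposal: a root
// IdentityManager with no Application scope, and forApplication() returning
// a second manager that shares all state but passes the Application to the
// store through an invocation context. Class names other than those in the
// post (InvocationContext, IdentityStore, ForApplicationDemo) are assumptions.

final class Application {
    final String id;
    Application(String id) { this.id = id; }
    @Override public String toString() { return id; }
}

// Stand-in for the per-call context; the scoped manager sets the Application.
final class InvocationContext {
    private final Application application; // null when the caller is unscoped
    InvocationContext(Application application) { this.application = application; }
    Application getApplication() { return application; }
}

// Stand-in for an IdentityStore: records grants keyed by application id.
final class IdentityStore {
    final String name;
    final Map<String, Set<String>> grants = new HashMap<>();
    IdentityStore(String name) { this.name = name; }

    void grantRole(InvocationContext ctx, String user, String role) {
        // Unscoped calls land in a global scope rather than failing, so callers
        // that never heard of applications keep working unchanged.
        String scope = ctx.getApplication() == null ? "<global>" : ctx.getApplication().id;
        grants.computeIfAbsent(scope, k -> new HashSet<>()).add(user + ":" + role);
    }
}

final class IdentityManager {
    private final Map<String, Application> applications; // shared with scoped managers
    private final Map<String, IdentityStore> storeByApp;  // multi-application configuration
    private final IdentityStore defaultStore;
    private final Application scope;                      // null for the root manager

    IdentityManager(IdentityStore defaultStore, Map<String, IdentityStore> storeByApp) {
        this(defaultStore, storeByApp, new HashMap<>(), null);
    }

    private IdentityManager(IdentityStore defaultStore, Map<String, IdentityStore> storeByApp,
                            Map<String, Application> applications, Application scope) {
        this.defaultStore = defaultStore;
        this.storeByApp = storeByApp;
        this.applications = applications;
        this.scope = scope;
    }

    void createApplication(Application app) { applications.put(app.id, app); }
    void removeApplication(Application app) { applications.remove(app.id); }
    Application getApplication(String id) { return applications.get(id); }
    Collection<Application> getAllApplications() {
        return Collections.unmodifiableCollection(applications.values());
    }

    // The core of the proposal: a new manager bound to one Application. Rejecting
    // unknown applications here keeps a stale or forged Application object from
    // silently creating a fresh scope in the store.
    IdentityManager forApplication(Application app) {
        if (app == null || !applications.containsKey(app.id)) {
            throw new IllegalArgumentException("unknown application: " + app);
        }
        return new IdentityManager(defaultStore, storeByApp, applications, app);
    }

    // Pick the store for the current scope; unscoped calls use the default store.
    private IdentityStore store() {
        return scope == null ? defaultStore : storeByApp.getOrDefault(scope.id, defaultStore);
    }

    void grantApplicationRole(String user, String role) {
        store().grantRole(new InvocationContext(scope), user, role);
    }
}

public class ForApplicationDemo {
    public static void main(String[] args) {
        IdentityStore ldap = new IdentityStore("ldap");
        IdentityStore file = new IdentityStore("file");
        // Constructed configuration: jbossForums uses the file store, everyone else LDAP.
        IdentityManager identityManager = new IdentityManager(ldap, Map.of("jbossForums", file));
        identityManager.createApplication(new Application("jbossForums"));

        // Existing, unscoped API: goes to the default store under the global scope.
        identityManager.grantApplicationRole("bill", "admin");

        // The scoped call from the post: same API, but the Application travels
        // with the invocation and selects the file store.
        Application jbossForums = identityManager.getApplication("jbossForums");
        IdentityManager im = identityManager.forApplication(jbossForums);
        im.grantApplicationRole("bill", "moderator");

        System.out.println("ldap store grants: " + ldap.grants);
        System.out.println("file store grants: " + file.grants);
    }
}
```

Compile and run with `javac ForApplicationDemo.java && java ForApplicationDemo`. The two managers share the application registry but differ only in scope, which is what lets the existing method signatures stay untouched; the validation in forApplication() is the one check worth keeping in a real implementation, since the scoped manager is the only thing standing between a caller and another application's data.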