[security-dev] IDM Realms and Applications - The Nitty Gritty

David M. Lloyd david.lloyd at redhat.com
Wed Nov 14 14:17:57 EST 2012


A couple more use case tidbits...

Connecting roles to applications is sensible in the respect that most 
roles are application-specific, however it seems plausible that one 
might want to have a role which spans applications.  Also it seems that 
there is a (conceptual) equivalency between roles and simple permissions 
(in the java.security.Permission sense).  Is that equivalency ever 
formalized anywhere, particularly in the context of a security manager?

Finally it seems to me that there may be benefit in identity-oriented 
storage for things like application preferences and that sort of thing. 
Is there any allowance for this concept in this IDM model?

On 11/13/2012 09:04 PM, Shane Bryzak wrote:
> On 11/14/2012 12:24 PM, David M. Lloyd wrote:
>> I'm not sure I understand the rationale of the relationship between
>> realms and applications.
>>
>> To me the concept of a "realm" in terms of identity management relates
>> more to segregating users into groups based on organizational and
>> technological realities.  For example, if I am hosting a multi-tenant
>> application I might have a realm for each of my customers (but only one
>> or a few application(s)).  For another example, I might have a realm for
>> application authentication (i.e. regular users), a realm for
>> computer-to-computer authentication (might be identified by public key
>> or certificate or some other atypical principal type), and a realm for
>> administration, all of which are utilized by one or a few application(s).
>
> That's a good point and a valid use case that I thought I had taken into
> consideration, however thinking about it a little deeper there are some
> nuances of the design that have question marks over them. Let me think
> about it a little more and I'll get back to you.
>
>>
>> Unless I'm grossly misunderstanding the concepts (a very real
>> possibility), it seems like applications should be decoupled from realms
>> completely.
>
> Possibly, and while it's relatively clear that Users would remain within
> the Realm and Roles would remain defined by the Application, I'm not
> quite sure where Groups would fit in.  My first instinct is to keep them
> in the Realm also, although I'm not 100% sure... time for some mulling I
> think.
>


-- 
- DML
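To make the role/permission equivalency raised above concrete, here is an added sketch (not code from the list or from the IDM project under discussion) of a role modelled as a java.security.Permission: users and their grants live in a per-tenant Realm, a role name is scoped to an application, and a wildcard application lets one role span applications. The class and method names are assumptions for illustration.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

// A role expressed as a java.security.Permission (hypothetical class).
// The name is "<application>:<role>"; an application of "*" means the
// role is granted across every application in the realm.
final class RolePermission extends Permission {
    private final String app;
    private final String role;

    RolePermission(String app, String role) {
        super(app + ":" + role);
        this.app = app;
        this.role = role;
    }

    // "app:*" semantics are deliberately not offered: a wildcard role
    // would be far broader than a wildcard application.
    @Override public boolean implies(Permission p) {
        if (!(p instanceof RolePermission)) return false;
        RolePermission other = (RolePermission) p;
        return ("*".equals(app) || app.equals(other.app)) && role.equals(other.role);
    }
    @Override public boolean equals(Object o) {
        return o instanceof RolePermission && getName().equals(((RolePermission) o).getName());
    }
    @Override public int hashCode() { return getName().hashCode(); }
    @Override public String getActions() { return ""; }
}

// Users and their grants stay inside the realm; roles are named by the
// application that asks for them (hypothetical class).
final class Realm {
    private final Map<String, Permissions> grants = new HashMap<>();

    void grant(String user, RolePermission p) {
        grants.computeIfAbsent(user, u -> new Permissions()).add(p);
    }

    // The check a security manager would ultimately perform: does the
    // user's granted collection imply the role the application requires?
    boolean hasRole(String user, String app, String role) {
        PermissionCollection pc = grants.get(user);
        return pc != null && pc.implies(new RolePermission(app, role));
    }
}
```

With one Realm per tenant, a user granted RolePermission("billing", "admin") passes hasRole for the billing application only, while a user granted RolePermission("*", "auditor") passes for that role in every application of that realm.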

