Created March 8, 2012 21:11
Realm: a space in which a user can be authenticated (database, LDAP, file, ...)
User: a subject that can be authenticated in at least one realm
Identity: session-scoped bean that manages the currently authenticated user
Authenticator: stateless bean that can try to authenticate Credentials (the caller has to specify in which realm)

Identity should not know how the application decides what a user is or is not allowed to do. Identity should only answer "Yes" or "No" when asked whether the current User may do something, which means a single method such as "boolean can(...)", possibly with several combinations of parameters (see the Identity interface). When nobody is authenticated, that answer must always be "No".

In practice, several more specific implementations should be provided (one like Picketlink, one like Seam 2 with Role and Permission, ...) to help the user, but nothing specific belongs inside the Identity interface itself. Because, when I write code, I want to write it quickly and easily: one entry point, like here: https://gist.github.com/1997314

Why does the realm provide the concrete User? Because each realm has its own way to store and retrieve a User. A stateless authenticator that can authenticate in several different realms (depending on the Credentials) has no way to retrieve the user itself (well, it could, but only by asking the realm in which it is currently authenticating to do so on its behalf).
So, what should a developer do?

1) In a simple application:
- configure one realm (database)
- choose the authenticator
- choose a specific Identity implementation (if one suits) or implement their own

2) In a complex application:
- configure several realms (one LDAP for employees, one database for good customers, another database for day-to-day customers)
- choose several authenticators and provide them to the AuthenticatorSelector
- during the login process, depending on the credentials, ask the right authenticator to run its authenticate method, telling it in which realm to do so
- no idea how to manage several Identity implementations inside the same application yet
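To make the design above concrete, here is an added example in plain Java 17 (it is not the gist's code, and every type, method name and account in it is assumed, including the convention that the Credentials carry the name of their realm so that the AuthenticatorSelector can route the login). Two in-memory realms stand in for the LDAP and database realms of the complex case, one stateless PasswordAuthenticator serves both, and the session-scoped Identity answers only can(action, target) by delegating to a pluggable Policy that holds the role rules:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.*;

// Added example, not code from the gist; every type, method and account here is assumed.
public class AuthDesignExample {
    // Credentials name their realm, so a stateless authenticator is told where to authenticate.
    record Credentials(String realm, String username, char[] password) {}
    // The realm builds the concrete User and keeps the material needed to verify a password.
    record User(String realm, String id, Set<String> roles) {}
    record Account(User user, byte[] salt, byte[] hash) {}
    // Realm: where users live; only the realm knows how to store and retrieve them.
    interface Realm {
        String name();
        Optional<Account> lookup(String username);
    }
    // Authenticator: stateless; verifies Credentials against whichever realm it is handed.
    interface Authenticator {
        boolean supports(Credentials c);
        Optional<User> authenticate(Credentials c, Realm realm);
    }
    // Authorization rules (roles, permissions, ...) sit behind this interface, never inside Identity.
    interface Policy { boolean allows(User user, String action, Object target); }

    // Identity: one per session; the only question it answers is can(...).
    static final class Identity {
        private final Policy policy;
        private User user;                        // null until a login succeeds
        Identity(Policy policy) { this.policy = policy; }
        void login(User u) { user = u; }
        void logout() { user = null; }
        boolean can(String action, Object target) {
            return user != null && policy.allows(user, action, target);   // anonymous: always "No"
        }
    }

    // Salted SHA-256 keeps the example short; a real realm would use PBKDF2, bcrypt or scrypt.
    static byte[] hash(byte[] salt, char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    // In-memory stand-in for a database or LDAP realm, filled with constructed accounts.
    static final class TableRealm implements Realm {
        private final String name;
        private final Map<String, Account> accounts = new HashMap<>();
        TableRealm(String name) { this.name = name; }
        TableRealm add(String id, String password, String... roles) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            User user = new User(name, id, Set.copyOf(Arrays.asList(roles)));
            accounts.put(id, new Account(user, salt, hash(salt, password.toCharArray())));
            return this;
        }
        public String name() { return name; }
        public Optional<Account> lookup(String username) { return Optional.ofNullable(accounts.get(username)); }
    }
    // Username/password authenticator; it holds no state, so one instance serves every realm.
    static final class PasswordAuthenticator implements Authenticator {
        public boolean supports(Credentials c) { return c.password() != null; }
        public Optional<User> authenticate(Credentials c, Realm realm) {
            return realm.lookup(c.username())
                    // MessageDigest.isEqual compares the two hashes in constant time
                    .filter(a -> MessageDigest.isEqual(a.hash(), hash(a.salt(), c.password())))
                    .map(Account::user);                          // the realm's own User object
        }
    }

    // AuthenticatorSelector: routes a login to the realm named in the credentials and to the
    // first authenticator that supports that kind of credentials.
    static final class AuthenticatorSelector {
        private final Map<String, Realm> realms = new HashMap<>();
        private final List<Authenticator> authenticators = new ArrayList<>();
        AuthenticatorSelector realm(Realm r) { realms.put(r.name(), r); return this; }
        AuthenticatorSelector authenticator(Authenticator a) { authenticators.add(a); return this; }
        Optional<User> login(Credentials c) {
            Realm realm = realms.get(c.realm());
            if (realm == null) return Optional.empty();         // unknown realm: fail closed
            return authenticators.stream().filter(a -> a.supports(c)).findFirst()
                    .flatMap(a -> a.authenticate(c, realm));
        }
    }

    public static void main(String[] args) {
        Realm employees = new TableRealm("ldap").add("alice", "s3cret", "employee", "admin");
        Realm customers = new TableRealm("customers").add("bob", "hunter2", "customer");
        AuthenticatorSelector selector = new AuthenticatorSelector()
                .realm(employees).realm(customers).authenticator(new PasswordAuthenticator());
        // A role-based Policy: Identity asks it but never sees the rules.
        Identity identity = new Identity((u, action, t) -> action.equals("read") || u.roles().contains("admin"));
        selector.login(new Credentials("ldap", "alice", "s3cret".toCharArray())).ifPresent(identity::login);
        System.out.println("alice can delete: " + identity.can("delete", "order#42"));
        identity.logout();
        selector.login(new Credentials("customers", "bob", "hunter2".toCharArray())).ifPresent(identity::login);
        System.out.println("bob can delete: " + identity.can("delete", "order#42"));
        // Same password, wrong realm: the selector consults only the realm that was named.
        System.out.println("bob in ldap: " + selector.login(new Credentials("ldap", "bob", "hunter2".toCharArray())).isPresent());
    }
}
```

Compile and run with `javac AuthDesignExample.java && java AuthDesignExample`. Three points carry over when this becomes CDI beans: Identity.can(...) answers "No" whenever no user is logged in, the selector refuses a login that names an unknown realm instead of trying every realm it knows, and the password check goes through MessageDigest.isEqual so the comparison is constant-time. The salted SHA-256 is only there to keep the example short; a real realm should store passwords with a slow hash such as PBKDF2 or bcrypt.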