
12.5. Identity Management

The subsystem provides a domain model that lets you configure PicketLink Identity Management services directly in standalone.xml or domain.xml. The subsystem parses that configuration, builds an org.picketlink.idm.PartitionManager from it and publishes the PartitionManager in JNDI, where deployments can look it up.
With the subsystem you can:
  • Externalize and centralize the IDM configuration so deployments do not carry it themselves.
  • Define multiple configurations for identity management services.
  • Expose the PartitionManager via JNDI for further access.
  • If using CDI, inject the PartitionManager instances using the @Resource annotation.
  • If using CDI, use PicketLink IDM on its own without requiring the base module dependencies. In this case you provide your own configuration instead of using the subsystem's domain model.
The IDM domain model is an abstraction over all PicketLink IDM configuration, providing a single schema from which every configuration can be defined. If you are already familiar with the Configuration API, you will find the domain model simple and intuitive.
<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
  <identity-management jndi-name="picketlink/FileBasedPartitionManager" alias="file.based.partition.manager">
    <identity-configuration name="file.config">
      <file-store working-dir="/tmp/pl-idm-complete" always-create-files="true" async-write="true"
                  async-write-thread-pool="10">
        <supportedTypes supportsAll="true"/>
      </file-store>
    </identity-configuration>
  </identity-management>

  <identity-management jndi-name="picketlink/JPADSBasedPartitionManager" alias="jpa.ds.based.partition.manager">
    <identity-configuration name="jpa.config">
      <jpa-store data-source="jboss/datasources/ExampleDS">
        <supportedTypes supportsAll="true"/>
      </jpa-store>
    </identity-configuration>
  </identity-management>
</subsystem>
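The following is an added example, not code from the page or from the PicketLink project, showing how a deployment consumes the PartitionManager that the file.config configuration above publishes. The class and package names are hypothetical; the @Resource name mirrors the jndi-name attribute from the configuration and is assumed to resolve to the entry the subsystem binds (adjust it if your server binds the manager under a java: namespace). The validation method treats every status other than VALID as a failure, which is the check a caller actually wants.

```java
package com.example.idm; // hypothetical package

import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.User;

@Stateless
public class AccountService {

    // Assumption: this is the name under which the subsystem publishes the
    // PartitionManager configured with jndi-name="picketlink/FileBasedPartitionManager".
    private static final String PARTITION_MANAGER_JNDI = "picketlink/FileBasedPartitionManager";

    @Resource(mappedName = PARTITION_MANAGER_JNDI)
    private PartitionManager partitionManager;

    /** Creates an account and stores its password through the configured identity store. */
    public void register(String loginName, String password) {
        IdentityManager identityManager = partitionManager.createIdentityManager();
        if (BasicModel.getUser(identityManager, loginName) != null) {
            throw new IllegalStateException("user already exists: " + loginName);
        }
        User user = new User(loginName);
        identityManager.add(user);
        // The store's password credential handler hashes the value before persisting it.
        identityManager.updateCredential(user, new Password(password));
    }

    /** Returns true only when the credentials validate; INVALID, EXPIRED and disabled accounts all fail. */
    public boolean authenticate(String loginName, String password) {
        IdentityManager identityManager = partitionManager.createIdentityManager();
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(loginName, new Password(password));
        identityManager.validateCredentials(credentials);
        return credentials.getStatus() == Credentials.Status.VALID;
    }

    /** Plain JNDI lookup for code that is not a managed component. */
    public static PartitionManager lookupPartitionManager() throws NamingException {
        return (PartitionManager) new InitialContext().lookup(PARTITION_MANAGER_JNDI);
    }
}
```

Note that the file store persists identities and credential hashes under the configured working-dir; a shared location such as /tmp is fine for the example above but, in a real deployment, the directory should be owned by the server user and not readable by anyone else.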

Note

If you are looking for more examples about how to use the domain model, take a look at https://github.com/picketlink/picketlink-as-subsystem/blob/master/src/test/resources/picketlink-subsystem.xml.
Most of the configuration will be familiar if you already know the PicketLink IDM configuration. The domain model adds a few attributes so that deployments can reach the configured identity management services. Each configuration must have a:
  • jndi-name, which defines where the PartitionManager is published in the JNDI tree for further access.
  • alias, an alias for the configuration that allows other subsystems to inject the Identity Management services using the MSC injection infrastructure.
The rest of the configuration closely follows how you use the Configuration API to programmatically build the IDM configuration. For a complete description of the domain model elements, refer to the XML Schema.
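To make the correspondence with the Configuration API concrete, here is an added example (not code from the page or from PicketLink) that builds, in Java, the same file store as the file.config configuration shown earlier and then exercises it. It assumes that the subsystem's always-create-files="true" attribute corresponds to preserveState(false) on the builder; the class name and the use of a locked-down temporary directory are the example's own choices.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.User;

public class FileStoreConfigExample { // hypothetical class name

    /** Programmatic equivalent of the file.config <identity-configuration> element. */
    public static PartitionManager build(Path workingDir) {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder
            .named("file.config")
                .stores()
                    .file()
                        .workingDirectory(workingDir.toString())
                        .preserveState(false)      // assumed mapping of always-create-files="true"
                        .asyncWrite(true)          // async-write="true"
                        .asyncWriteThreadPool(10)  // async-write-thread-pool="10"
                        .supportAllFeatures();     // <supportedTypes supportsAll="true"/>
        return new DefaultPartitionManager(builder.buildAll());
    }

    /** Adds a user to a group and reports whether the store records the membership. */
    public static boolean addMemberAndCheck(PartitionManager partitionManager,
                                            String loginName, String groupName) {
        IdentityManager identityManager = partitionManager.createIdentityManager();
        RelationshipManager relationshipManager = partitionManager.createRelationshipManager();

        User user = new User(loginName);
        identityManager.add(user);
        Group group = new Group(groupName);
        identityManager.add(group);
        BasicModel.addToGroup(relationshipManager, user, group);

        return BasicModel.isMember(relationshipManager, user, group);
    }

    public static void main(String[] args) throws IOException {
        // The store writes identity data and credential hashes to this directory,
        // so it is created readable and writable by the owner only.
        Path dir = Files.createTempDirectory("pl-idm",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
        PartitionManager partitionManager = build(dir);
        System.out.println("alice in admins: " + addMemberAndCheck(partitionManager, "alice", "admins"));
    }
}
```

The subsystem does the first half of this for you (building the PartitionManager from the XML) and then hands the result to deployments via JNDI; the second half is the same whichever way the manager was built.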

12.5.1. JPAIdentityStore

To integrate more smoothly with the container, the JPAIdentityStore configuration provides some additional settings that let you control how the EntityManagerFactory used by the JPAIdentityStore is built or obtained.

12.5.1.1. Using a DataSource JNDI Url

When you specify a DataSource JNDI URL, the subsystem automatically builds an EntityManagerFactory using a default configuration. This is the quickest way to get a JPA Identity Store configured.
The DataSource JNDI URL is specified with the data-source attribute, as follows:
<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
  <identity-management jndi-name="picketlink/JPADSBasedPartitionManager" alias="jpa.ds.based.partition.manager">
    <identity-configuration name="jpa.config">
      <jpa-store data-source="jboss/datasources/ExampleDS">
        <supportedTypes supportsAll="true"/>
      </jpa-store>
    </identity-configuration>
  </identity-management>
</subsystem>
This option is handy if you only need the basic IDM model provided by PicketLink, since the EntityManagerFactory the subsystem builds maps the default PicketLink entities.

12.5.1.2. Using an EntityManagerFactory JNDI Url

Sometimes you need more control over the JPA Persistence Unit configuration. In that case, use the entity-manager-factory attribute to point the subsystem at the JNDI name of an EntityManagerFactory you have already built and bound.
<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
  <identity-management jndi-name="picketlink/JPAEMFBasedPartitionManager" alias="jpa.emf.based.partition.manager">
    <identity-configuration name="jpa.config">
      <jpa-store entity-manager-factory="jboss/PicketLinkEMF">
        <supportedTypes>
          <supportedType class="org.picketlink.idm.model.Partition"/>
          <supportedType class="org.picketlink.idm.model.IdentityType"/>
          <supportedType class="org.picketlink.idm.model.Relationship"/>
        </supportedTypes>
      </jpa-store>
    </identity-configuration>
  </identity-management>
</subsystem>
This configuration option is very useful if you want to support custom types.

12.5.1.3. Using a JBoss Module

The JPA Identity Store configuration also allows you to specify a JBoss Module from which the JPA Persistence Unit and the mapped entities are loaded.
This is configured with two attributes:
  • entity-module, the name of the module where the JPA Persistence Unit and all mapped entities are located.
  • entity-module-unit-name, the name of the JPA Persistence Unit. If you do not provide a name, the subsystem uses identity.
<subsystem xmlns="urn:jboss:domain:picketlink:1.0">
  <identity-management jndi-name="picketlink/JPACustomEntityBasedPartitionManager" alias="jpa.custom.entity.based.partition.manager">
    <identity-configuration name="jpa.config">
      <jpa-store entity-module="org.picketlink.test" entity-module-unit-name="custom-pu" module="org.picketlink.test">
        <supportedTypes>
          <supportedType class="org.picketlink.idm.model.Partition"/>
          <supportedType class="org.picketlink.idm.model.IdentityType"/>
          <supportedType class="org.picketlink.idm.model.Relationship"/>
        </supportedTypes>
        <credential-handlers>
          <credential-handler class="test.org.picketlink.as.subsystem.module.idm.SaleAgentPasswordCredentialHandler"/>
        </credential-handlers>
      </jpa-store>
    </identity-configuration>
  </identity-management>
</subsystem>