11.5. Partition-Based Access Control
PicketLink uses partitions to logically separate identities such as users, roles and groups. This is a very common requirement for SaaS applications, where multi-tenancy is often essential.
The @PartitionsAllowed annotation allows you to restrict access to beans based on the partition a user belongs to. You only need to specify the partition name:
@PartitionsAllowed("Acme Realm")
public void someMethod() {
    // only users from the "Acme Realm" partition are allowed to access this method
}
The @PartitionsAllowed annotation can also be used on types. In this case, all bean methods are protected:
@PartitionsAllowed("Acme Realm")
public class ACMEServices {
    // every method of this bean is restricted to the "Acme Realm" partition
}
You can also define multiple partitions if you want to:
@PartitionsAllowed({"ACME Realm", "Foo Realm"})
Partitions in PicketLink are represented by a specific type. For example, by default PicketLink provides the org.picketlink.idm.model.basic.Realm type to represent them. Since PicketLink allows you to provide your own partition types, @PartitionsAllowed can also be used to restrict which partition types are allowed to perform an operation:
@PartitionsAllowed(type = {Acme.class, Foo.class})
Here Acme and Foo are partition types implementing the org.picketlink.idm.model.Partition interface.
You can even combine both configurations (name and type) if you want.
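The following is an added example, not code from the PicketLink documentation or project: it defines the two custom partition types mentioned above and applies @PartitionsAllowed at both class and method level, including the combined name-plus-type form. The annotation's package (org.picketlink.authorization.annotations), the AbstractPartition base class and the application package are assumptions.

```java
package com.example.tenant; // hypothetical application package

import org.picketlink.authorization.annotations.PartitionsAllowed; // assumed package
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.model.AbstractPartition;

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;

/** Custom partition type for one tenant; AbstractPartition implements Partition. */
class Acme extends AbstractPartition {
    Acme() { }                          // no-arg constructor required by the IDM model
    Acme(String name) { super(name); }
}

/** A second tenant type, used only to show the multi-type restriction. */
class Foo extends AbstractPartition {
    Foo() { }
    Foo(String name) { super(name); }
}

/** Unprotected bean that provisions the two tenant partitions once at startup. */
@ApplicationScoped
public class TenantProvisioning {
    @Inject
    private PartitionManager partitionManager;

    public void createTenants() {
        partitionManager.add(new Acme("Acme Realm")); // name and type both matter below
        partitionManager.add(new Foo("Foo Realm"));
    }
}

/** Class-level rule: every method requires the caller's partition to be an Acme or Foo. */
@ApplicationScoped
@PartitionsAllowed(type = {Acme.class, Foo.class})
class TenantServices {

    /** Inherits the class-level rule: any Acme or Foo partition may call this. */
    public String listInvoices() {
        return "invoices visible to the caller's own tenant";
    }

    /** Tighter method-level rule: partition must be named "Acme Realm" AND be of type Acme,
     *  so a Foo partition that happened to carry the same name would still be rejected. */
    @PartitionsAllowed(value = "Acme Realm", type = Acme.class)
    public String exportTenantData() {
        return "export restricted to the Acme Realm partition";
    }
}
```

When a caller from a partition that does not satisfy the annotation invokes one of these methods, PicketLink's interceptor rejects the call before the method body runs, so the checks never depend on the bean's own code.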