13.5. Identity Management
This subsystem provides a domain model that allows you to configure PicketLink Identity Management services using standalone.xml or domain.xml. Basically, the subsystem parses the configuration, automatically builds a PartitionManager and exposes it via JNDI for further access.
With the subsystem you can:
- Externalize and centralize the IDM configuration for deployments.
- Define multiple configurations for identity management services.
- Expose the PartitionManager via JNDI for further access.
- If using CDI, inject the PartitionManager instances using the @Resource annotation.
- If using CDI, use PicketLink IDM alone without requiring the base module dependencies.
The IDM domain model is an abstraction for all PicketLink IDM configuration, providing a single schema from which all configuration can be defined. If you're already familiar with the Configuration API, you'll find the syntax pretty simple and intuitive.
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">
    <!-- A complete configuration using a file-based identity store. -->
    <partition-manager jndi-name="picketlink/FileCompletePartitionManager" name="file.complete.partition.manager">
        <identity-configuration name="file.config">
            <file-store relative-to="jboss.server.data.dir" working-dir="pl-idm-complete" always-create-files="true" async-write="true" async-write-thread-pool="10">
                <supported-types supports-all="true"/>
            </file-store>
        </identity-configuration>
    </partition-manager>
    <!-- A configuration using a JPA-based identity store. The store is configured using an existing datasource. -->
    <partition-manager jndi-name="picketlink/JPADSBasedPartitionManager" name="jpa.ds.based.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store data-source="jboss/datasources/ExampleDS">
                <supported-types supports-all="true"/>
            </jpa-store>
        </identity-configuration>
    </partition-manager>
</subsystem>
Note: If you are looking for more examples about how to use the domain model, take a look at JBOSS_HOME/docs/examples/configs/standalone-picketlink.xml.
Most of the configuration will already be familiar if you know the PicketLink IDM configuration. But the domain model provides some additional configuration in order to allow deployments to access the configured identity management services. Basically, each configuration must have a:
- jndi-name, which defines where the PartitionManager should be published in the JNDI tree for further access.
- name, the name of the configuration, which allows other subsystems to inject the Identity Management services using the MSC injection infrastructure.
The rest of the configuration is very similar to how you use the Configuration API to programmatically build the IDM configuration. For a complete description of the domain model elements, please take a look at the XML Schema.
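The following CDI bean is an added illustration, not code from the PicketLink or WildFly documentation, of how a deployment consumes a PartitionManager published by the subsystem. It assumes the jpa.ds.based.partition.manager configuration shown above (jndi-name="picketlink/JPADSBasedPartitionManager") and that the subsystem binds that name under the java:jboss namespace; the realm name, class name and method names are hypothetical. Credential validation is done through the IdentityManager so that the password handling (hashing, expiry, disabled accounts) stays with the configured credential handler rather than application code.

```java
package example; // hypothetical package

import javax.annotation.Resource;
import javax.enterprise.context.ApplicationScoped;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.User;

/**
 * Added example bean that uses the PartitionManager exposed by the subsystem
 * configuration with jndi-name="picketlink/JPADSBasedPartitionManager".
 */
@ApplicationScoped
public class AccountService {

    // Assumption: the subsystem publishes the PartitionManager under java:jboss/<jndi-name>.
    @Resource(mappedName = "java:jboss/picketlink/JPADSBasedPartitionManager")
    private PartitionManager partitionManager;

    /** Returns an IdentityManager for the given realm, creating the realm on first use. */
    private IdentityManager identityManagerFor(String realmName) {
        Realm realm = partitionManager.getPartition(Realm.class, realmName);
        if (realm == null) {
            realm = new Realm(realmName);
            partitionManager.add(realm);
        }
        return partitionManager.createIdentityManager(realm);
    }

    /** Creates a user in the realm and sets its password through the credential handler. */
    public void register(String realmName, String loginName, String password) {
        IdentityManager identityManager = identityManagerFor(realmName);
        User user = new User(loginName);
        identityManager.add(user);
        // The configured credential handler stores the password (the default keeps a salted hash),
        // so the clear-text value never reaches the identity store directly.
        identityManager.updateCredential(user, new Password(password));
    }

    /** Validates a login; only Status.VALID counts as success (EXPIRED, ACCOUNT_DISABLED, etc. do not). */
    public boolean authenticate(String realmName, String loginName, String password) {
        IdentityManager identityManager = identityManagerFor(realmName);
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(loginName, new Password(password));
        identityManager.validateCredentials(credentials);
        return Credentials.Status.VALID.equals(credentials.getStatus());
    }
}
```

Because the bean only depends on the JNDI name, the same code works unchanged whether the administrator backs that name with the file store or either JPA store variant described in this chapter; switching stores is a change to standalone.xml, not to the deployment.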
13.5.1. JPAIdentityStore
In order to provide a better and easier integration with the container, the JPAIdentityStore configuration provides some additional options that let you configure how the EntityManagerFactory is built or used by the JPAIdentityStore.
13.5.1.1. Using a DataSource JNDI Url
When you specify a DataSource JNDI URL, the subsystem automatically builds an EntityManagerFactory using a default configuration. This is the fastest way to get a JPA Identity Store up and running, especially if you just want to use the Section 5.1, “Basic Identity Model” provided by PicketLink.
The DataSource JNDI url can be specified using the data-source attribute as follows:
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">
    <!-- A configuration using a JPA-based identity store. The store is configured using an existing datasource. -->
    <partition-manager jndi-name="picketlink/JPADSBasedPartitionManager" name="jpa.ds.based.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store data-source="jboss/datasources/ExampleDS">
                <supported-types supports-all="true"/>
            </jpa-store>
        </identity-configuration>
    </partition-manager>
</subsystem>
This configuration option is very handy if you want to use the Basic Model provided by PicketLink.
13.5.1.2. Using an EntityManagerFactory JNDI Url
Sometimes you may need more control over the JPA Persistence Unit configuration. In this case you can use the entity-manager-factory attribute to specify where your previously built EntityManagerFactory is located.
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">
    <!-- A configuration using a JPA-based identity store. The store is configured using an existing JPA EntityManagerFactory, obtained via JNDI. -->
    <partition-manager jndi-name="picketlink/JPAEMFBasedPartitionManager" name="jpa.emf.based.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store entity-manager-factory="jboss/MyEntityManagerFactory">
                <supported-types>
                    <supported-type code="Partition"/>
                    <supported-type code="IdentityType"/>
                    <supported-type code="Relationship"/>
                </supported-types>
            </jpa-store>
        </identity-configuration>
    </partition-manager>
</subsystem>
13.5.1.3. Using a JBoss Module
The JPA Identity Store configuration allows you to specify a JBoss Module from which the JPA Persistence Unit and mapped entities will be loaded.
This configuration can be done using two attributes:
- entity-module, the name of the module where the JPA Persistence Unit and all mapped entities are located.
- entity-module-unit-name, the name of the JPA Persistence Unit. If you don't provide a name, the subsystem will use identity.
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">
    <!-- A configuration using a JPA-based identity store. The store is configured using an existing JPA Persistence Unit from a static module. -->
    <partition-manager jndi-name="picketlink/JPAEMFModulePartitionManager" name="jpa.emf.modules.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store entity-module="my.module" entity-module-unit-name="my-persistence-unit-name">
                <supported-types supports-all="true"/>
            </jpa-store>
        </identity-configuration>
    </partition-manager>
</subsystem>