3.3. Identity Model
The Identity Model is a set of classes that define the security structure of an application. It may consist of identity objects such as users, groups and roles; relationships such as group and role memberships; and partitions such as realms or tiers. The classes found in the org.picketlink.idm.model package define the base types upon which the identity model is built:
- AttributedType is the base interface for the identity model. It declares a number of methods for managing a set of attribute values, plus getId() and setId() methods for setting a unique identifier value.
- Attribute is used to represent an attribute value. An attribute has a name and a (generically typed) value, and may be marked as read-only. Attribute values that are expensive to load (such as large binary data) may be lazy-loaded; the isLoaded() method may be used to determine whether the Attribute has been loaded or not.
- Partition is the base interface for partitions. Since each partition must have a name, it declares a getName() method.
- Relationship is the base interface for relationships. Besides the base methods defined by the AttributedType interface, relationship implementations have no further contractual requirements; however, they will define methods that return the identities and attribute values in accordance with the relationship type.
- IdentityType is the base interface for Identity objects. It declares properties that indicate whether the identity object is enabled or not, optional created and expiry dates, plus methods to read and set the owning Partition.
- Account is the base interface for identities that are capable of authenticating. Since the authentication process may not depend on one particular type of attribute (not all authentication is performed with a username and password), there are no hard-coded property accessors defined by this interface. It is up to each application to define the Account implementations required according to the application's requirements.
- AbstractAttributedType is an abstract base class for creating AttributedType implementations.
- AbstractPartition is an abstract base class that implements the base methods of the Partition interface, to simplify the development of partition implementations.
- AbstractIdentityType is an abstract base class that implements the base methods of the IdentityType interface, to simplify the development of identity objects.
3.3.1. Which Identity Model Should My Application Use?
The base identity types listed above do not define an identity model implementation themselves, so they cannot be used directly to service the security requirements of an application. Instead, an application must either define its own identity model (by providing implementations of whichever identity objects it requires, such as user, group or role classes) or use a pre-prepared model. PicketLink provides a basic identity model (more details can be found in Chapter 5, Identity Management - Basic Identity Model) which supplies a basic set of identity objects. If the basic identity model is insufficient, it is quite simple to define a custom model, as we'll see in the next section.
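As an added illustration (not code from the PicketLink documentation or project), the following application-defined Account type shows how the base classes above are put together: the class is a service client that authenticates with a client id rather than a username and password, so the application, not the Account interface, decides which property identifies it. The package name, class name and fields are hypothetical; the @AttributeProperty and @Unique annotations are assumed to come from org.picketlink.idm.model.annotation.

```java
package com.example.app.idm; // hypothetical application package

import java.io.Serializable;
import org.picketlink.idm.model.AbstractIdentityType;
import org.picketlink.idm.model.Account;
import org.picketlink.idm.model.Attribute;
import org.picketlink.idm.model.annotation.AttributeProperty; // assumed annotation
import org.picketlink.idm.model.annotation.Unique;            // assumed annotation

/**
 * Application-defined Account for a machine client. Account declares no
 * accessors of its own, so the identifying property is chosen here; the
 * AbstractIdentityType base class already supplies id, enabled flag,
 * created/expiry dates, owning Partition and the attribute map.
 */
public class ServiceClient extends AbstractIdentityType implements Account {

    private static final long serialVersionUID = 1L;

    @AttributeProperty // stored by the identity store like a built-in property
    @Unique            // at most one client with this id per partition
    private String clientId;

    public ServiceClient() {
        // no-arg constructor required so identity stores can instantiate the type
    }

    public ServiceClient(String clientId) {
        this.clientId = clientId;
    }

    public String getClientId() { return clientId; }

    public void setClientId(String clientId) { this.clientId = clientId; }

    /** Records provenance as a read-only attribute so it cannot be altered later via the attribute API. */
    public void setRegistrationSource(String source) {
        setAttribute(new Attribute<String>("registrationSource", source, true));
    }

    /** Returns an attribute value, or null when absent or not yet lazy-loaded by the store. */
    public <T extends Serializable> T loadedAttributeValue(String name) {
        Attribute<T> attribute = getAttribute(name);
        if (attribute == null || !attribute.isLoaded()) {
            return null; // caller must treat "not loaded" differently from a real null value
        }
        return attribute.getValue();
    }
}
```

Callers that need the lazy-loaded value should check for the null returned by loadedAttributeValue() and re-query the store rather than assuming the attribute is absent.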