
3.3. Identity Model

The Identity Model is a set of classes that define the security structure of an application. It may consist of identity objects such as users, groups and roles; relationships such as group and role memberships; and partitions such as realms or tiers. The classes in the org.picketlink.idm.model package define the base types on which an identity model is built:
  • AttributedType is the base interface for the identity model. It declares a number of methods for managing a set of attribute values, plus getId() and setId() methods for setting a unique identifier value.
  • Attribute is used to represent an attribute value. An attribute has a name and a (generically typed) value, and may be marked as read-only. Attribute values that are expensive to load (such as large binary data) may be lazy-loaded; the isLoaded() method may be used to determine whether the Attribute has been loaded or not.
  • Partition is the base interface for partitions. Since each partition must have a name it declares a getName() method.
  • Relationship is the base interface for relationships. Beyond the methods it inherits from AttributedType, this interface imposes no further contractual requirements; each relationship implementation defines its own methods returning the identities and attribute values appropriate to that relationship type.
  • IdentityType is the base interface for Identity objects. It declares properties that indicate whether the identity object is enabled or not, optional created and expiry dates, plus methods to read and set the owning Partition.
  • Account is the base interface for identities that are capable of authenticating. Since the authentication process may not depend on one particular type of attribute (not all authentication is performed with a username and password) there are no hard-coded property accessors defined by this interface. It is up to each application to define the Account implementations required according to the application's requirements.
  • AbstractAttributedType is an abstract base class for creating AttributedType implementations.
  • AbstractPartition is an abstract base class that implements the base methods of the Partition interface, to simplify the development of partition implementations.
  • AbstractIdentityType is an abstract base class that implements the base methods of the IdentityType interface, to simplify the development of identity objects.
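The following is an added example, not code from the PicketLink documentation or project, showing how an application builds on the base types above: a Partition subclass, an Account that authenticates with a client identifier rather than a username and password, a Relationship that ties an administrator identity to that account, and a check that honours the enabled flag and expiry date IdentityType carries. It assumes the PicketLink 2.5.x API (the package org.picketlink.idm.model.annotation and its AttributeProperty, Unique and IdentityProperty annotations are assumed to be available there; the class and attribute names are the example's own inventions).

```java
import java.util.Date;

import org.picketlink.idm.model.AbstractAttributedType;
import org.picketlink.idm.model.AbstractIdentityType;
import org.picketlink.idm.model.AbstractPartition;
import org.picketlink.idm.model.Account;
import org.picketlink.idm.model.Attribute;
import org.picketlink.idm.model.IdentityType;
import org.picketlink.idm.model.Relationship;
// Assumed: persistence annotations from PicketLink 2.5.x.
import org.picketlink.idm.model.annotation.AttributeProperty;
import org.picketlink.idm.model.annotation.IdentityProperty;
import org.picketlink.idm.model.annotation.Unique;

/** Example custom identity model (hypothetical names, not part of PicketLink). */
public class CustomModelExample {

    /** Partition: AbstractPartition already implements getName(), so only a constructor is needed. */
    public static class Tenant extends AbstractPartition {
        public Tenant(String name) {
            super(name);
        }
    }

    /**
     * An Account whose authentication is keyed by a client identifier. Account defines no
     * username/password accessors, so the application decides which property identifies it.
     */
    public static class ServiceAccount extends AbstractIdentityType implements Account {
        @AttributeProperty
        @Unique
        private String clientId;

        public ServiceAccount() {
        }

        public ServiceAccount(String clientId) {
            this.clientId = clientId;
        }

        public String getClientId() {
            return clientId;
        }

        public void setClientId(String clientId) {
            this.clientId = clientId;
        }
    }

    /** Relationship: which identity may administer which service account. */
    public static class Administers extends AbstractAttributedType implements Relationship {
        private IdentityType admin;
        private ServiceAccount account;

        public Administers() {
        }

        public Administers(IdentityType admin, ServiceAccount account) {
            this.admin = admin;
            this.account = account;
        }

        @IdentityProperty
        public IdentityType getAdmin() {
            return admin;
        }

        public void setAdmin(IdentityType admin) {
            this.admin = admin;
        }

        @IdentityProperty
        public ServiceAccount getAccount() {
            return account;
        }

        public void setAccount(ServiceAccount account) {
            this.account = account;
        }
    }

    /** Check both flags IdentityType carries before trusting an identity: disabled or expired means no. */
    public static boolean isUsable(IdentityType identity, Date now) {
        if (!identity.isEnabled()) {
            return false;
        }
        Date expiry = identity.getExpirationDate();
        return expiry == null || expiry.after(now);
    }

    public static void main(String[] args) {
        Tenant tenant = new Tenant("acme");                 // constructed sample partition
        ServiceAccount svc = new ServiceAccount("billing-worker");
        svc.setPartition(tenant);
        svc.setCreatedDate(new Date());
        svc.setExpirationDate(new Date(System.currentTimeMillis() - 1000L)); // already expired
        svc.setEnabled(true);

        // A read-only attribute; the third constructor argument marks it so.
        svc.setAttribute(new Attribute<String>("keyFingerprint", "SHA256:constructed-sample", true));
        Attribute<String> fp = svc.getAttribute("keyFingerprint");
        System.out.println("readOnly=" + fp.isReadOnly() + " loaded=" + fp.isLoaded());

        System.out.println("usable=" + isUsable(svc, new Date())); // false: expiry is in the past

        Administers grant = new Administers(svc, svc); // any IdentityType can be the admin side
        System.out.println("admin=" + ((ServiceAccount) grant.getAdmin()).getClientId());
    }
}
```

The isUsable check is the part a reviewer should insist on: the model stores enabled and expiry state, but nothing in the base types enforces them, so an application that authenticates a ServiceAccount must consult both before granting access.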

3.3.1. Which Identity Model Should My Application Use?

The base identity types listed above do not themselves constitute an identity model implementation, so they cannot be used directly to service the security requirements of an application. Instead, an application must either define its own identity model (by providing implementations of whichever identity objects it requires, such as user, group or role classes) or use a pre-prepared model. PicketLink provides a basic identity model (see Chapter 5, Identity Management - Basic Identity Model) with a basic set of identity objects; where that model is insufficient, defining a custom model is straightforward, as the next section shows.