9 Replies Latest reply on Mar 28, 2012 3:43 AM by lightguard

    How to use existing JpaIdentityStore

    hurzeler

      Hey there,

I have an existing JPAIdentityStore produced by the Seam 3 Sample Security application. I would like to reuse it. This means I have 2 persistence units, one for my webapp and one for the JPAIdentityStore. How do I configure Seam Security so that it knows how to talk to the 2nd persistence unit in terms of security?


      My beans.xml currently looks something like this:


      <beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:s="urn:java:ee" xmlns:security="urn:java:org.jboss.seam.security"
             xmlns:plidm="urn:java:org.jboss.seam.security.management.picketlink"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://jboss.org/schema/cdi/beans_1_0.xsd">
        <interceptors>
          <class>org.jboss.seam.transaction.TransactionInterceptor</class>
          <class>org.jboss.seam.security.SecurityInterceptor</class>
        </interceptors>

        <security:IdentityImpl>
          <s:modifies />
          <security:authenticatorClass>org.jboss.seam.security.management.IdmAuthenticator</security:authenticatorClass>
          <!-- security:authenticatorClass>com.icm.ip.security.DBAuthenticator</security:authenticatorClass -->
        </security:IdentityImpl>

        <plidm:JpaIdentityStoreConfiguration>
          <s:replaces />
          <plidm:identityClass>com.icm.ip.security.IdentityObject</plidm:identityClass>
          <plidm:credentialClass>com.icm.ip.security.IdentityObjectCredential</plidm:credentialClass>
          <plidm:relationshipClass>com.icm.ip.security.IdentityObjectRelationship</plidm:relationshipClass>
          <plidm:roleTypeClass>com.icm.ip.security.IdentityRoleName</plidm:roleTypeClass>
          <plidm:attributeClass>com.icm.ip.security.IdentityObjectAttribute</plidm:attributeClass>
        </plidm:JpaIdentityStoreConfiguration>
      </beans>


      But perhaps I don't even need my own classes.

      I need help!

      Thanks

        • 1. Re: How to use existing JpaIdentityStore
          lightguard

          If they're using the same database, there's really no reason to use different Persistence Units.

          • 2. Re: How to use existing JpaIdentityStore
            hurzeler

            Well the whole point is that the JPAIdentityStore is in a different database.

            • 3. Re: How to use existing JpaIdentityStore
              lightguard

              Without digging into the code, I'd suggest using a regular non-qualified EM for security and a qualified EM for everything else.

              • 4. Re: How to use existing JpaIdentityStore
                hurzeler

                Sorry for my ignorance. EM = EntityManager? And what is the difference between qualified and unqualified? Is it:


                import javax.enterprise.context.ConversationScoped;
                import javax.enterprise.inject.Produces;
                import javax.persistence.EntityManagerFactory;
                import javax.persistence.PersistenceUnit;
                import org.jboss.solder.core.ExtensionManaged; // Solder 3.1 package name

                public class ManagedPersistenceIDMContextFactory {

                    // Producer field for the "idm" persistence unit, carrying the @IDM qualifier
                    @ConversationScoped
                    @PersistenceUnit(unitName = "idm")
                    @Produces
                    @IDM
                    @ExtensionManaged
                    private EntityManagerFactory emf;
                }


                For the qualified EM @IDM


                and

                import javax.enterprise.context.ConversationScoped;
                import javax.enterprise.inject.Default;
                import javax.enterprise.inject.Produces;
                import javax.persistence.EntityManagerFactory;
                import javax.persistence.PersistenceUnit;
                import org.jboss.solder.core.ExtensionManaged; // Solder 3.1 package name

                public class ManagedPersistenceContextFactory {

                    // Producer field for the "default" persistence unit, no extra qualifier
                    @ConversationScoped
                    @PersistenceUnit(unitName = "default")
                    @Produces
                    @Default
                    @ExtensionManaged
                    private EntityManagerFactory emf;
                }


                For the unqualified EM?


                The qualifier:

                import static java.lang.annotation.ElementType.FIELD;
                import static java.lang.annotation.ElementType.METHOD;
                import static java.lang.annotation.ElementType.PARAMETER;
                import static java.lang.annotation.ElementType.TYPE;
                import static java.lang.annotation.RetentionPolicy.RUNTIME;

                import java.lang.annotation.Retention;
                import java.lang.annotation.Target;
                import javax.inject.Qualifier;

                // CDI qualifier marking the identity-management EntityManager
                @Qualifier
                @Retention(RUNTIME)
                @Target({TYPE, METHOD, FIELD, PARAMETER})
                public @interface IDM {}


                Then I use the identity EM like:

                @Inject
                @IDM
                private EntityManager idmEntityManager;


                And the persistence.xml


                <?xml version="1.0" encoding="UTF-8" standalone="no"?>
                <persistence xmlns="http://java.sun.com/xml/ns/persistence"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.0"
                xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd">
                  <persistence-unit name="default" transaction-type="JTA">
                    <description>Invoice Persistence Unit</description>
                    <provider>org.hibernate.ejb.HibernatePersistence</provider>
                    <jta-data-source>java:jboss/datasources/defaultDS</jta-data-source>
                    <exclude-unlisted-classes>false</exclude-unlisted-classes>
                    <properties>
                      <property name="hibernate.hbm2ddl.auto" value="update"/>
                      <property name="hibernate.transaction.flush_before_completion" value="true"/>
                    </properties>
                  </persistence-unit>

                  <persistence-unit name="idm" transaction-type="JTA">
                    <description>IDM Persistence Unit</description>
                    <provider>org.hibernate.ejb.HibernatePersistence</provider>
                    <jta-data-source>java:jboss/datasources/idmDS</jta-data-source>
                    <exclude-unlisted-classes>false</exclude-unlisted-classes>
                    <properties>
                      <property name="hibernate.hbm2ddl.auto" value="update"/>
                      <property name="hibernate.transaction.flush_before_completion" value="true"/>
                    </properties>
                  </persistence-unit>
                </persistence>

                Correct?

                • 5. Re: How to use existing JpaIdentityStore
                  lightguard

                  Pretty much, but reversed. I'd have to dig into the code (or you) but I'm pretty sure the IDM code would not make use of a qualified entity manager.


                  Yes, I just checked, you will need an EntityManager that is unqualified, no additional qualifiers:

                  @Produces @PersistenceUnit(...) EntityManager em
                  

                  or the like.

                  • 6. Re: How to use existing JpaIdentityStore
                    hurzeler

                    If I understand this correctly then it should just be the other way round. Right?


                    The @Default EM should be the qualified EM, i.e. @IDM or whatever, and the @IDM EM should be the @Default EM.


                    OR


                    I also did a bit of digging and found that org.picketlink.idm.api.IdentitySession has a method getPersistenceManager(). So perhaps I don't need the second persistence unit at all as PicketLink is somehow doing it already???

                    The doco http://docs.jboss.org/seam/3/security/latest/reference/en-US/html/security-identitymanagement.html#d0e845 does not mention a second persistence unit.

                    • 7. Re: How to use existing JpaIdentityStore
                      lightguard

                      Yes. I would, however, suggest something other than @Default as Solder and CDI both have a @Default annotation.

                      • 8. Re: How to use existing JpaIdentityStore
                        hurzeler

                        Jason, can you comment on my OR statement. Does the documentation imply that no second persistence unit is needed and that PicketLink's datasource is configured elsewhere? It is just not clear, or at least it is not clear to me.

                        • 9. Re: How to use existing JpaIdentityStore
                          lightguard

                          If they're the same database and same persistence unit then you wouldn't need to have an entity manager with a CDI qualifier. The code is just looking for a basic EntityManager; it doesn't appear there is a way to configure it to use one with a qualifier, hence you need to use the "default" one for IDM and an entity manager with a qualifier everywhere else in the application.
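The arrangement the thread ends on, written out as one consistent set of classes. This is an added example, not code from the thread or from Seam/PicketLink: the unqualified EntityManager (the one the IDM code resolves) is bound to the "idm" persistence unit from hurzeler's persistence.xml, and everything else in the application injects an EntityManager under a custom qualifier, named @AppData here as an assumption, following lightguard's advice to avoid reusing @Default. The package name, class names and the `InvoiceRepository` consumer are hypothetical; the `org.jboss.solder.core.ExtensionManaged` import is the Solder 3.1 package name and relies on Seam Persistence applying the producer field's qualifiers to the EntityManager it manages.

```java
// Hypothetical package; split into one file per public type when copying.
package com.example.persistence;

import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.ElementType.PARAMETER;
import static java.lang.annotation.ElementType.TYPE;
import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Retention;
import java.lang.annotation.Target;
import java.util.List;

import javax.enterprise.context.ConversationScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.inject.Qualifier;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.PersistenceUnit;

import org.jboss.solder.core.ExtensionManaged; // Solder 3.1 package (assumed)

// --- File: AppData.java ---------------------------------------------------
// Qualifier for the application's own database. Deliberately NOT @Default,
// because both CDI and Solder already define an annotation of that name.
@Qualifier
@Retention(RUNTIME)
@Target({TYPE, METHOD, FIELD, PARAMETER})
@interface AppData {}

// --- File: PersistenceContextProducers.java -------------------------------
// One producer per persistence unit. Seam Persistence's extension turns each
// @ExtensionManaged EntityManagerFactory into a managed EntityManager that
// carries the same qualifiers as the producer field.
public class PersistenceContextProducers {

    // Unqualified producer: this is the EntityManager the IDM / JpaIdentityStore
    // code looks up, so it must point at the identity store's own database.
    @ExtensionManaged
    @Produces
    @PersistenceUnit(unitName = "idm")
    @ConversationScoped
    private EntityManagerFactory idmEntityManagerFactory;

    // Qualified producer: the rest of the application asks for @AppData
    // explicitly and therefore never resolves to the identity store by accident.
    @ExtensionManaged
    @Produces
    @AppData
    @PersistenceUnit(unitName = "default")
    @ConversationScoped
    private EntityManagerFactory appEntityManagerFactory;
}

// --- File: InvoiceRepository.java (hypothetical consumer) -----------------
// Application code names the qualifier at every injection point; an
// injection point written as plain @Inject EntityManager would instead
// receive the IDM persistence context, which is exactly the mix-up to avoid.
class InvoiceRepository {

    @Inject
    @AppData
    private EntityManager em;

    // Assumes a JPA entity named Invoice exists in the "default" unit.
    public List<Invoice> findAll() {
        return em.createQuery("select i from Invoice i", Invoice.class).getResultList();
    }
}

// Minimal stand-in so the file compiles; the real entity lives in the app.
@javax.persistence.Entity
class Invoice {
    @javax.persistence.Id
    private Long id;
}
```

A quick way to confirm the wiring at deployment is to read the two datasource JNDI names in persistence.xml against the two producer fields: the unqualified field must reference the unit whose `jta-data-source` is the identity store's datasource, and a grep for `@Inject` on `EntityManager` across the application should show the custom qualifier on every hit outside the security module.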