15.4. Identity Management
Identity Management provides a standard API for managing a Seam application's users and roles, regardless of the identity store (database, LDAP, etc.) used in back-end operations. The identityManager component is at the core of the Identity Management API, and provides all methods for creating, modifying, and deleting users, granting and revoking roles, changing passwords, enabling and disabling user accounts, authenticating users, and listing users and roles.
Before use, the identityManager must be configured with at least one IdentityStore. These components interact with the back-end security provider.
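The following Seam component is an added example (not code from the Seam reference manual or the Seam project) showing how application code drives user and role administration through the identityManager API described above rather than through the identity store directly. The method names (userExists, createUser, createRole, grantRole, revokeRole, disableUser, isUserEnabled, changePassword, authenticate, getGrantedRoles, deleteUser, listUsers, roleExists) are assumed from Seam 2's IdentityManager and should be checked against the version in use; the component name userAdmin and the package are hypothetical.

```java
package example.security; // hypothetical package for this added example

import java.util.ArrayList;
import java.util.List;

import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.management.IdentityManager;

/**
 * Added example: user and role administration through the identityManager API.
 * Because every call goes through IdentityManager, this code does not change
 * when components.xml switches the backing store between JPA and LDAP.
 */
@Name("userAdmin")
@Scope(ScopeType.EVENT)
public class UserAdmin {

    // Injected by Seam; the IdentityStore(s) behind it are chosen in components.xml.
    @In
    IdentityManager identityManager;

    /**
     * Provision a new account: create it, grant its initial role, and leave it
     * enabled only when the caller asks for that. Each IdentityManager method is
     * itself permission-checked (seam.user / seam.role permissions, assumed from
     * Seam 2), so a caller without those rights is rejected rather than silently
     * creating an account.
     */
    public boolean provision(String username, String password, String role, boolean enabled) {
        if (identityManager.userExists(username)) {
            return false; // never overwrite an existing account
        }
        if (!identityManager.createUser(username, password)) {
            return false;
        }
        if (!identityManager.roleExists(role)) {
            identityManager.createRole(role);
        }
        identityManager.grantRole(username, role);
        if (!enabled) {
            identityManager.disableUser(username); // account exists but cannot log in yet
        }
        return true;
    }

    /** Rotate a password and report whether the new credential authenticates. */
    public boolean rotatePassword(String username, String newPassword) {
        return identityManager.changePassword(username, newPassword)
            && identityManager.authenticate(username, newPassword);
    }

    /** Offboard an account: revoke every granted role first, then delete the user. */
    public boolean offboard(String username) {
        for (String role : identityManager.getGrantedRoles(username)) {
            identityManager.revokeRole(username, role);
        }
        return identityManager.deleteUser(username);
    }

    /** Audit helper: disabled accounts that still hold roles (stale privilege). */
    public List<String> disabledUsersWithRoles() {
        List<String> result = new ArrayList<String>();
        for (String user : identityManager.listUsers()) {
            if (!identityManager.isUserEnabled(user)
                    && !identityManager.getGrantedRoles(user).isEmpty()) {
                result.add(user);
            }
        }
        return result;
    }
}
```

The point of routing everything through identityManager is that authorization on the administrative operations themselves (who may create users or grant roles) is enforced in one place, and that the same code works whether the identity store configured in components.xml is JpaIdentityStore, LdapIdentityStore, or a mix of the two for users and roles.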
15.4.1. Configuring IdentityManager
The identityManager component allows you to configure separate identity stores for authentication and authorization. This means that users can be authenticated against one identity store (for example, an LDAP directory), but have their roles loaded from another identity store (such as a relational database).
Seam provides two IdentityStore implementations out of the box. The default, JpaIdentityStore, uses a relational database to store user and role information. The other implementation is LdapIdentityStore, which uses an LDAP directory to store users and roles.
The identityManager component has two configurable properties: identityStore and roleIdentityStore. The value for these properties must be an EL expression that refers to a Seam component implementing the IdentityStore interface. If left unconfigured, the default (JpaIdentityStore) will be used. If only the identityStore property is configured, the same value will be used for roleIdentityStore. For example, the following entry in components.xml will configure identityManager to use an LdapIdentityStore for both user-related and role-related operations:
<security:identity-manager identity-store="#{ldapIdentityStore}"/>
The following example configures identityManager to use an LdapIdentityStore for user-related operations, and JpaIdentityStore for role-related operations:
<security:identity-manager identity-store="#{ldapIdentityStore}" role-identity-store="#{jpaIdentityStore}"/>
The following sections explain each identity storage method in greater detail.