search

multi-tenant / grails-multi-tenant-single-db

Multi Tenant implementation for single database environments - Use grails-filtering and grails-hibernate-hijacker
Apache License 2.0
32 stars 25 forks source link

Change the registration order of the multi-tenant filter #18

Closed badock closed 11 years ago

badock commented 12 years ago

Hello,

I am using your plugin on a project where I have to associate the multi-tenant plugin and the spring security plugin. In this project, each tenant can have several spring-user/role/userRole, and those user/role/userRole belongs to one tenant.

My problem is that the multi-tenant filter is registered after the spring security filter.

Is there a way to force the registration of the multi-tenant plugin before the spring security plugin?

Thank you very much for your awesome work!

basejump commented 12 years ago

help me understand why this is a problem to have spring-security-filter registered first.

pmenhart commented 11 years ago

Current order of filters is based on assumption that SpringSecurityTenantResolver will determine tenant/customer based on currentUser.userTenantId. Because spring security comes first, all usernames must be globally unique!

I have to use an alternative approach, where users of each tenant are independent. Each tenant has an admin that will create new users as a self-service. Users have to be unique only within the domain. This is quite different from scenario implemented via the script mt-spring-security: I am using a DNS based TenantResolver. The domain User is handled as a regular '@MultiTenant'. However, the currentTenant must be established BEFORE springSecurityFilterChain will retrieve User.findByUsername() from database. Solution is to modify filter positions in webxml.FilterManager. As a proof of concept, I manually changed MultiTenantSingleDbGrailsPlugin.getWebXmlFilterOrder() from FilterManager.SITEMESH_POSITION - 100 to FilterManager.GRAILS_WEB_REQUEST_POSITION + 90 (i.e. before springSecurityFilterChain).

I see two ways how to solve this permanently:

  1. Make the filter position configurable in this plugin, or
  2. Override the position of tenantFilter via FilterManager.registerWebXmlFilterPosition at a suitable point in the application build process (probably a customized build script, I have no experience in this area). (3. It is actually possible to hardwire web.xml, but I am not keen to go this route.)

Please let me know your opinion. If 1. is acceptable, I can prepare a patch. If 2. is easy (any hints appreciated), then it should be documented for benefit of others with similar scenario.

sronderos commented 11 years ago

Pull request accepted