Closed badock closed 11 years ago
help me understand why this is a problem to have spring-security-filter registered first.
Current order of filters is based on assumption that SpringSecurityTenantResolver
will determine tenant/customer based on currentUser.userTenantId
. Because spring security comes first, all usernames must be globally unique!
I have to use an alternative approach, where users of each tenant are independent. Each tenant has an admin that will create new users as a self-service. Users have to be unique only within the domain.
This is quite different from scenario implemented via the script mt-spring-security
: I am using a DNS based TenantResolver
. The domain User
is handled as a regular '@MultiTenant'. However, the currentTenant
must be established BEFORE springSecurityFilterChain
will retrieve User.findByUsername()
from database.
Solution is to modify filter positions in webxml.FilterManager
. As a proof of concept, I manually changed MultiTenantSingleDbGrailsPlugin.getWebXmlFilterOrder()
from FilterManager.SITEMESH_POSITION - 100
to FilterManager.GRAILS_WEB_REQUEST_POSITION + 90
(i.e. before springSecurityFilterChain).
I see two ways how to solve this permanently:
tenantFilter
via FilterManager.registerWebXmlFilterPosition
at a suitable point in the application build process (probably a customized build script, I have no experience in this area).
(3. It is actually possible to hardwire web.xml
, but I am not keen to go this route.)Please let me know your opinion. If 1. is acceptable, I can prepare a patch. If 2. is easy (any hints appreciated), then it should be documented for benefit of others with similar scenario.
Pull request accepted
Hello,
I am using your plugin on a project where I have to associate the multi-tenant plugin and the spring security plugin. In this project, each tenant can have several spring-user/role/userRole, and those user/role/userRole belongs to one tenant.
My problem is that the multi-tenant filter is registered after the spring security filter.
Is there a way to force the registration of the multi-tenant plugin before the spring security plugin?
Thank you very much for your awesome work!