[ https://issues.apache.org/jira/browse/OFBIZ-5019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13527509#comment-13527509 ]

Carsten Schinzer commented on OFBIZ-5019:
-----------------------------------------

Further to this I do see a UtilityMethod on 
LoginWorker.setWebContextObjects(...) which takes care of placing information 
in the various contexts after login.

Firstly I think this very same method would be of use in the ContextFilter 
class as well (make it protected? is LoginWorker the correct place for this? 
should it not be part of ContextFilter and usable by LoginWorker?)

Secondly I can read in the implementation that this method just overwrites 
settings in the ServletContext ('just in case any of it has changed' as the 
method comment says) which IMHO is not a good use of that context. The 
ServletContext should contain Session-independent, basic configurations and 
remain unchanged throughout the lifecycle of the Servlet, i.e. as long as the JVM 
is up.

Any Session- (i.e. User-) dependent configuration should be added to the Session 
context.


                
> Multitenant delegator assignment not working correctly
> ------------------------------------------------------
>
>                 Key: OFBIZ-5019
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5019
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS, framework
>    Affects Versions: SVN trunk
>         Environment: multitenantuse = "Y"
> Tenant with no Domain setting or Tenant using different domain for backend 
> applications
>            Reporter: Carsten Schinzer
>              Labels: authentication, context, multitenancy, security
>         Attachments: 
> OFBIZ-5019_Multitenant_delegator_assignment_not_working_correctly.patch
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> This issue arises when Multitenancy is in use. It arises only on backend 
> applications (as typically the frontend store applications will use a context 
> variable defined in web.xml to determine the delegator to be used (i.e. the 
> database to use for data lookups etc)).
> The issue manifests as follows:
> * the wrong data is read for standard backoffice displays (e.g. orders, 
> accounts, etc.); it is the data from the default datasource, not the 
> tenant's data source
> * in the backend apps certain functions require authentication (checked 
> dynamically) and this will fail when the default delegator is used since the 
> tenant's user accounts will differ (if not in name then in password hashes) 
> from the default datasource -- this leads to authentication warnings all over 
> the place
> * one will not be able to manipulate data of course, either

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
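
The scoping concern raised in the comment above, as an added example (not code from OFBiz or from the attached patch): plain maps stand in for the ServletContext and the HttpSession to show why tenant-dependent state written to the shared context leaks between sessions. The class, method and attribute names and the tenant delegator names are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model: plain maps stand in for ServletContext (one per web app)
// and HttpSession (one per user). All names and values here are hypothetical.
public class ScopeLeakDemo {
    static final Map<String, Object> servletContext = new HashMap<>(); // shared by every session
    static final Map<String, Map<String, Object>> sessions = new HashMap<>();

    // Pattern criticised in the comment: login overwrites application-wide state.
    static void loginOverwritingServletContext(String sessionId, String tenantDelegator) {
        sessions.computeIfAbsent(sessionId, k -> new HashMap<>());
        servletContext.put("delegatorName", tenantDelegator);
    }

    // Pattern suggested in the comment: tenant-dependent state lives in the session only.
    static void loginUsingSession(String sessionId, String tenantDelegator) {
        sessions.computeIfAbsent(sessionId, k -> new HashMap<>())
                .put("delegatorName", tenantDelegator);
    }

    // Request-time lookup: session value first, application-wide default as fallback.
    static String resolveDelegator(String sessionId) {
        Map<String, Object> session =
                sessions.getOrDefault(sessionId, new HashMap<String, Object>());
        Object name = session.getOrDefault("delegatorName",
                servletContext.get("delegatorName"));
        return (String) name;
    }

    public static void main(String[] args) {
        servletContext.put("delegatorName", "default");
        loginOverwritingServletContext("s1", "default#tenantA");
        loginOverwritingServletContext("s2", "default#tenantB");
        // s1 logged in as tenant A but now resolves the value written by s2's login.
        System.out.println("shared scope,  s1 -> " + resolveDelegator("s1"));

        sessions.clear();
        servletContext.put("delegatorName", "default");
        loginUsingSession("s1", "default#tenantA");
        loginUsingSession("s2", "default#tenantB");
        System.out.println("session scope, s1 -> " + resolveDelegator("s1"));
        System.out.println("session scope, s2 -> " + resolveDelegator("s2"));
        // A request without a session falls back to the untouched default.
        System.out.println("no session        -> " + resolveDelegator("anon"));
    }
}
```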
