[ https://issues.apache.org/jira/browse/OFBIZ-5019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13558277#comment-13558277 ]
Carsten Schinzer commented on OFBIZ-5019:
-----------------------------------------
Meanwhile I did some research in the codebase regarding the question of where the
various code bits look up a delegator parameter. Searching for
'.getAttribute("delegator")' in any Java file of the code base gives
basically the following results:
- ContextFilter and LoginWorker do look up such attributes from Session, Visit
and HttpRequest
while
- any other Java class does this lookup from HttpRequest
Yet, I do not find any hint how the basic delegator lookup for backoffice
applications works except the following:
- when excluding the rewrite of delegatorName in the ServletContext from
ContextFilter, the backoffice apps do not show tenant data.
- when explicitly rewriting the ServletContext's attribute called "delegator",
then the backoffice applications do show tenant data
I am looking for any hint that would show how (or where) the backoffice
applications look up the delegator to use.
> Multitenant delegator assignment not working correctly
> -------------------------------------------------------
>
> Key: OFBIZ-5019
> URL: https://issues.apache.org/jira/browse/OFBIZ-5019
> Project: OFBiz
> Issue Type: Bug
> Components: ALL APPLICATIONS, framework
> Affects Versions: SVN trunk
> Environment: multitenantuse = "Y"
> Tenant with no Domain setting or Tenant using different domain for backend
> applications
> Reporter: Carsten Schinzer
> Labels: authentication, context, multitenancy, security
> Attachments:
> OFBIZ-5019_Multitenant_delegator_assignment_not_working_correctly.patch
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> This issue arises when Multitenancy is in use. It arises only on backend
> applications (as typically the frontend store applications will use a context
> variable defined in web.xml to determine the delegator to be used, i.e. the
> database to use for data lookups etc.).
> The issue manifests as follows:
> * the wrong data is read for standard backoffice displays (e.g. orders,
> accounts, etc.); it is the data from the default datasource, not the
> tenant's data source
> * in the backend apps certain functions require authentication (checked
> dynamically) and this will fail when the default delegator is used since the
> tenant's user accounts will differ (if not in name then in password hashes)
> from the default datasource -- this leads to authentication warnings all over
> the place
> * one will not be able to manipulate data of course, either