Consider keeping your roles "clean" and use the Permission model to grant access to specific Customer instances.
You can follow a permission model something like this:

    permissiveEntity:permission
    customer_12345:edit,view

Use this in conjunction with doGetAuthorizationInfo in an extended AuthorizingRealm and return permissions in a List<String> (e.g. customer_12345:edit,view). You'll need to keep an application-level persistent mapping of User to Entity access.

I used this technique combined with Roles recently in a similar type of application very successfully to tightly control access to anything I wanted. Within code I could check for permission with something like the line below, as well as use the Shiro Taglibs where appropriate.

    if ( SecurityUtils.getSubject().isPermitted(permissiveEntity+":edit"))

Good luck!

--
View this message in context: http://shiro-user.582556.n2.nabble.com/multi-tenant-authorization-tp7135267p7142133.html
Sent from the Shiro User mailing list archive at Nabble.com.
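The realm the reply describes, written out as an added example (not code from the original post or from the Shiro project): a subclass of AuthorizingRealm whose doGetAuthorizationInfo returns "customer_<id>:<actions>" permission strings looked up from a per-user mapping, plus the matching isPermitted check. The class name CustomerPermissionRealm, the helper customerPermission, and the in-memory PASSWORDS and PERMISSIONS maps are assumptions standing in for the persistent User-to-Entity mapping the reply says you must keep; Shiro's WildcardPermission semantics mean the stored "customer_12345:edit,view" satisfies a check for "customer_12345:edit".

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Realm that grants per-customer permissions from an application-level user -> entity mapping. */
public class CustomerPermissionRealm extends AuthorizingRealm {

    // Constructed sample data (hypothetical) standing in for the persistent User -> Entity mapping.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> PERMISSIONS = new HashMap<>();
    static {
        PASSWORDS.put("alice", "alice-secret");
        PERMISSIONS.put("alice", new HashSet<>(Arrays.asList(
                "customer_12345:edit,view",   // full access to one customer instance
                "customer_67890:view")));     // read-only on another
        PASSWORDS.put("bob", "bob-secret");
        PERMISSIONS.put("bob", Collections.singleton("customer_67890:edit,view"));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = (String) token.getPrincipal();
        String password = PASSWORDS.get(username);
        if (password == null) {
            return null; // unknown account; Shiro turns this into UnknownAccountException
        }
        // Default SimpleCredentialsMatcher compares the submitted password with this one.
        return new SimpleAuthenticationInfo(username, password, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("user"); // roles stay coarse; entity access comes only from permissions
        info.addStringPermissions(PERMISSIONS.getOrDefault(username, Collections.emptySet()));
        return info;
    }

    /** Builds the "customer_<id>:<action>" string that is checked against the subject. */
    static String customerPermission(String customerId, String action) {
        return "customer_" + customerId + ":" + action;
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new CustomerPermissionRealm());
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "alice-secret"));

        // Three checks: a customer alice may edit, one she may only view, one she has no mapping for.
        for (String[] check : new String[][] {{"12345", "edit"}, {"67890", "edit"}, {"99999", "view"}}) {
            String perm = customerPermission(check[0], check[1]);
            System.out.println(perm + " -> " + subject.isPermitted(perm));
        }
        subject.logout();
    }
}
```

In a web application the same isPermitted call is what the Shiro tag library's shiro:hasPermission tag evaluates, so the page and the controller layer share one permission string format; keeping the customer id in the permission rather than minting a role per customer is what keeps the role set small as tenants are added.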
