Dear Les et al,

I'm building a multi-tenant SaaS servlet app, where everyone gets to use their preferred domain name with the app.

Although I had a very good look at the shiro-multitenant-sample, I chose not to use the ThreadLocal / Filter based approach in my app, because IMHO it seemed to be not the best bolt-on to Shiro's otherwise clean design. Instead, in my custom realm, I inspect the UsernamePasswordToken in doGetAuthenticationInfo() for the hostname and pass that as part of my database query, which this thread seems to suggest is OK: http://shiro-user.582556.n2.nabble.com/Integrating-Shiro-Am-i-writing-too-much-code-td6048755.html

Now, I've started implementing a custom CacheManager so that users can stay logged into the site over long periods of time, and I just realized that there would be a security flaw if I did this. E.g. users could potentially migrate their session between tenants. I don't think that's optimal for a security-related framework; I could see others easily making the same mistake. I have a feeling this could be a potential bug with Shiro's DefaultSessionManagers.

Anyway, to wrap up, I'd really like to see first-class multi-tenant support in Shiro. I think the obvious design is the right one, and that a simple string or long integer (that can be mapped to a tenant) should be passed around the user-facing APIs. So I'd like to know:

1) If I make the change in Shiro, will you incorporate the patch? I need this urgently, so if you tell me how you would want it done, I will do exactly what you want.

2) Also, if you can give feedback about how I can achieve my goal with the current framework, that would be great. I want #1 regardless, but if I'm mistaken about the security bug then your thoughts on how I can achieve my goal (long-term multi-tenant sessions) would also be a huge help.

Thanks,
Alex
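
The session-migration gap described in the post (a session created on one tenant's host being presented on another tenant's host once sessions are shared across a long-lived cache) is closed by recording the tenant inside the authenticated principal and re-checking it on every request. The following is an added illustration, not Shiro's own code and not the poster's: the realm resolves the tenant from UsernamePasswordToken.getHost() at login and stores it in the principal, and a small Shiro web filter rejects any request whose server name maps to a different tenant than the one the session was opened for. TenantPrincipal and TenantAccountStore are hypothetical types standing in for the poster's database query; the Shiro classes are the real ones from shiro-core and shiro-web. The check is placed in an AdviceFilter because that is where Shiro exposes the request host after session resolution; the same comparison can be made anywhere the request host and the subject are both available.

```java
// Added example: tenant bound into the principal at login, verified per request.
// Not code from Shiro or from the original poster.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.servlet.AdviceFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import java.io.Serializable;
import java.util.Objects;

/** Hypothetical principal type: the user name plus the tenant it was authenticated for. */
final class TenantPrincipal implements Serializable {
    final String username;
    final String tenantId;

    TenantPrincipal(String username, String tenantId) {
        this.username = Objects.requireNonNull(username);
        this.tenantId = Objects.requireNonNull(tenantId);
    }

    @Override public boolean equals(Object o) {
        return o instanceof TenantPrincipal
            && username.equals(((TenantPrincipal) o).username)
            && tenantId.equals(((TenantPrincipal) o).tenantId);
    }
    @Override public int hashCode() { return Objects.hash(username, tenantId); }
    @Override public String toString() { return username + "@" + tenantId; }
}

/** Hypothetical lookup abstraction standing in for the poster's database query. */
interface TenantAccountStore {
    /** Tenant id for a request host, or null if the host belongs to no tenant. */
    String tenantForHost(String host);
    /** Stored credential for an account inside one tenant, or null if absent. */
    String credentialFor(String tenantId, String username);
}

/** Realm that scopes the account lookup to the tenant derived from the login host. */
public class TenantRealm extends AuthorizingRealm {
    private final TenantAccountStore store;

    public TenantRealm(TenantAccountStore store) { this.store = store; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        String tenantId = store.tenantForHost(upt.getHost());
        if (tenantId == null) {
            throw new UnknownAccountException("host is not a known tenant");
        }
        String credential = store.credentialFor(tenantId, upt.getUsername());
        if (credential == null) {
            throw new UnknownAccountException("no such account in this tenant");
        }
        // The principal carries the tenant, so a resumed session records which
        // tenant it was opened for. The realm's CredentialsMatcher compares the
        // submitted password with the stored credential as usual.
        return new SimpleAuthenticationInfo(
            new TenantPrincipal(upt.getUsername(), tenantId), credential, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        TenantPrincipal p = (TenantPrincipal) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Every role/permission handed out is prefixed with the tenant so that
        // authorization checks cannot succeed across tenant boundaries.
        info.addRole("tenant:" + p.tenantId + ":user");
        return info;
    }
}

/** Rejects a request whose host maps to a tenant other than the session's tenant. */
class TenantBindingFilter extends AdviceFilter {
    private final TenantAccountStore store;

    TenantBindingFilter(TenantAccountStore store) { this.store = store; }

    @Override
    protected boolean preHandle(ServletRequest request, ServletResponse response) {
        Subject subject = SecurityUtils.getSubject();
        Object principal = subject.getPrincipal();
        if (!(principal instanceof TenantPrincipal)) {
            return true; // anonymous request: nothing to bind yet
        }
        String requestTenant = store.tenantForHost(request.getServerName());
        if (!Objects.equals(((TenantPrincipal) principal).tenantId, requestTenant)) {
            subject.logout(); // session presented on another tenant's host: drop it
            return false;     // stop the filter chain; caller decides the response
        }
        return true;
    }
}
```

Configured in shiro.ini the filter would sit ahead of the application's URL rules so that the tenant comparison runs before any authorization check. Because the tenant lives in the principal rather than in a ThreadLocal, the check does not depend on request-scoped state being set up correctly on every entry point.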
