Reputation: 49
What's the best way to pass tenant id through an application in a Multi Tenant Architecture
Our company has a multi tenant asp.net web application. The application is 3 tier e.g. website,business and dataaccess. We hold the tenant id in session after the user logs in.
When we need to get a list of 'customers or orders' we pass the tenant id from the website to the business to the data access and then to the database (and query for customers or orders for that tenant). (almost every business function takes tenantId as a parameter)
Sometimes when creating new functions developers forget to add the tenant id from the website to the database, causing a security issue.
Is there a way we could do this so that the developers dont need to always remember to pass the tenant id.
Any suggestions on how best to resolve this issue.
Upvotes: 2
Views: 1700
Answers (4)
Reputation: 81
public class CommonService
{
public int getTenantId()
{
//do your validations and error handlings
string tid = session["tenantId"] // or get it from customs claims principal or set it in a httpcontext.current.items
return tid;
}
}
Then use the service in every business object to get the tenant id and pass it to the data layer without depending on the developers to do it. Its a very big security hole, missing an tenantId might return data which the user is not supposed to see and might shutdown the company
Upvotes: 2
Reputation: 1339
One approach would be to create a View per table per tenant (may not be practical depending on the number of tenants you have and how frequently they change) and deny access to the application to the underlying tables.
This article explains how to do this as well as several other approaches and their performance tradeoffs: http://msdn.microsoft.com/en-us/library/aa479086.aspx
Upvotes: 0
Reputation: 18215
It sounds like you are passing all the values around individually.
If you construct an object that you can pass around freely, you will always have the information you need. I would assume that the UserId is always associated with a tenant. Can you build a simple object, store it in the session and then pass it to all functions needing it.
class user{ int userID; int tenantID; }
Upvotes: 0
Reputation: 3891
If you have a value in the Session and you need it in the database queries, you have to propagate it through the tiers to the database queries.
If your developers sometimes forget to pass the value and they get security issues, that is actually not a security issue but a security feature.
If the database needs that id, then the business layer methods should have parameters for it. How can they forget it?
Upvotes: 0
Related Questions
- Is Passing Tenant ID in JWT Token a good practice?
- ASP.NET multi-Tenant Application
- how to implement a Multi-Tenant-Asp.net MVC application?
- Store tenant id in the asp.net session?
- Multi-tenant ASP.Net MVC application - Where to store tenant specific data
- Access TenantId in Model Project in ASP.NET MVC
- How to handle ClientId in multi-tenant database
- Handling data access in multi tenant site
- multi-tenant asp.net
- Pass tenant id via sql server connection