Hi, we are thinking about using Shiro as the basis for our multi-tenant architecture. Shiro is intended to be used as a kind of "smart" API/abstraction for an OAuth 2.0 authorization/authentication infrastructure.

Further, there will be at least three levels of interaction contexts:

Level 0: Admins, batching, backup, etc.
Level 1: Tenants (B2B partners)
Level 2: Customers/users that are "owned" by the Level 1 tenants

For this concept we would like to leverage the runAs() feature. So imagine a product-management capability (or app) that is reachable at /products the "REST" way. It would be required that the administrator who is responsible for bootstrapping this app has the corresponding permissions, e.g. products:bootstrap:*.

Now, to model or express the interactions (on the REST channel) with this app for a given tenant, we are thinking about using the expression Administrator.runAs(Tenant1); The same principle applies to the interaction with the users: Administrator.runAs(Tenant1.runAs(User1)); This principle can theoretically be extended to more levels, but for now these three levels are fine.

The question is whether Shiro considers runAs() per session or whether this is independent of a given session. That means an administrator will runAs() for Tenant1 and Tenant2 at the SAME time but within different sessions. The same for tenant and user, but with many more possible sessions.

The motivation for this concept is a fully transparent multi-tenant architecture. That means that during the development of business features it is not required to consider tenants, as the concrete tenant will be retrieved using isRunAs() and getPreviousPrincipals() by the framework and injected into all interactions with the domain model.

Thank you guys for any feedback or ideas.

Best regards,
jj
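An added example (not from the post above or from Shiro itself) of how the three-level run-as design described there could be expressed against Shiro's Subject API: two nested runAs() calls and a resolver that derives the tenant from isRunAs() and getPreviousPrincipals(). The TenantPrincipal/UserPrincipal classes, the realm name and the TenantContext helper are hypothetical.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical helper: pushes tenant/user run-as levels and resolves the tenant for the current call. */
public final class TenantContext {

    private static final String REALM = "tenantRealm"; // assumed realm name

    /** Level 1: the already-authenticated admin starts acting as a tenant. */
    public static void enterTenant(String tenantId) {
        Subject subject = SecurityUtils.getSubject();
        subject.checkPermission("products:bootstrap:*"); // admin must hold the bootstrap permission first
        subject.runAs(new SimplePrincipalCollection(new TenantPrincipal(tenantId), REALM));
    }

    /** Level 2: within a tenant context, additionally act as one of that tenant's users. */
    public static void enterUser(String userId) {
        Subject subject = SecurityUtils.getSubject();
        if (!(subject.getPrincipal() instanceof TenantPrincipal)) {
            throw new IllegalStateException("enterUser() requires an active tenant run-as context");
        }
        subject.runAs(new SimplePrincipalCollection(new UserPrincipal(userId), REALM));
    }

    /** Returns the tenant the current interaction belongs to, or null outside any tenant context. */
    public static String currentTenant() {
        Subject subject = SecurityUtils.getSubject();
        if (!subject.isRunAs()) {
            return null; // Level 0: plain admin/batch session, no tenant involved
        }
        Object current = subject.getPrincipal();
        if (current instanceof TenantPrincipal) {
            return ((TenantPrincipal) current).id; // Level 1: admin runAs(tenant)
        }
        // Level 2: tenant runAs(user); the tenant is one step back on the run-as stack
        Object previous = subject.getPreviousPrincipals().getPrimaryPrincipal();
        return previous instanceof TenantPrincipal ? ((TenantPrincipal) previous).id : null;
    }

    /** Leaves the innermost run-as level (user first, then tenant). */
    public static void leave() {
        SecurityUtils.getSubject().releaseRunAs();
    }

    static final class TenantPrincipal { final String id; TenantPrincipal(String id) { this.id = id; } }
    static final class UserPrincipal   { final String id; UserPrincipal(String id)   { this.id = id; } }
}
```

Shiro's default DelegatingSubject keeps the run-as principal stack as an attribute of the Subject's session, so each session carries its own stack and an admin can be in a Tenant1 context in one session and a Tenant2 context in another; a caller without a session gets one created on the first runAs().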
