What is the best practice to handle Multitenant security in Breeze?

Question

I'm developing an Azure application using this stack:

(Client) Angular/Breeze

(Server) Web API/Breeze Server/Entity Framework/SQL Server

With every request I want to ensure that the user actually has the authorization to execute that action using server-side code. My question is how to best implement this within the Breeze/Web API context.

Is the best strategy to:

1. Modify the Web API Controller and try to analyze the contents of the Breeze request before passing it further down the chain?

2. Modify the EFContextProvider and add an authorization test to every method exposed?

3. Move the security all into the database layer and make sure that a User GUID and Tenant GUID are required parameters for every query and only return relevant data?

4. Some other solution, or some combination of the above?

Answer 1

If you are using Sql Azure then one option is to use Azure Federation to do exactly that.

In a very simplistic term if you have TenantId in your table which stores data from multiple tenants then before you execute a query like SELECT Col1 FROM Table1, you execute USE FEDERATION... statement to restrict the query results to a particular TenantId only, and you don't need to add WHERE TenantId=@TenantId to your query,

USE FEDERATION example: http://msdn.microsoft.com/en-us/library/windowsazure/hh597471.aspx

Note that use of Sql Azure Federation comes with lots of strings attached when it comes to Building a DB schema one of the best blog I have found about it is http://blogs.msdn.com/b/cbiyikoglu/archive/2011/04/16/schema-constraints-to-consider-with-federations-in-sql-azure.aspx.