Skip to main content

How to implement multi-tenancy with subdomains using Route Constraint in ASP.NET MVC

According to Wikipedia, The term "software multitenancy" refers to a software architecture in which a single instance of software runs on a server and serves multiple tenants. A tenant is a group of users who share a common access with specific privileges to the software instance. With a multitenant architecture, a software application is designed to provide every tenant a dedicated share of the instance - including its data, configuration, user management, tenant individual functionality and non-functional properties. Multitenancy contrasts with multi-instance architectures, where separate software instances operate on behalf of different tenants. By giving companies, access to a tenant through a subdomain of choice, will help to personalise the experience more and gives a sense of ownership to each tenant. This will go along way to bring consistency in there branding.

Implementing Route Constraint

You use route constraints to restrict the browser requests that match a particular route. To make this most easy, we shall be making our class to inherit the IRouteConstraint interface and this will help to route all specific tenant request. What then is an IRouteConstraint, according to msdn, IRouteConstraint Defines the contract that a class must implement in order to check whether a URL parameter value is valid for a constraint. The following implementation will get the tenant id and add it to route value dictionary.

public class RoutingConstraint : IRouteConstraint  
   public bool Match(HttpContextBase httpContext, Route route, string getParameter, RouteValueDictionary values, RouteDirection routeDirection)
    var GetAddress = httpContext.Request.Headers["Host"].Split('.');
       if (GetAddress.Length < 2)
           return false;

       var tenant = GetAddress[0];
       if (!values.ContainsKey("tenant"))
           values.Add("tenant", tenantId);

       return true;

Modify the Routes by adding the Route Constraints

           name: "Default", url: "{controller}/{action}/{id}",
           defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional },
           constraints: new { TenantRouting = new RoutingConstraint() }

To get the tenant id from the controller that processes the request, simply add

public ActionResult Index()  
   var mytenant = this.RouteData.Values["tenant"]; // it will extract tenant data
   return View();


With the implementation, we can identify tenant specific data a user is trying to access.


Popular posts from this blog

How to implement RESTful API Versioning in ASP.NET Web API 2 using IHttpRouteConstraint

The only thing constant in life is change, and that is proved everyday in our industry, API’s are cool to extend the functionality of your application and expose it to other developers. The cool thing about IT and software, it’s that things changes quite rapidly and so it’s the technology, hence technology can change and the needs of your organisation can change, hence in order to keep serving this evolving needs and keep been relevant, your api might need to change also. Small changes can be accommodated within the initial version, but changes that will risked breaking the existing code, will required the need for versioning.

Implementing a custom IHttpRouteConstraint

According to msdn, a IHttpRouteConstraint simply Represents a base class route constraint. What then is a route constraint? A route constraint simply gets or sets a dictionary of expressions that specify valid values for a URL parameter.

publicclassApiVersionRouteConstraint : IHttpRouteConstraint


Top 4 Ways To Stop Mass Assignment Attack in ASP.NET Core MVC

Mass assignment or over posting is an attack on websites that binds models to request. This is where active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status. Because the attack is use to set or alter values that the developers does not expect to be by the user.

Scenarios of Mass Assignment Attack

To demonstrate how mass attack work, take for instance a web application, that has many users with different level of privileges and roles on the website. Each user is restricted on some point on what and what not to do while on the website, with the admin as the only user that have absolute role to control and do all things in the website. With mass attack a user can simply take over the role of the admin in the website and start doing things that is outside his roles and privileges.

For Instance, Let say you have a model:

public class UserModel
public string U…