Multitenancy with Spring Boot using Postgres Row Level Security

In this post I will show you how to provide multitenancy in a Spring Boot application using Postgres Row Level Security Feature.

Table of contents

What Is Multitenancy

As soon as your application has multiple customers you will need to implement some kind of multitenancy for your application.

Microsoft writes on multitenant applications:

A multitenant application is a shared resource that allows separate users, or "tenants," to view the application as though it was their own. A typical scenario that lends itself to a multitenant application is one in which all users of the application may wish to customize the user experience but otherwise have the same basic business requirements.

The best introduction to multitenant applications I have found is written by Microsoft at:

Multitenant Models

There are several models to achieve multitenancy in an application:

  1. Database per Tenant
    • Each Tenant has its own database and is isolated from other tenants.
  2. Shared database, Separate Schema
    • All Tenants share a database, but have their own database schemas and their own tables.
  3. Shared Database, Shared Schema
    • All Tenants share a database and tables. Every table has a Column with the Tenant Identifier, that shows the owner of the row.

Think about it like this (taken from StackExchange Software Engineering):

  1. Database per Tenant: Every Tenant has its own house.
  2. Shared Database, Separate Schema: Every Tenant in the same building, but has its own apartment.
  3. Shared Database, Shared Schema: Everyone is living in the same apartment and all stuff is marked with sticky-notes to show who owns it.

Every model is a trade-off between isolation and resource sharing, which is explained in detail at:

In a previous post I have shown how to implement a Database per Tenant approach, in this post we will see how to provide Multitenancy in a Shared Database, Shared Schema.

The implementation idea is based on a great article by the Amazon Team:

Spring Boot Example

The GitHub repository for this post can be found at:

In this example we are going to develop a multitenant application to manage customers.

Creating the Databases

First of all create the user philipp for connecting to the databases:

PS C:\Users\philipp> psql -U postgres
psql (9.4.1)
postgres=# CREATE USER philipp WITH PASSWORD 'test_pwd';

Then we can create the database and set the owner to philipp:

postgres=# CREATE DATABASE sampledb
postgres-#   WITH OWNER philipp;

SQL Script

Now execute the following SQL Script to create the Schema, Tables and Policy. The script also create the app_user, that is used to connect to the database. The repository also comes with a Batch Script and a Shell Script to create the database.

DO $$

-- Create the Schema     --
IF NOT EXISTS (SELECT 1 FROM information_schema.schemata WHERE schema_name = 'sample') THEN

    CREATE SCHEMA sample;


-- Create the Table      --
    SELECT 1 
    FROM information_schema.tables 
    WHERE  table_schema = 'sample' 
    AND table_name = 'customer'

CREATE TABLE sample.customer
    customer_id SERIAL PRIMARY KEY,
    first_name VARCHAR(255) NOT NULL,
    last_name VARCHAR(255) NOT NULL,
    tenant_name VARCHAR(255) NOT NULL


-- Enable RLS            --

-- Create the RLS Policy --

DROP POLICY IF EXISTS tenant_isolation_policy ON sample.customer;

CREATE POLICY tenant_isolation_policy ON sample.customer
    USING (tenant_name = current_setting('app.current_tenant')::VARCHAR);

-- Create the app_user   --
  SELECT FROM pg_catalog.pg_roles
  WHERE  rolname = 'app_user') THEN

  CREATE ROLE app_user LOGIN PASSWORD 'app_user';

-- Grant Access to the Schema --
GRANT USAGE ON SCHEMA sample TO app_user;
GRANT ALL ON SEQUENCE sample.customer_customer_id_seq TO app_user;


Project Structure

It's useful to take a look at the Project structure first:

Project Overview

The purpose of the various classes:

  • async
    • AsyncConfig
      • Provides a TaskExecutor decorated for TenantAware Processing.
    • TenantAwareTaskDecorator
      • Adds a Spring Boot TaskDecorator, that passes the TenantName to a Child Thread.
  • core
    • ThreadLocalStorage
      • Stores the Tenant Identifier in a ThreadLocal.
  • datasource
    • TenantAwareHikariDataSource
      • Overrides the HikariDataSource#getConnection method to set the Tenant information for the connection.
  • model
    • Customer
      • The Customer entity, which will be managed in each Tenant Database.
  • repositories
    • ICustomerRepository
      • A CRUD Repository to persist customers.
  • web
    • configuration
      • WebMvcConfig
        • Configures the Spring MVC interceptors.
    • controllers
      • CustomerController
        • Implements a REST Webservice for persisting and deleting Customers.
    • converter
      • Converters
        • Converts between the Domain Model and the Data Transfer Object.
    • interceptor
      • TenantNameInterceptor
        • Extracts the Tenant Identifier from an incoming request.


Storing Tenant Identifier

The ThreadLocalStorage class wraps a ThreadLocal to store the Tenant data in the current thread context.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.core;

public class ThreadLocalStorage {

    private static ThreadLocal<String> tenant = new ThreadLocal<>();

    public static void setTenantName(String tenantName) {

    public static String getTenantName() {
        return tenant.get();


Creating the TenantAwareHikariDataSource

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.datasource;

import com.zaxxer.hikari.HikariDataSource;
import de.bytefish.multitenancy.core.ThreadLocalStorage;

import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;

public class TenantAwareHikariDataSource extends HikariDataSource {

    public Connection getConnection() throws SQLException {
        Connection connection = super.getConnection();

        try (Statement sql = connection.createStatement()) {
            sql.execute("SET app.current_tenant = '" + ThreadLocalStorage.getTenantName() + "'");

        return connection;

    public Connection getConnection(String username, String password) throws SQLException {
        Connection connection = super.getConnection(username, password);

        try (Statement sql = connection.createStatement()) {
            sql.execute("SET app.current_tenant = '" + ThreadLocalStorage.getTenantName() + "'");

        return connection;


Domain Layer

The Customer Entity

The Customer Entity models the Customer entity. We are using the annotations from the javax.persistence namespace to annotate the domain model and set the database columns. Hibernate plays nicely with these annotations.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.model;

import javax.persistence.*;

@Table(schema = "sample", name = "customer")
public class Customer {

    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "customer_id")
    private Long id;

    @Column(name = "first_name")
    private String firstName;

    @Column(name = "last_name")
    private String lastName;

    @Column(name = "tenant_name")
    private String tenantName;

    protected Customer() {

    public Customer(Long id, String firstName, String lastName, String tenantName) { = id;
        this.firstName = firstName;
        this.lastName = lastName;
        this.tenantName = tenantName;

    public Long getId() {
        return id;

    public String getFirstName() {
        return firstName;

    public String getLastName() {
        return lastName;

    public String getTenantName() {
        return tenantName;

The Customer Repository

Adding CRUD functionality is simple with Spring Boot, which provides a so called CrudRepository. You simply extend from the CrudRepository interface and Spring automatically provides all CRUD functionality for your entity.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.repositories;

import de.bytefish.multitenancy.model.Customer;

public interface ICustomerRepository extends CrudRepository<Customer, Long> {

The Web Layer

Extracting the Tenant Information

There are several ways to extract the tenant identifier from an incoming request. The Webservice client will send a HTTP Header with the name X-TenantID in the example. In Spring MVC you can implement a HandlerInterceptorAdapter to intercept an incoming request and extract data from it.

The TenantNameInterceptor reads the X-TenantID header and stores its value in the ThreadLocalStorage.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.web.interceptors;

import de.bytefish.multitenancy.core.ThreadLocalStorage;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TenantNameInterceptor extends HandlerInterceptorAdapter {
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        // Implement your logic to extract the Tenant Name here. Another way would be to
        // parse a JWT and extract the Tenant Name from the Claims in the Token. In the
        // example code we are just extracting a Header value:
        String tenantName = request.getHeader("X-TenantID");

        // Always set the Tenant Name, so we avoid leaking Tenants between Threads even in the scenario, when no
        // Tenant is given. I do this because if somehow the afterCompletion Handler isn't called the Tenant Name
        // could still be persisted within the ThreadLocal:

        return true;

    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {

        // After completing the request, make sure to erase the Tenant from the current Thread. It's
        // because Spring may reuse the Thread in the Thread Pool and you don't want to leak this
        // information:

Data Transfer Object and Converter

You should always separate your Web Layer from the Domain Layer. In an ideal world Web Layer should only care about receiving and sending Data Transfer Objects to the consumer. It should know how to convert between the Data Transfer Object and the Domain model, so it can use the Domain repositories.

The CustomerDto Data Transfer Object uses Jackson annotations to provide the JSON mapping.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.web.model;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;

public class CustomerDto {

    private final Long id;

    private final String firstName;

    private final String lastName;

    public CustomerDto(@JsonProperty("id") Long id, @JsonProperty("firstName") String firstName, @JsonProperty("lastName") String lastName) { = id;
        this.firstName = firstName;
        this.lastName = lastName;

    public Long getId() {
        return id;

    public String getFirstName() {
        return firstName;

    public String getLastName() {
        return lastName;

And the Converters class provides two methods to convert between the CustomerDto and the Customer model.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.web.converter;

import de.bytefish.multitenancy.model.Customer;
import de.bytefish.multitenancy.web.model.CustomerDto;

import java.util.List;

public class Converters {

    private Converters() {


    public static CustomerDto convert(Customer source) {
        if(source == null) {
            return null;

        return new CustomerDto(source.getId(), source.getFirstName(), source.getLastName());

    public static Customer convert(CustomerDto source, String tenantName) {
        if(source == null) {
            return null;

        return new Customer(source.getId(), source.getFirstName(), source.getLastName(), tenantName);

    public static List<CustomerDto> convert(Iterable<Customer> customers) {
        return, false)


Implementing the RESTful Webservice with Spring MVC requires us to implement a RestController. We are using the ICustomerRepository for querying the database and using the Converters to convert between both representations.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.web.controllers;

import de.bytefish.multitenancy.core.ThreadLocalStorage;
import de.bytefish.multitenancy.model.Customer;
import de.bytefish.multitenancy.repositories.ICustomerRepository;
import de.bytefish.multitenancy.web.converter.Converters;
import de.bytefish.multitenancy.web.model.CustomerDto;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;

public class CustomerController {

    private final ICustomerRepository repository;

    public CustomerController(ICustomerRepository repository) {
        this.repository = repository;

    public List<CustomerDto> getAll() {
        Iterable<Customer> customers = repository.findAll();

        return Converters.convert(customers);

    public CustomerDto get(@PathVariable("id") long id) {
        Customer customer = repository

        return Converters.convert(customer);

    public List<CustomerDto> getAllAsync() throws ExecutionException, InterruptedException {
        return repository.findAllAsync()
                .thenApply(x -> Converters.convert(x))

    public CustomerDto post(@RequestBody CustomerDto customer) {
        // Get the current Tenant:
        String tenantName = ThreadLocalStorage.getTenantName();

        // Convert to the Domain Object:
        Customer source = Converters.convert(customer, tenantName);

        // Store the Entity:
        Customer result =;

        // Return the DTO:
        return Converters.convert(result);

    public void delete(@PathVariable("id") long id) {



To configure Spring MVC, we need to extend the WebMvcConfigurer and add the TenantNameInterceptor to the list of interceptors.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy.web.configuration;

import de.bytefish.multitenancy.web.interceptors.TenantNameInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

public class WebMvcConfig implements WebMvcConfigurer {

    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new TenantNameInterceptor());


Plugging it together

Finally it is time to plug everything together using Spring Boot. All we have to do is to define a Bean for the DataSource to be used. This is the TenantAwareHikariDataSource using the Postgres Driver and connection string.

I have also added some sane properties for Spring JPA, so Spring doesn't try to automatically detect the database.

All other dependencies are automatically resolved by Spring Boot.

// Copyright (c) Philipp Wagner. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

package de.bytefish.multitenancy;

import com.zaxxer.hikari.HikariDataSource;
import de.bytefish.multitenancy.datasource.TenantAwareHikariDataSource;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.scheduling.annotation.EnableAsync;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.transaction.annotation.EnableTransactionManagement;

import javax.sql.DataSource;

public class SampleSpringApplication {

    public static void main(String[] args) {, args);

    public DataSource dataSource() {
        HikariDataSource dataSource = new TenantAwareHikariDataSource();

        dataSource.addDataSourceProperty("url", "jdbc:postgresql://");
        dataSource.addDataSourceProperty("user", "app_user");
        dataSource.addDataSourceProperty("password", "app_user");

        return dataSource;

Getting Rid if Warning

Spring Boot introduces a lot of magic to make things work with minimal coding... and sometimes convention over configuration introduces headaches. When Spring Boot starts there is no Tenant set in the Thread, so we cannot use things like automatic detection of the database.

So I have added a Properties file to configure Spring:

# Get Rid of the OIV Warning:
# Show the SQL Statements fired by JPA:
# Set sane Spring Hibernate properties:
# Prevent JPA from trying to Initialize...:
# ... and do not Auto-Detect the Database:
# Prevent Hibernate from Automatic Changes to the DDL Schema:

The same thing happens down in Hibernate internals, where it attempts to read Metadata to initialize JDBC settings. To prevent those connections, which we don't want to be done I have added a properties file which is automagically read by Hibernate:


Testing the Application

We start with inserting customers to the database of Tenant TenantOne:

> curl -H "X-TenantID: TenantOne" -H "Content-Type: application/json" -X POST -d "{\"firstName\" : \"Philipp\", \"lastName\" : \"Wagner\"}"  http://localhost:8080/customers


> curl -H "X-TenantID: TenantOne" -H "Content-Type: application/json" -X POST -d "{\"firstName\" : \"Max\", \"lastName\" : \"Mustermann\"}"  http://localhost:8080/customers


Getting a list of all customers for TenantOne will now return two customers:

> curl -H "X-TenantID: TenantOne" -X GET http://localhost:8080/customers


While requesting a list of all customers for TenantTwo returns an empty list:

> curl -H "X-TenantID: TenantTwo" -X GET http://localhost:8080/customers


We can now insert a customer into the TenantTwo database:

> curl -H "X-TenantID: TenantTwo" -H "Content-Type: application/json" -X POST -d "{\"firstName\" : \"Hans\", \"lastName\" : \"Wurst\"}"  http://localhost:8080/customers


Querying the TenantOne database still returns the two customers:

> curl -H "X-TenantID: TenantOne" -X GET http://localhost:8080/customers


Querying the TenantTwo database will now return the inserted customer:

> curl -H "X-TenantID: TenantTwo" -X GET http://localhost:8080/customers



It's really easy to provide multitenancy with Spring Boot and Postgres Row Level Security.

If you have troubles with the project, feel free to open an issue in the GitHub repository.