diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 11e27bca6f..0923ce15a4 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -75,7 +75,7 @@
 # eventlet_debug = false
 [pipeline:main]
-pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl slo dlo ratelimit tempauth container-quotas account-quotas proxy-logging proxy-server
+pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server
 [app:proxy-server]
 use = egg:swift#proxy
@@ -526,7 +526,7 @@ use = egg:swift#bulk
 [filter:container-quotas]
 use = egg:swift#container_quotas
-# Note: Put before both ratelimit and auth in the pipeline.
+# Note: Put after auth and staticweb in the pipeline.
 [filter:slo]
 use = egg:swift#slo
 # max_manifest_segments = 1000
@@ -543,8 +543,7 @@ use = egg:swift#slo
 # Time limit on GET requests (seconds)
 # max_get_time = 86400
-# Note: Put before both ratelimit and auth in the pipeline, but after
-# gatekeeper, catch_errors, and proxy_logging (the first instance).
+# Note: Put after auth and staticweb in the pipeline.
 # If you don't put it in the pipeline, it will be inserted for you.
 [filter:dlo]
 use = egg:swift#dlo
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py
index 096af45083..fb15195d4f 100644
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@@ -16,6 +16,7 @@
 from swift.common import utils as swift_utils
 from swift.common.middleware import acl as swift_acl
 from swift.common.swob import HTTPNotFound, HTTPForbidden, HTTPUnauthorized
 from swift.common.utils import register_swift_info
+import functools
 class KeystoneAuth(object):
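Review bot: The replacement note on `[filter:slo]` in the `@@ -526` hunk (and the matching one on `[filter:dlo]` in the `@@ -543` hunk) says where to place the filter but drops the reason the old note gave, so an operator has nothing to weigh it against, and the sample `[pipeline:main]` in the first hunk now lists slo and dlo after account-quotas while containing no staticweb at all. The rest of this diff binds the caller's identity into the keystoneauth authorize callback and auto-inserts dlo after the auth filters, which suggests the placement exists so that segment sub-requests are authorized as the original caller; I would say so in both notes: `# Note: Put after auth and staticweb in the pipeline, so that segment sub-requests are authorized with the caller's identity.` Whether tempauth, which the sample pipeline uses, needs the same identity binding as keystoneauth is not visible in this diff and is worth confirming before the sample recommends this order.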
@@ -103,7 +104,9 @@ class KeystoneAuth(object):
 self.logger.debug('Using identity: %r', identity)
 environ['keystone.identity'] = identity
 environ['REMOTE_USER'] = identity.get('tenant')
- environ['swift.authorize'] = self.authorize
+ env_identity = self._integral_keystone_identity(environ)
+ environ['swift.authorize'] = functools.partial(
+ self.authorize, env_identity)
 user_roles = (r.lower() for r in identity.get('roles', []))
 if self.reseller_admin_role in user_roles:
 environ['reseller_request'] = True
@@ -177,9 +180,7 @@ class KeystoneAuth(object):
 return s
 return None
- def authorize(self, req):
- env = req.environ
- env_identity = self._integral_keystone_identity(env)
+ def authorize(self, env_identity, req):
 tenant_id, tenant_name = env_identity['tenant']
 user_id, user_name = env_identity['user']
 referrers, roles = swift_acl.parse_acl(getattr(req, 'acl', None))
diff --git a/swift/proxy/server.py b/swift/proxy/server.py
index 057abab38c..59123ae8f2 100644
--- a/swift/proxy/server.py
+++ b/swift/proxy/server.py
@@ -56,10 +56,11 @@ required_filters = [
 {'name': 'catch_errors'},
 {'name': 'gatekeeper',
 'after_fn': lambda pipe: (['catch_errors']
- if pipe.startswith("catch_errors")
+ if pipe.startswith('catch_errors')
 else [])},
- {'name': 'dlo', 'after_fn': lambda _junk: ['catch_errors', 'gatekeeper',
- 'proxy_logging']}]
+ {'name': 'dlo', 'after_fn': lambda _junk: [
+ 'staticweb', 'tempauth', 'keystoneauth',
+ 'catch_errors', 'gatekeeper', 'proxy_logging']}]
 class Application(object):
diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py
index 70a4b33262..575dd7757e 100644
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
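Review bot: The identity captured at `env_identity = self._integral_keystone_identity(environ)` is bound into the partial once and then reused by every later call of `environ['swift.authorize']`, including sub-requests whose own environ may carry different identity headers, and nothing in the hunk says this is deliberate, so a later "simplification" back to reading `req.environ` inside authorize would silently reopen the gap the change closes. I would add above that line: `# Bind the caller's identity now: sub-requests reuse this callback and must not be authorized from their own environ.` The `@@ -177` hunk turns the public signature into `authorize(self, env_identity, req)`, so any direct caller of `KeystoneAuth.authorize(req)` now breaks; a docstring stating that `env_identity` is the identity captured in `__call__` and that callers should go through `environ['swift.authorize']` would document the contract (the method's body continues past the hunk). If `_integral_keystone_identity`, whose body is outside the hunk, can return None at this point, the partial captures None and `env_identity['tenant']` raises TypeError later instead of denying the request; worth confirming.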
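Review bot: The new `after_fn` for dlo names only the two in-tree auth filters, `tempauth` and `keystoneauth`, so a deployment that runs a third-party auth middleware still gets dlo auto-inserted ahead of it, restoring exactly the pre-auth placement the rest of this diff moves away from, and nothing in the list warns about it. I would add a comment above the dlo entry: `# dlo must run after auth (and staticweb) so segment sub-requests are authorized as the original caller; with a non-listed auth filter, place dlo in the pipeline explicitly.` The quote change on `startswith('catch_errors')` is cosmetic. `required_filters = [` is the hunk header's context line, so the list opens immediately before the visible lines.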
@@ -214,7 +214,9 @@ class TestAuthorize(unittest.TestCase):
 default_env.update(env)
 req = self._make_request(path, headers=headers, environ=default_env)
 req.acl = acl
- result = self.test_auth.authorize(req)
+
+ env_identity = self.test_auth._integral_keystone_identity(req.environ)
+ result = self.test_auth.authorize(env_identity, req)
 # if we have requested an exception but nothing came back then
 if exception and not result:
@@ -398,5 +400,20 @@ class TestAuthorize(unittest.TestCase):
 env={'REQUEST_METHOD': 'DELETE'})
 self.assertEqual(bool(req.environ.get('swift_owner')), True)
+ def test_identity_set_up_at_call(self):
+ def fake_start_response(*args, **kwargs):
+ pass
+ the_env = self._get_identity(
+ tenant_id='test', roles=['reselleradmin'])
+ self.test_auth(the_env, fake_start_response)
+
+ subreq = Request.blank(
+ '/v1/%s/c/o' % self.test_auth._get_account_for_tenant('test'))
+ subreq.environ.update(
+ self._get_identity(tenant_id='test', roles=['got_erased']))
+
+ authorize_resp = the_env['swift.authorize'](subreq)
+ self.assertEqual(authorize_resp, None)
+
 if __name__ == '__main__':
 unittest.main()
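Review bot: `test_identity_set_up_at_call` in the `@@ -398` hunk only exercises the permissive direction: the captured identity is reselleradmin, the sub-request carries weaker roles, and the assertion is that access is still granted. The regression that matters for an auth callback is the opposite one — a low-privilege caller whose sub-request environ claims a stronger identity must still be denied — and whether the current test would fail for a callback that honours the sub-request environ depends on how `got_erased` is treated, which is outside the hunk. I would add a companion test that captures a non-admin identity, puts reselleradmin into the sub-request environ for another tenant's account, and asserts a non-None (denial) response, so the test pins the escalation direction explicitly.
```python
    def test_subrequest_identity_cannot_escalate(self):
        def fake_start_response(*args, **kwargs):
            pass
        the_env = self._get_identity(tenant_id='test', roles=['got_erased'])
        self.test_auth(the_env, fake_start_response)

        subreq = Request.blank(
            '/v1/%s/c/o' % self.test_auth._get_account_for_tenant('other'))
        subreq.environ.update(
            self._get_identity(tenant_id='other', roles=['reselleradmin']))

        # Cross-tenant access with the captured low-privilege identity must
        # be denied regardless of what the sub-request environ claims.
        authorize_resp = the_env['swift.authorize'](subreq)
        self.assertNotEqual(authorize_resp, None)
```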