Securing presentation or business layer? Arguments?

[Andreas Schildbach]

Hello everyone,

My understanding of Acegi is that (with the included classes) it gives the option building security on two different facades:

- the entry point to the presentation layer (FilterSecurityInterceptor)
- the entry point to the business layer (MethodSecurityInterceptor)

Which one is best suited for the average web application? Or will you use both?

Personally I'd say that security at the business layer is more flexible. At this point you usually know the business objects the current request is dealing with. At the presentation, usually the only thing you know is the requesting (authenticated) user and a bunch of textual parameters.

Another argument for securing the business layer is that in the case of two different presentations (say an HTTP service and a Web service) you only need to apply security constraints once.

On the other hand, there may be information that is only available to the presentation layer. The IP address of the request is an example. Fortunately, you can attach such data to the ContextHolder/SecureContext, so it is available to the business layer, too.

Is there any argument for security at the presentation layer?

Any thoughts? Which kind of security do you use? I'm looking forward to your experiences.

Best regards,

Andreas

[Ben Alex]

Personally I find little need for presentation layer security except for (i) ensuring the user is authenticated before they hit services layer methods and (ii) in content management situations where users want to protect parts of their web site differently. Although even the former I have implemented more elegantly and powerfully using ACL services at the services layer level!