In the Spring Security FAQ, the "Why Not Use web.xml Security?" section states some disadvantages of implementing security logic in the controller/view layer:

.... implement security logic within their MVC controller code (or, even worse, inside the views). There are serious disadvantages with this approach

MVC controllers or views that implement authorization code make it more difficult to test both the controller and the authorization logic, and are more difficult to debug

Support for rich clients and web services: If an additional client type must ultimately be supported, any authorization code embedded within the web layer is non-reusable.... As a result, authorization logic needs to be located in the services layer to support a multitude of client types.

We also found some issues (shown below) that are not easy to resolve in the service layer, so I think the service layer may not be a better approach either.

Suppose a request handler involves three service calls, S1, S2 and S3, with each service requiring different permissions.

  • Compared to performing security checks in the controller/view layer, it is possible that S1 and S2 succeed and the last call to S3 fails due to a permission issue, which introduces a partial failure caused by permission constraints.

  • Building upon the previous point, if the S3 service method is executed in a separate thread, the end-users may not receive a response promptly, potentially affecting the customer experience.

  • When dealing with different sources of requests (e.g., client, web browser), varying permissions may be required for different request sources. How can we implement permission checks in the service layer?
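As an added example (not from this issue or the Spring Security documentation), one way to avoid the partial-failure case in the first bullet while keeping authorization in the service layer: guard each service with `@PreAuthorize` and wrap the three calls in a single `@Transactional` boundary, so a denial at S3 rolls back the work of S1 and S2. The class names S1, S2, S3, OrderFacade and the authority names are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical configuration: enables @PreAuthorize evaluation on service beans.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical services S1, S2, S3, each guarded by its own (assumed) authority.
@Service
class S1 {
    @PreAuthorize("hasAuthority('S1_WRITE')")
    public void call() { /* persist the first piece of work */ }
}

@Service
class S2 {
    @PreAuthorize("hasAuthority('S2_WRITE')")
    public void call() { /* persist the second piece of work */ }
}

@Service
class S3 {
    @PreAuthorize("hasAuthority('S3_WRITE')")
    public void call() { /* persist the last piece of work */ }
}

// Hypothetical orchestrating service that the request handler calls.
// AccessDeniedException is a RuntimeException, so when S3 denies the caller
// the transaction rolls back what S1 and S2 already wrote: the request fails
// as a whole instead of leaving a partially applied result.
@Service
class OrderFacade {
    private final S1 s1;
    private final S2 s2;
    private final S3 s3;

    OrderFacade(S1 s1, S2 s2, S3 s3) { this.s1 = s1; this.s2 = s2; this.s3 = s3; }

    @Transactional
    public void handle() {
        s1.call();
        s2.call();
        s3.call(); // throws AccessDeniedException if the caller lacks S3_WRITE
    }
}
```

The transactional boundary only covers resources enlisted in the transaction; work handed off to another thread or an external system (the second bullet) needs its own compensating action.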

Comment From: sjohnr

When dealing with different sources of requests (e.g., client, web browser), varying permissions may be required for different request sources. How can we implement permission checks in the service layer?

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, if you would like to suggest improvements to the documentation, please be clear in your request in that regard. As it stands, it seems you are interested in engaging in a conversation around your application design, and this is not the correct place to do that. I'm going to close this for now, but if you are able to adjust the issue to point to specific improvements to the documentation, we can potentially re-open.