44

I have been using spring security with @PreAuthorize on my controller methods. My reasoning was that I wanted the authorization check to happen predictably in one layer, and as early as possible in the request. However, I just read the spring security 3 documentation, and saw that they recommend applying method level security on the service layer (but they don't say why).

My question is: should spring security method level annotations be applied at the controller layer or the service layer? (Or "both", or "it depends"?) More importantly: why?

Jason
  • 7,356
  • 4
  • 41
  • 48

3 Answers3

26

"It depends" :). If your application has a service layer through which all your business logic is applied then that is usually a clean place to apply your security constraints and be certain that you haven't missed out any corner cases.

Web code is generally messier, there's more of it, it changes more rapidly and you may end up calling the same service methods from multiple places. Someone might add a new controller and forget to secure it properly. Alternatively you might have different types of clients calling the same services.

But it depends on how your application is structured and what your use cases are. You may have a good argument for why you want to secure a controller.

Shaun the Sheep
  • 22,353
  • 1
  • 72
  • 100
  • Thanks, you mentioned good arguments for putting security on the service. What would you consider to be good arguments for securing a controller? Also for context, the app I have in mind has basically a service method per controller endpoint, since my service defines transactional boundaries. So the same service method is only called from one place and there are no other clients using the service. – Jason Feb 03 '13 at 21:18
  • 1
    Another reason I thought of for putting authorization on the service is that the question of who can access what service could be a business decision, and as such could be located with the business logic. – Jason Feb 03 '13 at 21:26
  • 1
    Off the top of my head, I don't have any good arguments for securing a controller in preference to a service layer. That doesn't mean they might not exist in specific cases. Your requirements might specify rules based on data that is normally only available in the web tier, for example, such as request headers. – Shaun the Sheep Feb 03 '13 at 21:49
  • @ShauntheSheep Why "Web code is generally messier"? By "Web code" Do you mean of only Rest controllers or something else? Because the rest controllers in my app are simpler than the services. In particular, because my app is only backend, it does'not have UI (UI is in other webapp) – Zhenyria Jul 01 '21 at 17:19
  • @Zhenyria I think in the context of this question, "web code" was referring to UI code which would be rendering web pages via MVC controllers. – Shaun the Sheep Jul 01 '21 at 18:03
11

Think in terms of code reuse. Are you going to use your service elsewhere? Not just to feed your web tier? We also reuse our services with jms bridges so we secure our service layer.

ramon_salla
  • 1,587
  • 1
  • 17
  • 35
  • 1
    that's a good point to keep in consideration, thanks. For this particular case the service is only for use to feed the web tier. – Jason Jul 25 '13 at 12:27
6

I think the Service is the better place to use it.

Despites some problems that @PreAuthorize could create on Controller and the Spring Security FAQ recommendation to put this kind of annotation on Service, I understand that the authorization for some action is more a business rule than a responsibility for the web tier.

Dherik
  • 17,757
  • 11
  • 115
  • 164