I wonder what is the recommended way of applying security constraints with Spring Security? I have read that you should secure your service layer so that is what I have done. Now, looking at my controller I have some questions.

  1. Is it correct to not have authorization annotations in the controller layer?
  2. Is the controller layer meant to only be authorized in a coarse grained way using the intercept-url elements in the XML app-context?
  3. If you only specify ROLE_USER as the minimum role in the intercept-url element for your app, and then you specify that a certain method in the service layer requires ROLE_ADMIN, then you potentially allow some of the code in the controller to execute because the admin constraint isn't necessarily the first thing in the controller method. However, if the assumptions in the questions above are right, then it won't be a problem because you have set the admin role on that particular endpoint in the XML anyway.
LuckyLuke

0 Answers
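An added example, not from the question or from any answer, of the two layers the question describes, written with Spring Security's Java configuration (4.x/5.x) instead of the XML app-context: the URL rules take the place of the intercept-url elements, and the service method carries its own @PreAuthorize check. The class names and the /admin/** path are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

// Coarse-grained layer: URL rules, the Java-config counterpart of <intercept-url>.
// Rules are evaluated top to bottom and the first match wins, so the specific
// /admin/** rule must precede the catch-all, exactly as intercept-url order matters.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // same as <global-method-security pre-post-annotations="enabled"/>
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Admin endpoints: the request is rejected by the filter chain
                // before any controller code runs (assumed path, not from the question).
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Everything else: ROLE_USER is the minimum, as in the question.
                .anyRequest().hasRole("USER")
            .and()
            .formLogin();
    }
}

// Fine-grained layer: the service method enforces ROLE_ADMIN itself, so it stays
// protected even when called from a controller outside /admin/** or from a
// non-web caller. With only this check in place, a ROLE_USER request would still
// run whatever controller code precedes the service call, which is the situation
// the third question describes; the URL rule above closes that gap for /admin/**.
// hasRole("ADMIN") assumes Spring Security 4+, which adds the ROLE_ prefix itself.
@Service
class AdminService {

    @PreAuthorize("hasRole('ADMIN')")
    public void deleteAllUsers() {
        // Privileged work goes here; for a caller without ROLE_ADMIN the method
        // interceptor throws AccessDeniedException before this body executes.
    }
}
```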