0

What's the best place to check for user authorization and authentication. The business tier or the application layer?

In my opinion it is the application tier. It cannot let the user make actions for which the user has not got enough privileges.

The business should only be concerned with business services and exposing those services to trusted tiers. Using a password to secure against unauthorized access.

But maybe I'm getting something wrong here.

David Barker
  • 14,484
  • 3
  • 48
  • 77
GionJh
  • 2,742
  • 2
  • 29
  • 68
  • 1
    You answered your own question, with good reasoning. Why would you not just go with it and then work out if it fits **your** style of app development? – David Barker Sep 26 '15 at 09:34
  • thanks, the fact is that in my understanding authorization is somehow also part of businness logic, why we use the application layer to enforce it ? – GionJh Sep 26 '15 at 11:55

1 Answers1

1

It depends on how you architected your application. If the application layer and business layer are part of the same process, it's fine to do your authentication and authorization checks only in the application layer.

Doing them in the application layer indeed allows you to disable functionality the user is not allowed to use.

However, if you architected your business layer into separate services, you'll need to you know who's calling them and what those users can do. You'll need authN and authZ at those security boundaries too.

Trusted subsystems only work if you make sure no untrusted parties can ever call that code.

MvdD
  • 22,082
  • 8
  • 65
  • 93