6

As the title suggests, I am interested in general opinion on where it is best to put all security-related code (like code for JWT, standard authentication, etc.).

I have been thinking about it for quite a while and I do not have a clue what a suitable place for this would be.

Does somebody have any experience with this? What is for you the correct place for this, according to DDD?

nemo_87
  • 2
    Does standard authentication sound like a _business concept_ to you/your domain experts? If not, you should not put it into your domain, since I believe it doesn't belong there, but rather to the possible entry point(s) of your application... – kayess Sep 05 '16 at 13:44
  • 1
    Possible duplicate of [Access Control in Domain Driven Design](http://stackoverflow.com/questions/23464697/access-control-in-domain-driven-design) – guillaume31 Sep 05 '16 at 13:48
  • @kayess I had the exact same doubt. On one hand it does belong in the domain, on the other it looks like it's not suitable for it to be there. Possible entry points of an app sounds like a good idea to me... thanks for suggesting it :) – nemo_87 Sep 05 '16 at 13:49
  • @guillaume31 Actually I was new to DDD when I wrote that answer. I'll revise it asap. – inf3rno Sep 05 '16 at 14:08
  • 1
    @guillaume31 Done. – inf3rno Sep 05 '16 at 14:23

1 Answer

2

As mentioned by @inf3rno in Access Control in Domain Driven Design, Vaughn Vernon briefly touches upon this in his book Implementing Domain-Driven Design.

Security and permissions should be centralized in their own bounded context, which is then used by other bounded contexts. Have a look at the Identity Access bounded context for inspiration, but I recommend following Schneier's Law, which states that you should not build your own security system.

Community
Martin4ndersen
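A sketch of the layering discussed in the comments and the answer above, as an added example that is not code from the post, the linked answer or Vernon's book: an identity/access context behind a port, enforcement at the application-service entry point, and a domain object with no security code. All names (`IdentityAccess`, `CancelOrderService`, `orders:cancel`) are hypothetical, and the in-memory adapter is an assumption standing in for a vetted identity provider or JWT library.

```python
from dataclasses import dataclass
from typing import Optional, Protocol

# --- Identity & access bounded context (hypothetical names) ---------------
@dataclass(frozen=True)
class Principal:
    user_id: str
    permissions: frozenset

class IdentityAccess(Protocol):
    """Port other contexts depend on; token handling stays behind it."""
    def authenticate(self, token: str) -> Optional[Principal]: ...

class InMemoryIdentityAccess:
    """Stand-in (assumption) for an adapter over a vetted IdP/JWT library."""
    def __init__(self, sessions: dict):
        self._sessions = sessions
    def authenticate(self, token: str) -> Optional[Principal]:
        return self._sessions.get(token)

# --- Core domain: business rules only, no tokens or permissions -----------
@dataclass
class Order:
    order_id: str
    owner_id: str
    cancelled: bool = False
    def cancel(self) -> None:
        if self.cancelled:
            raise ValueError("order already cancelled")
        self.cancelled = True

# --- Application service: the entry point where security is enforced ------
class AccessDenied(Exception):
    pass

class CancelOrderService:
    def __init__(self, identity: IdentityAccess, orders: dict):
        self._identity, self._orders = identity, orders

    def cancel(self, token: str, order_id: str) -> Order:
        principal = self._identity.authenticate(token)
        if principal is None:  # fail closed on unknown or invalid tokens
            raise AccessDenied("unauthenticated")
        order = self._orders.get(order_id)
        # Same error for "missing" and "not yours": no existence oracle.
        if (order is None or "orders:cancel" not in principal.permissions
                or order.owner_id != principal.user_id):
            raise AccessDenied("not permitted")
        order.cancel()
        return order
```

Swapping `InMemoryIdentityAccess` for a real adapter changes nothing in `Order` or `CancelOrderService`, which is the point of keeping the security code in its own context.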