GionJh

Reputation: 2894

Correct tier to check user authorization and authentication

What's the best place to check for user authorization and authentication: the business tier or the application layer?

In my opinion it is the application tier. It cannot let the user make actions for which the user has not got enough privileges.

The business tier should only be concerned with business services and exposing those services to trusted tiers, using a password to secure against unauthorized access.

But maybe I'm getting something wrong here.

Upvotes: 0

Views: 54

Answers (1)

MvdD

Reputation: 23486

It depends on how you architected your application. If the application layer and business layer are part of the same process, it's fine to do your authentication and authorization checks only in the application layer.

Doing them in the application layer indeed allows you to disable functionality the user is not allowed to use.

However, if you architected your business layer into separate services, you'll need to know who's calling them and what those users can do. You'll need authN and authZ at those security boundaries too.

Trusted subsystems only work if you make sure no untrusted parties can ever call that code.

Upvotes: 1
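The two deployment styles the answer contrasts, as an added example (not code from the question or the answer): an application tier that refuses actions the user's role does not allow, a "trusted subsystem" business object that performs no checks of its own, and a separately deployed business service that authenticates and authorizes at its own boundary. The shared HMAC secret, the role-to-permission table and the invoice service names are assumptions made for the illustration; a real deployment would use a key store and a standard token format.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret between the application tier and the business service.
SECRET = b"demo-shared-secret-not-for-production"

# Hypothetical role-to-permission table.
ROLE_PERMISSIONS = {
    "clerk": {"invoice.read"},
    "manager": {"invoice.read", "invoice.approve"},
}


def mint_token(user, role, ttl=300, now=None):
    """Application tier: issue a signed token once the user is authenticated."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user, "role": role, "exp": now + ttl},
                         sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now=None):
    """AuthN at a service boundary: constant-time signature check, then expiry."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def authorized(claims, permission):
    """AuthZ: does the caller's role carry the permission?"""
    return permission in ROLE_PERMISSIONS.get(claims.get("role"), set())


class TrustedInvoiceService:
    """In-process business layer: no checks of its own, relies on the caller."""
    def __init__(self):
        self.approved = set()

    def approve(self, invoice_id):
        self.approved.add(invoice_id)
        return True


class BoundaryInvoiceService:
    """Separately deployed business service: checks at its own boundary."""
    def __init__(self):
        self.approved = set()

    def approve(self, token, invoice_id, now=None):
        claims = verify_token(token, now)               # who is calling?
        if not authorized(claims, "invoice.approve"):  # what may they do?
            raise PermissionError(f"{claims['sub']} may not approve invoices")
        self.approved.add(invoice_id)
        return True


class ApplicationLayer:
    """Application tier: refuses actions the user's role may not perform."""
    def __init__(self, service):
        self.service = service

    def approve_invoice(self, token, invoice_id, now=None):
        claims = verify_token(token, now)
        if not authorized(claims, "invoice.approve"):
            raise PermissionError("action not offered to this role")
        if isinstance(self.service, BoundaryInvoiceService):
            return self.service.approve(token, invoice_id, now)  # token forwarded
        return self.service.approve(invoice_id)                  # trusted, no token


def denied(call):
    """True if the call is refused with PermissionError."""
    try:
        call()
    except PermissionError:
        return True
    return False


def demo(now=1_700_000_000):
    """Walk through the scenarios from the answer; returns a dict of outcomes."""
    clerk = mint_token("alice", "clerk", now=now)
    manager = mint_token("bob", "manager", now=now)
    # Constructed attack: clerk token with its role rewritten, clerk's signature kept.
    forged = (base64.urlsafe_b64encode(json.dumps(
        {"exp": now + 300, "role": "manager", "sub": "alice"},
        sort_keys=True).encode()).decode() + "." + clerk.split(".")[1])
    out = {}
    app = ApplicationLayer(TrustedInvoiceService())
    out["app_blocks_clerk"] = denied(lambda: app.approve_invoice(clerk, "INV-1", now))
    out["app_allows_manager"] = app.approve_invoice(manager, "INV-1", now)
    # Trusted subsystem: anyone who can reach it directly is not stopped.
    out["trusted_bypassed"] = TrustedInvoiceService().approve("INV-2")
    # Service with its own boundary: direct calls are still checked.
    svc = BoundaryInvoiceService()
    out["boundary_blocks_clerk"] = denied(lambda: svc.approve(clerk, "INV-3", now))
    out["boundary_blocks_forged"] = denied(lambda: svc.approve(forged, "INV-3", now))
    out["boundary_blocks_expired"] = denied(lambda: svc.approve(manager, "INV-3", now + 600))
    out["boundary_allows_manager"] = svc.approve(manager, "INV-3", now)
    return out
```

Running `demo()` shows the point of the answer's last sentence: `TrustedInvoiceService` approves whatever it is handed, so it is only safe while nothing but the application tier can reach it; once the business layer is a separately reachable service, `BoundaryInvoiceService` has to verify the token and the permission itself, and a tampered or expired token is refused there regardless of what the application layer did.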
