  • Security on DAOs, Services or Datasource

    Where should I secure my web application: on services (this appears to be the popular choice) or DAOs?

    I prefer the former because it avoids coupling the database tier to the security. I prefer the latter because it reduces the risk of another developer bypassing the security altogether (by forgetting to secure a service that goes straight to the unsecured DAOs).

    I know that the latter doesn't prevent a developer from injecting a session factory and directly hitting the database themselves, but it would be unlikely as this is quite a bit of hassle.

    I guess the ultimate solution would be to secure the datasource to provide row-level security, which would be great but, I guess, quite complicated. I'm guessing AspectJ pointcuts might be the way to go there.

    I'm using Spring ACLs and annotations.