I have an API which I’m exposing via REST and I’m deliberating about where to place the authorities restrictions.
I’ve read that there is a best practice about securing the service layer as it is the one doing the work and you don’t know where it’s going to get called but I’m not sure what’s the best practice with respect to the WS layer.
One thought I have is that I need to have a very fine grained model of authorization on the service layer and a very coarse grained model of authorization on the WS layer as to minimize breaking the DRY principle on the one hand but still have some notion of defence in depth.

Example:

For the Users resource there is a UserWS and a UserService. Admins can create/update/delete users and Users can read about other users.
Assuming the UserWS is bound to %root%/users I will define an intercept-url for that url with the ROLE_USER authority which just says that you have to be a user to get there but the service layer itself will specify the specific authorities for the relevant methods.

Other options are:

• Place the same authorization requirements on both the service and the WS-
  Pro- You’ll filter out as early as possible intruders (and save for example the conversion of parameters if you’re using spring mvc)
  Con- Duplication of configuration is a maintenance issue and is error prone => security issue

• Place the authorization requirements only on the WS-
  Pro- Filter as soon as possible if comming from the WS
  Con- The service layer might be used from different contexts

• Plate the authorization requirements only on the service-
  Pro- No Duplication
  Con- Overhead of allowing “bluntly” inept request to arrive to the service layer

Would really appreciate any feedback about the options