My application has the following architecture:
Web service layer (WCF services)
Business logic layer
Data access layer
Where should I check permission? In Web services or in BL?
Like the other answer, I would recommend checking access in the service layer, but it of course depends on your needs. In many scenarios I have built services where only some clients were allowed to access the service, which – of course – is checked by WCF using certificates from the caller or similar.
The user of the client then also has a set of credentials allowing access to specific parts of the data (which is checked in the BLL) or specific methods/endpoints of the service, which is checked by either WCF or the BLL depending on the nature of the user credentials and authorization logic.
But I agree that the DAL should not be involved.
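The split described in this answer, sketched as an added example that is not code from the question or either answer: the service layer decides whether the caller may invoke the operation, the business logic layer decides whether that user may see the specific record, and the data access layer contains no permission logic. All class, role and user names are hypothetical, and the `IPrincipal` passed in explicitly stands in for whatever caller identity WCF has established for the operation.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Data access layer: no permission logic, it only loads data.
class OrderDal {
    // Constructed sample data: order id -> owning user name.
    static readonly Dictionary<int, string> Owners =
        new Dictionary<int, string> { { 1, "alice" }, { 2, "bob" } };
    public string GetOwner(int orderId) { return Owners[orderId]; }
}

// Business logic layer: data-level check (may this user touch this record?).
class OrderBll {
    readonly OrderDal _dal = new OrderDal();
    public string GetOrder(IPrincipal user, int orderId) {
        string owner = _dal.GetOwner(orderId);
        bool allowed = user.IsInRole("Admin") ||
            string.Equals(owner, user.Identity.Name, StringComparison.OrdinalIgnoreCase);
        if (!allowed) throw new SecurityException("No access to order " + orderId);
        return "order " + orderId + " (owner " + owner + ")";
    }
}

// Service layer: endpoint-level check (may this caller invoke the operation at all?).
class OrderService {
    readonly OrderBll _bll = new OrderBll();
    public string GetOrder(IPrincipal caller, int orderId) {
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole("OrderUser"))
            throw new SecurityException("Caller may not use GetOrder");
        return _bll.GetOrder(caller, orderId);
    }
}

static class Program {
    static void Main() {
        var svc = new OrderService();
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "OrderUser" });
        var guest = new GenericPrincipal(new GenericIdentity("guest"), new string[0]);
        Console.WriteLine(svc.GetOrder(alice, 1)); // own record: passes both checks
        // alice asking for bob's order fails in the BLL; guest fails in the service layer.
        foreach (var attempt in new[] { Tuple.Create((IPrincipal)alice, 2), Tuple.Create((IPrincipal)guest, 1) }) {
            try { svc.GetOrder(attempt.Item1, attempt.Item2); }
            catch (SecurityException ex) { Console.WriteLine("denied: " + ex.Message); }
        }
    }
}
```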