
In an N-layered architecture, a REST interface is exposing some resources. Clients need to be authenticated with Basic Authentication over TLS. Business logic is making sure the data is valid and acceptable to the system. Filters are applied to make sure a tenant can only see and change its own data. If a service needs to manipulate the same data, would it be better to
1) have it use the same REST interface but apply service-level filters and use a technical account for authentication,
or would it be preferable to
2) have the service account use the business (Domain) layer directly?

What is your opinion or logic to use one over the other approach?

tobre

1 Answer


As a default, I allow the business layer direct access, as this seems the simplest option. Only if there is a specific reason do I insist all requests pass through the REST layer's authentication.

Like most things, it depends on your business case.

Do you need to expose the exact same services to REST clients and the business layer? Or are there subtle differences?

Do you need to know whether the request to the service layer originates from a REST client or the business layer?

Do you want the REST layer to be a single-point-of-entry for security, logging and so on?

morsor