First of all I use from the standard J2EE security subsystem just the authentication part. The authorization is made based on Permission objects just like in the J2SE security model.
I have some general security restrictions regarding user sessions in a j2ee aplication like access granted on specific work times, account expire restriction, ip based restriction, etc.
The question is: where to implement these security restrictions: in the web tier or in the ejb tier. At first, the web tier seems more attractive because:
- implements by default a session object
- I use Struts and I can easily implement a single point of access in a base Action
- I also need permission checks on web tier because I use limited view security pattern (display to user just what it can do)
my concerns are:
- bad design? work time restrictions, account restrictions is business logic and the web tier is specific to presentation logic.
- in some cases the web tier software is not secure (maybe installed in client machines - a usual way to implement disconnected clients)
- limited view pattern (for web based access) is just a user interface helper pattern not a real security pattern because some malicious http calls can be made even if the interface doesn't directly permit this so some security checks are always made.
please be aware that the question regards specific (mentioned here) security checks
please comment, thanks