Which Java modules get Spring Security

I have a classic Java SOA application, with a web UI module, web services module, a service module (Java API), a domain module and a persistence module. In a开发者_如何学Python sense, each of these modules has their own public API.

My understanding of Spring Security is that I can use web filters to handle the security of the web gui and web services, and method level security (via annotations) for the service module.

My question is this: should I bother to add method level security to the domain module and the persistence module or is that considered overkill?

If you secure the external API's it's normally not needed to secure additional internal layers such as the domain model or DAO persistence layer.

But all depends on you're security requirements. Adding security roles to you're methods in the internal API's will make it more secure and can be considered a good defensive practice against security holes in you’re exposed API.