resource request validation, service or business layer responsibility?

Assuming you have a Business Layer that you will be using for both front-end external facing web application, as well as back-end internal facing application. The external application will always contain the user's logged-in identity/profile in session. The back end application is only for internal administrators.

In a scenario where you have the following business layer method SensitiveInfoManager.GetResource(id). You can imagine that when external users call this method you would want some sort of validation to insure that the id that is passed in does in fact belong to the user that is requesting it. Assuming you have the right structure in the database where you will be able to establish a link from the requesting user to the resource they are requesting. Also you can imagine that a back-end website administrator should be able to call the same method, however that user is in no way tied to the resource, but by definition of being an internal administrator should simply be able to request whatever resource they want.

The question is how do you accomplish this with maximum reuse and best separation of concerns? Do you incorporate this validation into the business layer, setting some sort of flag at class level that says "validate me" or "don't validate me" depending on who the consumer is. Or do you front your business layer with a Service Layer, tasking it with authorization of the requested resources. Forcing the front-end application to channel request through the service layer, where the back-end application may 开发者_如何学Cgo to the Business Layer directly?

I think that the Service Layer is the most natural place for the Authorization process.

If however you decide to add the authorization functionality to the Business Layer, then I would create an interface IAuthorizationAuthority that contains all the functionality to check for permissions. I would create two classes that implement this interface (one for the external application and one for the admin application) and use a Dependency Injection library so that you can decide on application level which implementation should be used.