Apologies if this is the wrong place to ask, please point me somewhere else if so.
In Ch3, you add method level security to the VideoRepository delete method to ensure that videos can only be deleted by their owning username.
@PreAuthorize("#entity.username == authentication.name")
@Override
void delete(@NonNull VideoEntity entity);
I get what this is doing, and can see why it needs to be here, but this feels like we've "polluted" our repository with concerns coming from the web-layer? Our repository can't now be used in another context. I know the Spring Security FAQ recommends placing method level security at the service layer. (I tried that and of course we didn't have the full VideoEntity to compare the username with at that point.)
Can you elaborate - or point me to a resource - on this design decision? Why might it be considered the best choice? What are alternatives if my repo was used somewhere else where authentication wasn't available?
Many thanks.
Apologies if this is the wrong place to ask, please point me somewhere else if so.
In Ch3, you add method level security to the VideoRepository delete method to ensure that videos can only be deleted by their owning username.
I get what this is doing, and can see why it needs to be here, but this feels like we've "polluted" our repository with concerns coming from the web-layer? Our repository can't now be used in another context. I know the Spring Security FAQ recommends placing method level security at the service layer. (I tried that and of course we didn't have the full VideoEntity to compare the username with at that point.)
Can you elaborate - or point me to a resource - on this design decision? Why might it be considered the best choice? What are alternatives if my repo was used somewhere else where authentication wasn't available?
Many thanks.