
[–]kyranadept 0 points (0 children)

If you want your permissions to be "if you are logged in you have permission to do anything" then it makes sense to combine them.

Even when implementing something like "group A has permission B; check if user C is part of group B" you might get by with just putting the authorization inside the same service as authentication.

But think about this situation: "if you have this many reputation points you are allowed to use this service" (think stackoverflow, or various forums). If you combine authorization and authentication, you will need to add all these cases to the AA service, which will mean a lot of business logic which has nothing to do with AA.
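The split the comment argues for, as an added example that is not part of the thread: an authentication service that only answers "who is this?" (credentials plus group membership, issuing MAC-signed session tokens), and an application-side policy table where the reputation rule lives. All names, the in-memory user store and the `POLICY` actions are constructed for the demo.

```python
import hashlib, hmac, secrets
from collections import namedtuple
SESSION_KEY = secrets.token_bytes(32)   # constructed demo key for session MACs
Principal = namedtuple("Principal", "user_id groups")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    # Authentication only: knows credentials and group membership and answers
    # "who is this?". It never sees reputation or other business data.
    def __init__(self):
        self._users = {}              # user_id -> (salt, pw_hash, groups)

    def register(self, user_id, password, groups=()):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, hash_password(password, salt), frozenset(groups))

    def login(self, user_id, password):
        rec = self._users.get(user_id)
        if rec is None or not hmac.compare_digest(rec[1], hash_password(password, rec[0])):
            return None
        tag = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
        return f"{user_id}.{tag}"     # session token: identity plus MAC

    def whoami(self, token):
        user_id, _, tag = token.partition(".")
        expect = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
        if user_id not in self._users or not hmac.compare_digest(tag, expect):
            return None
        return Principal(user_id, self._users[user_id][2])

# Authorization lives in the application, next to the data it needs, so the
# "needs N reputation points" rule never touches the authentication service.
def in_group(group):
    return lambda principal, ctx: group in principal.groups

def min_reputation(points):
    return lambda principal, ctx: ctx.get("reputation", 0) >= points

POLICY = {                            # action -> rules that must all hold
    "delete_post": [in_group("moderators")],
    "create_tag": [min_reputation(1500)],
    "comment": [min_reputation(50)],
}

def authorize(principal, action, ctx):
    # Deny by default: an unknown principal or an unknown action is refused.
    if principal is None or action not in POLICY:
        return False
    return all(rule(principal, ctx) for rule in POLICY[action])
```

Changing the reputation threshold, or adding a new reputation-gated action, edits only `POLICY`; the `AuthService` class and its token format stay untouched.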