Good practices access control and encapsulation

Hi, I have a simple application on which a user can edit user specific information in the db.

  1. If a user wants to add a credit card to his account. I have a button and on click I will call a createCreditCard method in the CreditCardService class. Should …

A: …I get the current user from UserService first and supply it to the method

or

B: …the parameters be empty and in the CreditCardService I get the current user through SecurityContextHolder.getContext().getAuthentication().getPrincipal()?

  2. I’m wondering where I should check if the user is allowed to make certain changes. So let’s say I have a transfer from Iban X to Iban Y… where would I check if the user is allowed to make a transfer from Iban A?

My guess is in the BankAccountService I get the logged in user like above (SecurityContextHolder.getContext().getAuthentication().getPrincipal()) and then I check if the Iban of the source account matches the iban of the user.
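As an added illustration of the pattern described in the question (not code from the original post), here is a Spring service that resolves the caller from SecurityContextHolder and enforces the source-account ownership check inside the service layer, so the check holds no matter which UI path invokes it. BankAccountRepository, BankAccount and its getOwnerUsername/withdraw/deposit methods are assumed domain types.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import java.math.BigDecimal;

@Service
public class BankAccountService {

    // Hypothetical repository; assumed to return null when no account has that IBAN.
    private final BankAccountRepository accounts;

    public BankAccountService(BankAccountRepository accounts) {
        this.accounts = accounts;
    }

    @Transactional
    public void transfer(String sourceIban, String targetIban, BigDecimal amount) {
        String username = currentUsername();
        BankAccount source = accounts.findByIban(sourceIban);

        // Authorization lives here, not in the view: the source account must belong
        // to the authenticated user, whichever button or client started the call.
        if (source == null || !source.getOwnerUsername().equals(username)) {
            // Same outcome for "not yours" and "does not exist", so a caller
            // cannot use the response to learn which IBANs are present.
            throw new AccessDeniedException("Not allowed to transfer from this account");
        }

        BankAccount target = accounts.findByIban(targetIban);
        if (target == null) {
            throw new IllegalArgumentException("Unknown target IBAN");
        }

        source.withdraw(amount);
        target.deposit(amount);
    }

    // Reads the principal from the thread-bound security context instead of
    // trusting a user id passed in from the UI.
    private static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("No authenticated user");
        }
        return auth.getName();
    }
}
```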

If you’re on the latest version of Vaadin, you can also inject AuthenticationContext as a helper