| If it's "not a hard problem" - and I agree it isn't, and it's solved by Clojure's SQL libraries, why should the web framework deal with it in any way? And moving the problem actually helps, when the original place was the wrong place to solve the problem. Security is one problem when you write queries all over the place. The other two problems are data integrity, and maintenance. In a service layer you have exactly three concerns: 1) Validate abstract input (and permissions of the caller). 2) Perform the transaction. 3) Return abstract output (and/or errors). No routers, no controllers, no views, no templates, no CSRF, no XSS, no HTML escaping, no GET, no POST, no nothing. Just input, transaction, output. Pure data. Pure business logic. And suddenly things that seemed hard to get right, or things you had to repeat all over the place in your code, get done simply, and just once. And all your web code calls the service layer. All your iOS and Android app code - also calls the same service layer. And they're both secure because you need to get the service secure just once - then all interfaces (web, mobile, desktop, API) use the same service. And when you don't isolate the service, you'll be running SQL all over the place, and use every framework's souped up solutions to avoid SQLi. Which one do you feel is better? |
SOA is great for scalability, but not really that much of a boon for security (especially since you now have a problem of authentication between your frontend service and your backend service which is often ignored since it's behind the firewall and nobody is going to be snooping.) (Other than the NSA, GHCQ, and China.)