>I don't know about in Shawn's situation, but the reason we double-check whether we have a valid user using the BizObjects is because we have exposed our BizObjects via Web Services, so that they can be freely accessed ...

Well, who invited web services to the party? :)

Also, what "best practices" seem to be advocating these days is have a Service Layer (SOA) that you control which accesses your business layer. This Service Layer is what you expose to the "world".

Also, there is alot of working being done to allow Web Services to be securable and that is certainly a welcome addition. Just cause you want to create a web service, doesn't mean you want the world to use it.

How does your business layer verify "user". As shawn said, the code accessing your business layer could have a perfectly acceptable principle object, however, that doesn't mean it is code that you want accessing your business layer. Or, does your application run under a different security context than the Windows user?

BOb