In which layer should validation be performed?

Question

I am writing a webservice.

Typically the input will be an XML document and the output XML or JSON.

The application uses the MVC patter, having different layers

• Controllers: Receive XML and provide response (XML/JSON)
• Service: Business logic, transactions
• DAO: Query the datasource (a Database or maybe another webservice)

My understanding is that basic validation (ie: XML against XSD) should be done as soon as possible on the Controller layer.

After that, I still need to perform extra validation, some of such validations are basic, for example

• Date format must be correct
• User name cannot exceed X characters (maybe also to be performed on the XSD?)

As far as I understand, such basic validations should been done when unmarshalling the XML into a Java object. That would also happend in the controller layer (although the validation itself would be done by the Java object where the XML is unmarshalled into)

And finally I face the more "complex" validations examples

• The date should not be prior to 1950 (just a random example)
• If value A is bigger than B, then value C should not exceed D

Such "complex" valiations seems to be a perfect candidate for the javax.validation.Validator interface. And also feels like they should be done in the Controller layer.

The questions are

1. Is this approach correct? Should I also validate something at other layers?
2. Am I adding too much logic into controllers? Should I maybe move some validation to the Service layer where the business logic is?

Answer 1

Is this approach correct? Should I also validate something at other layers?

Yes, partially. It's seems correct to validate input data for correctness like date format, length etc. There is no need to push them to inner layers. They needs to be validated upfront.

There might be some validations according to the business rules, which needs to be done at service layer, like if the username/email already registered while adding user to the system, which will be done in service layer.

Am I adding too much logic into controllers? Should I maybe move some validation to the Service layer where the business logic is?

It isn't considered as logic from my perspective. Validating data into controller is different from adding business logic to it. You aren't altering/manupulating data, but checking for the correctness of the data.

As mentioned above, some validations which follows business rules needs to be implemented in the service layer.

Edit : As you have added web-service tag, imagine that you are calling a web service & then at server side, it came to know that the data has improper format. It might have saved a round trip, server time, network resource etc. if it had been validated earlier.