Question about authentication best practices via spring-security
All,
My goal is to have specific channels secured by spring-security. I realize that the spring-integration-security module provides the namespace integration for spring-security, which provides method-level, role-based authorizations. But before the authorizations can be used, a principal must have been logged in and a suitable SecurityContext set into the Thread's SecurityContextHolder.
I have two questions.
What's the best way to go about authenticating the principal before the flow of execution arrives at the method-level authorizations? Two ways pop into my head, but I would like feedback:
1) Set up a global channel interceptor which would perform this authentication well before getting to the channel that is secured by the authorizations check?
2) Create a service activator bean and connect the integration flow up to this and do the authentication within the bean.
Are there other/better ways?
I could do #1, but then other channels that are unrelated to authorization would be included. There is one channel that I would like to have both authentication and authorization on, and the rest don't matter or don't need to know there is authentication going on.
#2 is possible also, but I'd like to keep cross-cutting concerns like this orthogonal to the integration flow.
I can't add a channel interceptor to the channel in question because those actually run AFTER the method-level interception performed by spring-security.
Any thoughts?
Thanks,
Christian
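
Option 1 from the post, as an added example (not code from the original post or from the Spring projects): a channel interceptor scoped by name pattern to one upstream channel, which authenticates the caller and populates the SecurityContextHolder before the message reaches the secured channel. Assumptions: Spring Framework 5+ package names, a hypothetical upstream DirectChannel named `inboundRequests`, and hypothetical credential headers `x-auth-user` and `x-auth-password`.

```java
import org.springframework.integration.config.GlobalChannelInterceptor;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageBuilder;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// Assumption: "inboundRequests" is a hypothetical channel upstream of the secured one.
// The pattern keeps the interceptor off every other channel in the application.
@Component
@GlobalChannelInterceptor(patterns = "inboundRequests")
public class AuthenticatingChannelInterceptor implements ChannelInterceptor {
    // Hypothetical header names carrying the caller's credentials.
    static final String USER_HEADER = "x-auth-user";
    static final String PASSWORD_HEADER = "x-auth-password";

    private final AuthenticationManager authenticationManager;

    public AuthenticatingChannelInterceptor(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        Object user = message.getHeaders().get(USER_HEADER);
        Object password = message.getHeaders().get(PASSWORD_HEADER);
        if (user == null || password == null) {
            throw new BadCredentialsException("Missing credential headers");
        }
        // Throws AuthenticationException on failure, so the message never enters the flow.
        Authentication auth = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(user, password));
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);
        // Do not let the password travel further down the flow.
        return MessageBuilder.fromMessage(message).removeHeader(PASSWORD_HEADER).build();
    }

    @Override
    public void afterSendCompletion(Message<?> m, MessageChannel c, boolean sent, Exception ex) {
        // Always clear, or a pooled thread keeps the previous caller's identity.
        SecurityContextHolder.clearContext();
    }
}
```

The context set here is thread-bound, so it is visible to the method-level authorization check only while the flow from `inboundRequests` to the secured channel runs on the same thread; a queue or executor channel in between breaks that unless the context is propagated explicitly.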