Thread: @Aspect and spring security

  1. #1
    Join Date
    Oct 2007
    Posts
    142

    Default @Aspect and spring security

    Hi

    I would like to mix @Aspect with spring security.
    In my job the security is managed by project, so I have methods like these:

    Code:
    public void addUser(Project project, User user)
    public void addTask(Project project, Task task)
    public void addDocument(Project project, Document document)
    ...
    Instead of adding an annotation for permission in each method, I would like to use an aspect:

    Code:
    @Before("within(*.service..*)")
    public void secure(JoinPoint joinPoint)
    {
    	if (!ArrayUtils.isEmpty(joinPoint.getArgs()) && joinPoint.getSignature() instanceof MethodSignature)
    	{
    		MethodSignature signature = (MethodSignature) joinPoint.getSignature();
    		
    		// Only methods whose first parameter is a Project named "project" are checked
    		if ("project".equals(signature.getParameterNames()[0]) && joinPoint.getArgs()[0] instanceof Project)
    		{
    			Project project = (Project)joinPoint.getArgs()[0];
    			// getPrincipal() returns Object, so it must be cast to the application's User type
    			User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    			
    			//handle security
    		}
    	}
    }
    Is it even a good idea?
    Is there a clean way to add an interceptor or filter to achieve this?

    Regards

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    The reason you would typically add annotations to the methods explicitly is so that you can easily extract out arguments to the method, return values, etc and pass them to Spring Security to be evaluated. Since each method has different types of arguments, number of arguments, etc it can be difficult to apply blanket advice to all the methods.

    Spring Security offers support for doing things like this using the protect-pointcut element for something simple like ensuring that the current user has a particular role in order to invoke the method.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
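
The aspect from the question, reworked as an added example (not code from either poster and not Spring Security's own): the `Project` argument is bound by type with `args(project, ..)` instead of being looked up by parameter name, and the advice denies access whenever the caller cannot be identified. `ProjectAccessPolicy` and the empty `Project` and `User` classes are hypothetical placeholders for the application's own types.

```java
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Placeholder domain types standing in for the application's Project and User classes.
class Project { }
class User { }

// Hypothetical policy interface: decides whether a user may act on a project.
interface ProjectAccessPolicy {
    boolean canModify(User user, Project project);
}

@Aspect
public class ProjectSecurityAspect {

    private final ProjectAccessPolicy policy;

    public ProjectSecurityAspect(ProjectAccessPolicy policy) {
        this.policy = policy;
    }

    // args(project, ..) restricts the advice to methods whose first argument
    // is a Project and binds it by type, so the check does not depend on
    // parameter names being available in the compiled class.
    @Before("within(*.service..*) && args(project, ..)")
    public void secure(Project project) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Fail closed: a missing authentication or an unexpected principal
        // type (for example the anonymous principal) is treated as a denial.
        if (auth == null || !auth.isAuthenticated() || !(auth.getPrincipal() instanceof User)) {
            throw new AccessDeniedException("No authenticated project user");
        }
        User user = (User) auth.getPrincipal();

        // A null project cannot be authorized, so it is denied as well.
        if (project == null || !policy.canModify(user, project)) {
            throw new AccessDeniedException("Access to project denied");
        }
    }
}
```

Service methods whose first argument is not a `Project` are not matched by this pointcut and therefore run without this check, so they need their own annotation or pointcut.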