Update . I found that annotation-based Spring 2.x controllers are terrible for AOP security because you cannot make assumptions about the prototype method due to the increased freedom in the parameters and return values. Prior to 2.x, you can intercept handleRequest and know that the first parameter was HttpServletRequest, and the return value was ModelAndView. This standard allowed you to write simple tips for each controller. Now, the methods associated with the requests can take anything and return strings, ModelAndViews, etc.
The original message . I have a set of existing aspects that implement the AOPAlliance MethodInterceptor running in Spring. They secure my webapp by intercepting .handleRequest. methods in the controllers and allow execution or redirection to the login page.
With new annotation-based controllers in Spring, the "handleRequest" method is no longer required; controller methods can be called what I want. This violates my existing security model. So how do I get from here:
<bean class="com.xxx.aspects.security.LoginAdvice" name="loginAdvice">
<property name="loginPath">
<value>/login.htm</value>
</property>
<property name="authenticationService" ref="authenticationService" />
</bean>
<bean name="loginAdvisor" class="org.springframework.aop.support.DefaultPointcutAdvisor">
<property name="advice" ref="loginAdvice" />
<property name="pointcut">
<bean class="org.springframework.aop.support.JdkRegexpMethodPointcut">
<property name="pattern">
<value>.*handleRequest.*</value>
</property>
</bean>
</property>
</bean>
<bean id="someProtectedController" class="org.springframework.aop.framework.ProxyFactoryBean">
<property name="target">
<ref local="someProtectedControllerTarget" />
</property>
<property name="interceptorNames">
<list>
<value>loginAdvisor</value>
<value>adminAdvisor</value>
</list>
</property>
</bean>
... the ability to reuse my existing aspects and apply them to all controllers or controller methods using annotations?