0

There is a Swing based multilayer Java application, each module has its back-end and front-end.

Now we want to add security using Spring Security. We have decided not to use AspectJ because of its overhead.

Is it possible to somehow inject the Spring method call authorization to Java Security Manager so that every method call in the back-end is intercepted (or delegated to) by the annotation-based model of Spring Security?

Note:

The application contains a huge number of packages and the objects are instantiated using new operator or by reflection techniques. It is not possible to revise all instantiations and change all objects to Spring beans. Java Security Manager intercepts all method calls regardless of how the object is constructed. This is the reason we need to inject somehow Spring Security Method authorization to Java Security Manager.

Mohammad Hamed
  • 51
  • 6

1 Answers1

1

Using Spring AOP does not require AspectJ, so as long as you configure your application using Spring you should have no problems using the native JDK support (it's the default anyway). I'm not sure if you tried it and it didn't work for you, so maybe some more specific information in the question would help here.

Java Security Manager is probably a needless distraction, but maybe if you could explain what you meant to do with that in some more detail it might help as well.

And, by the way, I'm not sure what the overhead is that you mention with AspectJ, but if you think it's significant I would recommend testing first because it certainly isn't a big difference at runtime for most applications. It can even be faster than other approaches.

Dave Syer
  • 56,583
  • 10
  • 155
  • 143
  • The application contains a huge number of packages and the objects are instantiated using `new` operator or by reflection techniques. It is not possible to revise all instantiations and change all objects to Spring beans. We think Java Security Manager intercepts all method calls regardless of how the object is constructed. This is the reason we need to inject somehow Spring Security to Java Security Manager. – Mohammad Hamed Nov 19 '12 at 10:27
  • I see. As far as I know the Java SecurityManager is very much an opt-in for API designers - it is not an aspect-oriented programming model, and you have to call it explicitly in your application code if you want to add rules that are not baked into the JDK libraries. So your best choice is definitely AspectJ at this point. It should be a good experience these days with the tooling that is available. – Dave Syer Nov 19 '12 at 21:36