Spring Security (3) Implementation of Proxies

To create an  AOP proxy in Spring, you should use the ProxyFactoryBean. This gives complete control over the pointcuts and advice that will apply, and their ordering. However, there are simpler options that are preferable if you don’t need such control. Within the ProxyFactoryBean, you need to provide some property values.

proxyInterfaces – where you specify which interface you would like to create proxy for

interceptorNames – a list of inceptor names. The interceptor will be used to do some business before and after running the method.

target – A reference to the implementation class

<bean id="documentViewService" class="org.springframework.aop.framework.ProxyFactoryBean">

<property name="proxyInterfaces"


    <property name="interceptorNames">





    <property name="target">

        <ref bean="documentViewServiceImpl"/>




Then you can specify your interceptor class with the logic that you would like to add to the method while accessing, such as security check.


<bean id="documentViewServiceInterceptor"


    <property name="documentViewAccessDecisionManager">

        <ref local="documentViewAccessDecisionManager"/>


    <property name="accessDecisionManager">

        <ref local="documentViewAccessDecisionManager"/>


<property name="exemptMethods">







The interceptor class has predefined some properties, which includes the name of the method that should be excluded to apply the logic specified by the interceptor. In order to prevent some redundant work, you might want to exclude those methods before invoking them. To do this, you need to specify it inside the beforeInvocation() method.


public class DocumentViewServiceInterceptor extends MethodSecurityInterceptor implements Serializable {

private DocumentViewAccessDecisionManager documentViewAccessDecisionManager;

public InterceptorStatusToken beforeInvocation(Object object) {

            //skip the exempt methods


public Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {

Authentication authenticated = SecurityContextHolder.getContext().getAuthentication();

try {

    this.documentViewAccessDecisionManager.decide(authenticated, returnedObject, null);

} catch (InsufficientAuthenticationException e) {

               //your solution if user not authorised 





As you can see from the preceding code, we use documentViewAccessDecisionManager which implements AccessDecisionManager to decide whether user have the authorisation to access the current method. If user does not authorised to access, an InsufficientAuthenticationException will be thrown. If such an exception is caught in the interceptor class, you can specify your solution in the catch clause.





This entry was posted in Spring. Bookmark the permalink.

One Response to Spring Security (3) Implementation of Proxies

  1. 复飞 says:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s