Server Side Authorization with Spring & AOP

  Asked By: Diane    Date: Aug 01    Category: Java    Views: 2056
  

I'm working on an app written using Spring and Axis web services. Now I
want to add server-side authorization to the app, but I don't want to
add a line of code at the start of every method, so I decided to use
Spring AOP. As you know, service objects are created outside the Spring
container. I wanted to know: is it possible to intercept an object
that is created outside the Spring container (without using the AspectJ
compiler)? I've heard it could be done in Spring 2.
We are using Spring 1.2.4. Have you had compatibility issues with
Spring 2? (As you know, Spring 2 has backward compatibility with 1.x
versions.)
And the last question: do you know a better way to do server-side
authorization?


 

5 Answers Found

 
Answer #1    Answered By: Guadalupe Rogers     Answered On: Aug 01

I think the best way to do server-side authorization is JAAS (Java Authentication and Authorization Service). The service is supported by Spring and you do not have any concerns about authorization.

 
Answer #2    Answered By: Gustavo Taylor     Answered On: Aug 01

I think the best way for web services authentication/authorization is WS Security, standardized by W3C. It is distributed with Axis 2, but you can add it to your Axis 1.x. Just google it for details.



I don't know how to intercept external objects into Spring, but there is Acegi Security, developed for Spring, that as I remember has URL-based authorization, which may help you to some extent.

 
Answer #3    Answered By: Velma Adams     Answered On: Aug 01

You can use the Spring 2.0 AspectJ pointcut language without using AspectJ, although Spring 2.0 isn't officially released (rc3 at the moment). You can also use the Spring 1.2.x BeanNameAutoProxyCreator class to reach your pointcut. Spring 2.0 is backward compatible with 1.2.x, but I remember that I once migrated from 1.2.3 to 2.0-m2 a few months ago and the Spring MVC upload mechanism couldn't work. As far as I can see, though, the Spring team has worked a lot on this backward compatibility, and I think you should face no major problem. In order not to reinvent the wheel, I suggest that you'd better take a look at Acegi as well...

 
Answer #4    Answered By: Wilbur Hall     Answered On: Aug 01

Involvement of Spring and AOP aside, I'd like to highlight two patterns that are used for web-tier and business-tier components. In general (as it applies to your application), once there are multiple entry points to an application and once all of them require authentication and authorization, you can centralize AA enforcement and encapsulate security mechanisms using a facade or a controller in order to enforce the AA logic across all components and operations within your application.

Encapsulating AA logic behind a common interface will make it a lot easier to migrate this to any part of the enterprise.

There are different strategies for implementing the AA enforcement pattern, and I wish I had an electronic version of my catalog, but anyway the following could highlight some aspects of authentication and authorization enforcement patterns:

https://netfiles.uiuc.edu/mhafiz/www/ResearchandPublications/secpatclassify.pdf

Note that customized implementation of such mechanisms introduces risks and issues such as not being aligned with J2EE standards, while the spec recommends avoiding customized and developed implementations of security control mechanisms as much as possible and leaving the functionality to the framework. At the same time, JAAS is highly recommended due to its alignment with standards.

Also, when you define your own security control there is a high chance of leaving the application open to attacks.

If you decide to apply this approach, make sure you review the pattern completely and choose the best one that fulfills your application requirements.
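
The centralized enforcement discussed in this thread, as an added example that is not part of any poster's answer and is not Spring or Acegi code: a plain JDK dynamic proxy wraps a service object created outside any container and checks the caller's role before every method, denying by default. The names `AccountService`, `RequiresRole`, `ROLES` and `secure` are hypothetical, and the role set is assumed to be filled in by the web-service entry point after authentication.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class AuthzProxyDemo {
    // Hypothetical marker: the role a caller needs to invoke the method.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface AccountService {                        // hypothetical business interface
        @RequiresRole("teller") String balance(String account);
        @RequiresRole("admin")  void close(String account);
        String ping();                                // no annotation: denied by default
    }

    static class AccountServiceImpl implements AccountService {
        public String balance(String a) { return a + ": 100"; }
        public void close(String a) { }
        public String ping() { return "pong"; }
    }

    // Roles of the authenticated caller for the current request (assumption:
    // the entry point sets this per request and clears it afterwards).
    static final ThreadLocal<Set<String>> ROLES = ThreadLocal.withInitial(Collections::emptySet);

    // Wraps an existing object; the object itself needs no security code.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresRole r = method.getAnnotation(RequiresRole.class);
            // Fail closed: a method without a declared role is never callable.
            if (r == null || !ROLES.get().contains(r.value()))
                throw new SecurityException("access denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); } // unwrap target's exception
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, h);
    }

    public static void main(String[] args) {
        AccountService svc = secure(AccountService.class, new AccountServiceImpl());
        ROLES.set(new HashSet<>(Arrays.asList("teller")));   // constructed sample caller
        System.out.println(svc.balance("acct-1"));            // allowed for "teller"
        for (Runnable call : new Runnable[]{ () -> svc.close("acct-1"), svc::ping }) {
            try { call.run(); }
            catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

The check only runs for calls that go through the proxy, so every entry point must hand out the wrapped reference and never the raw implementation.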

 
Answer #5    Answered By: Chione Massri     Answered On: Aug 01

I think you can look at acegi-security at the following address:
http://www.acegisecurity.org/

 



