Application Security Aspects

Posted on March 21, 2005


I then presented a session on Application Security Aspects. I showed examples of how AOP can implement non-trivial application security requirements like Web application authentication, role-based and data-driven authorization, enable defense in depth (checking rules at each tier) and ensuring proper audit trails for any security decisions. A nice property of the AOP solution is it provides traceability from the design to the implementation and more understandability to end users.

AOP can also add value to data access security checks; I showed an example of checking the security context to restrict queries using TopLink APIs (which is much easier than parsing and modifying SQL strings!). It can also add value to filtering out UI entries the user isn’t entitled to see (fields or commands/buttons/links). The latter problem is often hard because of difficulty integrating with UI languages like JSP and because it’s hard to know what the boundaries of a UI control/section are in typical markup (unless developers use custom tags that define controls or add some kind of XML annotation – marker tags). Overall, AOP is a great way to implement a number of typically scattered security designs, and is a big help on implementing others, though there is more work required to make it easy. All of this is ripe for reusable aspects that do a lot more for you than checking JAAS permissions based on an annotation!

The slides for this presentation are available online at