Is it possible to merge AOP of Spring Security with Java Security Manager?

Question

There is a Swing based multilayer Java application, each module has its back-end and front-end.

Now we want to add security using Spring Security. We have decided not to use AspectJ because of its overhead.

Is it possible to somehow inject the Spring method call authorization to Java Security Manager so that every method call in the back-end is intercepted (or delegated to) by the annotation-based model of Spring Security?

Note:

The application contains a huge number of packages and the objects are instantiated using new operator or by reflection techniques. It is not possible to revise all instantiations and change all objects to Spring beans. Java Security Manager intercepts all method calls regardless of how the object is constructed. This is the reason we need to inject somehow Spring Security Method authorization to Java Security Manager.

Answer 1

Using Spring AOP does not require AspectJ, so as long as you configure your application using Spring you should have no problems using the native JDK support (it's the default anyway). I'm not sure if you tried it and it didn't work for you, so maybe some more specific information in the question would help here.

Java Security Manager is probably a needless distraction, but maybe if you could explain what you meant to do with that in some more detail it might help as well.

And, by the way, I'm not sure what the overhead is that you mention with AspectJ, but if you think it's significant I would recommend testing first because it certainly isn't a big difference at runtime for most applications. It can even be faster than other approaches.