BestHub
Sign in
Backend Development 10 min read

Four Ways to Implement a Generic Auth Whitelist in Spring Boot: AOP, Interceptor, ArgumentResolver, and Filter

This article explains four Spring‑Boot techniques—traditional AOP, HandlerInterceptor, HandlerMethodArgumentResolver, and Servlet Filter—to implement a reusable appkey whitelist validation, provides complete code examples for each, and clarifies their execution order within the request processing pipeline.

Selected Java Interview Questions
Selected Java Interview Questions
Selected Java Interview Questions
Four Ways to Implement a Generic Auth Whitelist in Spring Boot: AOP, Interceptor, ArgumentResolver, and Filter

The article introduces four approaches for implementing a generic authentication whitelist in a Spring Boot web framework: traditional AOP, Interceptor, ArgumentResolver, and Filter, each with example code and a brief discussion of extensibility.

Traditional AOP

Using Spring AOP, a custom @Aspect class defines a pointcut and a @Before advice that checks the whitelist before controller methods are invoked.

@Aspect
public class WhitelistAspect {
    @Before(value = "whitelistPointcut() && @annotation(whitelist)")
    public void checkAppkeyWhitelist(JoinPoint joinPoint, Whitelist whitelist) {
        checkWhitelist();
        // joinPoint.getArgs() can retrieve method arguments
        // whitelist provides annotation parameters
    }

    @Pointcut("@annotation(com.zhenbianshu.Whitelist)")
    public void whitelistPointCut() {}
}

Controllers annotate methods with @Whitelist to trigger the check.

Interceptor

Implementing HandlerInterceptor allows pre‑handle logic that can abort the request by returning false. The interceptor is registered via WebMvcConfigurerAdapter.

@Component
public class WhitelistInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Whitelist whitelist = ((HandlerMethod) handler).getMethodAnnotation(Whitelist.class);
        // use request and whitelist to validate
        return true;
    }
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {}
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {}
}
@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new WhitelistInterceptor()).addPathPatterns("/*").order(1);
    }
}

ArgumentResolver

A custom HandlerMethodArgumentResolver creates an AuthParam object from the request and validates the whitelist inside resolveArgument. It is also registered via WebMvcConfigurerAdapter.

@Component
public class AuthParamResolver implements HandlerMethodArgumentResolver {
    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.getParameterType().equals(AuthParam.class);
    }
    @Override
    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer, NativeWebRequest webRequest, WebDataBinderFactory binderFactory) throws Exception {
        Whitelist whitelist = parameter.getMethodAnnotation(Whitelist.class);
        // validate whitelist using webRequest
        return new AuthParam();
    }
}
@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
        argumentResolvers.add(new AuthParamResolver());
    }
}

Filter

A servlet Filter runs before Spring’s dispatcher, checking the whitelist using raw ServletRequest and must explicitly invoke FilterChain.doFilter to continue processing.

public class WhitelistFilter implements javax.servlet.Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // perform whitelist check
        chain.doFilter(request, response);
    }
    @Override
    public void destroy() {}
}
@Configuration
public class FilterConfiguration {
    @Bean
    public FilterRegistrationBean someFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new WhitelistFilter());
        registration.addUrlPatterns("/*");
        registration.setName("whitelistFilter");
        registration.setOrder(1);
        return registration;
    }
}

Summary

The execution order is: Filter (Servlet level) → Interceptor → ArgumentResolver → AOP advice. The article demonstrates each method, discusses when to prefer one over another, and shows how to configure them in a Spring Boot project.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

aopbackend-developmentSpring BootInterceptorfilterArgumentResolver
Selected Java Interview Questions
Written by

Selected Java Interview Questions

A professional Java tech channel sharing common knowledge to help developers fill gaps. Follow us!

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment