BestHub
search
Sign in
Backend Development 9 min read

Four Ways to Implement Generic Authentication in Spring Boot: AOP, Interceptor, ArgumentResolver, and Filter

This article explains four Spring‑Boot techniques—traditional AOP, HandlerInterceptor, custom HandlerMethodArgumentResolver, and Servlet Filter—to perform generic authentication with code examples and a final comparison of their execution order.

Top Architect
Top Architect
Top Architect
Four Ways to Implement Generic Authentication in Spring Boot: AOP, Interceptor, ArgumentResolver, and Filter

The author introduces four common ways to implement a generic authentication mechanism in a Spring‑Boot application: traditional AOP, Interceptor, ArgumentResolver, and Filter, and provides concrete code samples for each.

1. Traditional AOP

Using Spring AOP, a custom aspect class is defined with a pointcut that matches methods annotated with @Whitelist . The @Before advice checks the whitelist before the controller method executes.

@Aspect
public class WhitelistAspect {
    @Before(value = "whitelistPointcut() && @annotation(whitelist)")
    public void checkAppkeyWhitelist(JoinPoint joinPoint, Whitelist whitelist) {
        checkWhitelist();
        // can use joinPoint.getArgs() and whitelist annotation parameters
    }

    @Pointcut("@annotation(com.zhenbianshu.Whitelist)")
    public void whitelistPointcut() {}
}

The aspect is applied by adding @Whitelist on controller methods.

2. Interceptor

A HandlerInterceptor implementation can inspect the request before the controller is invoked. The preHandle method checks the whitelist and returns false to block the request.

@Component
public class WhitelistInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Whitelist whitelist = ((HandlerMethod) handler).getMethodAnnotation(Whitelist.class);
        // whitelist validation logic
        return true;
    }
    // postHandle and afterCompletion omitted for brevity
}

The interceptor is registered in a WebMvcConfigurerAdapter subclass:

@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new WhitelistInterceptor()).addPathPatterns("/*").order(1);
    }
}

3. ArgumentResolver

A custom HandlerMethodArgumentResolver creates an AuthParam object from the request and validates the appkey against the whitelist.

@Component
public class AuthParamResolver implements HandlerMethodArgumentResolver {
    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.getParameterType().equals(AuthParam.class);
    }
    @Override
    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
                                  NativeWebRequest webRequest, WebDataBinderFactory binderFactory) throws Exception {
        Whitelist whitelist = parameter.getMethodAnnotation(Whitelist.class);
        // validation logic
        return new AuthParam();
    }
}

The resolver is added via the same WebMvcConfigurerAdapter :

@Override
public void addArgumentResolvers(List
argumentResolvers) {
    argumentResolvers.add(new AuthParamResolver());
}

4. Filter

A standard Servlet Filter can perform the whitelist check before the request reaches Spring. It implements javax.servlet.Filter and must invoke chain.doFilter to continue processing.

public class WhitelistFilter implements javax.servlet.Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // whitelist check logic
        chain.doFilter(request, response);
    }
    // init and destroy omitted
}

The filter is registered with a FilterRegistrationBean :

@Configuration
public class FilterConfiguration {
    @Bean
    public FilterRegistrationBean someFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new WhitelistFilter());
        registration.addUrlPatterns("/*");
        registration.setName("whitelistFilter");
        registration.setOrder(1);
        return registration;
    }
}

Summary

The four mechanisms have distinct use cases and execution order: the Servlet Filter runs first, followed by the Spring Interceptor , then the ArgumentResolver , and finally the AOP @Aspect pointcut.

JavaaopSpring BootauthenticationInterceptorfilterArgumentResolver
Top Architect
Written by

Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment