BestHub
search
Sign in
Backend Development 10 min read

Four Ways to Implement Generic Auth in Spring Boot: AOP, Interceptor, ArgumentResolver, and Filter

This article explains how to add a universal app‑key whitelist authentication feature to a Spring‑Boot web framework by using four different mechanisms—traditional AOP, HandlerInterceptor, custom HandlerMethodArgumentResolver, and a Servlet Filter—while comparing their execution order and extensibility.

IT Architects Alliance
IT Architects Alliance
IT Architects Alliance
Four Ways to Implement Generic Auth in Spring Boot: AOP, Interceptor, ArgumentResolver, and Filter

The article introduces four approaches for implementing a generic authentication (appkey whitelist) feature in a Spring‑Boot based web framework: traditional AOP, Spring Interceptor, custom ArgumentResolver, and a Servlet Filter, and provides example code for each.

Traditional AOP : Define an @Aspect class WhitelistAspect with a pointcut that matches methods annotated with @Whitelist . Use an @Before advice to invoke checkAppkeyWhitelist before the controller method runs.

@Aspect
public class WhitelistAspect {
    @Pointcut("@annotation(com.zhenbianshu.Whitelist)")
    public void whitelistPointCut() {}

    @Before(value = "whitelistPointcut() && @annotation(whitelist)")
    public void checkAppkeyWhitelist(JoinPoint joinPoint, Whitelist whitelist) {
        // check whitelist logic here
    }
}

Interceptor : Create a class WhitelistInterceptor that implements HandlerInterceptor , override preHandle to perform the whitelist check, and optionally override postHandle and afterCompletion . Register the interceptor in a WebMvcConfigurerAdapter implementation.

@Component
public class WhitelistInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Whitelist whitelist = ((HandlerMethod) handler).getMethodAnnotation(Whitelist.class);
        // whitelist validation logic
        return true;
    }
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) {}
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) {}
}

@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new WhitelistInterceptor()).addPathPatterns("/*").order(1);
    }
}

ArgumentResolver : Define a custom parameter type AuthParam and an AuthParamResolver that implements HandlerMethodArgumentResolver . Implement supportsParameter to match AuthParam and resolveArgument to build the object and perform whitelist validation. Register the resolver in the same WebMvcConfigurerAdapter .

@Component
public class AuthParamResolver implements HandlerMethodArgumentResolver {
    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.getParameterType().equals(AuthParam.class);
    }
    @Override
    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer mavContainer,
                                  NativeWebRequest webRequest, WebDataBinderFactory binderFactory) throws Exception {
        Whitelist whitelist = parameter.getMethodAnnotation(Whitelist.class);
        // whitelist validation logic
        return new AuthParam();
    }
}

@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
    @Override
    public void addArgumentResolvers(List
resolvers) {
        resolvers.add(new AuthParamResolver());
    }
}

Filter : Implement javax.servlet.Filter (e.g., WhitelistFilter ) with init , doFilter , and destroy . In doFilter perform the whitelist check and then call chain.doFilter(request, response) . Register the filter via a FilterRegistrationBean .

@Component
public class WhitelistFilter implements javax.servlet.Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // whitelist validation logic
        chain.doFilter(request, response);
    }
    @Override
    public void destroy() {}
}

@Configuration
public class FilterConfiguration {
    @Bean
    public FilterRegistrationBean
someFilterRegistration() {
        FilterRegistrationBean
registration = new FilterRegistrationBean<>();
        registration.setFilter(new WhitelistFilter());
        registration.addUrlPatterns("/*");
        registration.setName("whitelistFilter");
        registration.setOrder(1);
        return registration;
    }
}

The execution order is: Filter (Servlet level) runs first, followed by Interceptor, then ArgumentResolver, and finally the AOP advice, ensuring that each mechanism can be chosen based on its suitability and extensibility.

Each method can be extended—for example, the AOP pointcut can accept additional annotation attributes such as uid() , the interceptor can be ordered among multiple interceptors, and the resolver or filter can be customized to handle other authentication sources.

javaaopSpring BootauthenticationInterceptorfilterArgumentResolver
IT Architects Alliance
Written by

IT Architects Alliance

Discussion and exchange on system, internet, large‑scale distributed, high‑availability, and high‑performance architectures, as well as big data, machine learning, AI, and architecture adjustments with internet technologies. Includes real‑world large‑scale architecture case studies. Open to architects who have ideas and enjoy sharing.

0 followers
Reader feedback

How this landed with the community

login Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment