The AOP In Enterprise Application Information Technology Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The most fundamental principle in software engineering is that the separation of concerns leads to a system that is simpler to understand and easier to maintain. Various methodologies and frameworks support this principle in some form. For instance, with OOP, by separating interfaces from their implementation and it helps to modularize the core concerns well. But for crosscutting concerns, OOP forces the core modules to embed the crosscutting concern's logic. Although the crosscutting concerns are independent of each other, using OOP leads to an implementation that no longer preserves independence in the implementation.OOP technology to solve these problems often causes system difficult to understand, achieve and maintain.

AOP is a new programming technology, which allows developers to focus on cross-cutting concerns. Aspect-oriented Programming (AOP) provides the abstraction in concern level by the horizontal mode, and it is a new programming model, which make the modularizing crosscutting concerns as aim in higher abstraction level. AOP is real because it's been widely used and adopted in enterprise applications, Web and Application servers, Application frameworks, Monitoring tools, Compilers and IDE Integration etc.,

AOP in Enterprise Application

Enterprise applications need to address many crosscutting functionalities: transaction management, security, auditing, service-level agreement, monitoring, concurrency control, improving application availability, error handling, and so on. Many enterprise applications use AOP to implement these functionalities. All the examples in given here are based on real-world problems and their AOP solutions. Virtually every project that uses Spring uses AOP. Many applications start with prewritten aspects supplied with Spring (primarily transaction management and security). But due to the AspectJ syntax, writing custom aspects is becoming a common task. After reaching the limits of Spring AOP, many applications move toward AspectJ weaving. The typical trigger point for this change is crosscutting of domain objects or other forms of deeper crosscutting functionalities. At that time, it's common to start with the AspectJ syntax (which is used with Spring's proxy-based AOP) along with the load-time weaver. Of course, applications that don't use Spring often use AspectJ weaving from the beginning.

The IT Industry sectors in which AspectJ is used in production (with proxy-based and bytecode-based AOP) range from financial companies (banking, trading, hedge funds) and health care to various web sites (e-commerce, customer care, content providers, and so on).The common notion is that If you're implementing enterprise applications and using AOP, you are in good company.

Spring AOP

Spring offers broad AOP support, integrated into its core container proxy-based and weaving-based. Spring aims to make enterprise application development as simple and productive as possible. Examples of this philosophy can be seen in Spring's approach to JDBC, ORM, JMX, dependency injection, and many other important areas of enterprise application development. Spring also distinguishes between making something simple, and making it simplistic. The elusive combination is to provide simplicity and power. One source of complexity in enterprise applications arises from the implementation of features and requirements that impact multiple parts of the application. Code relating to these features ends up scattered across the application code, making it harder to add, maintain, and understand. Spring makes it much simpler to implement such features in a modular manner, greatly simplifying the overall application code and in some cases making it tractable to implement requirements that otherwise would just be too painful to code.

2. Aspect-Oriented



AOP Concepts

Aspect-Oriented Programming (AOP) is the invention of a programming paradigm developed by the Xerox Palo Alto Research Center (Xerox PARC) in the 20th century. It allows developers to separate tasks that should not be entangled with the cross-cutting concerns, so as to provide better procedures for the encapsulation and interoperability. The core thought of AOP is to makes a complex system as combinations by a number of concerns to achieve. After demand researched, the concerns are divided into two parts: cross-cutting concerns and core business concerns. Core business concern is the needs of the business logic, business various subsystems, such as financial systems, personnel systems. And cross-cutting concern is the needs of the various subsystems business, may be involved in some of the public functions, such as log records, security and so on.

AOP AspectJ basic concepts

Aspect-Oriented Programming (AOP) complements Object-Oriented Programming (OOP) by providing another way of thinking about program structure. The key unit of modularity in OOP is the class, whereas in AOP the unit of modularity is the aspect. Aspects enable the modularization of concerns such as transaction management that cut across multiple types and objects.

AOP concepts are :

Aspect: A modularization of a concern that cuts across multiple objects. Transaction management is a good example of a crosscutting concern in J2EE applications. In Spring AOP, aspects are implemented using regular classes (the schema-based approach) or regular classes annotated with the @Aspect annotation (@AspectJ style).

Join point: A point during the execution of a program, such as the execution of a method or the handling of an exception. In Spring AOP, a join point always represents a method execution. Join point information is available in advice bodies by declaring a parameter of type org.aspectj.lang.JoinPoint.

Advice: Action taken by an aspect at a particular join point. Different types of advice include "around," "before" and "after" advice. Advice types are discussed below. Many AOP frameworks, including Spring, model an advice as an interceptor, maintaining a chain of interceptors "around" the join point.

Pointcut: A predicate that matches join points. Advice is associated with a pointcut expression and runs at any join point matched by the pointcut (for example, the execution of a method with a certain name). The concept of join points as matched by pointcut expressions is central to AOP: Spring uses the AspectJ pointcut language by default.

Introduction: (Also known as an inter-type declaration). Declaring additional methods or fields on behalf of a type. Spring AOP allows you to introduce new interfaces (and a corresponding implementation) to any proxied object. For example, you could use an introduction to make a bean implement an IsModified interface, to simplify caching.

Target object: Object being advised by one or more aspects. Also referred to as the advised object. Since Spring AOP is implemented using runtime proxies, this object will always be a proxied object.

AOP proxy: An object created by the AOP framework in order to implement the aspect contracts (advise method executions and so on). In the Spring Framework, an AOP proxy will be a JDK dynamic proxy or a CGLIB proxy. Proxy creation is transparent to users of the schema-based and @AspectJ styles of aspect declaration introduced in Spring 2.0.

Weaving: Linking aspects with other application types or objects to create an advised object. This can be done at compile time (using the AspectJ compiler, for example), load time, or at runtime. Spring AOP, like other pure Java AOP frameworks, performs weaving at runtime.

Detailed examination of AspectJ is available in [2, 3, 10, 11].

3. Literature Review

Aspect Oriented Software Development [Robert. Filman,Tzilla Elrad , Siobhán Clarke , Mehmet Aksit] Aspect-oriented programming (AOP) is an approach that provides more advanced modularization techniques. The main characteristic of this technology is the ability to specify both the behavior of one individual concern and the way this behavior is related to other concerns (the binding). One prominent tool is AspectJ. AspectJ extends Java with mechanisms for expressing advanced modularization capabilities. In AspectJ, a unit of modularization is called an aspect, and a unit of binding is a pointcut. Applying Aspect Oriented Programming to Security [John Viega, J.T.Bloch and Pravir Chandra] AOP is a new programming paradigm that explicitly promotes separation of concern. In the context of security, this would mean that the main program should not need to encode security information instead, it should be moved into a separate, independent piece of code. Toward a Reusable and Generic Security Aspect Library [Minhuan Huang, Chunlei Wang, Lufeng Zhang] Software security usually can be viewed as the combination of two critical factors: security mechanisms and tools constructed from various security technologies(e.g. encryption/decryption, authentication and authorization, etc), and applying these technologies to software in a globally consistent way. In fact, the modularization of security-related functions, such as access controlling, or defensive input checking, is hardly to achieve with nowadays mainstream software engineering technologies. Aspect Oriented Programming has been proposed as a promising approach for modularizing cross-cutting concerns in software. AOP provides another dimension of modularity, "aspect". On the importance of the separation-of-concerns principle in secure Software Engineering [Bart De Win, Frank Piessens, Wouter Joosen, Tine Verhanneman] Causes for software security problems are pervasiveness of security, unanticipated risks and change of environment etc., Security with AspectJ [EminË™Islam Tatlı] Security belongs to non-functional logic and separation of security logic from business logic can help better management of security. The security requirements are integrity, confidentiality and authentication. Security through AOP [Bart De Win, Bart Vanhaute and Bart De Decker] since many applications are too complex to be solved ad hoc, mechanisms are being developed to deal with different concerns separately. An interesting case of this separation is security.AOP promises to tackle security problem by offering several abstractions that help to reason about and specify the concerns one at a time.

AspectJ2EE = AOP + J2EE Towards an Aspect Based, Programmable and Extensible Middleware Framework [Tal Cohen and Joseph (Yossi) Gil ] AspectJ2EE is less general (and hence less complicated) than AspectJ, yet demonstrably powerful enough for the systematic development of large scale (and distributed) applications. The introduction of parameterized aspects makes aspects in AspectJ2EE more flexible and reusable than aspects in AspectJ. AspectJ2EE also generalizes the process of binding services to user applications in the application server into a novel deploy-time weaving of aspects. Deploytime weaving is superior to traditional weaving mechanisms, in that it preserves the object model, has a better management of aspect scope, and presents a more understandable and maintainable semantic model.

AOP in Java Enterprise Applications [Sebastian Kuligowski's], allows to separate domains of your enterprise application from each other (transactions, logging, db management, security and more) and apply every in defined places (point-cuts) in application without touching business code. Dynamic aspect weaving opens possibility of choosing these places at runtime and during application execution that some aspect should be inserted before some method because it needs in some specific conditions. But if application needs to modify behavior remotely, without restarting and recompilation, without having access to the deployment directory structure. Then it is possible with written aspects from different machine using Internet connection.


Spring security along with AOP can simplify the implementation of the classic crosscutting concern of securing enterprise application. The security aspect needs to do two things, firstly select join points that need authentication or authorization and then advise the selected join points to perform authentication and authorization.

aspect SecurityAspect {

private AccessDecisionManager accessManager;

pointcut secured() : ...

before() : secured() {

SecurityAttribute sa = ...




The interesting piece of code is the computation of the security attributes. In the conventional technique, each method creates a separate security attribute object. In an AOP solution, the same advice applies to all advised join points, yet each join point may require a different attribute. Therefore, the advice may need some cooperation from the advised code or some external configuration to compute a correct attribute at each join point. One way to achieve this collaboration is to use annotations and also security aspects can be applied using either the proxy-based or byte-code based AOP. The security aspect acts as a controller that mediates between the core system and the security subsystem.

Spring security

Security requirements vary widely, and many implementations exist to meet these needs. For example, an authentication requirement may vary from simple web-based authentication to a single sign-on solution. Storage for credentials (such as passwords) and authorities (typically roles such as ADMIN or USER) varies widely as well-from a simple text file to a database or Lightweight Directory Access Protocol (LDAP). These variations make the already complex topic of security even more so. The increased complexity warrants raising the level of abstraction. But creating such an abstraction isn't always an easy task, especially if security isn't your core expertise. This is where Spring Security comes into play. By providing an abstraction layer and an implementation for most commonly used security systems, you can create powerful, portable solutions. If a supplied implementation doesn't meet your needs, you can easily extend it by implementing a few interfaces. Furthermore, Spring Security provides ready-made solutions for a few common scenarios that allow you to implement certain security requirements by including just a few lines of configuration.

Security is an important consideration in modern, highly connected software systems. Most applications need to expose functionality through multiple interfaces to allow access to the business data and make complex integration possible. But they need to do so in a secured manner. It isn't a surprise that most enterprises spend substantial time, energy, and money to secure applications. Security consists of many components such as authentication, authorization, auditing, protection against web site attacks, and cryptography. In chapter 10, we discussed auditing that you can target for various purposes including security. In this chapter, we'll focus on authentication and authorization. Implementing security using conventional programming techniques requires you to modify multiple modules to add authentication and authorization code. For instance, to implement access control in an e-commerce system, you must invoke security code from methods of inventory control and procurement modules.

The security in conventional approach: the need to secure applications is common, and there are many ways to do so. Modern APIs such as Java Authentication and Authorization Service (JAAS) and Spring Security provide a layer of abstraction over the underlying mechanism and allow you to separate the configuration from the code. The overall goal of these APIs is to reduce complexity and provide agile implementations. Yet such APIs offer only a part of the solution, leaving you with the task of calling these APIs from many places in the code. There are two ways to security, where you explicitly invoke security APIs in appropriate places and the framework-based approach, where the application framework provides support for common security use cases.

Spring Security providing an abstraction layer and an implementation for most commonly used security systems, you can create powerful, portable solutions. If a supplied implementation doesn't meet your needs, you can easily extend it by implementing a few interfaces. Furthermore, Spring Security provides

ready-made solutions for a few common scenarios that allow you to implement certain security requirements by including just a few lines of configuration. We will show how Spring Security up close to reality through implementation of authentication and authorization.

Authentication is a process that verifies that the user (human or machine) is indeed whom they claim to be. For example, the system may challenge the user with a username and password. When the user enters that information, the system verifies it against the stored credentials. Spring Security supports authentication using a wide range of authentication schemes such as basic, forms, database, LDAP, JAAS, and single sign-on. You can also roll your own authentication to support the specific scheme that your organization is using (and still utilize the rest of the framework, including authorization).After the user credentials have been authenticated, the authenticated user (more generally known as the principal) is stored in the security context. Figure 1 show the overall structure used in Spring Security for authentication.

Figure 1: Authentication and Authorization in Spring Security

Authorization is a process that establishes whether an authenticated user has sufficient privileges to access certain resources. For example, only users with the admin privilege may access certain web pages or invoke certain business methods. Spring Security provides role-based and object-level authorization. To accommodate potentially complex custom requirements, it provides several components that you can customize. Figure 2 depicts the authorization sequence.

Figure 2: Spring Security authorization sequence

Implementing security using proxy based Spring AOP shown in Figure 3 which is similar to implementation of transaction management. Because of similarities due to the common use of AOP as the underlying mechanism. Spring AOP creates a proxy around the service beans, and the security advice ensures authorized access. Spring AOP works only with Spring beans.

Figure 3 Securing the service layer using proxy-based AOP and Spring Security.

Spring Security prebuilt solutions

Spring Security provides ready-made solutions that enable developers to secure applications with a few lines of configuration. These solutions target different parts of application: web, service layer, and domain objects

Web security

Securing web applications is a common task, therefore, Spring Security provides special support for this scenario. With namespace-based configuration, a few lines can configure URL level security that ensures that the user has the right authority to access the URLs. For example, the following Spring configuration provides authentication using a default login page and ensures that any URLs that end with "delete.htm" are accessible only by users with the ADMIN role. Other URLs are accessed only by users with the USER role.

<security: http auto-config="true">

<security: intercept-url pattern="/*delete.htm" access="ROLE_ADMIN"/>

<security: intercept-url pattern="/**" access="ROLE_USER"/>

</security: http>

... declaration of user service to provide username/password

Typically, you'll start with a simple snippet as shown, modify various attributes, and add additional elements to tailor to your specific needs. For many applications, it's sufficient to secure just the UI layer. But you may want to secure the service layer as well, to prevent any errors in the UI security configuration from compromising the system. It also allows secured access through non-web interfaces.

Service level security

Because most enterprise applications utilize a service layer as the exclusive way of accessing business functionality, it makes sense to secure this layer. Spring Security provides prebuilt aspects along with namespace-based configuration support to secure the service layer with minimal code (more precisely, you can secure any Spring bean, not just those in the service layer). It offers two options to specify the access-control information: through the XML-based configuration and through annotations.



AOP being a solution for implementing crosscutting concerns and Spring provides excellent, easy-to-use AOP capabilities. Spring AOP is now remarkably easy to use for the average Java developer with traditional object-oriented programming skills. This paper shows how Spring AOP can be effectively used to implement crosscutting concerns (Security, Logging and Transactionality etc.,) in a typical software project.

To implement security, Acegi is a popular and flexible security framework that can be used in enterprise applications.Acegi integrates well with Spring and uses Spring application contexts for all configurations. Using Acegi Security greatly simplifies implementing authorization. To start, it needs a POJO class that will implement the security concern as a Spring AOP aspect. As can be seen in the listing below, the implementation of method checkSecurity (…) involves using Acegi APIs and classes such as SecurityContextHolder for retrieving the authenticated user and the user's role. Using the user and his role, an application-specific authorization can be implemented:

package com.myorg.springaop.examples;

import org.acegisecurity.context.SecurityContextHolder;

import org.acegisecurity.userdetails.UserDetails;

import org.aspectj.lang.ProceedingJoinPoint;

public class MySecurityAspect


public Object checkSecurity(ProceedingJoinPoint call) throws Throwable


System.out.println ("from security aspect: checking method call for " + call.toShortString());

Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

String username = "";

if (obj instanceof UserDetails)

username = ((UserDetails) obj).getUsername ();


username = obj.toString();

//Do authorization check here

System.out.println ("from security aspect: authenticated user is "+username);

return call.proceed();



The important thing to note is the entire authorization check lies in a separate aspect (POJO class), which is distinct from the business logic code. This security aspect can be effectively applied to our business logic method using the following Spring configuration: first, register the regular Java class SecurityAspect with Spring as a Spring bean and next, specify the pointcut and advice:

The pointcut expression is execution(*com.myorg.springaop.examples.MyService*.*(..))

The advice type is "around," and the aspect method name is checkSecurity

The Spring configuration for the security aspect:

<bean id="SecurityAspect" class="com.myorg.springaop.examples.MySecurityAspect"/>

<aop: config>

<aop: aspect ref="SecurityAspect">

<aop: pointcut id="myCutSecurity"

expression="execution (* com.myorg.springaop.examples.MyService*.*(..))"/>

<aop: around pointcut-ref="myCutSecurity" method="checkSecurity"/>

</aop: aspect>


</aop: config>

Additionally, a Spring configuration is needed for configuring Acegi with Spring. The configuration uses an in-memory data access object (DAO) provider, in which case, the developer specifies the potential users and roles in the application as simple name-value pairs, as a part of the static Spring configuration file. This can easily be inferred from the following Spring configuration:

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">

<property name="providers">


<ref local="daoAuthenticationProvider"/>




<bean id="daoAuthenticationProvider"


<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>


<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">

<property name="userMap">


sk=mypassword, ROLE_TELLER

sudha=mypassword, disabled, ROLE_TELLER




6. Conclusion

Spring Security along with AOP can simplify the implementation of the classic crosscutting concern of securing enterprise application. Aspect-Oriented Programming (AOP) complements OOP by providing another way of thinking about program structure. While OO decomposes applications into a hierarchy of objects, AOP decomposes programs into aspects or concerns. This enables modularization of concerns such as enterprise security that would otherwise cut across multiple objects. The AOP technology, particularly for secure enterprises application development AOP research, can develop more space, not be limited to the code level. For the analysis and design, AOP will play a leading role in the future.

7. Acknowledgment