The RoleBasedAccessProtocol aspect has two abstract pointcuts that need to be defined in the aspect XML definition:

Example of how to define the security aspect (for example, authenticate on facade methods and authorize on service methods):

<aspect class="security.RoleBasedAccessProtocol" 
        container="org.codehaus.aware.container.SpringAspectContainer">
    <pointcut name="authenticationPoints" 
              expression="execution(* *..facade.*.*(..))"/>
    <pointcut name="authorizationPoints" 
              expression="execution(* *..service.*.*(..))"/>
</aspect>

AspectWerkz supports passing parameters to aspects, but since the definition of roles and permissions is hierarchical, it is hard to handle with key:value pairs only. This makes it a great showcase for the SpringAspectContainer, in which we can define the security permissions using Spring.

Simply add something like this to your aware-config.xml and put it on the classpath:

<bean id="org.codehaus.aware.security.RoleBasedAccessProtocol"
    class="org.codehaus.aware.security.RoleBasedAccessProtocol"
    singleton="false"
    init-method="intialize">

    <property name="type">
        <value>JAAS</value>
    </property>

    <property name="roles">
        <list>
            <value>admin</value>
            <value>jboner</value>
        </list>
    </property>

    <property name="permissions">
        <list>
            <bean class="org.codehaus.aware.security.Permission">
                <property name="role">
                    <value>jboner</value>
                </property>
                <property name="className">
                    <value>org.codehaus.aware.security.SecurityHandlingTest</value>
                </property>
                <property name="methodName">
                    <value>authorizeMe1</value>
                </property>
            </bean>

            <bean class="org.codehaus.aware.security.Permission">
                <property name="role">
                    <value>jboner</value>
                </property>
                <property name="className">
                    <value>org.codehaus.aware.security.SecurityHandlingTest</value>
                </property>
                <property name="methodName">
                    <value>authorizeMe2</value>
                </property>
            </bean>
        </list>
    </property>

</bean>

So what is all this? If we take it step by step:

In the first section:

<bean id="org.codehaus.aware.security.RoleBasedAccessProtocol"
    class="org.codehaus.aware.security.RoleBasedAccessProtocol"
    singleton="false"
    init-method="intialize">

we are mapping the security aspect class to a name (in this case the two are the same). Then we tell Spring to use the prototype pattern and not instantiate the aspect as a singleton, and finally we name the method that should be used to initialize the aspect.

In the next section:

<property name="type">
    <value>JAAS</value>
</property>

we tell the aspect to use the JAAS security scheme.

Then we define the roles that we want to use:

<property name="roles">
    <list>
        <value>admin</value>
        <value>jboner</value>
    </list>
</property>

And finally we define the permissions. This is similar to how it is done in EJB: we define one permission by specifying which method in which class we want authorization to take place, then we bind this to a role (one of the roles previously defined):

<property name="permissions">
    <list>
        <bean class="org.codehaus.aware.security.Permission">
            <property name="role">
                <value>jboner</value>
            </property>
            <property name="className">
                <value>foo.bar.Baz</value>
            </property>
            <property name="methodName">
                <value>authorizeMe1</value>
            </property>
        </bean>

        <bean class="org.codehaus.aware.security.Permission">
            <property name="role">
                <value>jboner</value>
            </property>
            <property name="className">
                <value>foo.bar.Baz</value>
            </property>
            <property name="methodName">
                <value>authorizeMe2</value>
            </property>
        </bean>
    </list>
</property>
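
An added example, not part of AWare: a small Python check over a configuration in the format shown above. It reports permissions bound to a role that is missing from the roles list, declared roles that no permission refers to, and permissions with an empty field. The `guest` entry in the sample is constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format shown above; the "guest" permission is
# deliberately bound to an undeclared role to exercise the check.
SAMPLE = """
<bean id="org.codehaus.aware.security.RoleBasedAccessProtocol"
      class="org.codehaus.aware.security.RoleBasedAccessProtocol">
  <property name="roles"><list><value>admin</value><value>jboner</value></list></property>
  <property name="permissions">
    <list>
      <bean class="org.codehaus.aware.security.Permission">
        <property name="role"><value>jboner</value></property>
        <property name="className"><value>foo.bar.Baz</value></property>
        <property name="methodName"><value>authorizeMe1</value></property>
      </bean>
      <bean class="org.codehaus.aware.security.Permission">
        <property name="role"><value>guest</value></property>
        <property name="className"><value>foo.bar.Baz</value></property>
        <property name="methodName"><value>authorizeMe2</value></property>
      </bean>
    </list>
  </property>
</bean>
"""

def _prop(bean, name):
    """Return the <property name=...> child of a bean, or None."""
    return next((p for p in bean.findall("property") if p.get("name") == name), None)

def _text(bean, name):
    p = _prop(bean, name)
    return (p.findtext("value") or "").strip() if p is not None else ""

def audit(xml_text):
    """Return (undeclared, unused, incomplete) findings for one aspect bean."""
    root = ET.fromstring(xml_text)
    roles_p, perms_p = _prop(root, "roles"), _prop(root, "permissions")
    roles = {v.text.strip() for v in roles_p.iter("value") if v.text} if roles_p is not None else set()
    perms = [tuple(_text(b, k) for k in ("role", "className", "methodName"))
             for b in (perms_p.findall("list/bean") if perms_p is not None else [])]
    undeclared = [p for p in perms if p[0] and p[0] not in roles]  # role not in <roles>
    unused = sorted(roles - {p[0] for p in perms})                 # role with no permission
    incomplete = [p for p in perms if not all(p)]                  # empty role/class/method
    return undeclared, unused, incomplete

if __name__ == "__main__":
    for label, items in zip(("undeclared role", "role without permissions", "incomplete permission"), audit(SAMPLE)):
        for item in items:
            print(f"{label}: {item}")
```

Run against the configuration shown earlier on this page, the only finding is that `admin` is declared but has no permission bound to it.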