...
Spring security has nice support for annotation-based authorization constraints. I would suggest we switch to it and secure the system at the controller tier layer by annotating our controller methods. Spring provides an expression language we can use to declare our constraints, and we can even implement new methods in that constraint language, so that Spring delegates to our own code to answer authorization questions. It would allow new developers to work with a technology that they have seen before, and that is documented.
...