I’m using spring MVC, and I have a custom authentication/security system that I had to build.

NOTE:  I know of spring security, but my requirements were to do this in a custom way so please not looking for suggestions about using spring's security modules.

When the user logs into the system, it creates a session cookie. When the user visits a page, a interceptor looks for the existance of that cookie, and looks up the session guid in mysql and if it is present that it loads some data and stores it in the request’s attributes.

Now for pages where the user has to be logged in, how can I restrict access at the controller level?

I could do this in an interceptor:

if url.contains("projects/") ...

If I want to restrict access to only logged in users in the ProjectController, but this isn’t really something I want to do.

But I am looking for maybe a annotation I could add at the controller level, or maybe somehow create a BaseController that all controllers that require a loggedin user will inherit from.

What are my options for something like this?

In ASP.NET, I created a baseController, and the controller has an event cycle, and in the before-action fired event I checked to see if the user was logged in.

So looking for suggestions for spring mvc?

Update

For example, in ASP.NET you have 2 methods, 1 that fires just before the controller’s action method and one that fires after:

Controller.OnActionExecuting 
Controller.OnActionExecuted

http://msdn.microsoft.com/en-us/library/system.web.mvc.controller.onactionexecuting.aspx

So in the OnActionExecuting, I can actually see exactly which controller I am in, and which action is about to get called in a programatic way, not by looking at the request URL and then doing string compares to see if it is a particular controller etc.

So in this event, I can simply check for things in cookies or in my request attributes etc.

This is a much more stable way to do it, does spring have anything similiar?