Involvement of Spring and AOP aside, I'd like to highlight two patterns that are used for web-tier and business-tier components. In general (as it applies to your application), once there are multiple entry points to an application and once all of them require authentication and authorization, you can centralize AA enforcement and encapsulate security mechanisms using a facade or a controller in order to enforce the AA logic across all components and operations within your application.
Encapsulating AA logic behind a common interface will make it a lot easier to migrate this to any part of the enterprise.
There are different strategies for implementing the AA enforcement pattern and
I wish I had an electronic version of my catalog, but anyway, the following could highlight some aspects of authentication and authorization enforcement patterns:
https://netfiles.uiuc.edu/mhafiz/www/ResearchandPublications/secpatclassify.pdf
Note that a customized implementation of such mechanisms introduces risks and issues, such as not being aligned with J2EE standards, while the spec recommends avoiding customized and developed implementations of security control mechanisms as much as possible and leaving the functionality to the framework. At the same time, JAAS is highly recommended due to its alignment with standards.
Also, when you define your own security control there is a high chance of leaving the application open to attacks.
If you decide to apply this approach, make sure you review the pattern completely and choose the best one that fulfills your application requirements.
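
The facade arrangement described in the post above, as an added sketch that is not part of the original post: every business call passes through one entry point that authenticates and then authorizes behind a common interface. All names (`AccessEnforcer`, `SecureFacade`, the tokens and grants) are hypothetical, and the in-memory enforcer stands in for a framework-backed one such as JAAS.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

// Hypothetical names throughout; none of this is Spring, JAAS or J2EE API.
public class SecureFacadeExample {
    /** Common interface: the mechanism behind it can be swapped without touching callers. */
    interface AccessEnforcer {
        String authenticate(String token);                  // returns the principal or throws
        void authorize(String principal, String operation); // throws if not permitted
    }
    /** Constructed in-memory data for the demo; a real enforcer delegates to the framework. */
    static final class InMemoryEnforcer implements AccessEnforcer {
        private final Map<String, String> sessions = Map.of("tok-alice", "alice", "tok-bob", "bob");
        private final Map<String, Set<String>> grants = Map.of(
                "alice", Set.of("account.read", "account.close"),
                "bob", Set.of("account.read"));

        public String authenticate(String token) {
            String principal = (token == null) ? null : sessions.get(token);
            if (principal == null) throw new SecurityException("unauthenticated");
            return principal;
        }
        public void authorize(String principal, String operation) {
            // Default deny: unknown principals and unlisted operations are refused.
            if (!grants.getOrDefault(principal, Set.of()).contains(operation))
                throw new SecurityException(principal + " may not " + operation);
        }
    }
    /** Single entry point: business components are only reachable through invoke(). */
    static final class SecureFacade {
        private final AccessEnforcer enforcer;
        SecureFacade(AccessEnforcer enforcer) { this.enforcer = enforcer; }

        <T> T invoke(String token, String operation, Supplier<T> businessCall) {
            String principal = enforcer.authenticate(token); // authentication first
            enforcer.authorize(principal, operation);        // then authorization
            return businessCall.get();                       // reached only if both passed
        }
    }
    public static void main(String[] args) {
        SecureFacade facade = new SecureFacade(new InMemoryEnforcer());
        System.out.println(facade.invoke("tok-alice", "account.close", () -> "closed"));
        try {
            facade.invoke("tok-bob", "account.close", () -> "closed");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```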