I'm quite new to the Spring Security framework, and especially ACLs. After a few hours of reading I think I grasped most of what I need to do to start securing my application.
However, something bothers me: while it's very easy to find usage descriptions on how to read the ACL permissions (via @PreAuthorize, for example), it starts getting confusing when you want to create and persist them.
The Spring Security manual tells us they don't want to bother with any standard but we are encouraged to use AOP. Many tutorials and answers here rather use the AclService directly inside their business code, destroying the "separation of concerns" principle in the process.
So what should I do? How do the pros do it? Should I try defining pointcuts on custom annotations for creation/deletion of ACL entries? Or should I "pollute" my code with ACL concerns?