How it works...

In Chapter 4, Securing Spring MVC Applications, we used UserService to create the User object containing the GrantedAuthority. This chapter provides another mechanism to implement and apply the access control rules of the application: an @Around advice. The first thing DeleteAuthorizeAspect does is extract the session attribute userId generated by the LoginAuthAspect of the previous recipe. At this point, aspects can interact with each other using session and request attributes. After retrieving the empId of the currently logged-in user, the delEmployee() advice queries the permission sets assigned to the user through LoginServiceImpl. The advice permits the deletion only if one of the confirmed roles is ROLE_HR; otherwise this page will be shown on the screen:

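The advice described above, sketched as an added example and not the book's own listing. The pointcut expression, the PermissionLookup interface standing in for LoginServiceImpl, the Integer type of the userId attribute and the deny_delete view name are assumptions. The check denies by default when the session or the attribute is missing.

```java
import java.util.List;
import javax.servlet.http.HttpSession;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Aspect
@Component
public class DeleteAuthorizeAspect {

    // Assumed contract: the page only says roles are queried through LoginServiceImpl.
    public interface PermissionLookup {
        List<String> getRoles(int empId);
    }

    private static final String DENY_VIEW = "deny_delete"; // assumed view name
    private final PermissionLookup loginService;

    public DeleteAuthorizeAspect(PermissionLookup loginService) {
        this.loginService = loginService;
    }

    // Assumed pointcut: controller methods named delEmployee that return a view name.
    @Around("execution(String *..*Controller.delEmployee(..))")
    public Object delEmployee(ProceedingJoinPoint pjp) throws Throwable {
        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        // getSession(false): never create a fresh session just to run the check.
        HttpSession session = (attrs == null) ? null : attrs.getRequest().getSession(false);
        Object userId = (session == null) ? null : session.getAttribute("userId");

        // Fail closed: no session, no userId, or an unexpected type means deny.
        if (!(userId instanceof Integer)) {
            return DENY_VIEW;
        }
        List<String> roles = loginService.getRoles((Integer) userId);
        if (roles != null && roles.contains("ROLE_HR")) {
            return pjp.proceed(); // only ROLE_HR reaches the real delete handler
        }
        return DENY_VIEW; // target method is never invoked
    }
}
```

Because the advice trusts whatever LoginAuthAspect stored in the session, the userId attribute should only ever be set after a successful login and cleared on logout.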