I began with the implementation last week and I think that I understand your idea.
But why must I push the Security Manager ? ( your code: ctx.pushSecurityDomain(...) //push the SecurityManager and realm Mapping) I must push RealmMapping, thats clear. ( Because of the doesUserHaveRole method) But why the SecurityManager? And the other question is how to get references of SecurityManger and RealmMapping? Must I create a constructor pointcut for these objects, to access securityManager and realmMapping in my ProgrammaticSecurityInterceptor invoke method ? I think the ProgrammaticSecurityInterceptor must be integrated in the SecurityInterceptorChain.