Pretty interesting approach. I also tried something similar; however, I split CheckPolicy into two separate annotations — PreAuthorize and PostAuthorize (similar to the Spring Security annotations) — to differentiate when the policy logic is executed.
That said, I’m not a fan of using Spring Security’s PreAuthorize and PostAuthorize for smaller policies, as it ends up scattering policy definitions across different places (mixing SpEL and Java-based policies if you also use the custom annotations).
For externalized policy definitions, how would you parse YAML-based policies in Java to use them in a PDP?
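One way to load YAML policies into a small PDP that evaluates pre- and post-invocation rules separately, as an added example (not the commenter's code or the article's CheckPolicy implementation). It assumes SnakeYAML 2.x (`org.yaml.snakeyaml`) and Java 17, and the policy schema (`phase`, `effect`, `action`, `roles`, `condition`) and the two-word condition vocabulary are invented for illustration:

```java
import java.util.*;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Loads YAML policies and decides requests, keeping PRE and POST rules apart. */
public class YamlPolicyDecisionPoint {

    public enum Phase { PRE, POST }
    public enum Effect { ALLOW, DENY }

    /** One policy: which phase it runs in, the action it covers, required roles, optional condition. */
    public record Policy(String name, Phase phase, Effect effect, String action,
                         Set<String> roles, String condition) {}

    /** Subject, roles and whatever resource attributes are known in the current phase. */
    public record Request(String subject, Set<String> roles, String action,
                          Map<String, Object> resource) {}

    private final List<Policy> policies;

    @SuppressWarnings("unchecked")
    public YamlPolicyDecisionPoint(String yaml) {
        // SafeConstructor restricts the loader to plain maps, lists and scalars, so a
        // tampered policy file cannot name arbitrary classes to instantiate.
        Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
        Map<String, Object> root = loader.load(yaml);
        List<Map<String, Object>> raw = (List<Map<String, Object>>) root.get("policies");
        if (raw == null) throw new IllegalArgumentException("no 'policies' list in file");
        this.policies = raw.stream().map(YamlPolicyDecisionPoint::toPolicy).toList();
    }

    @SuppressWarnings("unchecked")
    private static Policy toPolicy(Map<String, Object> m) {
        Phase phase = Phase.valueOf(require(m, "phase").toUpperCase(Locale.ROOT));
        Effect effect = Effect.valueOf(require(m, "effect").toUpperCase(Locale.ROOT));
        List<String> roles = (List<String>) m.getOrDefault("roles", List.of());
        Object condition = m.get("condition"); // optional
        return new Policy(require(m, "name"), phase, effect, require(m, "action"),
                Set.copyOf(roles), condition == null ? null : condition.toString());
    }

    private static String require(Map<String, Object> m, String key) {
        Object v = m.get(key);
        if (v == null) throw new IllegalArgumentException("policy missing '" + key + "': " + m);
        return v.toString();
    }

    /** Deny-overrides combining: a matching DENY wins; else ALLOW only if some ALLOW matched. */
    public Effect decide(Phase phase, Request req) {
        boolean allowed = false;
        for (Policy p : policies) {
            if (p.phase() != phase || !p.action().equals(req.action())) continue;
            if (!p.roles().isEmpty() && Collections.disjoint(p.roles(), req.roles())) continue;
            if (!conditionHolds(p.condition(), req)) continue;
            if (p.effect() == Effect.DENY) return Effect.DENY;
            allowed = true;
        }
        return allowed ? Effect.ALLOW : Effect.DENY;
    }

    // A fixed, tiny condition vocabulary instead of embedding an expression language.
    private static boolean conditionHolds(String condition, Request req) {
        if (condition == null) return true;
        return switch (condition) {
            case "owner" -> req.subject().equals(req.resource().get("owner"));
            case "classified" -> Boolean.TRUE.equals(req.resource().get("classified"));
            default -> throw new IllegalArgumentException("unknown condition: " + condition);
        };
    }

    // Constructed sample policy file: role check before the call, ownership check on the result.
    static final String SAMPLE = """
        policies:
          - name: readers-may-call
            phase: pre
            effect: allow
            action: document:read
            roles: [editor, viewer]
          - name: owner-sees-document
            phase: post
            effect: allow
            action: document:read
            condition: owner
          - name: classified-never-leaves
            phase: post
            effect: deny
            action: document:read
            condition: classified
        """;

    public static void main(String[] args) {
        var pdp = new YamlPolicyDecisionPoint(SAMPLE);
        var before = new Request("alice", Set.of("viewer"), "document:read", Map.of());
        System.out.println("PRE  alice: " + pdp.decide(Phase.PRE, before));
        var after = new Request("alice", Set.of("viewer"), "document:read",
                Map.of("owner", "bob", "classified", false));
        System.out.println("POST alice on bob's document: " + pdp.decide(Phase.POST, after));
        var own = new Request("bob", Set.of("viewer"), "document:read",
                Map.of("owner", "bob", "classified", true));
        System.out.println("POST bob on classified document: " + pdp.decide(Phase.POST, own));
    }
}
```

The PRE request carries no resource attributes because the document has not been loaded yet, which is exactly why the ownership rule has to live in the POST phase; a PreAuthorize-style interceptor would call `decide(Phase.PRE, ...)` before the method and a PostAuthorize-style one would call `decide(Phase.POST, ...)` with the return value's attributes. Any unknown `condition` or missing required key fails at load time rather than silently allowing.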