Aop custom annotations for privilege control

1. Introduction

  1. What AOP is used for: It encapsulates logic or responsibilities that are not business related but are invoked jointly by business modules, such as transaction processing, log management, privilege control, exception handling, etc., to reduce duplicate code in the system, to reduce coupling between modules, and to facilitate future operability and maintainability.

  2. Concepts in AOP:

  • Aspect: refers to the abstraction of a cross-cutting point of interest, that is, a tangent. It is similar to a class, except that the two focuses are different. A class is the abstraction of the characteristics of an object, while a tangent is the abstraction of a cross-cutting point of interest.
  • Joint point: A join point is a point that is intercepted (it can be a method, an attribute, or when a class is initialized (it can be an Action layer, a Service layer, a dao layer).In spring, these points refer to methods, because spring only supports connection points of method types, which in fact can also be field or class constructors)
  • Pointcut: The so-called entry point refers to the definition that we want to intercept those joinpoints, that is, the set of joinpoints.
  • Advice: Notification refers to what you do after intercepting a joinpoint is notification. Notification is divided into pre-notification, post-notification, exception notification, final notification, surround notification
  • Target: The target object of the proxy
  • Weave: The process of applying aspects to a target object and resulting in the creation of a proxy object is called weaving.
  • Introduction: Introductions can dynamically add methods or fields to a class at run time without modifying its class code.
  1. The benefits of AOP include reduced module coupling, ease of system expansion, and better code reuse

2. Implementation

1. Add custom comments

 * Role filtering annotations
 * Call method: @RoleFilter(roleList = {"PM", "Owner"})
 * @CreatedBy: yangcan 2020/4/1 18:52
 * @Description:
@Target(ElementType.METHOD) // Act on Methods
@Retention(RetentionPolicy.RUNTIME) // Runtime valid
public @interface RoleFilter {
    String[] roleList();

2. Add Aop Class

 * Permission Control AOP
 * @CreatedBy: yangcan 2020/4/15 9:27
 * @Description:
public class RoleFilterAop {

    private ITestService testService;

    public void roleFilter() {

    public void before(JoinPoint joinPoint) throws Throwable {
        System.out.println("Aop before");
        RoleFilter roleFilter = ((MethodSignature) joinPoint.getSignature()).getMethod().getAnnotation(RoleFilter.class);
        if (roleFilter.roleList() == null || roleFilter.roleList().length == 0) {
            //Method does not have permission control
        List<String> roleList = Arrays.asList(roleFilter.roleList());
        List<Role> myPower = testService.getMyPower(SessionHelper.getCurrentUser().getAccount());
        // Implement your own logic
        if (myPower == null || myPower.isEmpty() || -> roleList.contains(d.getRoleName())) == false) {
            throw new BaseException("You do not have permission to do this");

    public void arround(ProceedingJoinPoint joinPoint) throws Throwable {
        System.out.println("Aop arround");

    public void after(JoinPoint joinPoint) throws Throwable {
        System.out.println("Aop after");

3. Use

    @ApiOperation(response = RetResult.class, value = "test RoleFilter Aop", notes = "test RoleFilter Aop")
    @GetMapping(value = "/testRoleFilterAop")
    @RoleFilter(roleList = {"PM", "Owner"})
    public RetResult testRoleFilterAop() throws Exception {

        return Result.success();

3. end

By adding a custom comment on the method that needs to be invoked and specifying which roles can access the method, you can dynamically control the custom permissions.

4. Guess

@RoleFilter(roleList = {"PM", "Owner"})

For this permission control is write-to-death and cannot be dynamically configured. Dynamic permission control of API can be achieved by adding @ApiGroup annotation, grouping APIs, storing the corresponding relationship between roles and ApiGroups in the database, dynamically obtaining role-APIGroup relationship in AOP and dynamic permission filtering, but this requires a lot of dynamic permission control at system initialization time.Privilege initialization work (for complex To B software).

Tags: Programming Spring Attribute Database

Posted on Tue, 14 Apr 2020 21:07:00 -0700 by Angerslave