feat[litemall-admin-api]：后端API访问需要校验权限

835fd6f8 · Junling Bu · 457b7ad9 · 835fd6f8 · 457b7ad9 · 457b7ad9
Commit 835fd6f8 authored Jan 01, 2019 by Junling Bu
--- a/doc/admin.md
+++ b/doc/admin.md
@@ -80,39 +80,9 @@
 ### 4.1.8 安全
-#### 4.1.8.1 Token
+这里的安全基于Shiro。
-管理员登录成功以后，后端会返回token，之后管理员的请求都会携带token。
+#### 4.1.8.1 认证
-见AdminWebMvcConfiguration类、LoginAdmin和LoginAdminHandlerMethodArgumentResolver类。
-管理后台后端服务每次请求都会检测是否存在HTTP头部域`X-Litemall-Admin-Token`。
-如果存在，则内部查询转换成LoginAdmin，然后作为请求参数。
-如果不存在，则作为null请求参数。
-而具体的后端服务controller中，则可以利用LoginAdmin来检查。
-例如管理员地址服务中：
-```
-@RestController
-@RequestMapping("/admin/address")
-@Validated
-public class AdminAddressController {
-    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       Integer userId, String name,
-                       @RequestParam(defaultValue = "1") Integer page,
-                       @RequestParam(defaultValue = "10") Integer limit,
-                       @Sort @RequestParam(defaultValue = "add_time") String sort,
-                       @Order @RequestParam(defaultValue = "desc") String order) {
-        if (adminId == null) {
-            return ResponseUtil.unlogin();
-        }
-        ...
-    }
-```
-如果检测`adminId`是null，则返回错误信息“管理员未登录”。
 #### 4.1.8.2 账号密码加盐
@@ -120,12 +90,17 @@ public class AdminAddressController {
 而如果用户采用了账号和密码的形式登录，那么后端需要把用户密码加盐。
+#### 4.1.8.3 权限管理
 ### 4.1.9 定时任务
-AdminOrderController类存在以下三个方法，其实是三个定时任务：
+job子包存在以下定时任务：
-* checkOrderUnpaid
+* OrderJob类
-* checkOrderUnconfirm
+  * checkOrderUnpaid
-* checkOrderComment
+  * checkOrderUnconfirm
+  * checkOrderComment
+* CouponJob类
+  * checkCouponExpired
 注意：
 > 虽然定时任务放在AdminOrderController类中，但是可能这里不是很合适，

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/LoginAdmin.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/LoginAdmin.java
-package org.linlinjava.litemall.admin.annotation;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-@Target(ElementType.PARAMETER)
-@Retention(RetentionPolicy.RUNTIME)
-public @interface LoginAdmin {
-}
--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/support/LoginAdminHandlerMethodArgumentResolver.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/support/LoginAdminHandlerMethodArgumentResolver.java
-package org.linlinjava.litemall.admin.annotation.support;
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.subject.Subject;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
-import org.linlinjava.litemall.db.domain.LitemallAdmin;
-import org.springframework.core.MethodParameter;
-import org.springframework.web.bind.support.WebDataBinderFactory;
-import org.springframework.web.context.request.NativeWebRequest;
-import org.springframework.web.method.support.HandlerMethodArgumentResolver;
-import org.springframework.web.method.support.ModelAndViewContainer;
-public class LoginAdminHandlerMethodArgumentResolver implements HandlerMethodArgumentResolver {
-    @Override
-    public boolean supportsParameter(MethodParameter parameter) {
-        return parameter.getParameterType().isAssignableFrom(Integer.class) && parameter.hasParameterAnnotation(LoginAdmin.class);
-    }
-    @Override
-    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer container,
-                                  NativeWebRequest request, WebDataBinderFactory factory) throws Exception {
-        Subject currentUser = SecurityUtils.getSubject();
-        LitemallAdmin admin = (LitemallAdmin) currentUser.getPrincipal();
-        if (admin == null) {
-            throw new AuthenticationException();
-        }
-        return admin.getId();
-    }
-}
--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/AdminWebMvcConfigurer.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/AdminWebMvcConfigurer.java
-package org.linlinjava.litemall.admin.config;
-import org.linlinjava.litemall.admin.annotation.support.LoginAdminHandlerMethodArgumentResolver;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.method.support.HandlerMethodArgumentResolver;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import java.util.List;
-@Configuration
-public class AdminWebMvcConfigurer implements WebMvcConfigurer {
-    @Override
-    public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
-        argumentResolvers.add(new LoginAdminHandlerMethodArgumentResolver());
-    }
-}
--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/ShiroConfig.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/ShiroConfig.java
@@ -11,6 +11,7 @@ import org.linlinjava.litemall.admin.shiro.AdminWebSessionManager;
 import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -72,9 +73,9 @@ public class ShiroConfig {
    }
    @Bean
-    public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
+    @DependsOn("lifecycleBeanPostProcessor")
+    public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
-        creator.setUsePrefix(true);
        return creator;
    }
 }
--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -27,9 +27,9 @@ public class AdminAdController {
    @Autowired
    private LitemallAdService adService;
-    @GetMapping("/list")
+    @RequiresPermissions("admin:ad:list")
-    public Object list(@LoginAdmin Integer adminId,
+    @RequestMapping("/list")
-                       String name, String content,
+    public Object list(String name, String content,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -55,8 +55,9 @@ public class AdminAdController {
        return null;
    }
+    @RequiresPermissions("admin:ad:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallAd ad) {
+    public Object create(@RequestBody LitemallAd ad) {
        Object error = validate(ad);
        if (error != null) {
            return error;
@@ -65,14 +66,16 @@ public class AdminAdController {
        return ResponseUtil.ok(ad);
    }
+    @RequiresPermissions("admin:ad:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallAd brand = adService.findById(id);
        return ResponseUtil.ok(brand);
    }
+    @RequiresPermissions("admin:ad:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallAd ad) {
+    public Object update(@RequestBody LitemallAd ad) {
        Object error = validate(ad);
        if (error != null) {
            return error;
@@ -84,8 +87,9 @@ public class AdminAdController {
        return ResponseUtil.ok(ad);
    }
+    @RequiresPermissions("admin:ad:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallAd ad) {
+    public Object delete(@RequestBody LitemallAd ad) {
        Integer id = ad.getId();
        if (id == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAddressController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAddressController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -52,9 +52,9 @@ public class AdminAddressController {
        return addressVo;
    }
+    @RequiresPermissions("admin:address:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(Integer userId, String name,
-                       Integer userId, String name,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdminController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdminController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.RegexUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
@@ -16,7 +16,6 @@ import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import javax.validation.constraints.NotNull;
-import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -32,9 +31,9 @@ public class AdminAdminController {
    @Autowired
    private LitemallAdminService adminService;
+    @RequiresPermissions("admin:admin:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String username,
-                       String username,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -63,8 +62,9 @@ public class AdminAdminController {
        return null;
    }
+    @RequiresPermissions("admin:admin:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallAdmin admin) {
+    public Object create(@RequestBody LitemallAdmin admin) {
        Object error = validate(admin);
        if (error != null) {
            return error;
@@ -84,14 +84,16 @@ public class AdminAdminController {
        return ResponseUtil.ok(admin);
    }
+    @RequiresPermissions("admin:admin:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallAdmin admin = adminService.findById(id);
        return ResponseUtil.ok(admin);
    }
+    @RequiresPermissions("admin:admin:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallAdmin admin) {
+    public Object update(@RequestBody LitemallAdmin admin) {
        Object error = validate(admin);
        if (error != null) {
            return error;
@@ -114,8 +116,9 @@ public class AdminAdminController {
        return ResponseUtil.ok(admin);
    }
+    @RequiresPermissions("admin:admin:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallAdmin admin) {
+    public Object delete(@RequestBody LitemallAdmin admin) {
        Integer anotherAdminId = admin.getId();
        if (anotherAdminId == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAuthController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAuthController.java
@@ -3,9 +3,12 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authc.*;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.LockedAccountException;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.annotation.RequiresAuthentication;
 import org.apache.shiro.subject.Subject;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
 import org.linlinjava.litemall.core.util.JacksonUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.db.domain.LitemallAdmin;
@@ -60,20 +63,20 @@ public class AdminAuthController {
    /*
     *
     */
+    @RequiresAuthentication
    @PostMapping("/logout")
-    public Object login(@LoginAdmin Integer adminId) {
+    public Object login() {
        Subject currentUser = SecurityUtils.getSubject();
        currentUser.logout();
        return ResponseUtil.ok();
    }
+    @RequiresAuthentication
    @GetMapping("/info")
-    public Object info(@LoginAdmin Integer adminId) {
+    public Object info() {
-        LitemallAdmin admin = adminService.findById(adminId);
+        Subject currentUser = SecurityUtils.getSubject();
-        if (admin == null) {
+        LitemallAdmin admin = (LitemallAdmin) currentUser.getPrincipal();
-            return ResponseUtil.badArgumentValue();
-        }
        Map<String, Object> data = new HashMap<>();
        data.put("name", admin.getUsername());
@@ -83,6 +86,7 @@ public class AdminAuthController {
        List<String> roles = new ArrayList<>();
        roles.add("admin");
        data.put("roles", roles);
+        data.put("perms", "*");
        data.put("introduction", "admin introduction");
        return ResponseUtil.ok(data);
    }

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminBrandController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminBrandController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminBrandController {
    @Autowired
    private LitemallBrandService brandService;
+    @RequiresPermissions("admin:brand:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String id, String name,
-                       String id, String name,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -62,8 +62,9 @@ public class AdminBrandController {
        return null;
    }
+    @RequiresPermissions("admin:brand:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallBrand brand) {
+    public Object create(@RequestBody LitemallBrand brand) {
        Object error = validate(brand);
        if (error != null) {
            return error;
@@ -72,14 +73,16 @@ public class AdminBrandController {
        return ResponseUtil.ok(brand);
    }
+    @RequiresPermissions("admin:brand:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallBrand brand = brandService.findById(id);
        return ResponseUtil.ok(brand);
    }
+    @RequiresPermissions("admin:brand:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallBrand brand) {
+    public Object update(@RequestBody LitemallBrand brand) {
        Object error = validate(brand);
        if (error != null) {
            return error;
@@ -90,8 +93,9 @@ public class AdminBrandController {
        return ResponseUtil.ok(brand);
    }
+    @RequiresPermissions("admin:brand:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallBrand brand) {
+    public Object delete(@RequestBody LitemallBrand brand) {
        Integer id = brand.getId();
        if (id == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCategoryController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCategoryController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminCategoryController {
    @Autowired
    private LitemallCategoryService categoryService;
+    @RequiresPermissions("admin:category:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String id, String name,
-                       String id, String name,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -66,8 +66,9 @@ public class AdminCategoryController {
        return null;
    }
+    @RequiresPermissions("admin:category:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallCategory category) {
+    public Object create(@RequestBody LitemallCategory category) {
        Object error = validate(category);
        if (error != null) {
            return error;
@@ -76,14 +77,16 @@ public class AdminCategoryController {
        return ResponseUtil.ok(category);
    }
+    @RequiresPermissions("admin:category:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallCategory category = categoryService.findById(id);
        return ResponseUtil.ok(category);
    }
+    @RequiresPermissions("admin:category:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallCategory category) {
+    public Object update(@RequestBody LitemallCategory category) {
        Object error = validate(category);
        if (error != null) {
            return error;
@@ -95,8 +98,9 @@ public class AdminCategoryController {
        return ResponseUtil.ok();
    }
+    @RequiresPermissions("admin:category:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallCategory category) {
+    public Object delete(@RequestBody LitemallCategory category) {
        Integer id = category.getId();
        if (id == null) {
            return ResponseUtil.badArgument();
@@ -105,8 +109,9 @@ public class AdminCategoryController {
        return ResponseUtil.ok();
    }
+    @RequiresPermissions("admin:category:list")
    @GetMapping("/l1")
-    public Object catL1(@LoginAdmin Integer adminId) {
+    public Object catL1() {
        // 所有一级分类目录
        List<LitemallCategory> l1CatList = categoryService.queryL1();
        List<Map<String, Object>> data = new ArrayList<>(l1CatList.size());

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCollectController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCollectController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,10 @@ public class AdminCollectController {
    @Autowired
    private LitemallCollectService collectService;
+    @RequiresPermissions("admin:collect:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String userId, String valueId,
-                       String userId, String valueId,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCommentController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCommentController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -25,9 +25,9 @@ public class AdminCommentController {
    @Autowired
    private LitemallCommentService commentService;
+    @RequiresPermissions("admin:comment:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String userId, String valueId,
-                       String userId, String valueId,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -41,8 +41,9 @@ public class AdminCommentController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:comment:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallComment comment) {
+    public Object delete(@RequestBody LitemallComment comment) {
        Integer id = comment.getId();
        if (id == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCouponController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCouponController.java
@@ -2,16 +2,14 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
 import org.linlinjava.litemall.db.domain.LitemallCoupon;
 import org.linlinjava.litemall.db.domain.LitemallCouponUser;
-import org.linlinjava.litemall.db.domain.LitemallTopic;
 import org.linlinjava.litemall.db.service.LitemallCouponService;
 import org.linlinjava.litemall.db.service.LitemallCouponUserService;
-import org.linlinjava.litemall.db.service.LitemallTopicService;
 import org.linlinjava.litemall.db.util.CouponConstant;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.StringUtils;
@@ -34,9 +32,9 @@ public class AdminCouponController {
    @Autowired
    private LitemallCouponUserService couponUserService;
+    @RequiresPermissions("admin:coupon:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String name, Short type, Short status,
-                       String name, Short type, Short status,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -50,9 +48,9 @@ public class AdminCouponController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:coupon:list")
    @GetMapping("/listuser")
-    public Object listuser(@LoginAdmin Integer adminId,
+    public Object listuser(Integer userId, Integer couponId, Short status,
-                       Integer userId, Integer couponId, Short status,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -74,8 +72,9 @@ public class AdminCouponController {
        return null;
    }
+    @RequiresPermissions("admin:coupon:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallCoupon coupon) {
+    public Object create(@RequestBody LitemallCoupon coupon) {
        Object error = validate(coupon);
        if (error != null) {
            return error;
@@ -91,14 +90,16 @@ public class AdminCouponController {
        return ResponseUtil.ok(coupon);
    }
+    @RequiresPermissions("admin:coupon:read")
    @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
        LitemallCoupon coupon = couponService.findById(id);
        return ResponseUtil.ok(coupon);
    }
+    @RequiresPermissions("admin:coupon:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallCoupon coupon) {
+    public Object update(@RequestBody LitemallCoupon coupon) {
        Object error = validate(coupon);
        if (error != null) {
            return error;
@@ -109,8 +110,9 @@ public class AdminCouponController {
        return ResponseUtil.ok(coupon);
    }
+    @RequiresPermissions("admin:coupon:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallCoupon coupon) {
+    public Object delete(@RequestBody LitemallCoupon coupon) {
        couponService.deleteById(coupon.getId());
        return ResponseUtil.ok();
    }

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminDashbordController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminDashbordController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.db.service.LitemallGoodsProductService;
 import org.linlinjava.litemall.db.service.LitemallGoodsService;
@@ -32,8 +32,9 @@ public class AdminDashbordController {
    @Autowired
    private LitemallOrderService orderService;
+    @RequiresPermissions("admin:dashboard:info")
    @GetMapping("")
-    public Object info(@LoginAdmin Integer adminId) {
+    public Object info() {
        int userTotal = userService.count();
        int goodsTotal = goodsService.count();
        int productTotal = productService.count();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFeedbackController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFeedbackController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -32,9 +32,9 @@ public class AdminFeedbackController {
    @Autowired
    private LitemallFeedbackService feedbackService;
+    @RequiresPermissions("admin:feedback:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(Integer userId, String username,
-                       Integer userId, String username,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFootprintController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFootprintController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminFootprintController {
    @Autowired
    private LitemallFootprintService footprintService;
+    @RequiresPermissions("admin:footprint:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String userId, String goodsId,
-                       String userId, String goodsId,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGoodsController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGoodsController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.admin.dao.GoodsAllinone;
 import org.linlinjava.litemall.admin.util.CatVo;
 import org.linlinjava.litemall.core.qcode.QCodeService;
@@ -59,9 +59,9 @@ public class AdminGoodsController {
    @Autowired
    private QCodeService qCodeService;
+    @RequiresPermissions("admin:goods:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String goodsSn, String name,
-                       String goodsSn, String name,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -161,8 +161,9 @@ public class AdminGoodsController {
     * 因此这里会拒绝管理员编辑商品，如果订单或购物车中存在商品。
     * 所以这里可能需要重新设计。
     */
+    @RequiresPermissions("admin:goods:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody GoodsAllinone goodsAllinone) {
+    public Object update(@RequestBody GoodsAllinone goodsAllinone) {
        Object error = validate(goodsAllinone);
        if (error != null) {
            return error;
@@ -232,8 +233,9 @@ public class AdminGoodsController {
        return ResponseUtil.ok();
    }
+    @RequiresPermissions("admin:goods:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallGoods goods) {
+    public Object delete(@RequestBody LitemallGoods goods) {
        Integer id = goods.getId();
        if (id == null) {
            return ResponseUtil.badArgument();
@@ -259,8 +261,9 @@ public class AdminGoodsController {
        return ResponseUtil.ok();
    }
+    @RequiresPermissions("admin:goods:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody GoodsAllinone goodsAllinone) {
+    public Object create(@RequestBody GoodsAllinone goodsAllinone) {
        Object error = validate(goodsAllinone);
        if (error != null) {
            return error;
@@ -321,9 +324,9 @@ public class AdminGoodsController {
        return ResponseUtil.ok();
    }
+    @RequiresPermissions("admin:goods:list")
    @GetMapping("/catAndBrand")
-    public Object list2(@LoginAdmin Integer adminId) {
+    public Object list2() {
        // http://element-cn.eleme.io/#/zh-CN/component/cascader
        // 管理员设置“所属分类”
        List<LitemallCategory> l1CatList = categoryService.queryL1();
@@ -364,8 +367,9 @@ public class AdminGoodsController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:goods:read")
    @GetMapping("/detail")
-    public Object detail(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object detail(@NotNull Integer id) {
        LitemallGoods goods = goodsService.findById(id);
        List<LitemallGoodsProduct> products = productService.queryByGid(id);
        List<LitemallGoodsSpecification> specifications = specificationService.queryByGid(id);

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGrouponController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGrouponController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -36,9 +36,9 @@ public class AdminGrouponController {
    @Autowired
    private LitemallGrouponService grouponService;
+    @RequiresPermissions("admin:groupon:read")
    @GetMapping("/listRecord")
-    public Object listRecord(@LoginAdmin Integer adminId,
+    public Object listRecord(String grouponId,
-                             String grouponId,
                             @RequestParam(defaultValue = "1") Integer page,
                             @RequestParam(defaultValue = "10") Integer limit,
                             @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -72,9 +72,9 @@ public class AdminGrouponController {
        return ResponseUtil.ok(data);
    }
+    @RequiresPermissions("admin:groupon:delete")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String goodsId,
-                       String goodsId,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -109,8 +109,9 @@ public class AdminGrouponController {
        return null;
    }
+    @RequiresPermissions("admin:groupon:update")
    @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallGrouponRules grouponRules) {
+    public Object update(@RequestBody LitemallGrouponRules grouponRules) {
        Object error = validate(grouponRules);
        if (error != null) {
            return error;
@@ -132,9 +133,9 @@ public class AdminGrouponController {
        return ResponseUtil.ok();
    }
+    @RequiresPermissions("admin:groupon:create")
    @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallGrouponRules grouponRules) {
+    public Object create(@RequestBody LitemallGrouponRules grouponRules) {
        Object error = validate(grouponRules);
        if (error != null) {
            return error;
@@ -154,9 +155,9 @@ public class AdminGrouponController {
        return ResponseUtil.ok(grouponRules);
    }
+    @RequiresPermissions("admin:groupon:delete")
    @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallGrouponRules grouponRules) {
+    public Object delete(@RequestBody LitemallGrouponRules grouponRules) {
        Integer id = grouponRules.getId();
        if (id == null) {
            return ResponseUtil.badArgument();

--- a/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminHistoryController.java
+++ b/litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminHistoryController.java
@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -26,9 +26,9 @@ public class AdminHistoryController {
    @Autowired
    private LitemallSearchHistoryService searchHistoryService;
+    @RequiresPermissions("admin:history:list")
    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
+    public Object list(String userId, String keyword,
-                       String userId, String keyword,
                       @RequestParam(defaultValue = "1") Integer page,
                       @RequestParam(defaultValue = "10") Integer limit,
                       @Sort @RequestParam(defaultValue = "add_time") String sort,