
feat[litemall-admin-api]:后端API访问需要校验权限

Junling Bu 7 years ago
835fd6f80b
29 changed files with 219 additions and 247 deletions
  1. 12 37
      doc/admin.md
  2. 0 13
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/LoginAdmin.java
  3. 0 33
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/support/LoginAdminHandlerMethodArgumentResolver.java
  4. 0 16
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/AdminWebMvcConfigurer.java
  5. 3 2
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/ShiroConfig.java
  6. 12 8
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdController.java
  7. 3 3
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAddressController.java
  8. 11 8
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdminController.java
  9. 12 8
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAuthController.java
  10. 11 7
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminBrandController.java
  11. 13 8
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCategoryController.java
  12. 4 3
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCollectController.java
  13. 5 4
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCommentController.java
  14. 13 11
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCouponController.java
  15. 3 2
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminDashbordController.java
  16. 3 3
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFeedbackController.java
  17. 3 3
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFootprintController.java
  18. 13 9
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGoodsController.java
  19. 11 10
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGrouponController.java
  20. 3 3
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminHistoryController.java
  21. 11 7
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminIssueController.java
  22. 11 7
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminKeywordController.java
  23. 15 10
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminOrderController.java
  24. 7 4
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminProfileController.java
  25. 2 4
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminRegionController.java
  26. 7 4
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStatController.java
  27. 11 7
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java
  28. 11 7
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminTopicController.java
  29. 9 6
      litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminUserController.java

+ 12 - 37
doc/admin.md

@@ -80,39 +80,9 @@
 
 ### 4.1.8 安全
 
-#### 4.1.8.1 Token
-
-管理员登录成功以后,后端会返回token,之后管理员的请求都会携带token。
-
-见AdminWebMvcConfiguration类、LoginAdmin和LoginAdminHandlerMethodArgumentResolver类。
-
-管理后台后端服务每次请求都会检测是否存在HTTP头部域`X-Litemall-Admin-Token`。
-如果存在,则内部查询转换成LoginAdmin,然后作为请求参数。
-如果不存在,则作为null请求参数。
-
-而具体的后端服务controller中,则可以利用LoginAdmin来检查。
-
-例如管理员地址服务中:
-```
-@RestController
-@RequestMapping("/admin/address")
-@Validated
-public class AdminAddressController {
-    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       Integer userId, String name,
-                       @RequestParam(defaultValue = "1") Integer page,
-                       @RequestParam(defaultValue = "10") Integer limit,
-                       @Sort @RequestParam(defaultValue = "add_time") String sort,
-                       @Order @RequestParam(defaultValue = "desc") String order) {
-        if (adminId == null) {
-            return ResponseUtil.unlogin();
-        }
-        
-        ...
-    }
-```
-如果检测`adminId`是null,则返回错误信息“管理员未登录”。
+这里的安全基于Shiro。
+
+#### 4.1.8.1 认证
 
 #### 4.1.8.2 账号密码加盐
 
@@ -120,12 +90,17 @@ public class AdminAddressController {
 
 而如果用户采用了账号和密码的形式登录,那么后端需要把用户密码加盐。
 
+#### 4.1.8.3 权限管理
+
 ### 4.1.9 定时任务
 
-AdminOrderController类存在以下三个方法,其实是三个定时任务:
-* checkOrderUnpaid
-* checkOrderUnconfirm
-* checkOrderComment
+job子包存在以下定时任务:
+* OrderJob类
+  * checkOrderUnpaid
+  * checkOrderUnconfirm
+  * checkOrderComment
+* CouponJob类
+  * checkCouponExpired
 
 注意:
 > 虽然定时任务放在AdminOrderController类中,但是可能这里不是很合适,

+ 0 - 13
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/LoginAdmin.java

@@ -1,13 +0,0 @@
-package org.linlinjava.litemall.admin.annotation;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-
-@Target(ElementType.PARAMETER)
-@Retention(RetentionPolicy.RUNTIME)
-public @interface LoginAdmin {
-
-}

+ 0 - 33
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/annotation/support/LoginAdminHandlerMethodArgumentResolver.java

@@ -1,33 +0,0 @@
-package org.linlinjava.litemall.admin.annotation.support;
-
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.subject.Subject;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
-import org.linlinjava.litemall.db.domain.LitemallAdmin;
-import org.springframework.core.MethodParameter;
-import org.springframework.web.bind.support.WebDataBinderFactory;
-import org.springframework.web.context.request.NativeWebRequest;
-import org.springframework.web.method.support.HandlerMethodArgumentResolver;
-import org.springframework.web.method.support.ModelAndViewContainer;
-
-
-public class LoginAdminHandlerMethodArgumentResolver implements HandlerMethodArgumentResolver {
-
-    @Override
-    public boolean supportsParameter(MethodParameter parameter) {
-        return parameter.getParameterType().isAssignableFrom(Integer.class) && parameter.hasParameterAnnotation(LoginAdmin.class);
-    }
-
-    @Override
-    public Object resolveArgument(MethodParameter parameter, ModelAndViewContainer container,
-                                  NativeWebRequest request, WebDataBinderFactory factory) throws Exception {
-        Subject currentUser = SecurityUtils.getSubject();
-        LitemallAdmin admin = (LitemallAdmin) currentUser.getPrincipal();
-        if (admin == null) {
-            throw new AuthenticationException();
-        }
-
-        return admin.getId();
-    }
-}

+ 0 - 16
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/AdminWebMvcConfigurer.java

@@ -1,16 +0,0 @@
-package org.linlinjava.litemall.admin.config;
-
-import org.linlinjava.litemall.admin.annotation.support.LoginAdminHandlerMethodArgumentResolver;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.web.method.support.HandlerMethodArgumentResolver;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-
-import java.util.List;
-
-@Configuration
-public class AdminWebMvcConfigurer implements WebMvcConfigurer {
-    @Override
-    public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
-        argumentResolvers.add(new LoginAdminHandlerMethodArgumentResolver());
-    }
-}

+ 3 - 2
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/config/ShiroConfig.java

@@ -11,6 +11,7 @@ import org.linlinjava.litemall.admin.shiro.AdminWebSessionManager;
 import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
 
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -72,9 +73,9 @@ public class ShiroConfig {
     }
 
     @Bean
-    public static DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
+    @DependsOn("lifecycleBeanPostProcessor")
+    public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
         DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
-        creator.setUsePrefix(true);
         return creator;
     }
 }
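Review bot: The `defaultAdvisorAutoProxyCreator` bean is what makes every `@RequiresPermissions` annotation added across the controllers in this commit actually execute, and nothing in the hunk records that; a later cleanup that drops this bean or re-adds `setUsePrefix(true)` would silently turn all the new checks into no-ops. Dropping `setUsePrefix(true)` looks correct: with the prefix filter on, only advisors whose bean name starts with this bean's name are applied, which would exclude Shiro's authorization advisor (not visible here, presumably `authorizationAttributeSourceAdvisor`). I would add above the `@Bean`: `// Activates Shiro's annotation-based authorization (@RequiresPermissions, @RequiresAuthentication) on the controllers; removing this bean or enabling usePrefix disables those checks without any error.` Since the annotations now fail by throwing `AuthorizationException`, it is also worth confirming that an exception handler maps it to a JSON error instead of a 500 — that handler is not in this diff. ShiroConfig's body continues outside the hunk.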

+ 12 - 8
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -27,9 +27,9 @@ public class AdminAdController {
     @Autowired
     private LitemallAdService adService;
 
-    @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String name, String content,
+    @RequiresPermissions("admin:ad:list")
+    @RequestMapping("/list")
+    public Object list(String name, String content,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -55,8 +55,9 @@ public class AdminAdController {
         return null;
     }
 
+    @RequiresPermissions("admin:ad:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallAd ad) {
+    public Object create(@RequestBody LitemallAd ad) {
         Object error = validate(ad);
         if (error != null) {
             return error;
@@ -65,14 +66,16 @@ public class AdminAdController {
         return ResponseUtil.ok(ad);
     }
 
+    @RequiresPermissions("admin:ad:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallAd brand = adService.findById(id);
         return ResponseUtil.ok(brand);
     }
 
+    @RequiresPermissions("admin:ad:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallAd ad) {
+    public Object update(@RequestBody LitemallAd ad) {
         Object error = validate(ad);
         if (error != null) {
             return error;
@@ -84,8 +87,9 @@ public class AdminAdController {
         return ResponseUtil.ok(ad);
     }
 
+    @RequiresPermissions("admin:ad:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallAd ad) {
+    public Object delete(@RequestBody LitemallAd ad) {
         Integer id = ad.getId();
         if (id == null) {
             return ResponseUtil.badArgument();

+ 3 - 3
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAddressController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -52,9 +52,9 @@ public class AdminAddressController {
         return addressVo;
     }
 
+    @RequiresPermissions("admin:address:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       Integer userId, String name,
+    public Object list(Integer userId, String name,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,

+ 11 - 8
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAdminController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.RegexUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
@@ -16,7 +16,6 @@ import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.constraints.NotNull;
-import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -32,9 +31,9 @@ public class AdminAdminController {
     @Autowired
     private LitemallAdminService adminService;
 
+    @RequiresPermissions("admin:admin:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String username,
+    public Object list(String username,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -63,8 +62,9 @@ public class AdminAdminController {
         return null;
     }
 
+    @RequiresPermissions("admin:admin:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallAdmin admin) {
+    public Object create(@RequestBody LitemallAdmin admin) {
         Object error = validate(admin);
         if (error != null) {
             return error;
@@ -84,14 +84,16 @@ public class AdminAdminController {
         return ResponseUtil.ok(admin);
     }
 
+    @RequiresPermissions("admin:admin:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallAdmin admin = adminService.findById(id);
         return ResponseUtil.ok(admin);
     }
 
+    @RequiresPermissions("admin:admin:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallAdmin admin) {
+    public Object update(@RequestBody LitemallAdmin admin) {
         Object error = validate(admin);
         if (error != null) {
             return error;
@@ -114,8 +116,9 @@ public class AdminAdminController {
         return ResponseUtil.ok(admin);
     }
 
+    @RequiresPermissions("admin:admin:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallAdmin admin) {
+    public Object delete(@RequestBody LitemallAdmin admin) {
         Integer anotherAdminId = admin.getId();
         if (anotherAdminId == null) {
             return ResponseUtil.badArgument();

+ 12 - 8
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminAuthController.java

@@ -3,9 +3,12 @@ package org.linlinjava.litemall.admin.web;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authc.*;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.LockedAccountException;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.authz.annotation.RequiresAuthentication;
 import org.apache.shiro.subject.Subject;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
 import org.linlinjava.litemall.core.util.JacksonUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.db.domain.LitemallAdmin;
@@ -60,20 +63,20 @@ public class AdminAuthController {
     /*
      *
      */
+    @RequiresAuthentication
     @PostMapping("/logout")
-    public Object login(@LoginAdmin Integer adminId) {
+    public Object login() {
         Subject currentUser = SecurityUtils.getSubject();
         currentUser.logout();
         return ResponseUtil.ok();
     }
 
 
+    @RequiresAuthentication
     @GetMapping("/info")
-    public Object info(@LoginAdmin Integer adminId) {
-        LitemallAdmin admin = adminService.findById(adminId);
-        if (admin == null) {
-            return ResponseUtil.badArgumentValue();
-        }
+    public Object info() {
+        Subject currentUser = SecurityUtils.getSubject();
+        LitemallAdmin admin = (LitemallAdmin) currentUser.getPrincipal();
 
         Map<String, Object> data = new HashMap<>();
         data.put("name", admin.getUsername());
@@ -83,6 +86,7 @@ public class AdminAuthController {
         List<String> roles = new ArrayList<>();
         roles.add("admin");
         data.put("roles", roles);
+        data.put("perms", "*");
         data.put("introduction", "admin introduction");
         return ResponseUtil.ok(data);
     }

+ 11 - 7
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminBrandController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminBrandController {
     @Autowired
     private LitemallBrandService brandService;
 
+    @RequiresPermissions("admin:brand:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String id, String name,
+    public Object list(String id, String name,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -62,8 +62,9 @@ public class AdminBrandController {
         return null;
     }
 
+    @RequiresPermissions("admin:brand:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallBrand brand) {
+    public Object create(@RequestBody LitemallBrand brand) {
         Object error = validate(brand);
         if (error != null) {
             return error;
@@ -72,14 +73,16 @@ public class AdminBrandController {
         return ResponseUtil.ok(brand);
     }
 
+    @RequiresPermissions("admin:brand:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallBrand brand = brandService.findById(id);
         return ResponseUtil.ok(brand);
     }
 
+    @RequiresPermissions("admin:brand:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallBrand brand) {
+    public Object update(@RequestBody LitemallBrand brand) {
         Object error = validate(brand);
         if (error != null) {
             return error;
@@ -90,8 +93,9 @@ public class AdminBrandController {
         return ResponseUtil.ok(brand);
     }
 
+    @RequiresPermissions("admin:brand:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallBrand brand) {
+    public Object delete(@RequestBody LitemallBrand brand) {
         Integer id = brand.getId();
         if (id == null) {
             return ResponseUtil.badArgument();

+ 13 - 8
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCategoryController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminCategoryController {
     @Autowired
     private LitemallCategoryService categoryService;
 
+    @RequiresPermissions("admin:category:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String id, String name,
+    public Object list(String id, String name,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -66,8 +66,9 @@ public class AdminCategoryController {
         return null;
     }
 
+    @RequiresPermissions("admin:category:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallCategory category) {
+    public Object create(@RequestBody LitemallCategory category) {
         Object error = validate(category);
         if (error != null) {
             return error;
@@ -76,14 +77,16 @@ public class AdminCategoryController {
         return ResponseUtil.ok(category);
     }
 
+    @RequiresPermissions("admin:category:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallCategory category = categoryService.findById(id);
         return ResponseUtil.ok(category);
     }
 
+    @RequiresPermissions("admin:category:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallCategory category) {
+    public Object update(@RequestBody LitemallCategory category) {
         Object error = validate(category);
         if (error != null) {
             return error;
@@ -95,8 +98,9 @@ public class AdminCategoryController {
         return ResponseUtil.ok();
     }
 
+    @RequiresPermissions("admin:category:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallCategory category) {
+    public Object delete(@RequestBody LitemallCategory category) {
         Integer id = category.getId();
         if (id == null) {
             return ResponseUtil.badArgument();
@@ -105,8 +109,9 @@ public class AdminCategoryController {
         return ResponseUtil.ok();
     }
 
+    @RequiresPermissions("admin:category:list")
     @GetMapping("/l1")
-    public Object catL1(@LoginAdmin Integer adminId) {
+    public Object catL1() {
         // 所有一级分类目录
         List<LitemallCategory> l1CatList = categoryService.queryL1();
         List<Map<String, Object>> data = new ArrayList<>(l1CatList.size());

+ 4 - 3
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCollectController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,10 @@ public class AdminCollectController {
     @Autowired
     private LitemallCollectService collectService;
 
+
+    @RequiresPermissions("admin:collect:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String userId, String valueId,
+    public Object list(String userId, String valueId,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,

+ 5 - 4
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCommentController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -25,9 +25,9 @@ public class AdminCommentController {
     @Autowired
     private LitemallCommentService commentService;
 
+    @RequiresPermissions("admin:comment:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String userId, String valueId,
+    public Object list(String userId, String valueId,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -41,8 +41,9 @@ public class AdminCommentController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:comment:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallComment comment) {
+    public Object delete(@RequestBody LitemallComment comment) {
         Integer id = comment.getId();
         if (id == null) {
             return ResponseUtil.badArgument();

+ 13 - 11
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminCouponController.java

@@ -2,16 +2,14 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
 import org.linlinjava.litemall.db.domain.LitemallCoupon;
 import org.linlinjava.litemall.db.domain.LitemallCouponUser;
-import org.linlinjava.litemall.db.domain.LitemallTopic;
 import org.linlinjava.litemall.db.service.LitemallCouponService;
 import org.linlinjava.litemall.db.service.LitemallCouponUserService;
-import org.linlinjava.litemall.db.service.LitemallTopicService;
 import org.linlinjava.litemall.db.util.CouponConstant;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.StringUtils;
@@ -34,9 +32,9 @@ public class AdminCouponController {
     @Autowired
     private LitemallCouponUserService couponUserService;
 
+    @RequiresPermissions("admin:coupon:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String name, Short type, Short status,
+    public Object list(String name, Short type, Short status,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -50,9 +48,9 @@ public class AdminCouponController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:coupon:list")
     @GetMapping("/listuser")
-    public Object listuser(@LoginAdmin Integer adminId,
-                       Integer userId, Integer couponId, Short status,
+    public Object listuser(Integer userId, Integer couponId, Short status,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -74,8 +72,9 @@ public class AdminCouponController {
         return null;
     }
 
+    @RequiresPermissions("admin:coupon:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallCoupon coupon) {
+    public Object create(@RequestBody LitemallCoupon coupon) {
         Object error = validate(coupon);
         if (error != null) {
             return error;
@@ -91,14 +90,16 @@ public class AdminCouponController {
         return ResponseUtil.ok(coupon);
     }
 
+    @RequiresPermissions("admin:coupon:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallCoupon coupon = couponService.findById(id);
         return ResponseUtil.ok(coupon);
     }
 
+    @RequiresPermissions("admin:coupon:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallCoupon coupon) {
+    public Object update(@RequestBody LitemallCoupon coupon) {
         Object error = validate(coupon);
         if (error != null) {
             return error;
@@ -109,8 +110,9 @@ public class AdminCouponController {
         return ResponseUtil.ok(coupon);
     }
 
+    @RequiresPermissions("admin:coupon:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallCoupon coupon) {
+    public Object delete(@RequestBody LitemallCoupon coupon) {
         couponService.deleteById(coupon.getId());
         return ResponseUtil.ok();
     }

+ 3 - 2
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminDashbordController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.db.service.LitemallGoodsProductService;
 import org.linlinjava.litemall.db.service.LitemallGoodsService;
@@ -32,8 +32,9 @@ public class AdminDashbordController {
     @Autowired
     private LitemallOrderService orderService;
 
+    @RequiresPermissions("admin:dashboard:info")
     @GetMapping("")
-    public Object info(@LoginAdmin Integer adminId) {
+    public Object info() {
         int userTotal = userService.count();
         int goodsTotal = goodsService.count();
         int productTotal = productService.count();

+ 3 - 3
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFeedbackController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -32,9 +32,9 @@ public class AdminFeedbackController {
     @Autowired
     private LitemallFeedbackService feedbackService;
 
+    @RequiresPermissions("admin:feedback:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       Integer userId, String username,
+    public Object list(Integer userId, String username,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,

+ 3 - 3
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminFootprintController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminFootprintController {
     @Autowired
     private LitemallFootprintService footprintService;
 
+    @RequiresPermissions("admin:footprint:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String userId, String goodsId,
+    public Object list(String userId, String goodsId,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,

+ 13 - 9
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGoodsController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.admin.dao.GoodsAllinone;
 import org.linlinjava.litemall.admin.util.CatVo;
 import org.linlinjava.litemall.core.qcode.QCodeService;
@@ -59,9 +59,9 @@ public class AdminGoodsController {
     @Autowired
     private QCodeService qCodeService;
 
+    @RequiresPermissions("admin:goods:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String goodsSn, String name,
+    public Object list(String goodsSn, String name,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -161,8 +161,9 @@ public class AdminGoodsController {
      * 因此这里会拒绝管理员编辑商品,如果订单或购物车中存在商品。
      * 所以这里可能需要重新设计。
      */
+    @RequiresPermissions("admin:goods:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody GoodsAllinone goodsAllinone) {
+    public Object update(@RequestBody GoodsAllinone goodsAllinone) {
         Object error = validate(goodsAllinone);
         if (error != null) {
             return error;
@@ -232,8 +233,9 @@ public class AdminGoodsController {
         return ResponseUtil.ok();
     }
 
+    @RequiresPermissions("admin:goods:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallGoods goods) {
+    public Object delete(@RequestBody LitemallGoods goods) {
         Integer id = goods.getId();
         if (id == null) {
             return ResponseUtil.badArgument();
@@ -259,8 +261,9 @@ public class AdminGoodsController {
         return ResponseUtil.ok();
     }
 
+    @RequiresPermissions("admin:goods:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody GoodsAllinone goodsAllinone) {
+    public Object create(@RequestBody GoodsAllinone goodsAllinone) {
         Object error = validate(goodsAllinone);
         if (error != null) {
             return error;
@@ -321,9 +324,9 @@ public class AdminGoodsController {
         return ResponseUtil.ok();
     }
 
-
+    @RequiresPermissions("admin:goods:list")
     @GetMapping("/catAndBrand")
-    public Object list2(@LoginAdmin Integer adminId) {
+    public Object list2() {
         // http://element-cn.eleme.io/#/zh-CN/component/cascader
         // 管理员设置“所属分类”
         List<LitemallCategory> l1CatList = categoryService.queryL1();
@@ -364,8 +367,9 @@ public class AdminGoodsController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:goods:read")
     @GetMapping("/detail")
-    public Object detail(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object detail(@NotNull Integer id) {
         LitemallGoods goods = goodsService.findById(id);
         List<LitemallGoodsProduct> products = productService.queryByGid(id);
         List<LitemallGoodsSpecification> specifications = specificationService.queryByGid(id);

+ 11 - 10
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminGrouponController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -36,9 +36,9 @@ public class AdminGrouponController {
     @Autowired
     private LitemallGrouponService grouponService;
 
+    @RequiresPermissions("admin:groupon:read")
     @GetMapping("/listRecord")
-    public Object listRecord(@LoginAdmin Integer adminId,
-                             String grouponId,
+    public Object listRecord(String grouponId,
                              @RequestParam(defaultValue = "1") Integer page,
                              @RequestParam(defaultValue = "10") Integer limit,
                              @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -72,9 +72,9 @@ public class AdminGrouponController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:groupon:delete")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String goodsId,
+    public Object list(String goodsId,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -109,8 +109,9 @@ public class AdminGrouponController {
         return null;
     }
 
+    @RequiresPermissions("admin:groupon:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallGrouponRules grouponRules) {
+    public Object update(@RequestBody LitemallGrouponRules grouponRules) {
         Object error = validate(grouponRules);
         if (error != null) {
             return error;
@@ -132,9 +133,9 @@ public class AdminGrouponController {
         return ResponseUtil.ok();
     }
 
-
+    @RequiresPermissions("admin:groupon:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallGrouponRules grouponRules) {
+    public Object create(@RequestBody LitemallGrouponRules grouponRules) {
         Object error = validate(grouponRules);
         if (error != null) {
             return error;
@@ -154,9 +155,9 @@ public class AdminGrouponController {
         return ResponseUtil.ok(grouponRules);
     }
 
-
+    @RequiresPermissions("admin:groupon:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallGrouponRules grouponRules) {
+    public Object delete(@RequestBody LitemallGrouponRules grouponRules) {
         Integer id = grouponRules.getId();
         if (id == null) {
             return ResponseUtil.badArgument();
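Review bot: `GET /list` in the `@@ -72,9 +72,9 @@` hunk is annotated `@RequiresPermissions("admin:groupon:delete")`, so listing groupon rules is gated by the delete permission and shares its string with `POST /delete` further down. A read-only role that holds `admin:groupon:read` (which `listRecord` already uses) or a `list` permission would be denied the listing, while any role that can list can also delete. The annotation should be `@RequiresPermissions("admin:groupon:list")`, matching the `admin:<resource>:list` form the other controllers in this commit use for their `/list` endpoints, or `admin:groupon:read` if the realm groups it with `listRecord`. Which of the two is right depends on the permission set the realm grants, which is not in this view.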

+ 3 - 3
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminHistoryController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -26,9 +26,9 @@ public class AdminHistoryController {
     @Autowired
     private LitemallSearchHistoryService searchHistoryService;
 
+    @RequiresPermissions("admin:history:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String userId, String keyword,
+    public Object list(String userId, String keyword,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,

+ 11 - 7
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminIssueController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -27,9 +27,9 @@ public class AdminIssueController {
     @Autowired
     private LitemallIssueService issueService;
 
+    @RequiresPermissions("admin:issue:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String question,
+    public Object list(String question,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -55,8 +55,9 @@ public class AdminIssueController {
         return null;
     }
 
+    @RequiresPermissions("admin:issue:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallIssue issue) {
+    public Object create(@RequestBody LitemallIssue issue) {
         Object error = validate(issue);
         if (error != null) {
             return error;
@@ -65,14 +66,16 @@ public class AdminIssueController {
         return ResponseUtil.ok(issue);
     }
 
+    @RequiresPermissions("admin:issue:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallIssue issue = issueService.findById(id);
         return ResponseUtil.ok(issue);
     }
 
+    @RequiresPermissions("admin:issue:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallIssue issue) {
+    public Object update(@RequestBody LitemallIssue issue) {
         Object error = validate(issue);
         if (error != null) {
             return error;
@@ -84,8 +87,9 @@ public class AdminIssueController {
         return ResponseUtil.ok(issue);
     }
 
+    @RequiresPermissions("admin:issue:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallIssue issue) {
+    public Object delete(@RequestBody LitemallIssue issue) {
         Integer id = issue.getId();
         if (id == null) {
             return ResponseUtil.badArgument();

+ 11 - 7
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminKeywordController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -27,9 +27,9 @@ public class AdminKeywordController {
     @Autowired
     private LitemallKeywordService keywordService;
 
+    @RequiresPermissions("admin:keyword:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String keyword, String url,
+    public Object list(String keyword, String url,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -55,8 +55,9 @@ public class AdminKeywordController {
         return null;
     }
 
+    @RequiresPermissions("admin:keyword:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallKeyword keywords) {
+    public Object create(@RequestBody LitemallKeyword keywords) {
         Object error = validate(keywords);
         if (error != null) {
             return error;
@@ -65,14 +66,16 @@ public class AdminKeywordController {
         return ResponseUtil.ok(keywords);
     }
 
+    @RequiresPermissions("admin:keyword:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallKeyword brand = keywordService.findById(id);
         return ResponseUtil.ok(brand);
     }
 
+    @RequiresPermissions("admin:keyword:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallKeyword keywords) {
+    public Object update(@RequestBody LitemallKeyword keywords) {
         Object error = validate(keywords);
         if (error != null) {
             return error;
@@ -83,8 +86,9 @@ public class AdminKeywordController {
         return ResponseUtil.ok(keywords);
     }
 
+    @RequiresPermissions("admin:keyword:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallKeyword keyword) {
+    public Object delete(@RequestBody LitemallKeyword keyword) {
         Integer id = keyword.getId();
         if (id == null) {
             return ResponseUtil.badArgument();

+ 15 - 10
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminOrderController.java

@@ -6,19 +6,20 @@ import com.github.binarywang.wxpay.exception.WxPayException;
 import com.github.binarywang.wxpay.service.WxPayService;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.notify.NotifyService;
 import org.linlinjava.litemall.core.notify.NotifyType;
-import org.linlinjava.litemall.core.util.CharUtil;
 import org.linlinjava.litemall.core.util.JacksonUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
-import org.linlinjava.litemall.db.domain.*;
+import org.linlinjava.litemall.db.domain.LitemallComment;
+import org.linlinjava.litemall.db.domain.LitemallOrder;
+import org.linlinjava.litemall.db.domain.LitemallOrderGoods;
+import org.linlinjava.litemall.db.domain.UserVo;
 import org.linlinjava.litemall.db.service.*;
 import org.linlinjava.litemall.db.util.OrderUtil;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.transaction.PlatformTransactionManager;
 import org.springframework.transaction.TransactionDefinition;
 import org.springframework.transaction.TransactionStatus;
@@ -60,9 +61,9 @@ public class AdminOrderController {
     @Autowired
     private NotifyService notifyService;
 
+    @RequiresPermissions("admin:order:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       Integer userId, String orderSn,
+    public Object list(Integer userId, String orderSn,
                        @RequestParam(required = false) List<Short> orderStatusArray,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
@@ -78,8 +79,9 @@ public class AdminOrderController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:order:read")
     @GetMapping("/detail")
-    public Object detail(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object detail(@NotNull Integer id) {
         LitemallOrder order = orderService.findById(id);
         List<LitemallOrderGoods> orderGoods = orderGoodsService.queryByOid(id);
         UserVo user = userService.findUserVoById(order.getUserId());
@@ -108,8 +110,9 @@ public class AdminOrderController {
      * @param body    订单信息,{ orderId:xxx }
      * @return 订单退款操作结果
      */
+    @RequiresPermissions("admin:order:refund")
     @PostMapping("refund")
-    public Object refund(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object refund(@RequestBody String body) {
         Integer orderId = JacksonUtil.parseInteger(body, "orderId");
         String refundMoney = JacksonUtil.parseString(body, "refundMoney");
         if (orderId == null) {
@@ -205,8 +208,9 @@ public class AdminOrderController {
      * 成功则 { errno: 0, errmsg: '成功' }
      * 失败则 { errno: XXX, errmsg: XXX }
      */
+    @RequiresPermissions("admin:order:ship")
     @PostMapping("ship")
-    public Object ship(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object ship(@RequestBody String body) {
         Integer orderId = JacksonUtil.parseInteger(body, "orderId");
         String shipSn = JacksonUtil.parseString(body, "shipSn");
         String shipChannel = JacksonUtil.parseString(body, "shipChannel");
@@ -250,8 +254,9 @@ public class AdminOrderController {
      * 成功则 { errno: 0, errmsg: '成功' }
      * 失败则 { errno: XXX, errmsg: XXX }
      */
+    @RequiresPermissions("admin:order:reply")
     @PostMapping("reply")
-    public Object reply(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object reply(@RequestBody String body) {
         Integer commentId = JacksonUtil.parseInteger(body, "commentId");
         if (commentId == null || commentId == 0) {
             return ResponseUtil.badArgument();

+ 7 - 4
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminProfileController.java

@@ -2,7 +2,9 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.annotation.RequiresAuthentication;
+import org.apache.shiro.subject.Subject;
 import org.linlinjava.litemall.core.util.JacksonUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
@@ -16,7 +18,6 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import static org.linlinjava.litemall.admin.util.AdminResponseCode.ADMIN_ALTER_NOT_ALLOWED;
 import static org.linlinjava.litemall.admin.util.AdminResponseCode.ADMIN_INVALID_ACCOUNT;
 
 @RestController
@@ -28,8 +29,9 @@ public class AdminProfileController {
     @Autowired
     private LitemallAdminService adminService;
 
+    @RequiresAuthentication
     @PostMapping("/password")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody String body) {
+    public Object create(@RequestBody String body) {
         String oldPassword = JacksonUtil.parseString(body, "oldPassword");
         String newPassword = JacksonUtil.parseString(body, "newPassword");
         if (StringUtils.isEmpty(oldPassword)) {
@@ -39,7 +41,8 @@ public class AdminProfileController {
             return ResponseUtil.badArgument();
         }
 
-        LitemallAdmin admin = adminService.findAdmin(adminId);
+        Subject currentUser = SecurityUtils.getSubject();
+        LitemallAdmin admin = (LitemallAdmin) currentUser.getPrincipal();
 
         BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
         if (!encoder.matches(oldPassword, admin.getPassword())) {
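Review bot: The old-password check now compares against `admin.getPassword()` taken from the Shiro principal (`currentUser.getPrincipal()`), which is the `LitemallAdmin` object captured at login and held in the session rather than a fresh row from the database. If the hash was changed since login (another session of the same admin, or an edit through the admin-management endpoint), the comparison runs against a stale hash, and the update that follows — the method continues below the hunk — is decided on outdated data. Use the principal only as the identity and reload the record, e.g. `LitemallAdmin admin = adminService.findAdmin(((LitemallAdmin) currentUser.getPrincipal()).getId());`, assuming `LitemallAdmin` exposes `getId()` as the removed `adminService.findAdmin(adminId)` call implies. Keeping the full entity, bcrypt hash included, as the session principal is also worth a second look, though that is decided in the realm, outside this view.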

+ 2 - 4
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminRegionController.java

@@ -2,7 +2,6 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -30,14 +29,13 @@ public class AdminRegionController {
     private LitemallRegionService regionService;
 
     @GetMapping("/clist")
-    public Object clist(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object clist(@NotNull Integer id) {
         List<LitemallRegion> regionList = regionService.queryByPid(id);
         return ResponseUtil.ok(regionList);
     }
 
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String name, Integer code,
+    public Object list(String name, Integer code,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort(accepts = {"id"}) @RequestParam(defaultValue = "id") String sort,
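Review bot: Both `clist` and `list` lose their `@LoginAdmin` parameter but, unlike every other controller in this commit, receive no `@RequiresPermissions` or `@RequiresAuthentication` in exchange, so the per-method check is simply gone. Whether these endpoints are still authenticated now rests entirely on the Shiro filter chain in `ShiroConfig`, which this commit also edits but which is not in this view; if `/admin/region/**` is not covered there, region listing becomes reachable anonymously. If the omission is deliberate because region data is public, record it above the class, e.g. `// Region data is intentionally readable by any authenticated admin; authentication is enforced by the Shiro filter chain, not per method.`; otherwise add `@RequiresAuthentication` (or `@RequiresPermissions("admin:region:list")`) above both `@GetMapping` lines.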

+ 7 - 4
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStatController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.admin.util.StatVo;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.db.service.StatService;
@@ -24,8 +24,9 @@ public class AdminStatController {
     @Autowired
     private StatService statService;
 
+    @RequiresPermissions("admin:stat:user")
     @GetMapping("/user")
-    public Object statUser(@LoginAdmin Integer adminId) {
+    public Object statUser() {
         List<Map> rows = statService.statUser();
         String[] columns = new String[]{"day", "users"};
         StatVo statVo = new StatVo();
@@ -34,8 +35,9 @@ public class AdminStatController {
         return ResponseUtil.ok(statVo);
     }
 
+    @RequiresPermissions("admin:stat:order")
     @GetMapping("/order")
-    public Object statOrder(@LoginAdmin Integer adminId) {
+    public Object statOrder() {
         List<Map> rows = statService.statOrder();
         String[] columns = new String[]{"day", "orders", "customers", "amount", "pcr"};
         StatVo statVo = new StatVo();
@@ -45,8 +47,9 @@ public class AdminStatController {
         return ResponseUtil.ok(statVo);
     }
 
+    @RequiresPermissions("admin:stat:goods")
     @GetMapping("/goods")
-    public Object statGoods(@LoginAdmin Integer adminId) {
+    public Object statGoods() {
         List<Map> rows = statService.statGoods();
         String[] columns = new String[]{"day", "orders", "products", "amount"};
         StatVo statVo = new StatVo();

+ 11 - 7
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.storage.StorageService;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
@@ -32,9 +32,9 @@ public class AdminStorageController {
     @Autowired
     private LitemallStorageService litemallStorageService;
 
+    @RequiresPermissions("admin:storage:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String key, String name,
+    public Object list(String key, String name,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -48,8 +48,9 @@ public class AdminStorageController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:storage:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestParam("file") MultipartFile file) throws IOException {
+    public Object create(@RequestParam("file") MultipartFile file) throws IOException {
         String originalFilename = file.getOriginalFilename();
         String url = storageService.store(file.getInputStream(), file.getSize(), file.getContentType(), originalFilename);
         Map<String, Object> data = new HashMap<>();
@@ -57,8 +58,9 @@ public class AdminStorageController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:storage:read")
     @PostMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallStorage storageInfo = litemallStorageService.findById(id);
         if (storageInfo == null) {
             return ResponseUtil.badArgumentValue();
@@ -66,16 +68,18 @@ public class AdminStorageController {
         return ResponseUtil.ok(storageInfo);
     }
 
+    @RequiresPermissions("admin:storage:delete")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallStorage litemallStorage) {
+    public Object update(@RequestBody LitemallStorage litemallStorage) {
         if (litemallStorageService.update(litemallStorage) == 0) {
             return ResponseUtil.updatedDataFailed();
         }
         return ResponseUtil.ok(litemallStorage);
     }
 
+    @RequiresPermissions("admin:storage:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallStorage litemallStorage) {
+    public Object delete(@RequestBody LitemallStorage litemallStorage) {
         String key = litemallStorage.getKey();
         if (StringUtils.isEmpty(key)) {
             return ResponseUtil.badArgument();
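Review bot: `POST /update` in the last hunk is annotated `@RequiresPermissions("admin:storage:delete")`, the same string as `POST /delete` directly below it, while `list`, `create` and `read` each get their own action. A role allowed to edit storage metadata therefore implicitly gains delete, and a delete-only role gains update. Change it to `@RequiresPermissions("admin:storage:update")` so it follows the `admin:<resource>:update` pattern the goods, issue, keyword and topic controllers adopt in this same commit.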

+ 11 - 7
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminTopicController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.validator.Order;
 import org.linlinjava.litemall.core.validator.Sort;
@@ -28,9 +28,9 @@ public class AdminTopicController {
     @Autowired
     private LitemallTopicService topicService;
 
+    @RequiresPermissions("admin:topic:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String title, String subtitle,
+    public Object list(String title, String subtitle,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -60,8 +60,9 @@ public class AdminTopicController {
         return null;
     }
 
+    @RequiresPermissions("admin:topic:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallTopic topic) {
+    public Object create(@RequestBody LitemallTopic topic) {
         Object error = validate(topic);
         if (error != null) {
             return error;
@@ -70,14 +71,16 @@ public class AdminTopicController {
         return ResponseUtil.ok(topic);
     }
 
+    @RequiresPermissions("admin:topic:read")
     @GetMapping("/read")
-    public Object read(@LoginAdmin Integer adminId, @NotNull Integer id) {
+    public Object read(@NotNull Integer id) {
         LitemallTopic topic = topicService.findById(id);
         return ResponseUtil.ok(topic);
     }
 
+    @RequiresPermissions("admin:topic:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallTopic topic) {
+    public Object update(@RequestBody LitemallTopic topic) {
         Object error = validate(topic);
         if (error != null) {
             return error;
@@ -88,8 +91,9 @@ public class AdminTopicController {
         return ResponseUtil.ok(topic);
     }
 
+    @RequiresPermissions("admin:topic:delete")
     @PostMapping("/delete")
-    public Object delete(@LoginAdmin Integer adminId, @RequestBody LitemallTopic topic) {
+    public Object delete(@RequestBody LitemallTopic topic) {
         topicService.deleteById(topic.getId());
         return ResponseUtil.ok();
     }

+ 9 - 6
litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminUserController.java

@@ -2,7 +2,7 @@ package org.linlinjava.litemall.admin.web;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.linlinjava.litemall.admin.annotation.LoginAdmin;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.linlinjava.litemall.core.util.RegexUtil;
 import org.linlinjava.litemall.core.util.ResponseUtil;
 import org.linlinjava.litemall.core.util.bcrypt.BCryptPasswordEncoder;
@@ -31,9 +31,9 @@ public class AdminUserController {
     @Autowired
     private LitemallUserService userService;
 
+    @RequiresPermissions("admin:user:list")
     @GetMapping("/list")
-    public Object list(@LoginAdmin Integer adminId,
-                       String username, String mobile,
+    public Object list(String username, String mobile,
                        @RequestParam(defaultValue = "1") Integer page,
                        @RequestParam(defaultValue = "10") Integer limit,
                        @Sort @RequestParam(defaultValue = "add_time") String sort,
@@ -47,8 +47,9 @@ public class AdminUserController {
         return ResponseUtil.ok(data);
     }
 
+    @RequiresPermissions("admin:user:list")
     @GetMapping("/username")
-    public Object username(@LoginAdmin Integer adminId, @NotEmpty String username) {
+    public Object username(@NotEmpty String username) {
         int total = userService.countSeletive(username, null, null, null, null, null);
         if (total == 0) {
             return ResponseUtil.ok("不存在");
@@ -78,8 +79,9 @@ public class AdminUserController {
         return null;
     }
 
+    @RequiresPermissions("admin:user:create")
     @PostMapping("/create")
-    public Object create(@LoginAdmin Integer adminId, @RequestBody LitemallUser user) {
+    public Object create(@RequestBody LitemallUser user) {
         Object error = validate(user);
         if (error != null) {
             return error;
@@ -107,8 +109,9 @@ public class AdminUserController {
         return ResponseUtil.ok(user);
     }
 
+    @RequiresPermissions("admin:user:update")
     @PostMapping("/update")
-    public Object update(@LoginAdmin Integer adminId, @RequestBody LitemallUser user) {
+    public Object update(@RequestBody LitemallUser user) {
         Object error = validate(user);
         if (error != null) {
             return error;