Backend Development 6 min read

Design and Implementation of a Permission System with Unified Login, RBAC Management, and Backend Authorization

This article explains the architecture and implementation of a permission system that provides front‑end menu rendering, unified single sign‑on, RBAC‑style permission management, and backend request authorization using Java and Spring technologies.

Zhuanzhuan Tech

The permission system solves two core problems: front‑end rendering of menus after user login and backend authorization that blocks unauthorized API calls.

Key supporting functions include user management (single sign‑on across sub‑domains), permission management (role, menu, data, and user‑role bindings), and backend authorization that integrates with the access layer.

Unified login works by planting a top‑level cookie (e.g., *.zhuanspirit.com) that is shared across sub‑domains; Nginx validates the cookie against Redis entries (sso_uid, sso_code) and redirects unauthenticated users to the login page.

The permission management module follows a classic RBAC model but extends it so that users can be directly bound to menus or data, increasing flexibility. The database schema includes tables for users, systems, menus, data, roles, and their association tables.
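The resolution logic this paragraph describes (permissions reachable through roles, unioned with direct user‑to‑menu bindings, scoped per system), as an added Python example that is not ZHUANZHUAN's code; the in‑memory table layout, the check() result shape and the sample system, users and roles are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed layout of the article's tables: a menu is a permission code owned by a
# system and tied to the URL it protects; roles and users are bound to menus.
Menu = Tuple[str, str]  # (system code, permission code)


@dataclass
class PermissionStore:
    menus: Dict[Menu, str] = field(default_factory=dict)            # menu -> protected URL
    role_menus: Dict[str, Set[Menu]] = field(default_factory=dict)  # role -> menus
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)   # user -> roles
    user_menus: Dict[str, Set[Menu]] = field(default_factory=dict)  # direct user bindings

    def effective_menus(self, user: str) -> Set[Menu]:
        """Menus granted through any role plus menus bound directly to the user."""
        granted = set(self.user_menus.get(user, ()))
        for role in self.user_roles.get(user, ()):
            granted |= self.role_menus.get(role, set())
        return granted

    def code_for_url(self, app_code: str, url: str) -> Optional[str]:
        """Map a request path to the permission code registered for it in app_code."""
        for (system, code), menu_url in self.menus.items():
            if system == app_code and menu_url == url:
                return code
        return None

    def check(self, app_code: str, code: Optional[str], user: Optional[str],
              url: str = "") -> Tuple[bool, str]:
        """Deny-by-default decision shaped like AuthResult: (success, message)."""
        if user is None:
            return False, "not logged in"
        if code is None:  # permission code is optional: fall back to the request URL
            code = self.code_for_url(app_code, url)
            if code is None:
                return False, f"no permission registered for {url}"
        if (app_code, code) not in self.menus:
            return False, f"unknown permission {code} in {app_code}"
        if (app_code, code) in self.effective_menus(user):
            return True, "SUCCESS"
        return False, f"user {user} lacks {code} in {app_code}"


def build_sample_store() -> PermissionStore:
    """Constructed data: one system with two menus, one role and two users."""
    store = PermissionStore()
    store.menus[("arch_ipms", "ro_zzlock")] = "/zzlock/get"
    store.menus[("arch_ipms", "rw_zzlock")] = "/zzlock/update"
    store.role_menus["lock_viewer"] = {("arch_ipms", "ro_zzlock")}
    store.user_roles["alice"] = {"lock_viewer"}             # granted via a role
    store.user_menus["bob"] = {("arch_ipms", "rw_zzlock")}  # direct user-to-menu binding
    return store
```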

Backend authorization is implemented as an SDK that uses aspect‑oriented programming to intercept request URLs or permission codes; if the logged‑in user lacks the required permission, an error response is returned.

AuthResult res = authentication.check(new AppCodeAuthParmBuilder(APP_CODE, CODE, request));

The core method requires three parameters: APP_CODE (system identifier), CODE (permission code, optional), and request (the HttpServletRequest from which cookies and URL are extracted).

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;

// Authentication, AuthResult, AppCodeAuthParmBuilder, ResultCodeEnum and UserDTO
// come from the permission SDK; its package is not given in the article.
@Component
public class ZZLockInterceptor implements HandlerInterceptor {
    private static final Logger logger = LoggerFactory.getLogger(ZZLockInterceptor.class);
    @Resource
    private Authentication authentication;                // SDK entry point injected by Spring
    private static final String APP_CODE = "arch_ipms";   // system identifier
    private static final String CODE = "ro_zzlock";       // permission code this menu requires

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // The SDK reads the SSO cookie and URL from the request and checks the user's bindings
        AuthResult res = authentication.check(new AppCodeAuthParmBuilder(APP_CODE, CODE, request));
        if (res.isSuccess() && res.getCode() == ResultCodeEnum.SUCCESS.getCode()) {
            return true;
        }
        // Denied: log the decision and send an error response instead of invoking the handler.
        // parseUser may return null for an unauthenticated request, so guard before logging.
        UserDTO user = authentication.parseUser(request);
        String loginName = user == null ? "<anonymous>" : user.getLoginName();
        logger.info("menu zzlock_get user {} auth result code {} msg {}", loginName, res.getCode(), res.getMsg());
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.getWriter().write("user: " + loginName + " no auth");
        response.getWriter().close();
        return false;
    }
}

In summary, the article presents the backend implementation of the ZHUANZHUAN permission system, detailing how unified login identifies users, how permission data is stored and managed, and how backend authorization is enforced through a Spring interceptor SDK.

Tags: Java, Spring, RBAC, Permission System, Unified Login, Backend Authentication
Written by

Zhuanzhuan Tech

A platform for Zhuanzhuan R&D and industry peers to learn and exchange technology, regularly sharing frontline experience and cutting‑edge topics. We welcome practical discussions and sharing; contact waterystone with any questions.
