Implementing Permission Validation in Spring MVC Using Custom Annotations

This article explains how to implement permission validation in Spring MVC by defining user, role, and resource tables, exploring three approaches—including request URI checks, method inspection, and custom annotations—and provides complete Java code examples for a custom annotation, controller, and interceptor to enforce access control.

Top Architect

The article discusses permission validation in a Spring MVC project, describing the typical user, role, and resource tables with many‑to‑many relationships and the need to verify a user's authority in an interceptor after a request arrives.

It outlines three possible methods: (1) checking the request URI against allowed operations, which is cumbersome; (2) inspecting the handler method name and its RequestMapping annotation; and (3) defining a custom annotation to mark operations.

Example of a method‑level custom annotation:

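import static java.lang.annotation.ElementType.METHOD;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
import java.lang.annotation.Retention;
import java.lang.annotation.Target;

@Retention(RUNTIME) // RUNTIME retention lets the interceptor read it via reflection
@Target(METHOD)
public @interface MyOperation {
    String value() default ""; // operation name; empty by default
}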

Controller using the annotation:

@Controller("testController")
public class TestController {
    @MyOperation("用户修改") // main point: names the operation ("user modification")
    @RequestMapping("test")
    @ResponseBody
    public String test(String id) {
        return "Hello,2018!" + id;
    }
}

Interceptor that reads the annotation:

@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
        throws Exception {
    System.out.println("进入拦截器"); // "entering interceptor"
    if (handler instanceof HandlerMethod) {
        HandlerMethod h = (HandlerMethod) handler;
        // getMethodAnnotation returns null when the handler method is not annotated
        MyOperation op = h.getMethodAnnotation(MyOperation.class);
        if (op != null) {
            // "the operation the user wants to perform is: ..."
            System.out.println("用户想执行的操作是:" + op.value());
            // perform permission check here
        }
    }
    return HandlerInterceptor.super.preHandle(request, response, handler);
}

For class‑level annotations, the same @interface can target TYPE and be retrieved with:

h.getMethod().getDeclaringClass().getAnnotation(MyOperation.class)

The article also notes that using RequestMapping directly (instead of shortcuts like GetMapping) can avoid the need for a custom annotation.
