Designing a Flexible Permission Control System with Java Annotations and Spring AOP

In software development, permission control ensures data security and compliance, and frequent changes by management can disrupt development, making a flexible, extensible system essential.

1. Basic Concepts of Permission Control

Defines organization-level and personal permissions, hierarchical structures, scopes, and the relationship between roles and permissions.

2. System Requirement Analysis

Describes complex permission requirements such as organization permissions, personal permissions, quantity limits, and special role permissions, and outlines business rules and a flowchart.

3. Database Design

Proposes tables: Organizations , Users , Roles , Permissions , and association tables Role_Permissions , User_Roles , Organization_Permissions to store hierarchy and limits.

4. Annotation Design

Defines three annotations used to mark methods that require permission, role, or quantity‑limit checks.

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface PermissionRequired {
    String[] value();
}

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface RoleRequired {
    String[] value();
}

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface LimitRequired {
    String value();
}

5. Aspect Implementation

Uses Spring AOP to create a PermissionAspect that intercepts annotated methods, checks organization, personal, limit, and special‑role permissions, and throws an AccessDeniedException when checks fail.

@Aspect
@Component
public class PermissionAspect {

    @Pointcut("@annotation(permissionRequired)")
    public void permissionPointcut(PermissionRequired permissionRequired) {}

    @Before("permissionPointcut(permissionRequired)")
    public void checkPermission(JoinPoint joinPoint, PermissionRequired permissionRequired) {
        // obtain current user and verify permissions
    }

    // other checks for role, limit, etc.
}

6. Business Logic Implementation

Implements three services: UserService (fetch user data and permissions), RoleService (fetch role data and permissions), and PermissionService (core checks for permission, role, and limits).

@Service
public class UserService {
    // methods to get user and permissions
}

@Service
public class RoleService {
    // methods to get role and permissions
}

@Service
public class PermissionService {
    // hasPermission, hasRole, isLimitExceeded, hasSpecialRole
}

7. Conclusion

The annotation‑and‑AOP approach provides flexibility, maintainability, reusability, and strong security, while introducing complexity, performance overhead, and reliance on correct implementation; future work includes caching, dynamic updates, fine‑grained ABAC, auditing, UI management, and MFA integration.