    package com.hsfw.backyard.biz.security.authority;
    import java.lang.annotation.*;
     * 数据权限过滤自定义注解
     * @Description
     * @Author: liucq
     * @Date: 2018/12/14
    public @interface UserPermissionAop {
        String value() default "";


    package com.hsfw.backyard.biz.security.authority.util;
    import java.lang.reflect.Constructor;
    import java.lang.reflect.Field;
    import java.lang.reflect.Method;
    public class ReflectUtil {
         * 利用反射获取指定对象的指定属性
         * @param obj       目标对象
         * @param fieldName 目标属性
         * @return 目标属性的值
        public static Object getFieldValue(Object obj, String fieldName) {
            Object result = null;
            Field field = ReflectUtil.getField(obj, fieldName);
            if (field != null) {
                try {
                    result = field.get(obj);
                } catch (IllegalArgumentException e) {
                    // TODO Auto-generated catch block
                } catch (IllegalAccessException e) {
                    // TODO Auto-generated catch block
            return result;
         * 利用反射获取指定对象里面的指定属性
         * @param obj       目标对象
         * @param fieldName 目标属性
         * @return 目标字段
        private static Field getField(Object obj, String fieldName) {
            Field field = null;
            for (Class<?> clazz = obj.getClass(); clazz != Object.class; clazz = clazz.getSuperclass()) {
                try {
                    field = clazz.getDeclaredField(fieldName);
                } catch (NoSuchFieldException e) {
                    // 这里不用做处理,子类没有该字段可能对应的父类有,都没有就返回null。
            return field;
         * 利用反射设置指定对象的指定属性为指定的值
         * @param obj        目标对象
         * @param fieldName  目标属性
         * @param fieldValue 目标值
        public static void setFieldValue(Object obj, String fieldName, String fieldValue) {
            Field field = ReflectUtil.getField(obj, fieldName);
            if (field != null) {
                try {
                    field.set(obj, fieldValue);
                } catch (IllegalArgumentException e) {
                    // TODO Auto-generated catch block
                } catch (IllegalAccessException e) {
                    // TODO Auto-generated catch block
         * 根据文件路径 获取反射对象并执行对应方法
         * @author GaoYuan
         * @date 2018/4/17 上午9:51
        public static Object reflectByPath(String path) {
            try {
                String className = path.substring(0, path.lastIndexOf("."));
                String methodName = path.substring(path.lastIndexOf(".") + 1, path.length());
                // 获取字节码文件对象
                Class c = Class.forName(className);
                Constructor con = c.getConstructor();
                Object obj = con.newInstance();
                // public Method getMethod(String name,Class<?>... parameterTypes)
                // 第一个参数表示的方法名,第二个参数表示的是方法的参数的class类型
                Method method = c.getMethod(methodName);
                // 调用obj对象的 method 方法
                return method.invoke(obj);
            } catch (Exception e) {
            return null;
    package com.hsfw.backyard.biz.security.authority.util;//package com.foruo.sc.permission.example.util;
    import com.hsfw.backyard.biz.security.authority.UserPermissionAop;
    import org.apache.ibatis.mapping.MappedStatement;
    import java.lang.reflect.Method;
    public class PermissionUtils {
        public static UserPermissionAop getPermissionByDelegate(MappedStatement mappedStatement) {
            UserPermissionAop permissionAop = null;
            try {
                String id = mappedStatement.getId();
                String className = id.substring(0, id.lastIndexOf("."));
                String methodName = id.substring(id.lastIndexOf(".") + 1, id.length());
                final Class cls = Class.forName(className);
                final Method[] method = cls.getMethods();
                for (Method me : method) {
                    if (me.getName().equals(methodName) && me.isAnnotationPresent(UserPermissionAop.class)) {
                        permissionAop = me.getAnnotation(UserPermissionAop.class);
            } catch (Exception e) {
            return permissionAop;


    package com.hsfw.backyard.biz.security.authority.mybatis;
    import com.hsfw.backyard.biz.ContextHolder;
    import com.hsfw.backyard.biz.model.sys.User;
    import com.hsfw.backyard.biz.security.authority.UserPermissionAop;
    import com.hsfw.backyard.biz.security.authority.util.PermissionUtils;
    import com.hsfw.backyard.biz.security.authority.util.ReflectUtil;
    import com.hsfw.backyard.dal.mapper.model.UserDataManageDO;
    import org.apache.ibatis.executor.statement.RoutingStatementHandler;
    import org.apache.ibatis.executor.statement.StatementHandler;
    import org.apache.ibatis.mapping.BoundSql;
    import org.apache.ibatis.mapping.MappedStatement;
    import org.apache.ibatis.plugin.*;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.stereotype.Component;
    import java.sql.Connection;
    import java.util.List;
    import java.util.Properties;
            @Signature(type = StatementHandler.class, method = "prepare", args = {Connection.class, Integer.class})
    public class PrepareInterceptor implements Interceptor {
        private static final Logger log = LoggerFactory.getLogger(PrepareInterceptor.class);
        public Object plugin(Object target) {
            return Plugin.wrap(target, this);
        public void setProperties(Properties properties) {
        public Object intercept(Invocation invocation) throws Throwable {
            if (log.isInfoEnabled()) {
                log.info("进入 PrepareInterceptor 拦截器...");
            if (invocation.getTarget() instanceof RoutingStatementHandler) {
                RoutingStatementHandler handler = (RoutingStatementHandler) invocation.getTarget();
                StatementHandler delegate = (StatementHandler) ReflectUtil.getFieldValue(handler, "delegate");
                MappedStatement mappedStatement = (MappedStatement) ReflectUtil.getFieldValue(delegate, "mappedStatement");
                BoundSql boundSql = delegate.getBoundSql();
                ReflectUtil.setFieldValue(boundSql, "sql", permissionSql(boundSql.getSql(), mappedStatement));
            return invocation.proceed();
         * 权限sql包装,以及是否需要包装
         * @param sql
         * @return
        protected String permissionSql(String sql, MappedStatement mappedStatement) {
            UserPermissionAop permissionAop = PermissionUtils.getPermissionByDelegate(mappedStatement);
            StringBuilder sbSql = new StringBuilder(sql);
            if (permissionAop != null) {
                String id = mappedStatement.getId();
                String methodName = id.substring(id.lastIndexOf(".") + 1, id.length());
                if (methodName.equals("countByCondition") || methodName.equals("pageByCondition")) {
                    return getAppendSql(sbSql, methodName);
            return sbSql.toString();
         * sql拼接
         * @param sbSql
         * @param methodName
         * @return
        public String getAppendSql(StringBuilder sbSql, String methodName) {
            User user = ContextHolder.user();
            List<UserDataManageDO> managedUserList = user.getUserDatalist();
            String findUserList = String.valueOf(user.getId());
            for (int i = 0; i < managedUserList.size(); i++) {
                findUserList.concat("," + String.valueOf(managedUserList.get(i).getManagedUserId()));
            if (methodName.equals("countByCondition")) {
                sbSql = sbSql.append(" and operate_user_id in (" + findUserList + ")  ");
            } else {
                sbSql = new StringBuilder("select * from (").append(sbSql).append(" ) temp where temp.operate_user_id in (" + findUserList + ")  ");
            return sbSql.toString();
    package com.hsfw.backyard.biz.security.authority.mybatis;
    import com.hsfw.backyard.biz.security.authority.UserPermissionAop;
    import com.hsfw.backyard.biz.security.authority.util.PermissionUtils;
    import com.hsfw.backyard.biz.security.authority.util.ReflectUtil;
    import org.apache.ibatis.executor.resultset.ResultSetHandler;
    import org.apache.ibatis.mapping.MappedStatement;
    import org.apache.ibatis.plugin.*;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.stereotype.Component;
    import java.lang.reflect.Method;
    import java.sql.Statement;
    import java.util.ArrayList;
    import java.util.Properties;
            @Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class})
    public class ResultInterceptor implements Interceptor {
         * 日志
        private static final Logger log = LoggerFactory.getLogger(ResultInterceptor.class);
        public Object plugin(Object target) {
            return Plugin.wrap(target, this);
        public void setProperties(Properties properties) {
        public Object intercept(Invocation invocation) throws Throwable {
            if (log.isInfoEnabled()) {
                log.info("进入 ResultInterceptor 拦截器...");
            ResultSetHandler resultSetHandler1 = (ResultSetHandler) invocation.getTarget();
            MappedStatement mappedStatement = (MappedStatement) ReflectUtil.getFieldValue(resultSetHandler1, "mappedStatement");
            UserPermissionAop permissionAop = PermissionUtils.getPermissionByDelegate(mappedStatement);
            Object result = invocation.proceed();
            if (permissionAop != null) {
                if (result instanceof ArrayList) {
                    ArrayList resultList = (ArrayList) result;
                    for (int i = 0; i < resultList.size(); i++) {
                        Object oi = resultList.get(i);
                        Class c = oi.getClass();
                        Class[] types = {String.class};
                        Method method = c.getMethod("setRegionCd", types);
                        // 调用obj对象的 method 方法
                        method.invoke(oi, "");
                        if (log.isInfoEnabled()) {
            return result;
