How does the RESTFUL interface provided by the back end control the rights in the separation of the front and back ends?

  java, question

We have a problem today.

I have a system based on role-based authority control.
The front end naturally controls the view that should be displayed according to the role.
However, in order to prevent others from accessing directly with httpclient, the background must also control the corresponding permissions.
When interacting, all I know is who the user is
So I can know his role.

Then I want to know how to control at the code level.
How do I control a role to access only one type of url?

My idea is
1. The background needs to maintain the url of the whole system (i.e. the interface provided)
2. Maintain the views needed by the system (menus, buttons, etc., because the use of interfaces is basically bound to the views)
3. View and role binding, user and role binding

This is very troublesome
1. The workload of maintaining the url of the whole system is extremely large.
2. The workload of maintaining the interface URL corresponding to the view is also very large.
3. The RESTFUL interface based on resources has many parameters on url. Regularization is more complicated and there are many situations

Later, I saw in SHIRO that permission control can be carried out in this way

In the interface, such as springmvc interface

@RequireRoles("admin")
 @RequestMapping("/{id}")
 public void get(){
 xxx
 bracket

How can I do this? The roles required for direct interfaces are intercepted at the interface layer by Annotation, and the workload is greatly reduced. However, the roles in the currently seen schemes can only be hardcode. They cannot be dynamically obtained from the database.

So there are three questions.
1) How do you deal with this situation
2) Is my plan with a very heavy workload reasonable? Is there any way to improve it?
3) Is it possible for 3)shiro to directly control the role permissions at the interface layer and obtain the required roles from the database?

Great Xia, thank you very much!

-The following supplements-
The front and back end have passed the token verification, which is certain. What I want to ask is actually after the token verification has passed
Then I have the data
1. URL currently visited
2. Current User, Role of Current User

I think it is rather troublesome to maintain URL for roles. I would like to ask if there is a better solution.

Role-based permission control is not a good method, see this article for details:https://stormpath.com/blog/ne …

My project is also based on shiro, not role-based, but permission. In short, this is the case:

  1. Each url, menu, and button is a resource with a corresponding permission.

  2. The role has permission (several)

  3. The way to judge whether this role can obtain resources is very simple, just see if this role has corresponding resource permission.

  4. Only permission is from Hard coding here.