# Auth And Company Optimization Implementation Plan

> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.

**Goal:** Replace the remaining Shiro authorization layer with project-owned Redis token authentication and add company CRUD APIs.

**Architecture:** Keep the existing UUID token, Redis session storage, and `CompanyContext` tenant injection. Add project-owned `@RequireAuth` and `@RequireRole` annotations plus a Spring MVC `AuthInterceptor`, then remove Shiro config/classes/dependencies. Add `CompanyService` and `CompanyController` for `sys_company` management.

**Tech Stack:** Java 21, Spring Boot 3.1.5, Spring MVC HandlerInterceptor, RedisTemplate, MyBatis-Plus, JUnit 5, Mockito, AssertJ.

---

### Task 1: Replace Shiro With Custom Auth Interceptor

**Files:**

- Create: `src/main/java/com/label/annotation/RequireAuth.java`
- Create: `src/main/java/com/label/annotation/RequireRole.java`
- Create: `src/main/java/com/label/interceptor/AuthInterceptor.java`
- Create: `src/main/java/com/label/common/auth/TokenPrincipal.java`
- Create: `src/main/java/com/label/common/context/UserContext.java`
- Modify: `src/main/java/com/label/config/ShiroConfig.java`
- Modify: `src/main/java/com/label/common/shiro/TokenFilter.java`
- Modify: `src/main/java/com/label/common/shiro/BearerToken.java`
- Modify: `src/main/java/com/label/common/shiro/UserRealm.java`
- Modify: `src/main/java/com/label/controller/*.java`
- Modify: `src/main/java/com/label/service/*.java`
- Modify: `pom.xml`
- Test: `src/test/java/com/label/unit/AuthInterceptorTest.java`

- [x] Write failing tests for token loading, TTL refresh, role hierarchy, and context cleanup.
- [x] Implement annotations, principal, context, and interceptor.
- [x] Register the interceptor via Spring MVC config.
- [x] Replace controller `@RequiresRoles` usage with `@RequireRole`.
- [x] Remove Shiro-only classes, tests, dependencies, and exception handling.
- [x] Run `mvn -q "-Dtest=AuthInterceptorTest,OpenApiAnnotationTest" test` and `mvn -q -DskipTests compile`.

### Task 2: Add Company Management

**Files:**

- Create: `src/main/java/com/label/service/CompanyService.java`
- Create: `src/main/java/com/label/controller/CompanyController.java`
- Modify: `src/main/java/com/label/mapper/SysUserMapper.java`
- Test: `src/test/java/com/label/unit/CompanyServiceTest.java`
- Test: `src/test/java/com/label/unit/OpenApiAnnotationTest.java`

- [x] Write failing tests for create/list/update/status/delete behavior.
- [x] Implement service validation and duplicate checks.
- [x] Implement admin-only controller endpoints under `/api/companies`.
- [x] Run `mvn -q "-Dtest=CompanyServiceTest,OpenApiAnnotationTest" test` and `mvn -q -DskipTests compile`.

### Task 3: Configuration And Verification

**Files:**

- Modify: `src/main/resources/application.yml`
- Modify: `src/test/java/com/label/unit/ApplicationConfigTest.java`

- [x] Rename `shiro.auth.*` config to `auth.*`.
- [x] Update safe defaults and type-aliases package.
- [x] Run targeted unit tests and compile.
- [x] Run `mvn clean test` once and record any external environment blockers.

### Verification Notes

- `mvn -q "-Dtest=LabelBackendApplicationTests,ApplicationConfigTest,AuthInterceptorTest,CompanyServiceTest,OpenApiAnnotationTest" test` passed.
- `mvn -q -DskipTests compile` passed.
- `mvn clean test` compiled main/test sources and passed unit tests, then failed only because 10 Testcontainers integration tests could not find a valid Docker environment.
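
The four behaviours Task 1's tests cover (token loading, TTL refresh, role hierarchy, context cleanup) combined in one interceptor, as an added example that is not the project's own code. The annotation shapes, the `USER`/`ADMIN` role names, the `token:` key layout, the role-name session value and the 30-minute TTL are assumptions; the plan's `TokenPrincipal` and `CompanyContext` are left out.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.lang.annotation.*;
import java.time.Duration;
import java.util.List;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;

// Added example, not project code. Assumed: annotation shapes, role names, key layout, TTL.
@Retention(RetentionPolicy.RUNTIME) @interface RequireAuth {}
@Retention(RetentionPolicy.RUNTIME) @interface RequireRole { String value(); }
final class UserContext { // per-request identity holder
    private static final ThreadLocal<String> ROLE = new ThreadLocal<>();
    static void set(String role) { ROLE.set(role); }
    static void clear() { ROLE.remove(); }
}

public class AuthInterceptor implements HandlerInterceptor {
    private static final List<String> RANK = List.of("USER", "ADMIN"); // assumed, lowest first
    private static final Duration TTL = Duration.ofMinutes(30);        // assumed session lifetime
    private final StringRedisTemplate redis;
    public AuthInterceptor(StringRedisTemplate redis) { this.redis = redis; }

    private static <A extends Annotation> A find(HandlerMethod hm, Class<A> type) {
        A onMethod = hm.getMethodAnnotation(type); // method-level wins over class-level
        return onMethod != null ? onMethod : hm.getBeanType().getAnnotation(type);
    }

    @Override public boolean preHandle(HttpServletRequest req, HttpServletResponse res,
                                       Object handler) throws Exception {
        if (!(handler instanceof HandlerMethod hm)) return true; // not a controller method
        RequireRole need = find(hm, RequireRole.class);
        if (need == null && find(hm, RequireAuth.class) == null) return true; // public endpoint
        String header = req.getHeader("Authorization");
        String token = header != null && header.startsWith("Bearer ") ? header.substring(7).trim() : "";
        String key = "token:" + token; // assumed key layout; value assumed to be the role name
        String role = token.isEmpty() ? null : redis.opsForValue().get(key);
        if (role == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; }
        redis.expire(key, TTL); // sliding TTL: each authenticated request extends the session
        int have = RANK.indexOf(role), want = need == null ? 0 : RANK.indexOf(need.value());
        if (have < 0 || want < 0 || have < want) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return false; } // unknown roles fail closed
        UserContext.set(role); // set only after every check has passed
        return true;
    }

    @Override public void afterCompletion(HttpServletRequest req, HttpServletResponse res,
                                          Object handler, Exception ex) {
        UserContext.clear(); // pooled worker threads must not keep the previous caller's identity
    }
}
```

Spring calls `afterCompletion` only for interceptors whose `preHandle` returned `true`, which is why the context is populated as the last step before that return.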