Internal API (xlyEntry)
The xlyEntry service hosts the SPA's runtime API. It is the largest of
the three tiers — its controllers compile into the same WAR as the
framework's metadata-driven runtime, and most calls hit one of a handful
of universal endpoints that read or write any module.
This API is not a stable contract for external callers. Endpoint shapes change as the framework changes. External integrations belong on the External API. This page exists for maintainers and SPA-extension authors.
For the request-lifecycle and code-level walkthrough, see the Maintainer runtime chapter. This page is the catalog of HTTP entry points.
The universal CRUD surface — /business/*
| Endpoint | Method | Purpose |
|---|---|---|
/business/getModelBysId/{moduleId} |
GET | Returns the form layout for a module — the five-key composite (formData, gdsformconst, gdsjurisdiction, billnosetting, report). |
/business/getBusinessDataByFormcustomId/{formId} |
POST | Returns rows of business data for a form, paginated. Branches to getBusinessDataByGroup when sGroupList is set. |
/business/getBusinessDataByIndex |
POST | First / last / next / previous-record navigation. |
/business/addBusinessData |
POST | Single insert. |
/business/addUpdateDelBusinessData |
POST | Bundled add+update+delete in one transactional call. The frontend names the target table directly via sTable. |
/business/getSelectDataBysControlId/{sId} |
POST | Dropdown population for a single control, by control sId. |
/business/getSelectLimit/{sId} |
POST | Paginated variant of the dropdown call. |
These endpoints are documented in detail by Slice 1
(getModelBysId + grid load + save) and
Slice 3 (the view-backed read variant). The
handler classes are in
xlyEntry/src/main/java/com/xly/web/businessweb/.
Metadata-management endpoints
For builder-side actions (creating modules, defining forms, declaring
virtual tables) there is a parallel surface in
xlyEntry/src/main/java/com/xly/web/systemweb/:
| Endpoint root | Controller | Purpose |
|---|---|---|
/gdsmodule/* |
GdsmoduleController |
Module-tree CRUD, including getModuleTreePro, addGdsmodule, updateGdsmodule. |
/gdsconfigform/* |
GdsconfigformController |
Form-master and form-slave metadata CRUD. |
/gdsconfigtb/* |
GdsconfigtbController |
Virtual-table master/slave metadata CRUD. |
Specialised runtime endpoints
| Endpoint root | Controller | Purpose |
|---|---|---|
/configform/* |
BusinessConfigformController |
Per-user / per-group display customization. |
/treegrid/* |
BusinessTreeGridController |
Tree-grid endpoints (the proc-backed path is implemented in this branch). |
/procedureCall/* |
GenericProcedureCallController |
Generic stored-procedure invocation by name + parameters — see generic procedure dispatch. |
/panel/* |
ConfigformPanelController |
Panel-layout persistence in gdsconfigformpanel. |
/checkFlow/* |
CheckFlowController |
Activiti workflow surface (approve / reject / view) — only meaningful in deployments that run a flow. |
Reporting and printing
The print surface lives under xlyEntry/src/main/java/com/xly/web/report/:
-
PrintReportController— current jxls / iText print path. -
PrintReportControllerOld— legacy print path retained for older templates.
The frontend's "打印" / "导出" buttons hit these controllers, which load a
template from sysreport, run the matching view-backed query, and stream
a binary file back. See Slice 3
for the flow.
Authentication
Every controller method that participates in business data is annotated
with @Authorization and receives a resolved UserInfo via
@CurrentUser. The session-to-UserInfo mapping is the framework's
own (cookie + Redis-backed session); see
the multi-tenancy concept page.
A request that reaches a controller without authentication does not
get past @Authorization; if it does (e.g., an unannotated method),
that method also bypasses the universal tenant injection in
RequestAddParamUtil — and is therefore a multi-tenant bug.
What this API is not
- Not stable — endpoint shapes change with the framework.
- Not authenticated for outside callers — there is no API-key flow here; cookies/sessions are not what an integrator wants.
- Not documented for self-service — the surface is too large and too generic to publish as an OpenAPI doc. External integrators get the curated External API instead.