/*增强版:利用spring容器初始化dao的bean,再用init方法获取系统context得到该dao从而实现RBAC模型下对动作权限的管理 */
package com.gpPlatform.utils;
/* 检验管理员是否已经登录及是否拥有权限的过滤器*/
import java.io.IOException;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.FileSystemXmlApplicationContext;
import com.gpPlatform.IConstants;
import com.gpPlatform.forms.AdminForm;
import com.gpPlatform.services.ResourceDao;
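/**
 * Servlet filter that enforces the admin login and, for action requests, an RBAC permit check.
 * <p>
 * Policy (unchanged from the original filter, documented here so reviewers can confirm it is
 * intended):
 * <ul>
 *   <li>Only servlet paths containing {@code .jsp} or {@code .do} are filtered; anything else
 *       (static resources, other servlets) passes straight through.</li>
 *   <li>Paths listed in {@code IConstants.getNotFilterURL()} pass through without a login.</li>
 *   <li>Every other filtered path requires a logged-in admin in the session.</li>
 *   <li>A permit is only checked for {@code .do} requests that carry a {@code method} parameter
 *       other than {@code readInfo}; plain JSPs and actions without a {@code method} parameter are
 *       granted on login alone. An action whose {@code path?method=x} key is not in the resource map
 *       is denied (fail closed).</li>
 * </ul>
 * The {@link ResourceDao} cannot be setter-injected because the servlet container instantiates the
 * filter before Spring does its wiring, so {@link #init(FilterConfig)} loads the application
 * context itself.
 */
public class SecurityCheckFilter implements Filter {

    /** Sentinel returned by {@link #getPermitId(String)} when the action has no resource id. */
    private static final String NO_MATCH = "NO_MATCH";
    /** Optional filter init-param giving the Spring XML file on the file system. */
    private static final String CONFIG_PARAM = "appContextPath";
    /** Web-app-relative location used when {@link #CONFIG_PARAM} is not set. */
    private static final String DEFAULT_CONFIG = "/WEB-INF/appContext.xml";
    /** Request parameter that selects the action method (dispatch-style actions). */
    private static final String METHOD_PARAM = "method";
    /** Method value that is exempt from the permit check. */
    private static final String READ_ONLY_METHOD = "readInfo";

    /** Servlet paths that are reachable without a login; populated in {@link #init(FilterConfig)}. */
    private List<String> notFilterURL;
    /** Source of the action-url -> resource-id map; populated in {@link #init(FilterConfig)}. */
    private ResourceDao resourcedao = null;
    /** Last resource map fetched from {@link #resourcedao} (refreshed on every lookup). */
    private Map<String, String> permits;

    /**
     * Looks up the resource id for an action URL ({@code path?method=x}).
     * <p>
     * The map is re-read from the DAO on every call, as the original did, so changes to the
     * resource table take effect without a restart. A direct {@code Map.get} replaces the former
     * linear scan over the key set; the result is identical for string keys.
     *
     * @param actionUrl servlet path plus {@code ?method=...} suffix
     * @return the resource id, or {@link #NO_MATCH} when the URL is unknown or the map is absent
     */
    private String getPermitId(String actionUrl) {
        this.permits = resourcedao.getResourceList();
        if (permits == null || actionUrl == null) {
            return NO_MATCH;
        }
        String rid = permits.get(actionUrl);
        return rid == null ? NO_MATCH : rid;
    }

    /**
     * Decides whether the logged-in admin may execute the resource {@code rid}.
     *
     * @param aform       the admin session form (never {@code null} here; callers check first)
     * @param rid         resource id from {@link #getPermitId(String)}
     * @param checkPermit {@code false} when the request only needs a login, in which case the
     *                    method grants unconditionally (the original {@code init} flag semantics)
     * @return {@code true} when access is granted
     */
    private boolean isPIdExist(AdminForm aform, String rid, boolean checkPermit) {
        if (!checkPermit) {
            return true;
        }
        // Unknown action: deny rather than hoping no admin holds a permit literally named NO_MATCH.
        if (rid == null || NO_MATCH.equals(rid)) {
            return false;
        }
        String[] pArray = aform.getPermitList();
        if (pArray == null) {
            return false; // an admin with no permits at all must not NPE into an allow
        }
        for (String pid : pArray) {
            if (rid.equals(pid)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} when {@code path} is subject to the login check: it must look like a JSP
     * or action request and not be in the free-access list.
     *
     * @param path the servlet path before any {@code ?method=} suffix is appended
     */
    private boolean isFiltered(String path) {
        if (path.indexOf(".jsp") == -1 && path.indexOf(".do") == -1) {
            return false;
        }
        for (String url : notFilterURL) {
            if (path.equals(url)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Loads the Spring application context and pulls the beans this filter depends on.
     * <p>
     * The config file location comes from the {@code appContextPath} init-param, falling back to
     * {@code /WEB-INF/appContext.xml} resolved against the deployed web app. This replaces the
     * former hard-coded absolute path, which only worked on one developer machine.
     *
     * @param filterconfig the container-supplied filter configuration
     * @throws ServletException when the config file cannot be located (e.g. non-exploded WAR with
     *                          no init-param)
     */
    public void init(FilterConfig filterconfig) throws ServletException {
        String configpath = filterconfig.getInitParameter(CONFIG_PARAM);
        if (configpath == null || configpath.trim().length() == 0) {
            configpath = filterconfig.getServletContext().getRealPath(DEFAULT_CONFIG);
        }
        if (configpath == null) {
            throw new ServletException("Cannot locate Spring config: set filter init-param "
                    + CONFIG_PARAM + " or deploy exploded so " + DEFAULT_CONFIG + " has a real path");
        }
        ApplicationContext context = new FileSystemXmlApplicationContext(configpath);
        IConstants iconstant = (IConstants) context.getBean("constants");
        resourcedao = (ResourceDao) context.getBean("resourcedao");
        notFilterURL = iconstant.getNotFilterURL();
        if (notFilterURL == null) {
            notFilterURL = Collections.emptyList(); // treat "nothing configured" as "nothing exempt"
        }
        System.out.println("There are " + notFilterURL.size() + " urls free of filtering");
    }

    /**
     * Applies the login and permit policy described on the class and either forwards to the login
     * or error page or lets the request continue down the chain.
     *
     * @param req   incoming request (cast to {@link HttpServletRequest})
     * @param res   outgoing response
     * @param chain the remaining filter chain
     * @throws IOException      propagated from the chain or the forward
     * @throws ServletException propagated from the chain or the forward
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession();
        AdminForm aform = (AdminForm) session.getAttribute(IConstants.CURR_ADMIN_KEY);

        String str = request.getServletPath();
        if (str == null) {
            str = "";
        }
        // Exemption is matched on the bare path, before the ?method= suffix is appended.
        boolean needsLogin = isFiltered(str);

        // Read the untrusted parameter once; it is both echoed to stdout below and used as part
        // of the resource-map key, so keep it in a single variable.
        String method = request.getParameter(METHOD_PARAM);
        boolean needsPermit = false;
        if (str.indexOf(".do") != -1 && method != null && !READ_ONLY_METHOD.equals(method)) {
            str += "?" + METHOD_PARAM + "=" + method;
            needsPermit = true;
        }
        System.out.println("action str is " + str + " " + needsLogin + " " + needsPermit);

        if (!needsLogin) {
            chain.doFilter(req, res);
            return;
        }
        if (aform == null) {
            System.out.println("<=======You haven't Logged in yet!=======>" + (new Date()).toString());
            request.setAttribute(IConstants.LOGIN_ERROR_KEY, "抱歉,您还没有登陆本系统%>_<%");
            request.getRequestDispatcher("/adminLog.jsp").forward(req, res);
            return;
        }
        if (!this.isPIdExist(aform, this.getPermitId(str), needsPermit)) {
            System.out.println("<======You don't hava such permit!======>" + (new Date()).toString());
            request.setAttribute(IConstants.PERMIT_ERROR_KEY, "抱歉,您不具备当前功能的权限⊙﹏⊙ ");
            request.getRequestDispatcher("/errorPage.jsp").forward(req, res);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Nothing to release: the Spring context built in {@link #init(FilterConfig)} is not closed here. */
    public void destroy() {
    }
}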