针对合法的登陆,(一)和(二)的解决方案已经解决了用户针对模块和功能点的权限控制问题。但是如果用户在地址栏手动写入以前记住的URL地址,就可以越过自己没有的权限而进行相关的操作。为了解决这个问题,提出了以下方案:
把系统中某一模块下的所有链接地址全部录入数据库,然后把请求地址与数据库中已记录的地址进行对比,以此进行权限控制的判断。
一:把链接地址存入数据库
把系统中用到的地址存入PAGE_OPERATION_TABLE,其中PAGE_ID为某一系统功能点的入口PAGE,OPERATION_IS_VALID判断是否需要进行权限判断。
二:对系统的ACTION进行拦截。
*Action如果继承自DispatchAction,则重写*Action的execute()方法。
/**
 * Re-declares {@code execute} in the concrete action so that the privilege aspect
 * sees it; per the note above, an {@code execute()} that is only inherited from
 * {@code DispatchAction} is not picked up by the pointcut. The body delegates
 * unchanged to the superclass.
 *
 * @param mapping  the Struts action mapping for this request
 * @param form     the populated action form, may be {@code null}
 * @param request  the current HTTP request
 * @param response the current HTTP response
 * @return whatever {@code DispatchAction.execute} returns
 * @throws Exception propagated from the dispatched method
 */
@Override
public ActionForward execute(final ActionMapping mapping, final ActionForm form,
    final HttpServletRequest request, final HttpServletResponse response)
    throws Exception {
  return super.execute(mapping, form, request, response);
}
配置拦截器:
<!-- The advice bean: AopPriviledge.doBasicProfiling performs the URL/privilege check. -->
<bean id="myInterceptor"
class="net.better_best.www.utils.AopPriviledge">
</bean>
<aop:config>
<aop:aspect id="aop" ref="myInterceptor">
<!-- Matches methods returning ActionForward declared in classes under
     net.better_best.www.<one segment>.action. The note above about overriding
     execute() indicates that methods merely inherited from DispatchAction are not
     matched, so every action must declare the method itself. A single "*" matches
     exactly one package segment; ".." would be needed for deeper sub-packages. -->
<aop:pointcut
expression="execution ( org.apache.struts.action.ActionForward net.better_best.www.*.action.*.*(..))"
id="mycut" />
<!-- Around advice: the action body runs only when the privilege check passes. -->
<aop:around pointcut-ref="mycut" method="doBasicProfiling" />
</aop:aspect>
</aop:config>
实现拦截方法:
package net.better_best.www.utils;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionMapping;
import org.aspectj.lang.ProceedingJoinPoint;
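/**
 * Spring AOP around-advice that enforces URL-level authorization on Struts actions.
 *
 * <p>The privilege lists are read from the HTTP session ({@code "managerPriviledge"}
 * for administrators, {@code "userPriviledge"} for members), so they reflect whatever
 * was cached there — presumably at login — and a privilege change only takes effect
 * once that attribute is refreshed. Every failure path forwards to a named
 * error/index forward instead of running the action, and a missing list is treated
 * as "no privileges" (fail closed) rather than throwing.
 */
public class AopPriviledge {

    /** Separator printed around the timing line; kept verbatim from the original output. */
    private static final String SEPARATOR =
        "====================================================================================================================";

    /**
     * Around advice implementing the privilege check.
     *
     * <p>Request parameter {@code n} marks a manager (administrator) request and
     * {@code m} a member request; the value of {@code n}/{@code m} identifies the
     * concrete operation. The check applied depends on which parameter is present and
     * whether the matching session object exists.
     *
     * @param pjp the intercepted action method; its arguments are expected in the
     *            Struts order (mapping, form, request, response)
     * @return the action's own result when the check passes, otherwise the
     *         {@code ActionForward} configured for the failure case
     * @throws Throwable whatever the intercepted action throws
     */
    public Object doBasicProfiling(ProceedingJoinPoint pjp) throws Throwable {
        Object[] args = pjp.getArgs();
        ActionMapping mapping = (ActionMapping) args[0];
        HttpServletRequest request = (HttpServletRequest) args[2];

        // Evaluate session state and parameters once instead of in every branch.
        boolean hasManager = SessionUtil.getSessionManager(request) != null;
        boolean hasUser = SessionUtil.getSessionUser(request) != null;
        String n = request.getParameter("n");
        String m = request.getParameter("m");

        if (hasManager && n != null) {
            // Canonical key "<path>.do?n=<value>" built from the decoded parameter, which
            // is the value the action will actually dispatch on. The previous
            // substring(0, indexOf("&")) of the raw query string depended on parameter
            // order and URL encoding, and threw when the query string had no "&" or was
            // null (parameter sent in the POST body). NOTE(review): assumes the cached
            // entries have exactly this "<path>.do?n=<value>" shape — confirm against
            // PageService.getPriviledgeForManager.
            String requestPath = mapping.getPath() + ".do?n=" + n;
            Collection<?> granted =
                (Collection<?>) request.getSession().getAttribute("managerPriviledge");
            return isAllowed(granted, requestPath)
                ? priviledge(pjp, request)
                : mapping.findForward("error_manager");
        }
        if (hasUser && m != null) {
            // Member privileges are keyed by action path only; the value of "m" is not
            // part of the comparison (as in the original), so an authorized member may
            // invoke any operation of a permitted action.
            Collection<?> granted =
                (Collection<?>) request.getSession().getAttribute("userPriviledge");
            return isAllowed(granted, mapping.getPath())
                ? priviledge(pjp, request)
                : mapping.findForward("error_user");
        }
        if (!hasUser && m != null) {
            // Member operation without a member session: back to the member entry page.
            return mapping.findForward("userindex");
        }
        if (!hasManager && n != null) {
            // Manager operation without a manager session: back to the admin entry page.
            return mapping.findForward("index");
        }
        // Neither "n" nor "m" present: the request cannot be classified, deny it.
        return mapping.findForward("priviledge_error");
    }

    /**
     * Membership test that fails closed.
     *
     * @param granted cached privilege entries, possibly {@code null} when the session
     *                never received them or has expired
     * @param key     the canonical request key, compared after trimming
     * @return {@code true} only when both values are present and {@code key} is listed
     */
    private static boolean isAllowed(Collection<?> granted, String key) {
        return granted != null && key != null && granted.contains(key.trim());
    }

    /**
     * Runs the intercepted action and prints how long it took.
     *
     * <p>Only reached after the privilege check passed. If the action throws, nothing is
     * printed and the exception propagates. The full query string is echoed to stdout;
     * if it can carry sensitive values that is worth reconsidering.
     *
     * @param pjp     the intercepted action method
     * @param request the current request, used only for the log line
     * @return the action's result
     * @throws Throwable whatever the action throws
     */
    private Object priviledge(ProceedingJoinPoint pjp, HttpServletRequest request)
            throws Throwable {
        long begin = System.currentTimeMillis();
        Object result = pjp.proceed();
        long time = System.currentTimeMillis() - begin;
        System.out.println(SEPARATOR);
        System.out.println(pjp.getTarget().getClass().getSimpleName() + " "+ request.getQueryString() + " 耗时 " + time+ " ms");
        System.out.println(SEPARATOR);
        return result;
    }
}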
缓存权限:
// Load the manager's permitted URL entries for its role (presumably once, at login)
// and cache them in the session under "managerPriviledge" — the attribute name
// AopPriviledge reads; the two names must stay in sync. Entries cached here are not
// refreshed until this runs again, so role changes apply only after re-login.
List priviledgeList = pageService.getPriviledgeForManager(""+manager.getManagerNroleId());
request.getSession().setAttribute("managerPriviledge", priviledgeList);
以上步骤是针对URL写入的权限控制的解决方案进行了大致的记录。