Posted on 2010-06-17 13:42
java小爬蟲 閱讀(3034)
評論(9) 編輯 收藏
?? ??? 針對合法的登陸,(一)和(二)的解決方案,已經解決了用戶針對模塊和功能點的權限控制問題。但是如果用戶如果在地址欄手動寫入以前已經識記的URL地址,那么用戶就可以獲取他所沒有
的權限而進行相關的操作。為了解決這個問題,提出了以下方案:
?????? 把系統中的某一模塊下所有鏈接地址全部錄入數據庫,然后根據請求地址和數據庫已記錄的地址進行對比,以此進行控制權限的判斷。
???????
?????一:把鏈接地址存入數據庫
?????? 把系統中用到的地址存入PAGE_OPERATION_TABLE,其中PAGE_ID為某一系統功能點的入口PAGE,OPERATION_IS_VALID判斷是否需要進行權限判斷。
??? 二:對系統的ACTION進行攔截。
??? *Action如果繼承自DispatchAction,則重寫*Action的execute()方法。
???
@Override
????public?ActionForward?execute(ActionMapping?mapping,?ActionForm?form,
????????????HttpServletRequest?request,?HttpServletResponse?response)
????????????throws?Exception?
{
????????return?super.execute(mapping,?form,?request,?response);
????}????? 配置攔截器:
?????
????<bean?id="myInterceptor"
????????class="net.better_best.www.utils.AopPriviledge">
????</bean>
????<aop:config>
????????<aop:aspect?id="aop"?ref="myInterceptor">
????????????<aop:pointcut
????????????????expression="execution?(?org.apache.struts.action.ActionForward?net.better_best.www.*.action.*.*(..))"
????????????????id="mycut"?/>
????????????<aop:around?pointcut-ref="mycut"?method="doBasicProfiling"?/>
????????</aop:aspect>
????</aop:config> ???? 實現攔截方法:
???
package?net.better_best.www.utils;
import?java.util.Collection;
import?java.util.Date;
import?java.util.List;
import?javax.servlet.http.HttpServletRequest;
import?org.apache.struts.action.ActionMapping;
import?org.aspectj.lang.ProceedingJoinPoint;
public?class?AopPriviledge?{
????@SuppressWarnings("unchecked")
????/**//*
?????*?aop攔截,環繞通知,實現權限攔截;?String?name:根據name判斷管理員或會員;n代表管理員,m代表會員,n或m的值代表特定的操作;
?????*/
????public?Object?doBasicProfiling(ProceedingJoinPoint?pjp)?throws?Throwable?{
????????Object[]?obj?=?pjp.getArgs();
????????ActionMapping?mapping?=?(ActionMapping)?obj[0];
????????HttpServletRequest?request?=?(HttpServletRequest)?obj[2];
????????String?mappingName?=?"";
????????if?(SessionUtil.getSessionManager(request)?!=?null?&&?request.getParameter("n")!=null)?{
????????????mappingName?=?"error_manager";
????????????String?requestPath?=?mapping.getPath()+?".do?"+?request.getQueryString().substring(0,request.getQueryString().indexOf("&"));
????????????List?priviledgeList?=?(List)?request.getSession().getAttribute("managerPriviledge");
????????????if?(priviledgeList.contains(requestPath.trim()))?{
????????????????return?priviledge(pjp,?request);
????????????}?else?{
????????????????return?mapping.findForward(mappingName);
????????????}
????????}?else?if?(SessionUtil.getSessionUser(request)?!=?null?&&?request.getParameter("m")!=null)?{
????????????mappingName?=?"error_user";
????????????Collection?userPriviledge?=?(Collection)?request.getSession().getAttribute("userPriviledge");
????????????if?(userPriviledge.contains(mapping.getPath().trim()))?{
????????????????return?priviledge(pjp,?request);
????????????}?else?{
????????????????return?mapping.findForward(mappingName);
????????????}
????????}?else?if?(SessionUtil.getSessionUser(request)?==?null?&&?request.getParameter("m")!=null)?{
????????????return?mapping.findForward("userindex");
????????}?else?if?(SessionUtil.getSessionManager(request)?==?null&&?request.getParameter("n")!=null)?{
????????????return?mapping.findForward("index");
????????}?else
????????????return?mapping.findForward("priviledge_error");
????}
????/**//*
?????*?實現真正的權限攔截;?String?value?:某一個權限值,為pageId;?List<PageTable>?module:
?????*?PageTable的集合,為某一用戶的某一模塊所具有的頁面功能集;?String?mappingName:代表頁面URL,程序異常跳轉之;
?????*/
????private?Object?priviledge(ProceedingJoinPoint?pjp,
????????????HttpServletRequest?request)?throws?Throwable?{
????????Object?result?=?null;
????????long?begintime?=?new?Date().getTime();
????????result?=?pjp.proceed();
????????long?endtime?=?new?Date().getTime();
????????long?time?=?endtime?-?begintime;
????????System.out.println("====================================================================================================================");
????????System.out.println(pjp.getTarget().getClass().getSimpleName()?+?"?????"+?request.getQueryString()?+?"??????耗時??????????"?+?time+?"??????????ms");
????????System.out.println("====================================================================================================================");
????????return?result;
????}
}
緩存權限:
??List?priviledgeList?=?pageService.getPriviledgeForManager(""+manager.getManagerNroleId());
???????????request.getSession().setAttribute("managerPriviledge",?priviledgeList); 以上步驟是針對URL寫入的權限控制的解決方案進行了大致的記錄。