Here we walk through a simple example of using an Interceptor to check permissions.
We assume your application already stores each user's permissions, e.g. user A's permission string contains `InsertUser.action` and possibly further action names, all in one permission string.
Configure the Interceptor in xwork.xml and apply it to `InsertUser.action`.
That is all there is to it.
The verification steps are:
1. The user requests `InsertUser.action`, which triggers the Interceptor.
2. In the Interceptor we get the HttpSession to find the current user, query the permission string that user holds, and split it into a `String[]`.
3. Get the URL the user requested from the HttpServletRequest and normalise it to the form `xxx.action`. (The raw URL is under the client's control, so this normalisation must be canonical; the action name XWork itself resolved, `invocation.getProxy().getActionName()`, is the more reliable value to compare against, because it is what will actually be executed.)
4. Check whether that URL matches one of the entries in the user's permission `String[]`.
5. If it matches, continue executing the Action; otherwise `return "error"`.
Here is the Interceptor code:
[code]
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import com.opensymphony.webwork.ServletActionContext;
import com.opensymphony.xwork.ActionInvocation;
import com.opensymphony.xwork.interceptor.Interceptor;

public class SecurityInterceptor implements Interceptor {
    private static final long serialVersionUID = 1L;
    private Logger log = Logger.getLogger(this.getClass());

    public void destroy() {
        log.info("SecurityInterceptor destroyed");
    }

    public void init() {
        log.info("SecurityInterceptor initialised");
    }

    public String intercept(ActionInvocation invocation) throws Exception {
        // The Interceptor is instantiated by XWork, not by the Spring bean container, so the
        // SecurityDAOImpl cannot be injected into it. Look it up in the WebApplicationContext
        // that ContextLoaderListener already built for this web app. (Building a new
        // FileSystemXmlApplicationContext from WEB-INF/applicationContext.xml on every request,
        // as the first version did, reloads the whole Spring config and opens a new
        // SessionFactory per request, which leaks resources.)
        ApplicationContext ac = WebApplicationContextUtils
                .getRequiredWebApplicationContext(ServletActionContext.getServletContext());
        SecurityDAOImpl security = (SecurityDAOImpl) ac.getBean("securityDAO");

        HttpServletRequest request = ServletActionContext.getRequest();
        // getSession(false): do not create a session just to find out that nobody is logged in
        HttpSession session = request.getSession(false);
        UserInfo user = (session == null) ? null
                : (UserInfo) session.getAttribute("UserLoginInfo"); // user info stored at login
        boolean flag = false; // fail closed: stays false unless a matching permission is found
        if (user != null) {
            log.info("user " + user.getUserName() + " entering " + invocation.getAction());
            // normalise the requested URL to the form "xxx.action" used in the permission table
            String url = Constant.ChangeUrl.getUrl(request.getRequestURL().toString());
            if (url != null) {
                List list = security.getSecurityByUser(user); // permission ids, e.g. "1;2;3;4"
                if (list != null && list.size() > 0 && list.get(0) != null) {
                    String[] str = ((String) list.get(0)).split(";"); // numeric permission ids
                    outer:
                    for (int i = 0; i < str.length; i++) {
                        // the first version compared with != "", which tests object identity,
                        // not content, so empty entries were never skipped
                        if (str[i] == null || str[i].trim().length() == 0) {
                            continue;
                        }
                        // each id maps to a comma-separated list of action names
                        String names = Constant.SecurityList
                                .getNameBySecurity(Integer.parseInt(str[i].trim()));
                        if (names == null) {
                            continue;
                        }
                        String[] strTemp = names.split(",");
                        for (int j = 0; j < strTemp.length; j++) {
                            // this is the one comparison that grants access
                            if (url.equalsIgnoreCase(strTemp[j].trim())) {
                                flag = true;
                                break outer; // no need to scan the remaining permissions
                            }
                        }
                    }
                }
            }
        } else {
            log.info("not logged in, or the session has expired; please log in again");
            request.setAttribute("noLogin", "noLogin");
        }
        if (flag) {
            log.info("permission check passed, continuing to the Action");
            return invocation.invoke();
        } else {
            log.warn("access denied to " + invocation.getAction());
            return "error";
        }
    }
}
[/code]
The middle of the method only queries the user's permissions from the database and splits them up. The two return statements are what matter:
`return invocation.invoke();` continues on to the Action;
`return "error";` dispatches straight to the error page (the `error` global result defined in xwork.xml).
Now let's look at the xwork.xml configuration.
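As an added example (not code from the original post), here is the same check restructured the way I would ship it: the permission logic is a pure class with no servlet or Spring dependency, so it can be unit tested; the interceptor authorises the action name XWork resolved (`invocation.getProxy().getActionName()`) rather than the raw request URL; the DAO is looked up once per session instead of once per request; and an anonymous user gets the `login` result rather than `error`. `UserInfo`, `SecurityDAOImpl`, `Constant.SecurityList.getNameBySecurity` and the `UserLoginInfo` session key are taken from the post; `ActionNameSecurityInterceptor`, `PermissionChecker` and the `grantedActions` session key are this example's own names.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.springframework.web.context.support.WebApplicationContextUtils;
import com.opensymphony.webwork.ServletActionContext;
import com.opensymphony.xwork.ActionInvocation;
import com.opensymphony.xwork.interceptor.Interceptor;

/** Added example: authorises by resolved action name, not by the client-supplied URL string. */
public class ActionNameSecurityInterceptor implements Interceptor {
    private static final long serialVersionUID = 1L;
    private static final String GRANTED_KEY = "grantedActions"; // example's own session key
    private final Logger log = Logger.getLogger(getClass());

    public void init() { }
    public void destroy() { }

    public String intercept(ActionInvocation invocation) throws Exception {
        HttpSession session = ServletActionContext.getRequest().getSession(false);
        UserInfo user = (session == null) ? null : (UserInfo) session.getAttribute("UserLoginInfo");
        if (user == null) {
            return "login"; // mapped to /login.jsp by the global result in xwork.xml
        }
        // What XWork resolved is what will run; the raw URL (case, path parameters, encoding)
        // is whatever the client chose to send and would have to be canonicalised first.
        String actionName = invocation.getProxy().getActionName();

        Set granted = (Set) session.getAttribute(GRANTED_KEY);
        if (granted == null) {                       // resolve once per login, not per request
            granted = loadGrantedActions(user);
            session.setAttribute(GRANTED_KEY, granted);
        }
        if (PermissionChecker.isAllowed(granted, actionName)) {
            return invocation.invoke();
        }
        log.warn("user " + user.getUserName() + " denied action " + actionName);
        return "error";
    }

    private Set loadGrantedActions(UserInfo user) {
        SecurityDAOImpl dao = (SecurityDAOImpl) WebApplicationContextUtils
                .getRequiredWebApplicationContext(ServletActionContext.getServletContext())
                .getBean("securityDAO");
        List rows = dao.getSecurityByUser(user);          // e.g. ["1;2;3"]
        String ids = (rows == null || rows.isEmpty() || rows.get(0) == null) ? "" : (String) rows.get(0);
        return PermissionChecker.expand(ids, new PermissionChecker.NameLookup() {
            public String namesFor(int id) { return Constant.SecurityList.getNameBySecurity(id); }
        });
    }
}

/** Pure permission logic, separated so it can be tested without a servlet container. */
class PermissionChecker {
    interface NameLookup { String namesFor(int permissionId); }

    /** "1;2;3" -> set of every action name listed for permissions 1, 2 and 3, normalised. */
    static Set expand(String permissionIds, NameLookup lookup) {
        Set out = new HashSet();
        String[] ids = permissionIds.split(";");
        for (int i = 0; i < ids.length; i++) {
            String id = ids[i].trim();
            if (id.length() == 0) continue;
            String names;
            try {
                names = lookup.namesFor(Integer.parseInt(id));
            } catch (NumberFormatException e) {
                continue;                               // a corrupt entry grants nothing
            }
            if (names == null) continue;
            String[] parts = names.split(",");         // e.g. "InsertUser.action,ListUser.action"
            for (int j = 0; j < parts.length; j++) {
                String n = normalise(parts[j]);
                if (n.length() > 0) out.add(n);
            }
        }
        return out;
    }

    /** Deny by default: only a name present in the granted set passes. */
    static boolean isAllowed(Set granted, String actionName) {
        return actionName != null && granted.contains(normalise(actionName));
    }

    /** Lower-case and drop a trailing ".action" so "InsertUser.action" equals "InsertUser". */
    static String normalise(String name) {
        String n = name.trim().toLowerCase();
        if (n.endsWith(".action")) n = n.substring(0, n.length() - ".action".length());
        return n;
    }
}
```

Caching the expanded permission set in the session means a permission change only takes effect at the user's next login; if that is not acceptable, drop the cache and call `loadGrantedActions` on every request as the original does. The `normalise` step exists because the permission table stores names as `xxx.action` while `getActionName()` returns them without the extension.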
[code]
<xwork>
    <include file="webwork-default.xml"></include>
    <package name="default" extends="webwork-default">
        <interceptors>
            <interceptor name="params"
                class="com.opensymphony.xwork.interceptor.ParametersInterceptor" />
            <interceptor name="SecurityInterceptor"
                class="com.xxx.xxx.SecurityInterceptor" />
            <interceptor name="logger"
                class="com.opensymphony.xwork.interceptor.LoggingInterceptor" />
            <interceptor-stack name="testStack">
                <interceptor-ref name="SecurityInterceptor" />
                <interceptor-ref name="params" />
                <interceptor-ref name="logger" />
            </interceptor-stack>
        </interceptors>
        <global-results>
            <result name="login" type="dispatcher">
                <param name="location">/login.jsp</param>
            </result>
            <result name="error" type="dispatcher">
                <param name="location">/error.jsp</param>
            </result>
        </global-results>
        <!-- WebWork strips the ".action" extension before looking the action up,
             so the name is given without it -->
        <action name="InsertUser" class="xxx" method="xxx">
            <result name="success">/user/addSecurityGroup.jsp</result>
            <interceptor-ref name="testStack"></interceptor-ref>
        </action>
    </package>
</xwork>
[/code]
This also uses WebWork's own interceptors. `params` is mandatory: as soon as an action declares its own `<interceptor-ref>`, the package's default interceptor stack no longer applies to it, so without `params` the submitted request parameters would never be set on the Action. `logger` writes one log line before the Action runs and one after it finishes, e.g. `before xxx action` / `after xxx action`.
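One thing the configuration above leaves open is that every new action must remember to reference `testStack`; an action added without that line is simply unprotected. As an added example (not the original post's configuration), the variant below makes the secure stack the package default with `<default-interceptor-ref>`, builds on the `defaultStack` that webwork-default.xml provides, and exempts only the login action. `secureStack` and the `Login` action are this example's own names; `com.xxx.xxx.SecurityInterceptor` and the `xxx` class placeholders are carried over from the post.

```xml
<xwork>
    <include file="webwork-default.xml"></include>
    <package name="default" extends="webwork-default">
        <interceptors>
            <interceptor name="SecurityInterceptor"
                class="com.xxx.xxx.SecurityInterceptor" />
            <interceptor-stack name="secureStack">
                <!-- security check first, then the framework's normal stack
                     (params and friends) from webwork-default.xml -->
                <interceptor-ref name="SecurityInterceptor" />
                <interceptor-ref name="defaultStack" />
            </interceptor-stack>
        </interceptors>
        <!-- every action in this package that does not name its own
             interceptor-ref now runs through secureStack -->
        <default-interceptor-ref name="secureStack" />
        <global-results>
            <result name="login" type="dispatcher">
                <param name="location">/login.jsp</param>
            </result>
            <result name="error" type="dispatcher">
                <param name="location">/error.jsp</param>
            </result>
        </global-results>
        <!-- no interceptor-ref needed: protected by the package default -->
        <action name="InsertUser" class="xxx">
            <result name="success">/user/addSecurityGroup.jsp</result>
        </action>
        <!-- the login action itself must bypass the check, or nobody can log in;
             this is the only place an explicit interceptor-ref is required -->
        <action name="Login" class="xxx">
            <interceptor-ref name="defaultStack" />
            <result name="success">/index.jsp</result>
        </action>
    </package>
</xwork>
```

With this layout the safe behaviour is the default and the exceptions are the lines you have to write by hand, which is the direction you want an authorization configuration to fail in.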