上面这篇文章中是通过赋予admin账户URL来禁止其他用户访问,这样过于死板,现在用赋予每个角色可以访问的URL,然后将用户与URL绑定,来进行URL访问控制,前面的文章 根据角色加载菜单的思路(推荐使用) 是通过角色控制菜单是否显示,但是仅仅那样是不够的,还要通过控制URL的访问来进一步进行URL访问控制
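@RequestMapping("urlAdd.json")
public String urlAdd(ModelMap modelMap, HttpServletRequest request) {
    // All three values are untrusted request input; they are only handed on to
    // filterService, which must bind them as SQL parameters rather than concatenate.
    String urlType = request.getParameter("urlType");
    String urlResource = request.getParameter("urlResource");
    String menuName = request.getParameter("menuName");
    if (urlType == null || "".equals(urlType)) {
        urlType = "默认角色";
    }
    if (urlResource == null) {
        urlResource = "";
    }
    if (menuName == null) {
        menuName = ""; // a missing menuName used to throw NullPointerException on split()
    }
    String[] urlList = urlResource.split(";");
    String[] menuList = menuName.split(";");
    boolean bool = false;
    // Role names must be unique; report the clash (and the name) back to the caller.
    int countRole = filterService.confirmRole(urlType);
    if (countRole > 0) {
        modelMap.put("status", bool);
        modelMap.put("menu", urlType);
        return "JSON";
    }
    // The role row is inserted exactly once; resources are inserted once per URL.
    bool = filterService.psRoleAdd(urlType);
    if (bool) {
        for (int i = 0; i < urlList.length; i++) {
            String url = urlList[i];
            if (url.isEmpty()) {
                // "".split(";") yields [""]; never register an empty URL as a resource.
                continue;
            }
            // Fewer menu names than URLs used to throw ArrayIndexOutOfBoundsException.
            String menu = i < menuList.length ? menuList[i] : "";
            // confirmUrlResource returns "" (callers here also tolerate null) when the
            // URL is not yet in PS_RESOURCE, in which case the resource row is inserted too.
            String resourceId = filterService.confirmUrlResource(url);
            boolean isNewResource = resourceId == null || resourceId.isEmpty();
            // Status is false if ANY insert failed; the original only reported the last one.
            bool = filterService.urlAdd(urlType, url, menu, isNewResource) && bool;
        }
    }
    modelMap.put("status", bool);
    return "JSON";
}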
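/**
 * Counts the PS_ROLE rows carrying the given role name (0 when the name is free).
 *
 * @param roleName role name coming from request input; bound as a query
 *     parameter instead of being concatenated into the SQL text
 * @return number of roles with that name
 */
public int confirmRole(String roleName) {
    String sql = "select count(*) from ps_role where role_name = ? ";
    return urlJdbcTemplate.queryForInt(sql, roleName);
}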
/**
 * Looks up the PS_RESOURCE id whose VALUE equals the given URL.
 *
 * @param urlResource URL value to look for
 * @return whatever getId yields for the "id" column; callers treat "" as "not found"
 */
public String confirmUrlResource(String urlResource) {
    return getId("select t1.id from ps_resource t1 where t1.value = ? ", urlResource, "id");
}
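/**
 * Links a URL resource to a role: optionally inserts the PS_RESOURCE row, then
 * inserts the PS_ROLE_RESOURCE relation.
 *
 * @param urlType     role name (PS_ROLE.ROLE_NAME)
 * @param urlResource URL value (PS_RESOURCE.VALUE)
 * @param menuName    summary stored alongside the resource
 * @param isFull      true to insert the PS_RESOURCE row first, false when it already exists
 * @return true when every statement ran and both ids were resolved, false otherwise
 */
public boolean urlAdd(String urlType, String urlResource, String menuName, boolean isFull) {
    String sqlResouce = " INSERT INTO PS_RESOURCE(VALUE,SUMMARY) VALUES(?,?) ";
    String sqlRoleResource = " INSERT INTO PS_ROLE_RESOURCE(ROLE_ID,RESOURCE_ID) VALUES(?,?) ";
    String sqlResourceId = " SELECT ID FROM PS_RESOURCE WHERE VALUE= ? ";
    String sqlRoleId = "SELECT ID FROM PS_ROLE WHERE ROLE_NAME = ? ";
    try {
        if (isFull) {
            urlJdbcTemplate.update(sqlResouce, urlResource, menuName);
        }
        // Resolve both ids before touching the relation table; an empty id would
        // otherwise end up as a dangling PS_ROLE_RESOURCE row. No transaction
        // boundary is visible here, so a resource row may remain without a relation.
        String resourceId = getId(sqlResourceId, urlResource, "ID");
        String roleId = getId(sqlRoleId, urlType, "ID");
        if (resourceId == null || resourceId.isEmpty() || roleId == null || roleId.isEmpty()) {
            return false;
        }
        urlJdbcTemplate.update(sqlRoleResource, roleId, resourceId);
        return true;
    } catch (Exception e) {
        // Data-access failures are reported as false only; no logger is in scope in
        // this class, so the cause is lost — TODO confirm and add logging.
        return false;
    }
}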
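@RequestMapping("roleAdd.json")
public String roleAdd(ModelMap modelMap, HttpServletRequest request) {
    // Untrusted request input: the user name, a display role name and the PS_ROLE id.
    String roleIdentity = request.getParameter("roleIdentity");
    String role = request.getParameter("role");
    String roleId = request.getParameter("roleId");
    if (role == null || "".equals(role)) {
        role = "默认角色";
    }
    if (roleIdentity == null) {
        roleIdentity = "";
    }
    boolean bool = false;
    // An empty user name would create a nameless member and a missing roleId would be
    // written into PS_MEMBER_ROLE as-is; refuse both up front instead of inserting.
    boolean inputOk = !roleIdentity.isEmpty() && roleId != null && !roleId.isEmpty();
    if (inputOk) {
        // Only create the member when that user name is not taken yet.
        int count = filterService.confirmRoleId(roleIdentity);
        if (count == 0) {
            bool = filterService.roleAdd(roleIdentity, role, roleId);
        }
    }
    modelMap.put("status", bool);
    return "JSON";
}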
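/**
 * Counts the PS_MEMBER rows with the given user name (0 when the user does not exist).
 *
 * @param roleIdentity user name coming from request input; bound as a query
 *     parameter instead of being concatenated into the SQL text
 * @return number of members with that user name
 */
public int confirmRoleId(String roleIdentity) {
    String sql = " SELECT COUNT(*) FROM PS_MEMBER WHERE USER_NAME = ? ";
    return urlJdbcTemplate.queryForInt(sql, roleIdentity);
}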
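/**
 * Creates a PS_MEMBER row for the user name and links it to an existing PS_ROLE id.
 *
 * @param roleIdentity user name stored in PS_MEMBER.USER_NAME
 * @param role         display role name; not used by this method (the role is chosen by roleId)
 * @param roleId       PS_ROLE.ID the new member is linked to
 * @return true when both inserts ran and the new member id was resolved, false otherwise
 */
public boolean roleAdd(String roleIdentity, String role, String roleId) {
    String sql = " INSERT INTO PS_MEMBER(USER_NAME,PASSWORD) VALUES(?,?) ";
    String sqlId1 = " SELECT ID FROM PS_MEMBER WHERE USER_NAME = ? ";
    String sql2 = " INSERT INTO PS_MEMBER_ROLE(MEMBER_ID,ROLE_ID) VALUES(?,?) ";
    try {
        // NOTE(review): every member is created with the literal password "1", the
        // same for all users and written here unhashed. Confirm the login flow forces
        // a change and that PASSWORD is hashed before this is used outside a demo.
        urlJdbcTemplate.update(sql, roleIdentity, "1");
        String memberId = getId(sqlId1, roleIdentity, "ID");
        if (memberId == null || memberId.isEmpty()) {
            // Member row not found after the insert; do not write a dangling relation.
            return false;
        }
        urlJdbcTemplate.update(sql2, memberId, roleId);
        return true;
    } catch (Exception e) {
        // Reported as false only; no logger is in scope in this class.
        return false;
    }
}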
3、最后登录时过滤URL,具体怎样设置配置文件可参考
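/**
 * Decides whether a user may access a URL.
 *
 * Order of checks: URLs that do not contain ".do" and the anonymous user pass
 * untouched; ROLE_VISITOR may only open /ps_admin/index.do; ROLE_ADMIN and
 * /ps_admin/index.do are always allowed; anything else must be a PS_RESOURCE value
 * linked to one of the user's roles (exact string match).
 *
 * NOTE(review): only URLs containing ".do" are checked — the ".json" check that the
 * original carried as commented-out code is disabled, so mappings such as
 * urlAdd.json / roleAdd.json bypass this role check for any logged-in, non-visitor
 * user. Decide deliberately whether that is intended before relying on this filter.
 *
 * @param url       request path to check; null is denied
 * @param user_id   current user id, "anonymousUser" when not logged in
 * @param user_role role names of the user; null is treated as "no roles"
 * @return true to allow the request, false to block it
 */
public boolean queryURL(String url, String user_id, List<String> user_role) {
    if (url == null) {
        return false; // the original threw NullPointerException in Pattern.matcher
    }
    final String indexUrl = "/ps_admin/index.do";
    // The pattern is not anchored, so this is "contains .do", not "ends with .do".
    Pattern p = Pattern.compile("\\.do");
    boolean noFilter = !p.matcher(url).find();
    if ("anonymousUser".equals(user_id) || noFilter) {
        return true; // not subject to the check
    }
    boolean hasRoles = user_role != null;
    if (hasRoles && user_role.contains("ROLE_VISITOR") && !indexUrl.equals(url)) {
        return false; // visitors may only open the index page
    }
    if ((hasRoles && user_role.contains("ROLE_ADMIN")) || indexUrl.equals(url)) {
        return true; // admin sees everything; the index page is open to every user
    }
    if (!hasRoles) {
        return false; // nothing to look up; the original threw NullPointerException here
    }
    // Which URLs are granted to the user's roles.
    Object[] roleObject = getObjectOfRole(user_role);
    String sql = " select t1.value from ps_resource t1,ps_role_resource t2,ps_role t3 where t1.id=t2.resource_id and t2.role_id=t3.id and t3.role_name= ? ";
    // NOTE(review): the SQL has a single placeholder, so getObjectOfRole must yield
    // exactly one element — confirm how users holding several roles are handled.
    List<String> allowed = urlJdbcTemplate.query(sql, roleObject, new RowMapper<String>() {
        @Override
        public String mapRow(ResultSet rs, int i) throws SQLException {
            return rs.getString("VALUE");
        }
    });
    // Exact match only: no prefix or wildcard semantics.
    return allowed.contains(url);
}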