struts2的基于拦截器的权限设计

阅读更多

1、struts-config.xml中的配置

			
			
				
				
			
		

		
			/index.jsp
		

2、拦截类

package com.gd.interceptor;

import java.util.Map;

import javax.servlet.ServletContext;

import org.apache.commons.lang.StringUtils;
import org.apache.struts2.ServletActionContext;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import com.gd.po.Userinfo;
import com.gd.service.ISecurityPermissionManager;
import com.gd.service.ISecurityUserManager;
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class AdminInterceptor extends AbstractInterceptor {
	
	private static final long serialVersionUID = 7426957840297915277L;
	@Override
	public String intercept(ActionInvocation ai) throws Exception {
		Map session = ai.getInvocationContext().getSession();
		if (session == null) {
			return Action.LOGIN;
		}
		Userinfo user = (Userinfo) session.get("user");
		if (user == null) {
			return Action.LOGIN;
		}
		
		// 用户访问Action权限判断
		if (!actionAuthority(ai, session)) {
			return Action.LOGIN;
		}

		return ai.invoke();
	}
	public boolean actionAuthority(ActionInvocation ai, Map session) {
		// 用户访问Action权限判断
		ServletContext sc = ServletActionContext.getServletContext();
		String permission = ai.getProxy().getActionName().toLowerCase() + "." + ai.getProxy().getMethod().toLowerCase();
		ApplicationContext context = WebApplicationContextUtils.getWebApplicationContext(sc);
		ISecurityUserManager securityUserManager = (ISecurityUserManager) context.getBean("securityUserManager");
		ISecurityPermissionManager securityPermissionManager = (ISecurityPermissionManager) context.getBean("securityPermissionManager");
		if(!securityPermissionManager.checkIsRepeatPermission(permission)){
			return true;
		}
		if(securityUserManager!=null){
			Userinfo userInfo=(Userinfo)session.get("user");
			return securityUserManager.checkPrivilege(userInfo.getUserName(),permission);
		}
		return true;
	}
}

在以上拦截类中。系统会拦截到类似于loginAction.islogin这样的请求，在配置中我们将这样的请求手动录入数据库，然后根据当前用户查询该请求是否授权于用户（该块功能自己设计，比较简单），在用户登录时即将这样授权用户的请求数据取出放入session,在页面中用fn标签进行这样的判断：

		 		
病例自学
		 	

如果授权了，则该功能链接显示并能使用。