From: http://www.onjava.com/pub/a/onjava/2004/02/18/strutssecurity.html
1. Extending the Struts ActionMapping class
import org.apache.struts.action.ActionMapping;

// ActionMapping subclass whose extra properties are filled in from the
// <set-property> elements of the matching <action> in struts-config.xml.
public class StrutsPermissionMapping
        extends ActionMapping {
    private Integer actionId = null;
    private String label = null;
    private String canBeMadeAvailable = null;
    private String canBeMadeEditable = null;
    private String group = null;
    private String role = null;

    public StrutsPermissionMapping() {
        super();
    }

    public Integer getActionId() {
        return actionId;
    }

    public void setActionId(Integer id) {
        this.actionId = id;
    }
    ...
}
2. The modified struts-config.xml
<struts-config>
  <form-beans>
    <form-bean name="computeForm"
               type="com.shiftat.oreilly.web.ComputeForm"/>
    ...
  </form-beans>
  <action-mappings>
    <action
        path="/compute"
        type="com.shiftat.oreilly.web.ComputeAction"
        name="computeForm"
        scope="session"
        input="/jsp/compute.jsp"
        className="com.shiftat.struts.StrutsPermissionMapping"
        unknown="false"
        validate="false">
      <set-property property="actionId"
                    value="160" />
      <set-property property="label"
                    value="compute"/>
      <set-property property="canBeMadeAvailable"
                    value="true"/>
      <set-property property="canBeMadeEditable"
                    value="false"/>
      <set-property property="group"
                    value="4"/>
      <set-property property="role"
                    value="4"/>
      <forward name="succes"
               path="/jsp/result.jsp"
               redirect="false"/>
    </action>
    ...
  </action-mappings>
</struts-config>
3. In the login action
3.1 Retrieves the user permissions from the datastore.
3.2 Retrieves the StrutsPermissionMappings from the Struts configuration.
3.3 Iterates over the user permissions and retrieves the corresponding StrutsPermissionMappings.
3.4 Stores each of the corresponding StrutsPermissionMappings in a new Map in the context for that user.
// Permissions granted to this user: actionId -> permissionId
Map userActionPermissionMap
    = retrievePortalUserActionPermissionMap(userId);
// Secured actions from the Struts configuration: actionId -> mapping
Map strutsConfigMap
    = StrutsConfigurationHelperAction
        .retrieveStrutsActionMapping(this, request);
// Result for this user: action path -> permissionId
Map userActionNamePermissionMap = new HashMap();
if (userActionPermissionMap.keySet() != null
        && userActionPermissionMap.keySet().size() > 0) {
    Iterator it
        = userActionPermissionMap.keySet().iterator();
    while (it.hasNext()) {
        Integer actionId = (Integer) it.next();
        Integer permissionId
            = (Integer) userActionPermissionMap
                .get(actionId);
        StrutsPermissionMapping mapping
            = (StrutsPermissionMapping) strutsConfigMap
                .get(actionId);
        if (mapping == null) {
            // The permission refers to an action that is not
            // in the Struts configuration: grant nothing for it.
            continue;
        }
        String actionPath
            = mapping.getPath();
        userActionNamePermissionMap
            .put(actionPath, permissionId);
    }
}
context
    .setAttribute("permissionmap",
        userActionNamePermissionMap);
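
import java.util.SortedMap;
import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.Globals;
import org.apache.struts.action.Action;
import org.apache.struts.config.ActionConfig;
import org.apache.struts.config.ModuleConfig;

public class StrutsConfigurationHelperAction {
    // Cache of actionId -> StrutsPermissionMapping, built on first use
    private static SortedMap actionMappingMap = null;
    private static ModuleConfig mConfig = null;

    // synchronized: without it a second thread could see the map
    // while the first thread is still filling it.
    public static synchronized SortedMap
            retrieveStrutsActionMapping(Action action,
                                        HttpServletRequest request) {
        if (actionMappingMap == null) {
            actionMappingMap = new TreeMap();
            mConfig = (ModuleConfig) request.
                getAttribute(Globals.MODULE_KEY);
            if (mConfig == null) {
                // Fall back to the module configuration in the servlet context
                mConfig = (ModuleConfig) action.
                    getServlet().getServletContext().
                    getAttribute(Globals.MODULE_KEY);
            }
            if (mConfig != null) {
                ActionConfig[] acfg
                    = mConfig.findActionConfigs();
                for (int i = 0; i < acfg.length; i++) {
                    ActionConfig actionConfig = acfg[i];
                    if (actionConfig instanceof
                            StrutsPermissionMapping) {
                        StrutsPermissionMapping amp =
                            (StrutsPermissionMapping)
                                actionConfig;
                        actionMappingMap
                            .put(amp.getActionId(), amp);
                    } else {
                        // Regular ActionMapping
                        // without security attributes
                    }
                }
            } else {
                System.err.println
                    ("No Struts configuration !");
            }
        }
        return actionMappingMap;
    }
}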
4. The check that the user has the necessary permission to call a certain action in the application can easily be done in a ServletFilter.
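One way to write that filter, as an added example that is not code from the original article. It assumes the `context` used in the login action is the user's HttpSession, that Struts actions are mapped to `*.do`, and that any non-null entry in the map means the action is allowed; `PermissionFilter` and the `/login` path are hypothetical names.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: deny-by-default check against the per-user "permissionmap".
public class PermissionFilter implements Filter {
    // Hypothetical: action paths that must stay reachable before login.
    private static final Set PUBLIC_PATHS = Collections.singleton("/login");

    public void init(FilterConfig config) { }
    public void destroy() { }

    // Assumption: ActionServlet is mapped to *.do, so the request
    // "/compute.do" corresponds to the mapping path "/compute".
    static String actionPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (path == null || !path.endsWith(".do")) {
            return null;
        }
        return path.substring(0, path.length() - ".do".length());
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        String path = actionPath(request);
        if (path != null && PUBLIC_PATHS.contains(path)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Assumption: the login action stored the map in the user's session.
        HttpSession session = request.getSession(false);
        Map permissions = (session == null) ? null
                : (Map) session.getAttribute("permissionmap");
        // No session, no map, an unrecognised path or no entry for this
        // path all end in 403, and the action is never invoked.
        if (permissions == null || path == null
                || permissions.get(path) == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

Map the filter to `*.do` in web.xml. JSPs that can be requested directly are not covered by it unless they sit under WEB-INF or the filter mapping includes them as well.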
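This article explains in detail how to implement permission management by extending the Struts ActionMapping class, and shows the modified struts-config.xml configuration file, including how the login action retrieves the user's permissions and matches them against the permission mappings in the Struts configuration, so that users can only access the actions they are authorized for.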