Locked old thread. Topic: [Discussion] Handling permission control in small projects
Time: 2005-01-13
I wonder whether you have all run into this problem: doing permission control in a system. OK, let me describe the (in my own opinion) dumb method I often use.
User logs in -> connect to the database to verify -> fetch the corresponding permission values -> store the user information (the user information includes the user's permissions) -> user accesses a subsystem -> the subsystem checks whether the user has permission -> if (yes) access, else get lost. A fairly basic and simple method; I wonder whether anyone has different views ^_^
Disclaimer: JavaEye articles are copyrighted by their authors and protected by law. They may not be reproduced without the author's written permission.
Time: 2005-01-13
Basically, saying that is the same as saying nothing.
Time: 2005-01-13
Then please share your opinion.
Time: 2005-01-13
Nowadays, more often than not, permissions are no longer stored solely in the database; they also live in properties files, XML files and so on. Menu/button-level permissions and field-level permissions should still be treated separately. Whatever can be deployed uniformly should be deployed uniformly into external files, which makes maintenance easier, for example the button-level permissions for the add/delete/modify/query buttons on a page.
That is all I have for now.
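The OP's flow (load the user's permission values at login, store them with the user information, and have each subsystem check before serving a request) together with the suggestion above to keep button-level and field-level permissions in an external file, as an added example that is not code from this thread. It assumes a properties layout of `<module>.operations.<level>` and `<module>.hidden_fields.<level>`, the level names readonly/readwrite/superuser, and a constructed sample config; in a deployment the file would sit under WEB-INF, which the servlet container does not serve to browsers.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/**
 * Added example, not code from the thread. A deny-by-default permission table
 * loaded from a properties-style file: operation-level grants per module and
 * level, plus a separate field-level hide list. The key layout and the level
 * names (readonly / readwrite / superuser) are assumptions for illustration.
 */
public class PermissionTable {

    // Constructed sample config. In a deployment this file would sit under
    // WEB-INF, which the servlet container never serves to browsers.
    static final String SAMPLE_CONFIG =
            "user.operations.readonly  = view,list,search\n"
          + "user.operations.readwrite = view,list,search,set,update,modify,remove\n"
          + "user.operations.superuser = *\n"
          + "user.hidden_fields.readonly  = salary,password_hash\n"
          + "user.hidden_fields.readwrite = password_hash\n"
          + "user.hidden_fields.superuser =\n";

    private final Properties props = new Properties();

    public PermissionTable(String configText) throws IOException {
        props.load(new StringReader(configText));
    }

    /** Comma-separated value as a lower-cased set; a missing or empty key yields an empty set. */
    private Set<String> csv(String key) {
        Set<String> out = new HashSet<>();
        for (String item : props.getProperty(key, "").split(",")) {
            String s = item.trim().toLowerCase(Locale.ROOT);
            if (!s.isEmpty()) out.add(s);
        }
        return out;
    }

    /**
     * Operation check. The level must come from the server-side session filled at
     * login, never from a request parameter. Anything not explicitly granted
     * (unknown module, unknown level, null level, unlisted operation) is denied.
     */
    public boolean allows(String module, String level, String operation) {
        if (module == null || level == null || operation == null) return false;
        Set<String> ops = csv(module + ".operations." + level.toLowerCase(Locale.ROOT));
        return ops.contains("*") || ops.contains(operation.toLowerCase(Locale.ROOT));
    }

    /** Field-level check: strip the columns this level may not see before the record reaches the view. */
    public Map<String, Object> filterFields(String module, String level, Map<String, Object> record) {
        Map<String, Object> visible = new LinkedHashMap<>();
        if (module == null || level == null) return visible;   // no session: show nothing
        Set<String> hidden = csv(module + ".hidden_fields." + level.toLowerCase(Locale.ROOT));
        for (Map.Entry<String, Object> e : record.entrySet()) {
            if (!hidden.contains(e.getKey().toLowerCase(Locale.ROOT))) visible.put(e.getKey(), e.getValue());
        }
        return visible;
    }

    private static void check(boolean cond, String what) {
        if (!cond) throw new AssertionError(what);
    }

    public static void main(String[] args) throws IOException {
        PermissionTable t = new PermissionTable(SAMPLE_CONFIG);
        check(t.allows("user", "readonly", "view"), "read-only may view");
        check(!t.allows("user", "readonly", "remove"), "read-only must not delete");
        check(t.allows("user", "readwrite", "remove"), "read/write may delete");
        check(t.allows("user", "superuser", "anything"), "superuser wildcard covers every operation");
        check(!t.allows("order", "readwrite", "view"), "a module with no entry is denied");
        check(!t.allows("user", null, "view"), "no level (not logged in) is denied");

        Map<String, Object> rec = new LinkedHashMap<>();   // constructed sample record
        rec.put("name", "alice");
        rec.put("salary", 5000);
        rec.put("password_hash", "hash-value");
        check(t.filterFields("user", "readonly", rec).keySet().equals(Collections.singleton("name")),
              "read-only sees only the name column");
        check(t.filterFields("user", "superuser", rec).size() == 3, "superuser sees every column");
        check(t.filterFields("user", null, rec).isEmpty(), "no session sees no columns");
        System.out.println("all permission checks passed");
    }
}
```

Run it with `java PermissionTable.java`. The two checks are deliberately separate, matching the post's point: `allows` gates the button/operation, `filterFields` gates the columns, and both deny when the module, level or operation is unknown rather than falling open.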
Time: 2005-01-13
Simply putting permission information in a file is the least secure approach, because access to files is hard to restrict. Put simply, a user can completely bypass the program's control and access the file directly (because the location where the file is generated is bound to be at a fixed position relative to the web application). Secondly, as for encrypting the file: too simple and it amounts to no encryption; too complex and you are just creating trouble for yourself. Think about it: if most of the values in a properties file are encrypted, what is the point of using a properties file at all?
Time: 2005-01-13
A project does have directories that cannot be accessed directly from outside, such as WEB-INF.
Time: 2005-01-13
Use the proxy pattern; it is a good approach, and jive does it this way too. Below is how it is done in STRUTS 1.2.6; the code is as follows:
This code was generated by a STRUTS+SPRING+HIBERNATE code generator and has not been debugged.
[code:1]
package common.spring.web;

import common.spring.util.Security;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * <p>Title: Permission management --- proxy pattern</p>
 *
 * <p>Description: permission status codes returned by Security.check():
 *   系统超时  (session timed out)
 *   没有登录  (not logged in)
 *   没有权限  (no permission)
 *   读写      (read/write)
 *   只读      (read only)
 *   超级用户  (superuser)
 * </p>
 *
 * <p>Copyright: Copyright (c) 2004-2008</p>
 * <p>Company: </p>
 *
 * @author 段洪杰
 * @version 1.0
 */
public class UserProxyAction extends UserAction {

    private static final Logger log = Logger.getLogger(UserProxyAction.class);

    /** Looks up the caller's status for a module. Struts shares one Action instance, so this must hold no per-request state. */
    private final Security security = new Security();

    /** Name of this module; must match the variable defined in the Constant class. */
    private final String moduleName = "用户";

    /** Status codes that permit reading. Null-safe so an unexpected null denies instead of throwing. */
    private static boolean canRead(String status) {
        return "只读".equals(status) || "读写".equals(status) || "超级用户".equals(status);
    }

    /** Status codes that permit writing. */
    private static boolean canWrite(String status) {
        return "读写".equals(status) || "超级用户".equals(status);
    }

    /** Create a record: read/write or superuser only. */
    public ActionForward set(ActionMapping mapping, ActionForm form,
                             HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName); // fetch status code
        if (canWrite(result)) {
            return super.set(mapping, form, request, response);
        }
        // no permission: forward to the page for this status (timed out, not logged in, no permission)
        return security.checkForward(mapping, form, request, response, result);
    }

    /** View a record: read only, read/write or superuser. */
    public ActionForward view(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName);
        if (canRead(result)) {
            return super.view(mapping, form, request, response);
        }
        return security.checkForward(mapping, form, request, response, result);
    }

    /** Delete a record: read/write or superuser only. */
    public ActionForward remove(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName);
        if (canWrite(result)) {
            return super.remove(mapping, form, request, response);
        }
        return security.checkForward(mapping, form, request, response, result);
    }

    /** Show the edit form for a record: read/write or superuser only. */
    public ActionForward update(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName);
        if (canWrite(result)) {
            return super.update(mapping, form, request, response);
        }
        return security.checkForward(mapping, form, request, response, result);
    }

    /** Apply the modification to a record: read/write or superuser only. */
    public ActionForward modify(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName);
        if (canWrite(result)) {
            return super.modify(mapping, form, request, response);
        }
        return security.checkForward(mapping, form, request, response, result);
    }

    /** List all records: read only, read/write or superuser. */
    public ActionForward list(ActionMapping mapping, ActionForm form,
                              HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName);
        if (canRead(result)) {
            return super.list(mapping, form, request, response);
        }
        return security.checkForward(mapping, form, request, response, result);
    }

    /** Search records: read only, read/write or superuser. */
    public ActionForward search(ActionMapping mapping, ActionForm form,
                                HttpServletRequest request, HttpServletResponse response) throws Exception {
        String result = security.check(mapping, form, request, response, moduleName);
        if (canRead(result)) {
            return super.search(mapping, form, request, response);
        }
        return security.checkForward(mapping, form, request, response, result);
    }

    /*
     * The two methods below were generated with the same read-level check but are
     * commented out as posted.
     *
     * // List all records by registered user name.
     * public ActionForward listByRegisterName(ActionMapping mapping, ActionForm form,
     *                                         HttpServletRequest request, HttpServletResponse response) throws Exception {
     *     String result = security.check(mapping, form, request, response, moduleName);
     *     if (canRead(result)) {
     *         return super.listByRegisterName(mapping, form, request, response);
     *     }
     *     return security.checkForward(mapping, form, request, response, result);
     * }
     *
     * // Search records by registered user name.
     * public ActionForward searchByRegisterName(ActionMapping mapping, ActionForm form,
     *                                           HttpServletRequest request, HttpServletResponse response) throws Exception {
     *     String result = security.check(mapping, form, request, response, moduleName);
     *     if (canRead(result)) {
     *         return super.searchByRegisterName(mapping, form, request, response);
     *     }
     *     return security.checkForward(mapping, form, request, response, result);
     * }
     */
}
[/code:1]
Time: 2005-01-14
Using a proxy like this? -_-!!! Then you have to write twice as many Actions....
Time: 2005-01-14
My project currently uses the OP's method as well. What this unavoidably does is glue permissions and business logic together.
Some people have suggested using AOP to solve it, and that seems to show a glimmer of light, but I have no practical experience with it yet.
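The per-method proxy posted above and the AOP suggestion in this post, as an added example that is not code from this thread, from jive, or from the generator that produced UserProxyAction: one java.lang.reflect.Proxy handler guards every method of an action interface, so the permission check is written once rather than once per Action method. The UserOps interface, the REQUIRED table, the Session lookup and the level names readonly/readwrite/superuser are assumptions for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not code from the thread, from jive or from the generator that
 * produced UserProxyAction. One reflective proxy guards every method of an action
 * interface, so the permission check exists in exactly one place. UserOps, the
 * REQUIRED table, Session and the level names are assumptions for illustration.
 */
public class GuardedActions {

    /** The operations an action exposes; a real Struts action would also take request/response. */
    public interface UserOps {
        String view(String id);
        String list();
        String set(String data);
        String remove(String id);
    }

    /** Business code with no permission logic in it. */
    static class UserOpsImpl implements UserOps {
        public String view(String id)   { return "viewed " + id; }
        public String list()            { return "listed"; }
        public String set(String data)  { return "saved " + data; }
        public String remove(String id) { return "removed " + id; }
    }

    /** Levels allowed per method. A method absent from this table is denied (fail closed). */
    static final Map<String, Set<String>> REQUIRED = new HashMap<>();
    static {
        Set<String> readers = new HashSet<>(Arrays.asList("readonly", "readwrite", "superuser"));
        Set<String> writers = new HashSet<>(Arrays.asList("readwrite", "superuser"));
        REQUIRED.put("view", readers);
        REQUIRED.put("list", readers);
        REQUIRED.put("set", writers);
        REQUIRED.put("remove", writers);
    }

    /** Raised instead of forwarding; the web layer maps it to the "no permission" page. */
    public static class AccessDenied extends RuntimeException {
        AccessDenied(String message) { super(message); }
    }

    /** Stand-in for the session lookup: the level was stored at login, never read from the request. */
    public interface Session {
        /** Returns the caller's level for a module, or null when not logged in or timed out. */
        String levelFor(String module);
    }

    /** Wrap a target so every interface call passes the permission check first. */
    public static <T> T guard(Class<T> iface, T target, String module, Session session) {
        InvocationHandler handler = (proxy, method, args) -> {
            // toString/hashCode/equals are not business operations; pass them straight through.
            if (method.getDeclaringClass() == Object.class) {
                return method.invoke(target, args);
            }
            String level = session.levelFor(module);
            Set<String> allowed = REQUIRED.get(method.getName());
            if (level == null || allowed == null || !allowed.contains(level)) {
                throw new AccessDenied(module + "." + method.getName() + " denied for level " + level);
            }
            return method.invoke(target, args);
        };
        Object proxy = Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler);
        return iface.cast(proxy);
    }

    private static void expectDenied(Runnable call, String what) {
        try {
            call.run();
        } catch (AccessDenied e) {
            return;
        }
        throw new AssertionError(what + " was not denied");
    }

    public static void main(String[] args) {
        // Constructed sessions standing in for what login stored server-side.
        UserOps readOnly  = guard(UserOps.class, new UserOpsImpl(), "user", module -> "readonly");
        UserOps readWrite = guard(UserOps.class, new UserOpsImpl(), "user", module -> "readwrite");
        UserOps anonymous = guard(UserOps.class, new UserOpsImpl(), "user", module -> null);

        if (!"viewed 42".equals(readOnly.view("42"))) throw new AssertionError("read-only view");
        if (!"removed 42".equals(readWrite.remove("42"))) throw new AssertionError("read/write remove");
        expectDenied(() -> readOnly.remove("42"), "remove by a read-only user");
        expectDenied(() -> readOnly.set("x"), "set by a read-only user");
        expectDenied(() -> anonymous.list(), "list without a session");
        System.out.println("all proxy checks passed");
    }
}
```

Run it with `java GuardedActions.java`. The difference from the generated UserProxyAction is the failure mode: that class must override every public method of UserAction, and any method it does not override is inherited and reachable without a check, whereas here a method with no entry in REQUIRED is rejected. In a Struts 1 deployment the same single check point would normally live in a RequestProcessor.processPreprocess override or a servlet Filter rather than a reflective proxy; the check itself is the same.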
Time: 2005-01-14
AOP is a hassle to use.