/*增強版:利用spring容器初始化dao的bean,再用init方法獲取系統(tǒng)context得到該dao從而實現(xiàn)RBAC模型下對動作權限的管理 */
package com.gpPlatform.utils;
/* 檢驗管理員是否已經登錄及是否擁有權限的過濾器*/
import java.util.List;
import java.util.Map;
import java.util.Iterator;
import java.util.Set;
import java.util.Date;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.gpPlatform.IConstants;
import com.gpPlatform.services.ResourceDao;
import com.gpPlatform.forms.AdminForm;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.FileSystemXmlApplicationContext;
public class SecurityCheckFilter implements Filter{
private List<String> notFilterURL;
private ResourceDao resourcedao= null;
private Map<String,String> permits;
private String getPermitId(String action_url){ //根據(jù)Map獲取動作資源id
this.permits= resourcedao.getResourceList();
String rid_visited="NO_MATCH";
Set<String> key = permits.keySet(); //獲取權限集map鍵集合
for(Iterator<String> it=key.iterator();it.hasNext();){
String k= it.next();
if(k.equals(action_url)){
rid_visited=permits.get(k);
break;
}
}
return rid_visited;
}
private boolean isPIdExist(AdminForm aform,String rid,boolean init){
boolean flag=!init;
if(!flag){
String[] pArray= aform.getPermitList();
for(String pid:pArray){
System.out.println(pid);
if(pid.equals(rid))
return true;
}
}
return flag;
}
public void init(FilterConfig filterconfig) throws ServletException{ //獲取系統(tǒng)context以傳遞屬性
String configpath= "F:/tomcat 5.5.2/Tomcat 5.5/webapps/gpplatform/WEB-INF/appContext.xml";
ApplicationContext context= new FileSystemXmlApplicationContext(configpath);
IConstants iconstant=(IConstants)context.getBean("constants");
resourcedao= (ResourceDao)context.getBean("resourcedao"); //不可setter直接注入,filter servlet容器先于spring生成
notFilterURL = iconstant.getNotFilterURL();
System.out.println("There are "+notFilterURL.size()+" urls free of filtering");
}
public void doFilter(ServletRequest req, ServletResponse res, //改寫doFilter方法檢驗
FilterChain chain)throws IOException, ServletException{
HttpServletRequest request= (HttpServletRequest) req;
HttpSession session= request.getSession();
AdminForm aform= (AdminForm)session.getAttribute(IConstants.CURR_ADMIN_KEY);
boolean flag1= true;
boolean flag2= true;
String str= request.getServletPath();
if(str.indexOf(".jsp")!=-1||str.indexOf(".do")!=-1){
for(String url:notFilterURL){
if(str.equals(url)){
flag1= false;
break;
}
}
}
else
flag1= false;
if(str.indexOf(".do")!=-1&&request.getParameter("method")!=null&&!request.getParameter("method").equals("readInfo"))
str += "?method="+request.getParameter("method"); //獲取一般的動作參數(shù)
else
flag2= false;
System.out.println("action str is "+str+" "+flag1+" "+flag2);
if(flag1){
if(aform==null){ //對不在免除過濾路徑集合中的url進行過濾
System.out.println("<=======You haven't Logged in yet!=======>"+(new Date()).toString());
request.setAttribute(IConstants.LOGIN_ERROR_KEY, "抱歉,您還沒有登陸本系統(tǒng)%>_<%");
request.getRequestDispatcher("/adminLog.jsp").forward(req, res);
}
else{
if(!this.isPIdExist(aform, this.getPermitId(str), flag2)){
System.out.println("<======You don't hava such permit!======>"+(new Date()).toString());
request.setAttribute(IConstants.PERMIT_ERROR_KEY,"抱歉,您不具備當前功能的權限⊙﹏⊙ ");
request.getRequestDispatcher("/errorPage.jsp").forward(req, res);
}
else{
chain.doFilter(req, res);
return;
}
}
}
else{
chain.doFilter(req, res);
return;
}
}
public void destroy(){}
}
回復 更多評論