SpringMVC用户与权限验证

一、先写一个拦截器(新建一个Class,实现HandlerInterceptor接口,需要实现该接口的3个方法)

package com.hd.common.interceptor;

import java.util.ArrayList;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;


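/**
 * Login and permission gate that Spring MVC runs around every mapped request.
 *
 * <p>{@link #preHandle} is the only method that makes a decision: it rejects
 * requests without a logged-in session and requests whose handler method is
 * not covered by the caller's permission list. The other two callbacks only
 * log.
 */
public class ValidationInterceptor implements HandlerInterceptor {

    /**
     * Called once the request has been fully processed. Intended as the place
     * to release per-request resources; this sample only logs.
     */
    @Override
    public void afterCompletion(HttpServletRequest arg0,
            HttpServletResponse arg1, Object arg2, Exception arg3)
            throws Exception {
        System.out.println("会在请求Controller方法执行完毕后执行");
    }

    /**
     * Called after the controller method returns and before the next page
     * (view) is rendered. This sample only logs.
     */
    @Override
    public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
            Object arg2, ModelAndView arg3) throws Exception {
        System.out.println("会在请求Controller方法执行完毕后,跳转到下个页面(请求)之前执行");
    }

    /**
     * Decides whether the request may reach its controller method.
     *
     * @param req  current request; its session must carry a {@code userid} attribute
     * @param resp current response, used for the login redirect and the 403
     * @param obj  the handler chosen by Spring MVC for this request
     * @return {@code true} to continue to the handler, {@code false} when the
     *         response has already been completed here (redirect or 403)
     * @throws Exception if writing the redirect or the error response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest req,
            HttpServletResponse resp,
            Object obj) throws Exception {

        System.out.println("会在请求Controller方法之前执行");

        // getSession(false) avoids allocating a session for every anonymous request.
        javax.servlet.http.HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userid") == null) {
            // NOTE(review): the target is relative to the current request URL;
            // confirm it resolves to the real login page for nested paths.
            resp.sendRedirect("login.html");
            return false;
        }

        if (!(obj instanceof org.springframework.web.method.HandlerMethod)) {
            // Handlers that are not controller methods carry no @RequestMapping
            // to compare, so they are protected by the login check only.
            return true;
        }

        // Read the mapping declared on the controller method being invoked.
        // The original code dereferenced a null RequestMapping here.
        RequestMapping rm = ((org.springframework.web.method.HandlerMethod) obj)
                .getMethodAnnotation(RequestMapping.class);
        if (rm == null) {
            // No mapping to check against: deny rather than guess.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Placeholder for the permission values that should be loaded from the
        // database for the current userid.
        ArrayList<String> list = new ArrayList<String>();
        list.add("/save.do");
        list.add("/find.do");

        // value() is an array, so each declared path is compared on its own.
        // Only the method-level values are compared; a class-level
        // @RequestMapping prefix is not taken into account.
        for (String path : rm.value()) {
            if (list.contains(path)) {
                return true;
            }
        }

        // Fail closed: an authenticated user without a matching permission
        // must not reach the controller.
        resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}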

在SpringMVC的配置文件中配置

<?xml version="1.0" encoding="UTF-8"?>
<beans
xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd">

<!-- Shared configuration: component-scan the controller package.
     NOTE(review): the original comment also mentions adding a .jsp suffix to
     every controller, but no view resolver is declared in this file. -->

<context:component-scan
base-package="com.hd.controll"/>
<bean id="dao" class="com.hd.dao.UserDao"/>
<!-- NOTE(review): /isLogin.do is the only path exempt from the interceptor.
     Confirm that the login page the interceptor redirects to is not itself
     dispatched through this mapping, otherwise anonymous users cannot reach it. -->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/> <!-- Intercept requests on every path; this pattern is not limited to *.do URLs. -->
<mvc:exclude-mapping path="/isLogin.do"/><!-- Requests that are not intercepted. -->
<bean class="com.hd.common.interceptor.ValidationInterceptor"/> <!-- Register the custom interceptor. -->
</mvc:interceptor>
</mvc:interceptors>



</beans>

二、aop配置校验

1)先写一个验证的方法

package com.hd.common.aop;

import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.aspectj.lang.ProceedingJoinPoint;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.ContextLoader;
import org.springframework.web.context.ServletContextAware;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.context.support.ServletContextAwareProcessor;

import com.hd.controll.HandlerController;
import com.sun.mail.iap.ResponseInputStream;

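/**
 * AOP advice that lets a controller method run only when it carries a
 * {@link Permission} whose privilege is in the granted list.
 */
public class HandlerValidation {

    /**
     * Checks the {@link Permission} on the advised method and proceeds only
     * when its privilege is granted.
     *
     * <p>Because it takes a {@link ProceedingJoinPoint} and decides whether to
     * call {@code proceed()}, this method has to be wired as <em>around</em>
     * advice; other advice kinds cannot stop the target method.
     *
     * <p>NOTE(review): the session/login check that the original listing kept
     * in commented-out code is not performed here, so this advice enforces the
     * permission annotation only.
     *
     * @param join the intercepted controller invocation
     * @return the controller method's result when permitted, otherwise
     *         {@code null} (the target method is not invoked)
     * @throws Throwable whatever the controller method throws
     */
    public Object validation(ProceedingJoinPoint join) throws Throwable {
        System.out.println("调用控制器的方法时,通知到了该方法");

        // Placeholder for the privilege values that should come from the
        // database for the current user.
        ArrayList<String> list = new ArrayList<String>();
        list.add("user_save");
        list.add("user_update");
        list.add("user_delete");
        list.add("user_find");

        if (!(join.getSignature() instanceof org.aspectj.lang.reflect.MethodSignature)) {
            // Not a method invocation: nothing to check, so do not proceed.
            return null;
        }

        // Take the Method from the join point itself. Looking it up by name
        // alone (Class.getMethod(name)) only finds zero-argument methods and
        // throws NoSuchMethodException for any handler that takes parameters.
        Method method = ((org.aspectj.lang.reflect.MethodSignature) join.getSignature()).getMethod();

        // Methods without @Permission are denied as well (fail closed).
        Permission p = method.getAnnotation(Permission.class);
        if (p != null && list.contains(p.privilege())) {
            return join.proceed();
        }

        // Denied: the caller receives null instead of the handler's result.
        return null;
    }

}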

<------------------------------------------------------------------------------------------------

package com.hd.common.aop;

import java.lang.annotation.*; 

/**
 * Declares the privilege value a method requires. Applicable to methods only
 * and retained at runtime so it can be read through reflection.
 */
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})
public @interface Permission {

    /** Privilege value required by the annotated method. */
    String privilege();
}

2)在SpringMVC中配置aop插入校验的方法

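<?xml version="1.0" encoding="UTF-8"?>
<beans
    xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/aop
        http://www.springframework.org/schema/aop/spring-aop.xsd">

    <!-- Shared configuration: component-scan the controller package. -->
    <context:component-scan
        base-package="com.hd.controll"/>

    <bean id="dao" class="com.hd.dao.UserDao"/>

    <!-- Permission-checking advice class. -->
    <bean id="handlervalidation" class="com.hd.common.aop.HandlerValidation"/>

    <aop:config>
        <!-- Bind the validation class to the pointcut "mycut": every call to a
             method matched by mycut goes through the advice method first. -->
        <aop:aspect id="val" ref="handlervalidation">

            <!-- execution(...) selects the methods to validate;
                 !execution(...) excludes methods that need no validation
                 (here: controller methods whose name starts with "login"). -->
            <aop:pointcut id="mycut" expression="execution(* com.hd.controll.*.*(..)) and !execution(* com.hd.controll.*.login*(..))" />

            <!-- Must be around advice: the advice method takes a
                 ProceedingJoinPoint and decides whether to call proceed().
                 Spring rejects a ProceedingJoinPoint parameter on before
                 advice, and before advice could not block the call anyway. -->
            <aop:around method="validation" pointcut-ref="mycut"/>
        </aop:aspect>
    </aop:config>

</beans>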

posted on 2016-12-06 18:42  Joyous丶
