一种基于struts2 拦截器 和 log4j的轻量级crm权限及行为跟踪方式
拦截器
public class CrmTokenInterceptor extends AbstractInterceptor
{
private static final long serialVersionUID = -6027604464670201140L;
private static final org.apache.log4j.Logger LOGGER = org.apache.log4j.Logger.getLogger(CrmTokenInterceptor.class);
@Autowired
private AuthAccessor authAccessor;
private String userId = null;
@Autowired
private TokenService ts;
@Override
public String intercept(ActionInvocation invocation) throws Exception{
ActionContext actionContext = invocation.getInvocationContext();
HttpServletRequest request= (HttpServletRequest) actionContext.get(StrutsStatics.HTTP_REQUEST);
HttpServletResponse response = ServletActionContext.getResponse();
response.setHeader("Access-Control-Allow-Origin", "*");
String token = request.getParameter("token");
String termType = request.getParameter("termType");
System.out.println("========="+request.getRequestURI());
String sPath = request.getServletPath();
//System.out.println(sPath);
SpResult spResult = new SpResult();
String res = null;
if (token == null || token.equals("")) {
spResult.setHeaderCode("400");
spResult.setHeaderMessage(MesResult.messageInfo(MesResult.LOGIN, termType));
spResult.setBody(null);
actionContext.put("spResult", spResult);
res = "tokenError";
}else {
token = token.replaceAll(" ", "+");
//userId = ts.getUserId(token);
User u = ts.getUserId(token);
if(u == null) {
spResult.setHeaderCode("400");
spResult.setHeaderMessage(MesResult.messageInfo(MesResult.LOGIN, termType));
spResult.setBody(null);
actionContext.put("spResult", spResult);
res = "tokenError";
} else {
userId=String.valueOf(u.getUserId());
String methodName=invocation.getProxy().getMethod();
Method currentMethod=invocation.getAction().getClass().getMethod(methodName, null);
if(currentMethod.isAnnotationPresent(Authority.class)){
//获取权限校验的注解
Authority authority=currentMethod.getAnnotation(Authority.class);
//获取当前请求的注解的actionName
String actionName=authority.actionName();
//获取当前请求需要的权限
String privilege=authority.privilege();
//可以在此判断当前客户是否拥有对应的权限,如果没有可以跳到指定的无权限提示页面,如果拥有则可以继续往下执行。
Map<String,String> map = new HashMap<String,String>();
map.put("userInfoId", userId);
map.put("actionName", actionName);
map.put("actionAuth", privilege);
map.put("isDeleted", "0");
List<Map<String,String>> re = authAccessor.adminAuth(map);
if(re == null || (re != null && re.size() == 0)) {
spResult = new SpResult();
spResult.setHeaderCode("400");
spResult.setHeaderMessage(String.format("无此权限。%s-%s", actionName, privilege));
spResult.setBody(null);
actionContext = invocation.getInvocationContext();
actionContext.put("spResult", spResult);
res = "authError";
} else {
// 终于使其正常执行
invocation.getStack().setValue("userId",userId);
res = invocation.invoke();
// 记录执行,不考虑执行过程的异常
String namespace = invocation.getProxy().getNamespace();
String actionNameEx = invocation.getProxy().getActionName();
Map paramMap = request.getParameterMap();
String paras = JsonUtils.convert(paramMap);
map.clear();
map.put("userInfoId", userId);
map.put("namespace", namespace);
map.put("actionName", actionNameEx);
map.put("paras", paras);
LOGGER.info(userId);
LOGGER.info(namespace);
LOGGER.info(actionNameEx);
LOGGER.info(paras);
LOGGER.info("\n");
}
}
}
}
return res;
}
}log4j:
<logger name="com.xxx.xxx.impl.interceptor.CrmTokenInterceptor" additivity="false"> <level value="INFO" /><!--子类warn级别覆盖info--> <appender-ref ref="crmAccessAppender" /> </logger>
<appender name="crmAccessAppender" class="org.apache.log4j.DailyRollingFileAppender"> <param name="File" value="/data/applogs/urgoo-service/logs/crmAccess.log" /> <layout class="org.apache.log4j.PatternLayout"> <param name="ConversionPattern" value="%d %m%n" /> </layout> </appender>
if(currentMethod.isAnnotationPresent(Authority.class)){
//获取权限校验的注解
Authority authority=currentMethod.getAnnotation(Authority.class);
//获取当前请求的注解的actionName
String actionName=authority.actionName();
//获取当前请求需要的权限
String privilege=authority.privilege();
//可以在此判断当前客户是否拥有对应的权限,如果没有可以跳到指定的无权限提示页面,如果拥有则可以继续往下执行。
Map<String,String> map = new HashMap<String,String>();
map.put("userInfoId", userId);
map.put("actionName", actionName);
map.put("actionAuth", privilege);
map.put("isDeleted", "0");
List<Map<String,String>> re = authAccessor.adminAuth(map);
if(re == null || (re != null && re.size() == 0)) {
spResult = new SpResult();
spResult.setHeaderCode("400");
spResult.setHeaderMessage(String.format("无此权限。%s-%s", actionName, privilege));
spResult.setBody(null);
actionContext = invocation.getInvocationContext();
actionContext.put("spResult", spResult);
res = "authError";这一段是获得action的权限注解值,见http://blog.csdn.net/silyvin/article/details/54425212,没有添加注解的无此宫内,然后到数据库中查询某人是否由权限进行该操作
如果无权限:
则返回警告消息
如果有权限,记录相应的namespace actionname 参数 userId(操作人)
// 终于使其正常执行
invocation.getStack().setValue("userId",userId);
res = invocation.invoke();
// 记录执行,不考虑执行过程的异常
String namespace = invocation.getProxy().getNamespace();
String actionNameEx = invocation.getProxy().getActionName();
Map paramMap = request.getParameterMap();
String paras = JsonUtils.convert(paramMap);
map.clear();
map.put("userInfoId", userId);
map.put("namespace", namespace);
map.put("actionName", actionNameEx);
map.put("paras", paras);
LOGGER.info(userId);
LOGGER.info(namespace);
LOGGER.info(actionNameEx);
LOGGER.info(paras);
LOGGER.info("\n");
效果:
2017-01-21 17:22:17,480 -1
2017-01-21 17:22:17,480 /adminToken
2017-01-21 17:22:17,480 selectBaseServiceLongByServiceTypeSingle
2017-01-21 17:22:17,481 {"xxx_CALLBACK":["JSON_CALLBACK"],"serviceType":["1"],"token":["ss"]}
2017-01-21 17:22:17,481
2017-01-21 17:27:22,466 -1
2017-01-21 17:27:22,466 /adminToken
2017-01-21 17:27:22,466 selectBaseService
2017-01-21 17:27:22,466 {"ccc_CALLBACK":["JSON_CALLBACK"],"token":["ss"]}
2017-01-21 17:27:22,466
有两个缺点:
1. 记录的东西不太好再进行自动化分析,必须有人的介入
2. 暂无法分布式部署
