A Simple Method for B/S System Permission Control

Source: Internet
Author: User
Tags: tld
After reading some posts about permission control on the internet, I am even more confused by AOP (Aspect-Oriented Programming) with containers, RBAC (Role-Based Access Control), SSO, the Jive proxy pattern and so on; role and group are also big topics. I will first write up a simple implementation method and study the rest later.
This method does not rely on a container framework and is suitable for small systems (roughly fewer than 100 JSP pages in total, because the permission IDs are hard-coded into the JSPs). It suits systems where many fields on a page need to be controlled precisely.
(Aside, to distinguish permission control from business logic: business logic is decided by conditions at run time. For example, when a student logs in to a student management system they can only view their own records, because which records are visible is determined by the student ID; that is business logic. That the student cannot view the teachers' records is decided by the fact that the user is a student; that is permission control.)
Now, on to the method!
Table creation:
User (user information: userid, userpassword, etc.)
Role (role description: roleid, roledesc)
Permission (permission description: permissionid, permissiondesc)
User-Role (user-role mapping table: userid, roleid)
Role-Permission (role-permission mapping table: roleid, permissionid)
User-Permission (user-permission mapping table: userid, permissionid)

Important statements:

1. Here a role has no inheritance relationship; it is simply a set of permissions.
2. The User-Permission table exists only for convenience. Its data is derived from User-Role joined with Role-Permission, and it is rebuilt only when those two tables change. A user cannot be assigned an individual permission directly; a user can only be granted one or more roles.
3. Permission allocation is the hard part; many complicated permission control systems exist because of it. Here we keep it as simple as possible and ignore business logic, looking at it from the page's perspective, where there are two layers: first the JSP page to be controlled, then the fields on that page to be controlled (links, text, text boxes, buttons and so on). The field layer also carries a privilege (R for readable, W for writable), so the UserPermission bean below stores a privilege next to the permission id, and whichever mapping row the privilege is granted on needs a column for it.
Basic idea: when a JSP page is entered, look up the user's information and check whether the user holds the permission before including the corresponding code; if the permission is missing, that code is not included. This is done with custom tags (don't want to write tags? It doesn't matter, just copy these!). Now the code.
1. Create the tables (as shown above).
2. Create two beans (UserProfile holds the basic user information, UserPermission holds one permission).
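Statement 2 says the User-Permission table is only a cache of User-Role joined with Role-Permission, and the tags later match on permission id plus an optional R/W privilege. As an added example (not code from the original post), the following Java class computes that effective set in memory for one user and performs the same lookup the tags make; the two mapping tables are replaced by constructed sample maps, and the class, field and method names are my own.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added example: derives a user's effective permissions from the user-role and
// role-permission mappings (what the post's User-Permission table caches) and
// checks them the way the page/field tags do. All table contents below are
// constructed sample data, not data from the original post.
public class PermissionLoader {

    /** One row of the role-permission mapping: a privilege (R or W) on a permission id. */
    public static final class Grant {
        final int permissionId;
        final String privilege;   // "R" = readable, "W" = writable

        Grant(int permissionId, String privilege) {
            this.permissionId = permissionId;
            this.privilege = privilege;
        }

        // equals/hashCode let identical grants reached through two roles collapse into one
        @Override public boolean equals(Object o) {
            if (!(o instanceof Grant)) return false;
            Grant g = (Grant) o;
            return g.permissionId == permissionId && Objects.equals(g.privilege, privilege);
        }
        @Override public int hashCode() { return Objects.hash(permissionId, privilege); }
        @Override public String toString() { return permissionId + ":" + privilege; }
    }

    // Constructed stand-in for the User-Role table: userid -> roleids.
    static final Map<String, List<String>> USER_ROLE = Map.of(
        "alice", List.of("clerk", "auditor"),
        "bob",   List.of("clerk"));

    // Constructed stand-in for the Role-Permission table: roleid -> grants.
    static final Map<String, List<Grant>> ROLE_PERMISSION = Map.of(
        "clerk",   List.of(new Grant(36, "R"), new Grant(46, "R")),
        "auditor", List.of(new Grant(36, "R"), new Grant(46, "W"), new Grant(50, "R")));

    /** Union of every grant reachable through the user's roles; an unknown user gets an empty set. */
    public static Set<Grant> effectivePermissions(String userId) {
        Set<Grant> result = new HashSet<>();
        for (String role : USER_ROLE.getOrDefault(userId, List.of())) {
            result.addAll(ROLE_PERMISSION.getOrDefault(role, List.of()));
        }
        return result;
    }

    /** The lookup the tags perform: privilege == null means any privilege on the id is enough. */
    public static boolean has(Set<Grant> grants, int permissionId, String privilege) {
        for (Grant g : grants) {
            if (g.permissionId == permissionId
                    && (privilege == null || privilege.equals(g.privilege))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<Grant> alice = effectivePermissions("alice");
        System.out.println("alice holds " + alice);
        // auditor grants W on 46; clerk alone grants only R on 46; carol has no roles at all
        System.out.println("alice may write field 46: " + has(alice, 46, "W"));
        System.out.println("bob may write field 46:   " + has(effectivePermissions("bob"), 46, "W"));
        System.out.println("carol may open page 36:   " + has(effectivePermissions("carol"), 36, null));
    }
}
```

Note that the union keeps both 46:R and 46:W for alice, so with the JSP markup shown later both the read-only and the writable text box would be rendered for her; either make the role definitions give at most one privilege per permission, or let the loader drop R where W is present.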
UserProfile.java:
package com.××;   // placeholder package from the original; use your own

import java.util.Collection;

// Basic user information. The login code builds one of these and stores it
// in the HttpSession; the tags below read it back from there.
public class UserProfile {
    private String userId;
    private String userType;
    private String companyNo;
    private String companyName;
    private String companyType;
    private Collection<UserPermission> userPermissions;   // effective permissions, loaded at login

    public String getUserId() {
        return userId;
    }
    public void setUserId(String userId) {
        this.userId = userId;
    }
    public String getUserType() {
        return userType;
    }
    public void setUserType(String userType) {
        this.userType = userType;
    }
    public String getCompanyNo() {
        return companyNo;
    }
    public void setCompanyNo(String companyNo) {
        this.companyNo = companyNo;
    }
    public String getCompanyName() {
        return companyName;
    }
    public void setCompanyName(String companyName) {
        this.companyName = companyName;
    }
    public String getCompanyType() {
        return companyType;
    }
    public void setCompanyType(String companyType) {
        this.companyType = companyType;
    }
    public Collection<UserPermission> getUserPermissions() {
        return userPermissions;
    }
    public void setUserPermissions(Collection<UserPermission> userPermissions) {
        this.userPermissions = userPermissions;
    }
}

UserPermission.java:
package com.××;   // same placeholder package as UserProfile

// One permission held by a user: the permission id plus its privilege ("R" or "W").
public class UserPermission {
    private int permissionId;
    private String privilege;

    public int getPermissionId() {
        return permissionId;
    }
    public void setPermissionId(int permissionId) {
        this.permissionId = permissionId;
    }
    public String getPrivilege() {
        return privilege;
    }
    public void setPrivilege(String privilege) {
        this.privilege = privilege;
    }
}


3. Add two tags (page and field):
SecurityTagForPage.java:
package com.companyName.prjname.taglib;   // must match <tagclass> in the TLD below

import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
// plus imports of UserProfile and UserPermission from the bean package above

// Page-level check, used as an empty tag near the top of a JSP.
public class SecurityTagForPage extends TagSupport {

    private int permissionid;   // lowercase property name so it matches the TLD attribute "permissionid"

    public int doEndTag() throws JspException {
        HttpSession session = pageContext.getSession();
        // The login code puts the user's UserProfile into the session under this key.
        UserProfile profile = (session == null) ? null : (UserProfile) session.getAttribute("USERPROFILE");
        if (profile == null || profile.getUserPermissions() == null) {
            return SKIP_PAGE;   // not logged in: treat as "no permissions" instead of throwing NullPointerException
        }
        for (UserPermission p : profile.getUserPermissions()) {
            if (permissionid == p.getPermissionId()) {
                return EVAL_PAGE;   // permitted: keep evaluating the rest of the page
            }
        }
        return SKIP_PAGE;           // not permitted: stop rendering the page at this point
    }

    public int getPermissionid() {
        return permissionid;
    }
    public void setPermissionid(int permissionid) {
        this.permissionid = permissionid;
    }
}

SecurityTagForField.java:
package com.companyName.prjname.taglib;

import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
// plus imports of UserProfile and UserPermission from the bean package above

// Field-level check, wrapped around the markup of one link, text box, button, etc.
public class SecurityTagForField extends TagSupport {

    private int permissionid;
    private String privilege;   // "R" or "W"; null (attribute omitted) means any privilege on the id is enough

    public int doStartTag() throws JspException {
        HttpSession session = pageContext.getSession();
        UserProfile profile = (session == null) ? null : (UserProfile) session.getAttribute("USERPROFILE");
        if (profile == null || profile.getUserPermissions() == null) {
            return SKIP_BODY;   // not logged in: render nothing
        }
        for (UserPermission p : profile.getUserPermissions()) {
            if (permissionid != p.getPermissionId()) {
                continue;
            }
            if (privilege == null || privilege.equals(p.getPrivilege())) {
                return EVAL_BODY_INCLUDE;   // permitted: emit the wrapped field
            }
        }
        return SKIP_BODY;                   // not permitted: the field is not emitted at all
    }

    public int getPermissionid() {
        return permissionid;
    }
    public void setPermissionid(int permissionid) {
        this.permissionid = permissionid;
    }
    public String getPrivilege() {
        return privilege;
    }
    public void setPrivilege(String privilege) {
        this.privilege = privilege;
    }
}
4. Create a securitytag.tld file under the WEB-INF directory with the following content (change the class package to your own):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE taglib PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.1//EN"
  "http://java.sun.com/j2ee/dtds/web-jsptaglibrary_1_1.dtd">
<!-- a tag library descriptor -->
<taglib>
  <tlibversion>1.0</tlibversion>
  <jspversion>1.1</jspversion>
  <shortname>security</shortname>
  <uri></uri>
  <info>
    Access control!
  </info>
  <tag>
    <name>securityforfield</name>
    <tagclass>com.companyName.prjname.taglib.SecurityTagForField</tagclass>
    <attribute>
      <name>permissionid</name>
      <required>true</required>
    </attribute>
    <attribute>
      <name>privilege</name>
    </attribute>
  </tag>
  <tag>
    <name>securityforpage</name>
    <tagclass>com.companyName.prjname.taglib.SecurityTagForPage</tagclass>
    <attribute>
      <name>permissionid</name>
      <required>true</required>
    </attribute>
  </tag>
</taglib>

5. Modify the JSPs to be controlled
Write the following on the JSP page:
<%@ taglib uri="/WEB-INF/securitytag.tld" prefix="security" %>
<%@ page import="com.HP.elog2.util.util" %>
<security:securityforpage permissionid="36"/>
.......
<security:securityforfield permissionid="46" privilege="R">
<td><html:text name="formbean" property="property1" readonly="true"/></td>
</security:securityforfield>
<security:securityforfield permissionid="46" privilege="W">
<td><html:text name="formbean" property="property1"/></td>
</security:securityforfield>
......
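The tags above only decide what HTML is emitted. They do not stop a user who requests the JSP URL directly (the page tag returns SKIP_PAGE, so the response is a blank or truncated page with status 200, and anything written before the tag has already been sent), and they do not stop a browser from submitting a value for a text box that was rendered readonly, since readonly is only a client-side hint. As an added example that is not part of the original post, the following servlet Filter makes the page check before the JSP runs, and includes a helper the form-processing action can call for the W check. The path-to-permission map and all names in this class are assumptions of mine; UserProfile and UserPermission are the post's two beans written in standard Java case, read from the session key "USERPROFILE" exactly as the post's tag handlers do.

```java
import java.io.IOException;
import java.util.Collection;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: server-side enforcement of the same permission ids the tags use.
// Assumes the post's UserProfile/UserPermission beans (getUserPermissions(),
// getPermissionId(), getPrivilege()) are on the classpath.
public class PagePermissionFilter implements Filter {

    // Assumed mapping from protected JSP paths to the permission id each page needs
    // (the same id that page's <security:securityforpage> tag carries).
    private static final Map<String, Integer> PAGE_PERMISSION = Map.of(
        "/order/edit.jsp", 36,
        "/order/list.jsp", 37);

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Integer required = PAGE_PERMISSION.get(request.getServletPath());
        if (required == null) {            // not a protected page: pass through
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);   // never create a session just to check it
        UserProfile profile = (session == null) ? null : (UserProfile) session.getAttribute("USERPROFILE");
        if (profile == null) {             // not logged in
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!hasPermission(profile, required, null)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);   // a real 403, nothing rendered
            return;
        }
        chain.doFilter(req, res);          // permitted: let the JSP run
    }

    /** Same test the tags make; privilege == null means any privilege on the id is enough. */
    static boolean hasPermission(UserProfile profile, int permissionId, String privilege) {
        Collection<UserPermission> perms = profile.getUserPermissions();
        if (perms == null) return false;
        for (UserPermission p : perms) {
            if (p.getPermissionId() == permissionId
                    && (privilege == null || privilege.equals(p.getPrivilege()))) {
                return true;
            }
        }
        return false;
    }

    /**
     * For the action that processes the submitted form: only take the submitted value of a
     * field when the user holds W on it; otherwise keep the stored value, because a client
     * can submit a value for a readonly box (or one that was not rendered at all).
     */
    static String acceptFieldValue(UserProfile profile, int fieldPermissionId,
                                   String submitted, String current) {
        return hasPermission(profile, fieldPermissionId, "W") ? submitted : current;
    }
}
```

Map the filter in web.xml to the URL patterns of the protected JSPs (filters need Servlet 2.3 or later). If the pages are reached by forwarding from a Struts action rather than by direct request, key the map on the action path instead, since by default a filter only sees the original request.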
It is recommended to add the permission control tags after all JSP pages are finished, mainly so that they can be copied and pasted in.
The biggest problem with this method is that there is too much hard-coding, but the structure is simple, the idea is clear and it applies widely.
For the more complex methods, I hope like-minded people will contact me at leon_sandy@tom.com so we can study them together!
