Fine-grained role-based access control based on Struts 2 interceptor

Source: Internet
Author: User

Introduction

As the most successful MVC web framework, Apache Struts has long been widely used, but over time it exposed many drawbacks, which led to Struts 2. Struts 2 abandoned the original Struts 1 design and built on WebWork 2 instead, combining it with the strengths of Struts in an attempt to create a web framework that brings together the best of its predecessors. Struts 2 also carries over a very important WebWork 2 feature: interceptors. Interceptors run before and after Action execution (pictured below) and are a typical AOP implementation.

Figure 1. The architecture of Struts 2

Struts 2 itself provides the org.apache.struts2.interceptor.RolesInterceptor interceptor to make access control easier for developers. However, that interceptor is built on the access control mechanism provided by the Java EE container. Container-provided access control is coarse and often cannot meet the needs of most applications. In many projects, the permissions a user should have are determined by several factors, and the same user often holds different roles in different contexts. For example, in a social networking project, a user will have different roles in different communities, such as member, administrator, or guest. His specific role depends on the identifier of the community he is currently in. In addition, the user's role depends on the type of resource he wants to manipulate. For example, on this social networking site, users can create their own schedules, share a schedule with other users, or delegate its management to others. The schedule resource type therefore has three roles: founder, reader, and manager. In more complex applications, the user's role may be determined by even more factors, which requires finer-grained access control and the ability to handle more complex logic.

To meet this requirement when developing web applications based on Struts 2, we can use interceptors to implement a manageable role-based access control (RBAC) system that can protect finer-grained resources. The system declares, in the Struts 2 configuration file, which roles may invoke each Action; that is, it authorizes the roles. Before the action is invoked, the interceptor checks the current user to determine whether the action should be executed.
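A minimal sketch of such an interceptor, added here as an illustration and not taken from the original article. It uses the Struts 2.x package names (`com.opensymphony.xwork2`); the `CommunityScoped` and `RoleService` interfaces, the `userId` session key, the `allowedRoles` parameter name and the `forbidden` result name are all assumptions made for this example.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical: implemented by actions that operate inside one community.
interface CommunityScoped { Long getCommunityId(); }

// Hypothetical service-layer lookup: roles the user holds in that community.
interface RoleService { Set<String> rolesOf(Long userId, Long communityId); }

public class ContextRoleInterceptor extends AbstractInterceptor {
    private Set<String> allowedRoles = Collections.emptySet(); // default: deny everyone
    private RoleService roleService;                           // injected, e.g. by Spring

    // Filled from <param name="allowedRoles">administrator,member</param> in struts.xml.
    public void setAllowedRoles(String csv) {
        Set<String> roles = new HashSet<>();
        for (String r : csv.split(",")) {
            if (!r.trim().isEmpty()) roles.add(r.trim());
        }
        allowedRoles = roles;
    }

    public void setRoleService(RoleService roleService) { this.roleService = roleService; }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // Assumed session key "userId", stored by the application's login action.
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object userId = (session == null) ? null : session.get("userId");
        if (!(userId instanceof Long)) return Action.LOGIN;     // not logged in

        // Fail closed: an action that cannot name its community is never executed.
        Object action = invocation.getAction();
        if (!(action instanceof CommunityScoped)) return "forbidden";
        Long communityId = ((CommunityScoped) action).getCommunityId();
        if (communityId == null) return "forbidden";

        // The role depends on the (user, community) pair, not on the user alone.
        Set<String> held = roleService.rolesOf((Long) userId, communityId);
        if (held == null || Collections.disjoint(held, allowedRoles)) return "forbidden";
        return invocation.invoke();                             // authorized: run the action
    }
}
```

The interceptor must be placed after the `params` interceptor in the stack so that the action's `communityId` property is already populated, and the `forbidden` result has to be mapped (for example as a global result) in the Struts 2 configuration.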

Here we will implement the system on top of the Hibernate + Spring + Struts 2 framework stack. To make the system structure clearer and easier to maintain, we divide it into a domain model layer, a persistence layer, and a service layer. This layered architecture is one of the most widely used patterns in web development today.
