Original address: http://blog.csdn.net/ycyk_168/article/details/18456631
As enterprise informatization deepens, information systems of every kind have become essential tools for improving operational and management efficiency. More and more of an enterprise's core secrets, such as sales opportunities, customer information and design proposals, are stored, recorded and circulated in information systems, and a leak of this core information inevitably causes the enterprise great loss. In a technology-driven era, information is the lifeblood of an enterprise, and its security must be a problem that enterprises take seriously. With the deployment of various information security measures, leaks have shifted from external attackers to insiders. An external hacker or virus that wants valuable information must first get through multiple layers of firewalls, evade several anti-virus tools, and then sift the data to find what is worth taking; an insider, by contrast, already knows which information is valuable, and if that information is not given the necessary protection, anyone within the enterprise with the intent can obtain it easily.
A recent survey shows that almost half of industry professionals admit that when they change jobs they take information with them, including documents, sales agreements and contract lists, and disclose it to their next employer. The survey also found that 80% of employees can easily download "competitive" information and take it to their next job.
Information security is a long road. Securing an information system involves many aspects, such as firewalls, encrypted transmission and SQL injection prevention, but many security solutions concentrate on guarding the door, that is, on identity authentication: digital certificates, the traditional username and password, biometric identification such as fingerprint or retinal scanning, and the USB keys widely used in e-government. All of these sit at the entrance to the system; once identification at the door is complete, the user is let in, and few solutions deal with what happens afterwards. The focus of this article is not authentication. It is what happens after authentication succeeds and the user has entered the system: how to ensure that users operate only within their own scope of access, rather than being able to invoke any function of the system. That is the fine-grained, internal access control solution.
The commonly used permission system design is role-centric, where a role is a collection of people with the same permissions:
1. A role can have multiple operators, and an operator can belong to multiple roles.
2. A role can hold operation permissions on multiple functions, and a function can be held by multiple roles.
By querying the user's roles at login, you obtain the user's complete set of functions, for example:
Most business system page menus follow a three-level standard: first-level, second-level and third-level function menus. The first and second levels are usually used only for classification and have no function access address; the third-level menu is the real entry point of a function. A typical permission system controls rights by showing or hiding each person's corresponding function menus. To achieve fine-grained permission control, add a fourth layer when designing the menu: page elements. These are subordinate to the third-level function menus and identify each function button on a function page, such as add, modify, delete and query. When assigning permissions to a role, the fourth layer is incorporated into unified rights management: a page element is displayed on the page if the user has permission for it, and hidden if not.
Hiding a function or page in the foreground is not enough for accesses without permission; the authorization must also be verified in the background, otherwise an operator can bypass the page and reach the function directly by typing its URL, which creates a privilege vulnerability. With Spring MVC plus annotations this is easily implemented. The code is as follows:
Step one: create a Spring MVC interceptor to intercept all function requests that require permission validation.
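The four-level menu described above can be represented as a tree and pruned against the set of function IDs the user holds. The following is an added example, not code from the original post; the class `MenuNode`, its `filterFor` method and the function IDs in the sample tree are all constructed for illustration. Level 3 pages and level 4 page elements carry a function ID and survive only if the user holds it; level 1 and 2 categories carry no ID and survive only if something below them is visible.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example: a four-level function menu (category / category / page / page element)
// filtered against the function IDs a user holds. Names are assumptions, not the post's code.
public class MenuNode {
    public final String name;
    public final int level;          // 1..3 = menu levels, 4 = page element (button)
    public final String funcId;      // null for levels 1 and 2 (classification only, no entry point)
    public final List<MenuNode> children = new ArrayList<MenuNode>();

    public MenuNode(String name, int level, String funcId) {
        this.name = name;
        this.level = level;
        this.funcId = funcId;
    }

    public MenuNode add(MenuNode child) {
        children.add(child);
        return this;
    }

    /**
     * Returns a copy of this subtree containing only the entries the user may see, or null
     * if nothing in it is visible. Nodes with a function ID are kept only when the ID is
     * permitted; pure classification nodes are kept only when a descendant survives,
     * so empty categories never appear in the rendered menu.
     */
    public MenuNode filterFor(Set<String> permittedFuncIds) {
        if (funcId != null && !permittedFuncIds.contains(funcId)) {
            return null;  // no permission for this page or button: hide it and everything below it
        }
        MenuNode copy = new MenuNode(name, level, funcId);
        for (MenuNode child : children) {
            MenuNode kept = child.filterFor(permittedFuncIds);
            if (kept != null) {
                copy.children.add(kept);
            }
        }
        if (funcId == null && copy.children.isEmpty()) {
            return null;  // a classification node with nothing visible under it
        }
        return copy;
    }

    static void print(MenuNode node, int indent) {
        StringBuilder pad = new StringBuilder();
        for (int i = 0; i < indent; i++) {
            pad.append("  ");
        }
        System.out.println(pad + node.name);
        for (MenuNode child : node.children) {
            print(child, indent + 1);
        }
    }

    public static void main(String[] args) {
        // Constructed sample tree with made-up function IDs (real IDs come from the function table)
        MenuNode root = new MenuNode("root", 0, null)
            .add(new MenuNode("System management", 1, null)
                .add(new MenuNode("Role management", 2, null)
                    .add(new MenuNode("Role list", 3, "F-ROLE-LIST")
                        .add(new MenuNode("Add", 4, "F-ROLE-ADD"))
                        .add(new MenuNode("Delete", 4, "F-ROLE-DEL"))))
                .add(new MenuNode("Department management", 2, null)
                    .add(new MenuNode("Department list", 3, "F-DEPT-LIST"))));

        // A user whose roles grant only listing and adding roles; nothing under department management
        Set<String> permitted = new HashSet<String>(Arrays.asList("F-ROLE-LIST", "F-ROLE-ADD"));

        MenuNode visible = root.filterFor(permitted);
        if (visible != null) {
            for (MenuNode top : visible.children) {
                print(top, 0);
            }
        }
    }
}
```

Running `main` prints "System management", "Role management", "Role list" and "Add"; the "Delete" button and the whole "Department management" branch are absent. The same permitted set is what the server-side check must consult, since a pruned menu only changes what is rendered, not what the server will execute.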
```xml
<!-- enable annotations -->
<mvc:annotation-driven/>
<!-- static resource access -->
<mvc:resources location="/static/" mapping="/static/**"/>
<!-- interceptors -->
<mvc:interceptors>
    <!-- multiple interceptors are executed in order -->
    <mvc:interceptor>
        <!-- if not configured, or configured as /**, all controllers are intercepted -->
        <mvc:mapping path="/**"/>
        <!-- do some general processing before the FreeMarker view is displayed -->
        <bean class="xx.xxxx.core.web.FreeMarkerViewInterceptor"></bean>
    </mvc:interceptor>
</mvc:interceptors>
```
Step two: create an annotation that acts at method level and carries the function ID.
```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)   // must be RUNTIME so the interceptor can read it via reflection
@Target(ElementType.METHOD)
public @interface Permission {
    /**
     * Function ID: the ID of the function's record in the database
     * @return the function ID
     * @version V1.0.0
     * @date Jan, 4:59:35 PM
     */
    String value();
}
```
Step three: establish, via static constants, a one-to-one relationship between the function IDs in the database and the execution methods.
```java
public class FuncConstants {
    /**
     * System management - role management - add role
     */
    public final static String XTGL_JSGL_ADDJS = "4399D98BB0D84114ACB5693081E83BC9";
    /**
     * System management - department management - department list
     */
    public final static String XTGL_BMGL_BMLIST = "dbc4bf80f8b6418788b79de204d37932";
}
```
Step four: verify permissions in the Spring MVC interceptor.
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * FreeMarker view interceptor: does some general processing before the page is displayed
 * @version V1.0.0
 * @date Dec, 4:20:04 PM
 */
public class FreeMarkerViewInterceptor extends HandlerInterceptorAdapter {

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) throws Exception {
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView view) throws Exception {
        String contextPath = request.getContextPath();
        if (view != null) {
            request.setAttribute("base", contextPath);   // lets templates build absolute links
        }
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // With mapping "/**" the interceptor also sees static resources, whose handler is not
        // a HandlerMethod; casting blindly would throw, so let those through untouched
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        // Handle the @Permission annotation to implement method-level permission control
        HandlerMethod method = (HandlerMethod) handler;
        Permission permission = method.getMethodAnnotation(Permission.class);
        // null means the method does not require permission validation
        if (permission == null) {
            return true;
        }
        // Verify that the current user holds this function ID
        if (!WebUtil.hasPower(request, permission.value())) {
            response.sendRedirect(request.getContextPath() + "/business/nopermission.html");
            return false;
        }
        // Must return true here, otherwise the request chain stops
        return true;
    }
}
```
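The four steps above depend on two things the post does not show: how `WebUtil.hasPower` decides, and what a guarded controller method looks like. The following is an added example, not the post's code. `WebUtil.loadPermissions`, `WebUtil.FUNC_SET_KEY`, `RoleController` and its view names are assumptions; `Permission` and `FuncConstants` are the classes from steps two and three. The role-to-function mapping is passed in as a map (in a real system it is loaded from the role/function tables at login), and the resulting flat set of function IDs is cached in the session so that every check in the interceptor is a single set lookup.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Added example (not the post's code). Assumed names: WebUtil.loadPermissions,
// WebUtil.FUNC_SET_KEY, RoleController and its view names.

// ---- File: WebUtil.java ----
public final class WebUtil {
    /** Session attribute holding the set of function IDs the logged-in user may call. */
    public static final String FUNC_SET_KEY = "userFuncIds";

    private WebUtil() {
    }

    /**
     * Called once at login. Resolves user -> roles -> functions (many-to-many on both
     * sides) into one flat set and caches it in the session. roleFuncIds maps a role ID
     * to the function IDs granted to that role; the caller loads it from the database.
     */
    public static void loadPermissions(HttpSession session, Set<String> userRoleIds,
                                       Map<String, Set<String>> roleFuncIds) {
        Set<String> funcIds = new HashSet<String>();
        for (String roleId : userRoleIds) {
            Set<String> granted = roleFuncIds.get(roleId);
            if (granted != null) {
                funcIds.addAll(granted);
            }
        }
        session.setAttribute(FUNC_SET_KEY, Collections.unmodifiableSet(funcIds));
    }

    /** The check the interceptor calls: deny unless a session exists and contains the ID. */
    public static boolean hasPower(HttpServletRequest request, String funcId) {
        HttpSession session = request.getSession(false);   // never create a session for an anonymous caller
        if (session == null || funcId == null) {
            return false;
        }
        Object attr = session.getAttribute(FUNC_SET_KEY);
        if (!(attr instanceof Set)) {
            return false;   // logged in but permissions were never loaded: fail closed
        }
        @SuppressWarnings("unchecked")
        Set<String> funcIds = (Set<String>) attr;
        return funcIds.contains(funcId);
    }
}

// ---- File: RoleController.java ----
// The "add role" button is a level-4 page element. Hiding the button only affects the page,
// so both the form (GET) and the submit (POST) carry the same function ID and are checked
// by the interceptor before the method runs, regardless of how the URL was reached.
@Controller
@RequestMapping("/business/role")
public class RoleController {

    @Permission(FuncConstants.XTGL_JSGL_ADDJS)
    @RequestMapping(value = "/add", method = RequestMethod.GET)
    public String addRoleForm() {
        return "business/role/add";   // FreeMarker view name (assumed)
    }

    @Permission(FuncConstants.XTGL_JSGL_ADDJS)
    @RequestMapping(value = "/add", method = RequestMethod.POST)
    public String addRole(@RequestParam("roleName") String roleName) {
        // persisting the role is not the point of the example and is omitted
        return "redirect:/business/role/list";
    }
}
```

`loadPermissions` is the place to call immediately after a successful login, with the user's role IDs and the role-to-function map from the database; because `hasPower` reads only the session, a change of role assignments takes effect for a user at their next login unless the session attribute is refreshed. The template that renders the page can consult the same session set to decide whether to draw each button, so the foreground hiding and the background check are driven by one source of truth.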
At this point the fine-grained permission system, validated at button and method level, is complete!
(Repost) Fine-grained permission control at button level, implemented with Spring MVC + annotations