How to resolve site multiuser rights management

Control access through URL matching, that is, when a user requests (response) a URL, to see if the user has this permission. This "view" is done in a filter. The criteria for determining whether a user has permission is configured in an XML file. The DTD document is as follows

such as: Java code
1.<?xml version= "1.0" encoding= "UTF-8"?>
2.
3.
4.<! ELEMENT Privilege (globe-error?,allmapping,user-name,mapping*) >
5.<! ELEMENT globe-error (#PCDATA) >
6.<! ELEMENT allmapping (#PCDATA) >
7.<! ELEMENT user-name (#PCDATA) >
8.<! ELEMENT Mapping (Error?, message) >
9.<! ELEMENT error (#PCDATA) >
10.<! ELEMENT message (#PCDATA) >
11.
12.<! Attlist globe-error Redirect (False|true) "false" >
13.<! Attlist error Redirect (False|true) "false" >
14.<! Attlist Mapping
. Name CDATA #REQUIRED
URL CDATA #REQUIRED
. Code CDATA #REQUIRED >
18.<! Attlist message key CDATA #IMPLIED >
<?xml version= "1.0" encoding= "UTF-8"?>

<! ELEMENT Privilege (globe-error?,allmapping,user-name,mapping*) >
<! ELEMENT globe-error (#PCDATA) >
<! ELEMENT allmapping (#PCDATA) >
<! ELEMENT user-name (#PCDATA) >
<! ELEMENT Mapping (Error?, message) >
<! ELEMENT error (#PCDATA) >
<! ELEMENT message (#PCDATA) >

<! Attlist globe-error Redirect (False|true) "false" >
<! Attlist error Redirect (False|true) "false" >
<! Attlist Mapping
Name CDATA #REQUIRED
URL CDATA #REQUIRED
Code CDATA #REQUIRED >
<! Attlist message key CDATA #IMPLIED >

The core of the XML document is the mapping element, with the Url,code attribute (required) and the Error,message child element. The URL means that the matching url,code is the permission code, and when the user's permission code conforms to the configured permission code here, it is assumed that the user access to the Url,name property uniquely represents a mapping. The allmapping element is a collection of all mapping element name, separated by a symbol for each name, such as ' | ' Or ', ' can be used to help automatically generate permission codes, which are explained in detail later. Error (optional, if not, use Globe-error) is the wrong page that the user does not have permission to display, the redirect property (optional) forward to the error page or redirect to the forward page. The message specifies the error message that is returned (internationalization is supported).

The user's permission code is stored in the user's session, because I am accustomed to put the user information in one user object, and then save to the session, so my idea here is that there is a property in the user object to represent the permissions code, such as can be obtained:

Java code
1.pcode= (user) Session.getattribute ("User"). GetCode ();//pcode is user permission code
pcode= (user) Session.getattribute ("User"). GetCode ();//pcode is user permission code

Let's start by saying how permissions are set.

First of all, the Linux file permission settings, such as setting a file permissions 111010010 (owner read and write execution, the same group read, others read), with three sets of three-bit binary number, the first group is the file owner, the second group is the owner in the same group of users, The third group is the other person who has no relationship with the owner. In each group, the first bit represents the "read" permission, the second represents the "write" permission, and the third represents the "Execute" permission. OK, our permission representation method also appears, the function of the allmapping element is also shown. Allmapping has n mapping settings, the order in which name appears in mapping is meaningful, but developers don't have to care about its order, so let's note that the order is more convenient for the instructions below. For example:

Java Core Code
1.<allmapping>read|add|delete<allmapping>
2.<mapping name= "read" url= "/read.do" >
3. <error>/errorpage.jsp</error>
4. <message key= "Error.read" > No permission to read information </message>
5.</mapping>
6.<mapping name= "Add" url= "/add.do" >
7. <error>/errorpage.jsp</error>
8. <message key= "Error.add" > No permission to add information </message>
9.</mapping>
10.<mapping name= "Delete" url= "/delete.do" >
One. <error>/errorpage.jsp</error>
<message key= "Error.delete" > no permission to delete information </message>
13.</mapping>
<allmapping>read|add|delete<allmapping>
<mapping name= "read" url= "/read.do" >
<error>/errorpage.jsp</error>
<message key= "Error.read" > No permission to read information </message>
</mapping>
<mapping name= "Add" url= "/add.do" >
<error>/errorpage.jsp</error>
<message key= "Error.add" > No permission to add information </message>
</mapping>
<mapping name= "Delete" url= "/delete.do" >
<error>/errorpage.jsp</error>
<message key= "Error.delete" > no permission to delete information </message>
</mapping>

The user's permissions are ultimately expressed as a binary number, and when the user accesses a URL, if the mapping matches the URL, it checks the user permission binary number of the I bit, if the bit is 1 indicates that the user has this permission, and 0 indicates that the user does not have this permission.

OK, so how do you set user permissions? You can't just give a bunch of binary numbers! Of course not. Here are two ways to set user permissions:

A: User rights are represented by binary number, in the class responsible for the rights management (all the same as validation, there should be a class library) has the GetCode (Mapping-name) method, GetCode returns an n-bit binary string, If the mapping with the name Mapping-name is in the I-bit, then the first bit of this binary number is 1, and the other bits are 0. If the user set the permissions have read and add, using GetCode ("read") and GetCode ("add") to obtain two strings of permission code, then bitwise OR operation to get the user's final permission code, with the above settings, GetCode ("read") return "100", GetCode ("Add") returns "010", the user's permission code is 100|010=110, that is, read and add permissions.

Second: The user rights in decimal numbers, often with Linux friends may prefer this way, because everyone likes to use "chmod 744 filename" Way to set file permissions. In this way, the class responsible for the rights management returns a 10 binary number, the value of the decimal number is equal to the value of the binary number mentioned above, such as binary return 100, decimal is 4 (binary to decimal!) )。 Similar to the above, this time it is not a bitwise OR operation, but a direct add operation.

or set Read and add permissions, GetCode ("read") returns 4,getcode ("Add") returns 2, and the representation of the user right is 2+4=6.

The above is the overall scheme, in the concrete implementation, with a long integer representation of the permissions. An interface has also been designed:

Java code
1.privilege{
2. Public long Getprivilege ()
The 3.}//user object should implement this interface so that in the filter we use the
4.Privilege p= (Privilege) session.getattribute ("User");
5.p.getprivilege ();

privilege{
Public long Getprivilege ()
The}//user object should implement this interface so that in the filter we use the
Privilege p= (Privilege) session.getattribute ("User");
P.getprivilege (); You can get permission codes.
Other details There are URLs that can use regular expressions, and if a user requests a URL that matches more than one configuration item, only the user's permissions match all of the requirements to be counted. This is also a bit safer. For URLs that are not configured, the default does not require any permissions, that is, anyone can access it.

At the front desk, we don't typically show hyperlinks that you don't want users to see. For example, for a user who only publishes news, he does not want him to see the link to delete the news. My plan is to design a tag <privilege> have a URL attribute that represents the URL to be accessed by the following operation. If you delete news:

Java code
1.<privilege url= "/deletenews.do" >other</privilege>
<privilege url= "/deletenews.do" >other</privilege>
The approximate implementation of the tag is to obtain the current user permission code and obtain the permission code for the URL in the configuration file. If the current user's permissions are not sufficient to access the URL, then skipbody, otherwise eavlbody. (You can save a bunch of if).

How to resolve site multiuser rights management