Controlling client access is a problem that developers must consider when building a system on a B/S (browser/server) architecture. The configuration-file-based security policy of the JSP and servlet specification controls resources at the level of a file, that is, a view can only be defined as entirely accessible or entirely inaccessible. A more complex system often requires access control for part of a view (such as a button in a JSP page), allowing access only to users of a certain role. Adopting a programmatic security policy may not be a good idea, because user roles and operations are not defined at development time and because this strategy increases the programmer's workload.
I used a custom tag library and a configuration file to solve this problem. The JSP page elements to be controlled, such as a button, become the body of the tag. The protected content is given a unique name, which is passed as an attribute of the tag. Whether a role has permissions on a page element or a group of page elements is described in the XML configuration file.
For example, the following JSP page has two buttons, "detailed" and "Modify".
<%@ taglib uri="http://mytag" prefix="custTag" %>
<title>test</title>
<body>
<form name="Form1">
<table border="0" cellspacing="0" cellpadding="2">
  <tr>
    <td>
      <custTag:JspSecurity elementName="Employeedetail">
        <input type="button" name="detail" value="detailed">
      </custTag:JspSecurity>
      <custTag:JspSecurity elementName="Employeemodify">
        <input type="button" name="Modify" value="Modify">
      </custTag:JspSecurity>
    </td>
  </tr>
</table>
<br>
</form>
</body>
The following XML configuration file says that a user whose role is "Common" has permissions only on the page element named Employeedetail (the detailed button), while a user whose role is "admin" has permissions on both the Employeedetail and Employeemodify page elements, that is, on both buttons.
<?xml version="1.0" encoding="GB2312"?>
<security>
  <HtmlElement name="Employeedetail">
    <RoleName name="Common"/>
    <RoleName name="admin"/>
  </HtmlElement>
  <HtmlElement name="Employeemodify">
    <RoleName name="admin"/>
  </HtmlElement>
</security>
The custom tag class JspSecurityTag extends the BodyTagSupport class. BodyTagSupport has a field bodyContent that holds the content between the start and end tags. JspSecurityTag's private static field roleList stores the pairs of roles and page elements read from the XML file, and the private field elementName holds the name of the page element the tag protects. When the custom tag is processed, it first takes the name of the page element and then the role of the current user; if the role has permissions on the page element, the tag body (that is, the page element) is displayed, otherwise it is not.
package com.presentation.viewhelper;

import javax.servlet.jsp.tagext.*;
import javax.servlet.jsp.*;
import java.util.*;
import org.xml.sax.*;
import org.xml.sax.helpers.*;
import org.w3c.dom.*;
import java.io.*;
import javax.xml.parsers.*;

public class JspSecurityTag extends BodyTagSupport {
    // Pairs of roles and page elements read from the XML file
    private static ArrayList<ElementAndRole> roleList;
    // The name of the page element
    private String elementName;

    public void setElementName(String str) {
        this.elementName = str;
    }

    public int doAfterBody() throws JspException {
        try {
            if (roleList == null) {
                roleList = getList();
            }
            // If the check passes, write out the tag body; otherwise skip it
            if (isAuthentificated(elementName)) {
                if (bodyContent != null) {
                    JspWriter out = bodyContent.getEnclosingWriter();
                    bodyContent.writeOut(out);
                }
            }
        } catch (Exception e) {
            // Covers a missing or malformed Security.xml as well as write errors
            throw new JspException(e.toString());
        }
        return SKIP_BODY;
    }

    // Read the roles and page elements from the XML configuration file
    // and return them as the list that is kept in the static field
    private ArrayList<ElementAndRole> getList() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new File("Security.xml"));
        ArrayList<ElementAndRole> theList = new ArrayList<ElementAndRole>();
        // Read the list of page elements
        NodeList elementList = doc.getElementsByTagName("HtmlElement");
        for (int i = 0; i < elementList.getLength(); i++) {
            Element name = (Element) elementList.item(i);
            // The name of the page element
            String elementName = name.getAttribute("name");
            // The list of roles that have permissions on this page element
            NodeList roleNodeList = name.getElementsByTagName("RoleName");
            for (int j = 0; j < roleNodeList.getLength(); j++) {
                // The name of a role with permissions
                String roleName = ((Element) roleNodeList.item(j)).getAttribute("name");
                theList.add(new ElementAndRole(elementName, roleName));
            }
        }
        return theList;
    }

    // Check whether the current user's role has permissions on the page element
    private boolean isAuthentificated(String elementName) {
        // The user's role is saved to the session at login, so it is read directly from the session here
        String roleName = (String) this.pageContext.getSession().getAttribute("RoleName");
        // If roleList contains an ElementAndRole object whose elementName and roleName
        // match, the role has permissions on that page element
        return roleList.contains(new ElementAndRole(elementName, roleName));
    }

    // An inner class that represents the pairing of a role with a page element
    class ElementAndRole {
        String elementName;
        String roleName;

        public ElementAndRole(String elementName, String roleName) {
            this.elementName = elementName;
            this.roleName = roleName;
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof ElementAndRole)) {
                return false;
            }
            ElementAndRole other = (ElementAndRole) obj;
            return other.elementName.equals(this.elementName)
                && other.roleName.equals(this.roleName);
        }
    }
}
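The role lookup described above can be exercised outside the servlet container to check a configuration before deploying it. The following is an added example, not the article's code: the class name SecurityConfigCheck, the map-based lookup and the inline sample XML (constructed in the layout the tag class reads) are assumptions. It shows that a role spelled with different case, a missing role and a misspelled element name are all denied.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SecurityConfigCheck {
    // Constructed sample in the layout that the tag class reads from Security.xml.
    static final String SAMPLE =
        "<security><HtmlElement name='Employeedetail'>"
      + "<RoleName name='Common'/><RoleName name='admin'/></HtmlElement>"
      + "<HtmlElement name='Employeemodify'><RoleName name='admin'/></HtmlElement>"
      + "</security>";
    // Build a map from page element name to the set of roles permitted on it.
    static Map<String, Set<String>> load(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The file needs no DTD, so refuse DOCTYPE declarations outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, Set<String>> acl = new HashMap<>();
        NodeList elements = doc.getElementsByTagName("HtmlElement");
        for (int i = 0; i < elements.getLength(); i++) {
            Element e = (Element) elements.item(i);
            Set<String> roles = acl.computeIfAbsent(e.getAttribute("name"), k -> new HashSet<>());
            NodeList roleNodes = e.getElementsByTagName("RoleName");
            for (int j = 0; j < roleNodes.getLength(); j++) {
                roles.add(((Element) roleNodes.item(j)).getAttribute("name"));
            }
        }
        return acl;
    }

    // Deny by default: a null role or an unlisted element is never allowed.
    static boolean isAllowed(Map<String, Set<String>> acl, String role, String element) {
        Set<String> roles = acl.get(element);
        return role != null && roles != null && roles.contains(role);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> acl = load(SAMPLE);
        String[][] cases = { {"Common", "Employeedetail"}, {"Common", "Employeemodify"},
            {"admin", "Employeemodify"}, {"common", "Employeedetail"},
            {null, "Employeedetail"}, {"admin", "EmployeeModify"} };
        for (String[] c : cases) {
            System.out.println(c[0] + " -> " + c[1] + " : " + isAllowed(acl, c[0], c[1]));
        }
    }
}
```

The tag only decides what is rendered; the server-side action behind each button needs the same role check, because a request can reach it without the button being shown.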
Before the tag library can be used by JSP pages, take the following three steps:
1. Include a taglib directive in the JSP page to identify the tag library that needs to be loaded into memory. The first line of the JSP file above, <%@ taglib uri="http://mytag" prefix="custTag" %>, does this.
2. Use the taglib element in the configuration file web.xml to specify the location of the TLD file. Add the following to web.xml:
<taglib>
  <taglib-uri>http://mytag</taglib-uri>
  <taglib-location>
    /WEB-INF/mytag.tld
  </taglib-location>
</taglib>
3. The TLD file must use the taglib element to identify each custom tag and its attributes.
The following is the TLD file for this tag library:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE taglib
    PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.1//EN"
    "http://java.sun.com/j2ee/dtds/web-jsptaglibrary_1_1.dtd">
<taglib>
  <tlibversion>1.0</tlibversion>
  <jspversion>1.1</jspversion>
  <shortname>myTag</shortname>
  <uri/>
  <tag>
    <name>JspSecurity</name>
    <tagclass>com.presentation.viewhelper.JspSecurityTag</tagclass>
    <info>
      JspSecurityTag
    </info>
    <attribute>
      <name>elementName</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
    </attribute>
  </tag>
</taglib>