Permission control scheme--based on URL interception

Source: Internet
Author: User

Overview:

An important problem to consider during system development is permissions, which is one category of security issue. We require users to log in to the system, and we control which system resources a user can reach, so that each user can only access the resources that were allocated to them in advance. A resource here can be a URL address, but it can also be a menu or a button on a page. There are many schemes for controlling permissions; this page describes an implementation based on URL interception.

Basic Flow:

Permission control can be divided into two steps: authentication and authorization.

Authentication: when the user logs in to the system, the user's identity information is verified.

Authorization: after a successful login, the user is granted the set of resources that they may access, and each later request is checked against that set.

Flowchart: the user authentication and authorization process is abstracted into the following flowchart:


Generic Model:

From the requirements for permission control we can extract the following data model:

Subject: a user, a program, etc., with attributes such as account and password.

Resource: URLs, menus, buttons, etc.

Role: to make the relationship between subjects and resources easier to manage, a role entity is usually placed between them. A role groups subjects; by assigning resources to roles rather than to individual subjects, both the subjects and their corresponding resources become easier to manage (extend and modify).

The model structure looks like this:


Implementation process:

1. Define the user identity and basic operations:

Here we create a user identity entity ActiveUser, which holds the user's identity information (and, as used in step 5, the list of permissions granted to the user). After a successful login the identity information is stored in the session. Two practical caveats: invalidate the old session, or call request.changeSessionId() on Servlet 3.1+, before storing ActiveUser, so that a session id fixed by an attacker before login is not promoted to an authenticated session; and remove the one-time captcha from the session once it has been checked, so it cannot be replayed.

```java
// User login request
@RequestMapping("/loginsubmit")
public String loginsubmit(HttpSession session, String usercode, String password, String randomcode)
        throws Exception {
    // Verification code: fetch the correct code from the session
    String validateCode = (String) session.getAttribute("validateCode");
    // Guard against a missing session value or a missing request parameter (avoids a NullPointerException)
    if (validateCode == null || !validateCode.equals(randomcode)) {
        // Throw exception: captcha error
        throw new CustomException("Wrong captcha!");
    }
    // User identity authentication
    ActiveUser activeUser = sysService.authenticat(usercode, password);
    // Login succeeded: record the user information in the session
    session.setAttribute("activeUser", activeUser);
    // Redirect to the home page
    return "redirect:first.action";
}

// Logout request
@RequestMapping("/logout")
public String logout(HttpSession httpSession) throws Exception {
    // Clear the session
    httpSession.invalidate();
    return "redirect:first.action";
}
```

2. Public access address configuration:

Addresses that can be accessed without user authentication are listed in a configuration file, which the interceptors read later to make their decision.

```properties
# Public (anonymous) access addresses
login.action=Login page
loginsubmit.action=Login request
```

3. Common access address configuration:

Addresses that any authenticated user may access, regardless of the permissions assigned to them, are configured in the same way and read later by the interceptors.

```properties
# Common access addresses (any logged-in user)
first.action=Home page
logout.action=Logout
```

4. The authentication interceptor:

The authentication interceptor checks the user's identity information: a request for a public address is released, a request from a user who is already logged in is released, and any other request is forwarded to the login page.

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class LoginInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // Check whether the requested address is a public (anonymous) resource
        List<String> open_urls = ResourcesUtil.gekeyList("anonymousURL");
        // URL the user is accessing
        String url = request.getRequestURI();
        for (String open_url : open_urls) {
            if (url.indexOf(open_url) >= 0) {
                // Public address: release the request
                return true;
            }
        }
        // Has the user logged in successfully?
        HttpSession session = request.getSession();
        ActiveUser activeUser = (ActiveUser) session.getAttribute("activeUser");
        if (activeUser != null) {
            // User already authenticated: release the request
            return true;
        }
        // Otherwise forward to the login page
        request.getRequestDispatcher("/WEB-INF/jsp/login.jsp").forward(request, response);
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) throws Exception {
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
            Exception ex) throws Exception {
    }
}
```

5. The authorization interceptor:

The authorization interceptor checks whether the user may access the requested resource: public and common addresses are released, and otherwise the requested URL must appear in the permission list held in ActiveUser; if it does not, the request is forwarded to the refusal page. Note that both interceptors compare with indexOf()/contains(), so a request is released whenever its URI merely contains a configured address as a substring; exact matching against a normalized path is the safer choice.

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

public class PermissionInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String url = request.getRequestURI();
        // Check whether the requested address is a public (anonymous) resource
        List<String> open_urls = ResourcesUtil.gekeyList("anonymousURL");
        for (String open_url : open_urls) {
            if (url.indexOf(open_url) >= 0) {
                // Public address: release the request
                return true;
            }
        }
        // Check whether the requested address is a common (any logged-in user) resource
        List<String> common_urls = ResourcesUtil.gekeyList("commonURL");
        for (String common_url : common_urls) {
            if (url.indexOf(common_url) >= 0) {
                // Common address: release the request
                return true;
            }
        }
        HttpSession session = request.getSession();
        ActiveUser activeUser = (ActiveUser) session.getAttribute("activeUser");
        if (activeUser == null) {
            // No logged-in user (LoginInterceptor normally runs first); deny instead of a NullPointerException
            request.getRequestDispatcher("/WEB-INF/jsp/login.jsp").forward(request, response);
            return false;
        }
        // Get the user's permission list
        List<SysPermission> permission_list = activeUser.getPermissions();
        // Verify that the requested address is within the user's permissions
        for (SysPermission sysPermission : permission_list) {
            String permission_url = sysPermission.getUrl();
            if (url.contains(permission_url)) {
                return true;
            }
        }
        // Forward to the "access denied" page
        request.getRequestDispatcher("/refuse.jsp").forward(request, response);
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView modelAndView) throws Exception {
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
            Exception ex) throws Exception {
    }
}
```

6. Configuring the interceptors:

Register the interceptors in the Spring MVC configuration so that they take effect. They are executed in the order listed, so the authentication interceptor runs before the authorization interceptor.

```xml
<!-- Interceptors -->
<mvc:interceptors>
    <!-- Multiple interceptors are executed in order -->
    <!-- Authentication interceptor -->
    <mvc:interceptor>
        <mvc:mapping path="/**"/>
        <bean class="cn.itcast.ssm.controller.interceptor.LoginInterceptor"></bean>
    </mvc:interceptor>
    <!-- Authorization interceptor -->
    <mvc:interceptor>
        <mvc:mapping path="/**"/>
        <bean class="cn.itcast.ssm.controller.interceptor.PermissionInterceptor"></bean>
    </mvc:interceptor>
</mvc:interceptors>
```
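The interceptors in steps 4 and 5 release a request whenever request.getRequestURI() merely contains a configured address, so a URI such as /ssm/item/deleteItem.action;login.action (Spring MVC strips the ";..." path parameter before mapping the handler, but getRequestURI() still returns it) or one containing a permitted path followed by "/.." would pass the substring check. The class below is an added example, not code from the original page or the itcast project: it decodes the URI, drops path parameters, resolves "." and ".." segments, strips the context path and then matches the canonical path exactly against the configured lists, denying by default. The context path "/ssm", the permission URLs and the sample requests are assumptions made for the demonstration; in the interceptors it would be called as policy.decide(request.getRequestURI(), request.getContextPath(), activeUser != null, permissionUrls).

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Collection;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the original page): canonicalize the request URI and
 * match it exactly against the configured address lists, instead of indexOf().
 * Plain Java so it runs without a servlet container.
 */
public class UrlAccessPolicy {

    public enum Decision { ALLOW_ANONYMOUS, NEED_LOGIN, ALLOW_COMMON, ALLOW_PERMITTED, DENY }

    private final Set<String> anonymousUrls = new HashSet<>();
    private final Set<String> commonUrls = new HashSet<>();

    public UrlAccessPolicy(Collection<String> anonymous, Collection<String> common) {
        for (String u : anonymous) anonymousUrls.add(withSlash(u));
        for (String u : common) commonUrls.add(withSlash(u));
    }

    /** Configured entries such as "login.action" are stored as "/login.action". */
    static String withSlash(String u) {
        return u.startsWith("/") ? u : "/" + u;
    }

    /**
     * Canonical, context-relative path, or null when the URI is malformed or
     * climbs above the web root (the caller treats null as deny).
     */
    static String normalize(String requestUri, String contextPath) {
        String decoded;
        try {
            // '+' must stay literal in a path; URLDecoder would turn it into a space
            decoded = URLDecoder.decode(requestUri.replace("+", "%2B"), "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return null;                            // malformed percent escape
        }
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : decoded.split("/")) {
            int semi = seg.indexOf(';');            // drop path parameters: ";jsessionid=..", ";login.action"
            if (semi >= 0) seg = seg.substring(0, semi);
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (stack.isEmpty()) return null;   // traversal above the web root
                stack.removeLast();
            } else {
                stack.addLast(seg);
            }
        }
        String path = "/" + String.join("/", stack);
        // strip the web application context path, e.g. "/ssm" (assumed value)
        if (!contextPath.isEmpty() && (path.equals(contextPath) || path.startsWith(contextPath + "/"))) {
            path = path.substring(contextPath.length());
            if (path.isEmpty()) path = "/";
        }
        return path;
    }

    public Decision decide(String requestUri, String contextPath, boolean loggedIn, Set<String> permissionUrls) {
        String path = normalize(requestUri, contextPath);
        if (path == null) return Decision.DENY;
        if (anonymousUrls.contains(path)) return Decision.ALLOW_ANONYMOUS;
        if (!loggedIn) return Decision.NEED_LOGIN;
        if (commonUrls.contains(path)) return Decision.ALLOW_COMMON;
        if (permissionUrls.contains(path)) return Decision.ALLOW_PERMITTED;
        return Decision.DENY;                       // default deny
    }

    public static void main(String[] args) {
        UrlAccessPolicy policy = new UrlAccessPolicy(
                Arrays.asList("login.action", "loginsubmit.action"),
                Arrays.asList("first.action", "logout.action"));
        // hypothetical permission list of the logged-in user, as SysPermission.getUrl() would return it
        Set<String> perms = new HashSet<>(Arrays.asList("/item/queryItem.action", "/item/editItem.action"));
        String[] uris = {
                "/ssm/login.action",                              // ALLOW_ANONYMOUS
                "/ssm/item/queryItem.action",                     // ALLOW_PERMITTED
                "/ssm/item/deleteItem.action",                    // DENY
                "/ssm/item/deleteItem.action;login.action",       // DENY, though indexOf("login.action") would release it
                "/ssm/item/editItem.action/../deleteItem.action", // DENY, though contains("/item/editItem.action") would release it
                "/ssm/item/%71ueryItem.action",                   // ALLOW_PERMITTED after decoding, same handler Spring maps
                "/ssm/../../etc/passwd",                          // DENY (climbs above the root)
        };
        for (String u : uris) {
            boolean substringRelease = u.indexOf("login.action") >= 0 || u.contains("/item/editItem.action");
            System.out.printf("%-48s substring-check releases=%-5b exact=%s%n",
                    u, substringRelease, policy.decide(u, "/ssm", true, perms));
        }
    }
}
```

The decision order matters: anonymous addresses are the only ones released before the login check, common addresses are only released to a logged-in user, and anything not listed is denied. Whether a raw ".." or ";" segment actually reaches the interceptor depends on the servlet container's own normalization, so the canonicalization here is a defence that does not rely on it.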

Summary

This scheme implements authentication and authorization with two interceptors. Its advantage is that it does not depend on a security framework; the interceptors could equally be implemented with a Servlet Filter. Its disadvantage is that the system ends up with a large number of configured URLs, or URLs loaded into the database at initialization, so every change of an access address requires a matching change to the configuration, which makes maintenance relatively difficult.

