Recommendations on user rights qualification in struts

About the permissions of the Web system problem, there may be many ways, I am here to say some of their own tips, play a role in the discussion, I forget you:

A role in the system contains more than one user, the role and the user is best to use a one-to-many, so as to avoid confusion;

Since the beginning of the system, the system has only one superuser (for example, root) with two default roles, namely, the visitor role and the registered user role;

Superuser can add roles in subsequent administration, the default role cannot be deleted, and if there are users under this role in the deletion of other roles, the roles of those users can be automatically converted to the registered user role if they are not allowed to delete or delete;

The right of each role user to access certain functional modules of the system, whether a role can access a function module can be modified by the Superuser, this also includes the default role of the corresponding permissions module;

The relationship between roles and system modules is many-to-many, that is, a role can access multiple modules, and one module may have multiple roles to access;

We mainly talk about struts, a module contains multiple action,action and modules is a many-to-many relationship;

This way, when a user accesses an action, it maps to a module of the system, which is the system takes out the current user's role to see if the role has access to this module, that is, you can achieve the permissions set in struts;

This process consists mainly of the following pieces:

1. Each module of the system is formed after the system is developed, and the module information is stored in the persistent media.

2. In Struts-config.xml, the configuration of each action has a role attribute, which fills in the name of a module, thus establishing a many-to-many relationship between action and module;

3. The mapping between users, roles, and modules is through the mapping between database tables, and there is no more to say;

4. Extend the Requestprocessor class in struts (note that if you use the tiles framework, you need to inherit another tiles-specific class), and then copy the Processorrole method (other methods are also useful, such as the Preprocess method, You can set the submitted string to be UTF-8, or you can write some of the system's access logs, and so on, in which you can remove the current action's module name and the current user's role so that you can qualify the user's permissions.

This allows for permissions to be limited, the advantage of this method is that even from some places to find downloads or access to some important functions of the link can still intercept, the disadvantage is that each visit needs to be determined, but do the appropriate caching, how to do the cache because of the different systems; If you have special needs can also limit IP, Even a session corresponding to an ID, if the IP is changed immediately destroy the session, to prevent users to paste the SessionID fake users.

Today more dizzy, rarely write such a long article, we have to do to see, what the problem is welcome to point out, I will amend as soon as possible.