Springmvc+annotation implementation method, Button-level fine-grained permission control

Source: Internet
Author: User


The commonly used permission system design pattern is role-centric, where a role is a collection of users who share the same permissions:

1. A role can have multiple operators, and an operator can also belong to multiple roles.

2. A role can hold operation permissions for multiple functions, and a function can also be owned by multiple roles.

By querying the user's roles at login, you obtain the complete set of functions that user may access, such as:



Most business systems design their page function menus with three standard levels: a first-level menu, a second-level menu and a third-level menu. The first and second levels are usually only used to classify functions and do not correspond to access addresses; the third-level menu is the real entry point of a function. A typical permission system controls access by showing or hiding each user's corresponding function menus. To achieve fine-grained permission control, a fourth layer can be added when designing the menu: page elements. These are subordinate to the third-level function menus and identify each function button on a feature page, such as add, modify, delete and query, all of which can be treated as page elements. When permissions are assigned to a role, this fourth layer is also brought into unified permission management: a page element is displayed if the role has permission for it and hidden if it has no permission for that element.


Hiding a function or page in the foreground is not enough for users without permission: the backend must also authorize each request, otherwise an operator can bypass the page and reach the function directly by typing its URL, which creates a permission bypass vulnerability. This can be implemented easily with Spring MVC plus annotations; the code is as follows:

Step one: Create a Spring MVC interceptor that intercepts all feature requests requiring permission validation

<!-- Enable annotations -->
<mvc:annotation-driven/>

<!-- Static resource access -->
<mvc:resources location="/static/" mapping="/static/**"/>

<!-- Interceptors -->
<mvc:interceptors>
    <!-- Multiple interceptors are executed in order -->
    <mvc:interceptor>
        <!-- If not configured, or configured as /**, all controllers are intercepted -->
        <mvc:mapping path="/**"/>
        <!-- Do some general processing before the FreeMarker view is displayed -->
        <bean class="xx.xxxx.core.web.FreeMarkerViewInterceptor"></bean>
    </mvc:interceptor>
</mvc:interceptors>

Step two: Create an annotation class that acts at the method level and is used to pass in the feature ID

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface Permission {
    /**
     * Feature ID: the function ID of the corresponding record in the database.
     * @return the function ID
     * @version V1.0.0
     * @date Jan, 4:59:35 PM
     */
    String value();
}

Step three: Establish a one-to-one relationship between the function IDs in the database and the execution methods by means of static constants

public class FuncConstants {
    /**
     * System Management - Role management - Add role
     */
    public final static String XTGL_JSGL_ADDJS = "4399d98bb0d84114acb5693081e83bc9";

    /**
     * System Management - Department management - Department list
     */
    public final static String XTGL_BMGL_BMLIST = "dbc4bf80f8b6418788b79de204d37932";
}

Step four: Verify permissions in the Spring MVC interceptor

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * FreeMarker view interceptor: does some general processing before the page is displayed.
 * @version V1.0.0
 * @date Dec, 4:20:04 PM
 */
public class FreeMarkerViewInterceptor extends HandlerInterceptorAdapter {

    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) throws Exception {
    }

    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView view) throws Exception {
        String contextPath = request.getContextPath();
        if (view != null) {
            request.setAttribute("base", contextPath);
        }
    }

    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // Handle the @Permission annotation to implement method-level permission control.
        // The interceptor is mapped to /**, so non-controller handlers (e.g. the static
        // resource handler) also pass through here; they carry no annotation.
        if (!(handler instanceof HandlerMethod)) {
            return true;
        }
        HandlerMethod method = (HandlerMethod) handler;
        Permission permission = method.getMethodAnnotation(Permission.class);
        // null means the method does not require permission validation
        if (permission == null) {
            return true;
        }
        // Verify that the current user holds the permission
        if (!WebUtil.hasPower(request, permission.value())) {
            response.sendRedirect(request.getContextPath() + "/business/nopermission.html");
            return false;
        }
        return true; // Note: you must return true here, otherwise the request stops
    }
}
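As an added example (not code from the original post), here is how a controller guarded by the annotation and the WebUtil.hasPower helper the interceptor calls could look. It assumes that the user's full set of function IDs is stored in the session at login, as described above; the session attribute name, storePermissions, RoleController and its request paths are assumptions.

```java
// File: WebUtil.java (assumed helper; the original post does not show it)
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class WebUtil {
    // Assumed session attribute holding the union of function IDs of all the user's roles
    public static final String PERMISSION_ATTR = "userFuncIds";

    /** Called once at login, after the user's roles have been queried. */
    public static void storePermissions(HttpSession session, Set<String> funcIds) {
        session.setAttribute(PERMISSION_ATTR, new HashSet<String>(funcIds));
    }

    /** True only when the current session holds the given function ID (fails closed). */
    @SuppressWarnings("unchecked")
    public static boolean hasPower(HttpServletRequest request, String funcId) {
        HttpSession session = request.getSession(false); // never create a session here
        if (session == null || funcId == null) {
            return false;
        }
        Object attr = session.getAttribute(PERMISSION_ATTR);
        Set<String> funcIds = attr instanceof Set
                ? (Set<String>) attr : Collections.<String>emptySet();
        return funcIds.contains(funcId);
    }
}

// File: RoleController.java (assumed controller using the FuncConstants from step three)
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/business/role")
public class RoleController {

    // Bound to "System Management - Role management - Add role"; the interceptor
    // redirects to nopermission.html unless the session holds this function ID.
    @Permission(FuncConstants.XTGL_JSGL_ADDJS)
    @RequestMapping("/add")
    public String addRole() {
        return "role/add";
    }

    // No @Permission: the interceptor lets this through, so only annotated methods
    // are checked and every protected entry point must carry the annotation.
    @RequestMapping("/list")
    public String listRoles() {
        return "role/list";
    }
}
```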

At this point, the fine-grained permission system based on button-level and method-level validation is complete!
