spring aop实现权限控制

spring aop 拦截业务方法，实现权限控制

难点：aop类是普通的java类，session是无法注入的，那么在有状态的系统中如何获取用户相关信息呢，session是必经之路啊，获取session就变的很重要。思索很久没有办法，后来在网上看到了解决办法。

思路是：

i. SysContext 成员变量 request,session,response

ii. Filter 目的是给 SysContext 中的成员赋值

iii.然后在AOP中使用这个SysContext的值

要用好，需要理解 ThreadLocal和 和Filter 执行顺序

1.aop获取request，response，session等

[java] view
plain copy

public class SysContext {

private static ThreadLocal<HttpServletRequest> requestLocal=new ThreadLocal<HttpServletRequest>();

private static ThreadLocal<HttpServletResponse> responseLocal=new ThreadLocal<HttpServletResponse>();

public static HttpServletRequest getRequest(){

return requestLocal.get();

}

public static void setRequest(HttpServletRequest request){

requestLocal.set(request);

}

public static HttpServletResponse getResponse(){

return responseLocal.get();

}

public static void setResponse(HttpServletResponse response){

responseLocal.set(response);

}

public static HttpSession getSession(){

return (HttpSession)(getRequest()).getSession();

}

}

2.添加过滤器

[java] view
plain copy

public class GetContextFilter implements Filter{

@Override

public void destroy() {

}

@Override

public void doFilter(ServletRequest request, ServletResponse response,

FilterChain chain) throws IOException, ServletException {

SysContext.setRequest((HttpServletRequest)request);

SysContext.setResponse((HttpServletResponse)response);

chain.doFilter(request, response);

}

@Override

public void init(FilterConfig config) throws ServletException {

}

}

3.配置web.xml

将这部分放置在最前面，这样可以过滤到所有的请求

[html] view
plain copy

<filter>

<filter-name>sessionFilter</filter-name>

<filter-class>com.unei.filter.GetContextFilter</filter-class>

</filter>

<filter-mapping>

<filter-name>sessionFilter</filter-name>

<url-pattern>*</url-pattern>

</filter-mapping>

4.spring aop before

从session中取出用户名，如果不存在，抛出异常跳转，将错误信息放到request中

[java] view
plain copy

@Aspect

public class AdminAspect {

ActionContext context = ActionContext.getContext();

HttpServletRequest request;

HttpServletResponse response;

@Before("execution(* com.unei.Action.AdminAction.getPrivileges(..))")

public void adminPrivilegeCheck()

throws Throwable {

HttpSession session = SysContext.getSession();

request = SysContext.getRequest();

response = SysContext.getResponse();

String userName = "";

try {

userName = session.getAttribute("userName").toString();

if(userName==null||userName.equals(""))

throw new Exception("no privilege");

} catch (Exception ex) {

request.setAttribute("msg", "{\"res\":\"" + "无权限" + "\"}");

try {

request.getRequestDispatcher("/jsp/json.jsp").forward(

request, response);

} catch (ServletException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

}

}

}

5.applicationContext.xml

[html] view
plain copy

<bean id="adminAspect" class="com.unei.aop.AdminAspect"></bean>

分类: JAVA
WEB总结