Fine-grained permission control in Struts 2.1 using annotations and interceptors

First, add the Struts 2.1 libraries, and in particular the Convention Plugin.

This article is only a simple simulation, so we create two JSP files, one for login and one for logout.
login.jsp
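<%@ page language="java" pageEncoding="GB18030"%>

<%
// Simulated login: store a fixed user and that user's permission in the session
pageContext.getSession().setAttribute("user","huashui");
pageContext.getSession().setAttribute("rights","TEST_AUTH");
%>
<%-- "Login succeeded" --%>
登录成功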

logout.jsp

<%@ page language="java" pageEncoding="GB18030"%>

<%
// Simulated logout: drop the user and the permission from the session
pageContext.getSession().removeAttribute("user");
pageContext.getSession().removeAttribute("rights");
%>
<%-- "Logout succeeded" --%>
退出成功

index.jsp

<%@ page language="java" pageEncoding="GB18030"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
        <head>
                <%-- "Home page" --%>
                <title>主页</title>
        </head>
        <body>
                <%-- Message set by the interceptor when access is refused --%>
                <p>
                        ${tip }
                </p>
                <%-- Links: "Log in", "Log out", "Protected page" --%>
                <a href="login.jsp">登录</a>
                <br />
                <a href="logout.jsp">退出</a>
                <br />
                <a href="admin/test.action">权限页面</a>
        </body>
</html>

With these three pages in place, we can start writing the annotation.

package org.huashui.authentication;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/**
 * @author Huashui
 * @blog http://huashui.org
 */
@Retention(RetentionPolicy.RUNTIME) // keep the annotation available at runtime so it can be read by reflection
@Target({ElementType.METHOD}) // the annotation may only be placed on methods
public @interface AuthName {
        String value() default "";

}

An annotation does nothing on its own; what makes it take effect is a parser on the server side that reads it. Next we write that parser.

package org.huashui.authentication;

import java.lang.reflect.Method;

/**
 * @author huashui
 * @blog http://huashui.org
 */
public class ParseAuthName {
        public static String parseAuthentication(Class<?> clazz, String methodName,
                        Class<?>... parameterTypes) throws NoSuchMethodException {
                // Look up the public method by name; getMethod throws
                // NoSuchMethodException (it never returns null) if there is no such method
                Method method = clazz.getMethod(methodName, parameterTypes);

                // Return the permission name declared by @AuthName,
                // or null if the method is not annotated
                AuthName authName = method.getAnnotation(AuthName.class);
                if (null != authName) {
                        return authName.value();
                }

                return null;
        }
}

Next, write the interceptor.

package org.huashui.interceptor;

import org.huashui.authentication.ParseAuthName;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ActionProxy;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * @author huashui
 * @blog http://huashui.org
 */
@SuppressWarnings("serial")
public class AuthInterceptor extends AbstractInterceptor {

        @Override
        public String intercept(ActionInvocation invocation) throws Exception {
                ActionContext context = invocation.getInvocationContext();
                String user = (String) context.getSession().get("user");
                String rights = (String) context.getSession().get("rights");
                if (null != user) {
                        ActionProxy proxy = invocation.getProxy();
                        String methodName = proxy.getMethod();
                        Object action = proxy.getAction();
                        String auth = null;
                        try {
                                // Read the permission required by the action method (no-argument method)
                                auth = ParseAuthName.parseAuthentication(action.getClass(),
                                                methodName);

                        } catch (NoSuchMethodException e) {
                                e.printStackTrace();
                                // tip: "no permission"
                                ActionContext.getContext().put("tip", "没有权限");
                                return Action.LOGIN;
                        }

                        if (null != auth) {
                                // Compare the required permission with the one stored in the
                                // session at login, not with a hard-coded constant
                                if (auth.equals(rights)) {
                                        return invocation.invoke();
                                }
                        }
                        // Method without @AuthName, or permission not held: deny. tip: "no permission"
                        ActionContext.getContext().put("tip", "没有权限");
                        return Action.LOGIN;
                } else {
                        // tip: "not logged in"
                        ActionContext.getContext().put("tip", "没有登录");
                        return Action.LOGIN;
                }

        }

}

Next, configure the interceptor.

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">

<struts>
        <package name="huashui-default" namespace="/admin"
                extends="struts-default">
                <interceptors>
                        <interceptor name="auth"
                                class="org.huashui.interceptor.AuthInterceptor">
                        </interceptor>
                        <interceptor-stack name="authdefault">
                                <interceptor-ref name="defaultStack"></interceptor-ref>
                                <interceptor-ref name="auth"></interceptor-ref>
                        </interceptor-stack>
                </interceptors>
                <default-interceptor-ref name="authdefault"></default-interceptor-ref>
        </package>
</struts>

With that configured, we write an Action to test it.

package org.huashui.action;

import org.apache.struts2.convention.annotation.Action;
import org.apache.struts2.convention.annotation.Namespace;
import org.apache.struts2.convention.annotation.ParentPackage;
import org.apache.struts2.convention.annotation.Result;
import org.huashui.authentication.AuthName;

/**
 * @author 曾华水
 * @email [email protected]
 */
@ParentPackage("huashui-default")
@Namespace("/admin")
public class UserListAction {

        // The interceptor lets this method run only for a session holding TEST_AUTH
        @AuthName(value = "TEST_AUTH")
        @Action(value = "test", results = {
                        @Result(name = "success", location = "/WEB-INF/content/success.jsp"),
                        @Result(name = "login", location = "/index.jsp")

        })
        public String execute() {
                return com.opensymphony.xwork2.Action.SUCCESS;
        }

}

Done.
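The decision the interceptor makes, as a stand-alone added example (not the original author's code) that runs without Struts: the permission named by @AuthName is compared with the rights held in the session, and anything else is denied by default. It goes beyond the article by allowing several rights per session; the names AuthCheckDemo and DemoAction, the USER_ADMIN permission and the comma-separated format of "rights" are assumptions made for the illustration.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.HashSet;
import java.util.Set;

public class AuthCheckDemo {
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AuthName { String value() default ""; }

    // Constructed stand-in for an action class (hypothetical, not from the article).
    public static class DemoAction {
        @AuthName("TEST_AUTH") public String execute() { return "success"; }
        @AuthName("USER_ADMIN") public String delete() { return "success"; }
        public String unannotated() { return "success"; }
    }

    // Assumption: the session attribute "rights" holds a comma-separated list.
    static Set<String> parseRights(String rights) {
        Set<String> granted = new HashSet<>();
        if (rights != null) {
            for (String r : rights.split(",")) {
                if (!r.trim().isEmpty()) granted.add(r.trim());
            }
        }
        return granted;
    }

    // True only if the user is logged in, the method names a permission, and the session grants it.
    static boolean isAllowed(Class<?> action, String method, String user, String rights) {
        if (user == null) return false;                       // not logged in
        try {
            AuthName required = action.getMethod(method).getAnnotation(AuthName.class);
            if (required == null || required.value().isEmpty()) return false; // default deny
            return parseRights(rights).contains(required.value());
        } catch (NoSuchMethodException e) {
            return false;                                     // unknown method: deny
        }
    }

    public static void main(String[] args) {
        Class<?> a = DemoAction.class;
        System.out.println("execute, rights=TEST_AUTH: " + isAllowed(a, "execute", "huashui", "TEST_AUTH"));
        System.out.println("delete, rights=TEST_AUTH: " + isAllowed(a, "delete", "huashui", "TEST_AUTH"));
        System.out.println("unannotated method: " + isAllowed(a, "unannotated", "huashui", "TEST_AUTH"));
        System.out.println("no session user: " + isAllowed(a, "execute", null, null));
    }
}
```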
