在进行springMVC进行J2EE项目开发时,spring及第三方的如Shiro等为我们快速实现某个功能提供了注解标签,配置和使用都及其简单
但在某些情况下,需要根据项目需要,自定义某些功能时就会用到今天讲到的自定义标签
以进行简单的权限拦截为例来进行讲解
当某个controller中的方法,需要具有某个权限或者角色的人员才能执行时,我们分如下几步进行自定义的权限拦截
第一步:定义注解标签
1 package net.zicp.xiaochangwei.web.annotation;
2
3 import java.lang.annotation.Documented;
4 import java.lang.annotation.ElementType;
5 import java.lang.annotation.Retention;
6 import java.lang.annotation.RetentionPolicy;
7 import java.lang.annotation.Target;
8
9 /**
10 *
11 * @author xiaochangwei
12 * 自定义权限标签
13 */
14 @Target(ElementType.METHOD)
15 @Retention(RetentionPolicy.RUNTIME)
16 @Documented
17 public @interface SelfPermission {
18 String value() default "";
19 }
第二步:在xml中配置interceptor
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<bean class="net.zicp.xiaochangwei.web.interceptors.SelfPermissionInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
第三步:实现对应的interceptor bean
package net.zicp.xiaochangwei.web.interceptors;
import java.lang.annotation.Annotation;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.zicp.xiaochangwei.web.annotation.SelfPermission;
import net.zicp.xiaochangwei.web.common.Result;
import net.zicp.xiaochangwei.web.entity.Permission;
import net.zicp.xiaochangwei.web.entity.Role;
import org.apache.commons.collections4.IterableUtils;
import org.apache.commons.collections4.Predicate;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
/**
* 对有@SelfPermission标签的方法进行拦截,模拟进行权限检查
*
* @author xiaochangwei
*
*/
public class SelfPermissionInterceptor implements HandlerInterceptor {
@Autowired
private RedisTemplate<String, String> redisTemplate;
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
request.setCharacterEncoding("UTF-8");
response.setCharacterEncoding("UTF-8");
if (handler instanceof HandlerMethod) {
HandlerMethod handlerMethod = (HandlerMethod) handler;
SelfPermission permission = getAnnotation(handlerMethod, SelfPermission.class);
if (permission != null) {
try {
return checkPermission(permission.value());
} catch (Exception e) {
Result result = new Result("120001", "没得权限", Result.Status.ERROR);
response.setContentType("text/plain;charset=UTF-8");
response.getWriter().write(JSONObject.toJSONString(result));
return false;
}
}
}
return true;
}
@Override
public void afterCompletion(HttpServletRequest arg0,
HttpServletResponse arg1, Object arg2, Exception arg3)
throws Exception {
}
@Override
public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
Object arg2, ModelAndView arg3) throws Exception {
}
public boolean checkPermission(final String permissionCode)
throws Exception {
String cachedRole = redisTemplate.opsForValue().get("role1");
if (cachedRole != null) {
System.out.println("缓存中找到权限数据");
Role jrole = JSON.parseObject(cachedRole, Role.class);
boolean result = IterableUtils.matchesAny(jrole.getPermissions(),
new Predicate<Permission>() {
public boolean evaluate(Permission p) {
return permissionCode.equals(p.getPermission());
}
});
if (!result) {
throw new Exception("没得权限");
}
return result;
} else {
System.out.println("缓存中没有找到权限数据");
return false;
}
}
private <T extends Annotation> T getAnnotation(HandlerMethod handlerMethod,
Class<T> clazz) {
T annotation = handlerMethod.getMethodAnnotation(clazz);
if (annotation != null) {
return annotation;
}
annotation = AnnotationUtils.findAnnotation(handlerMethod.getBeanType(), clazz);
return annotation;
}
}
HandlerInterceptor用于拦截,如果有多个的时候,只有上一个返回true才会继续下一个的执行
原理很简单,就是根据xml中配置,当其扫描路径下的方法被执行时,检查其上有个没有定义的注解,如果没有放行,如果有就根据逻辑判断确定返回true或者false
true表示验证成功
false表示验证失败
同理,我们还可以自定义jsp标签在页面上使用,如有权限才显示相应的东西,前后端必须一同控制才行,如果只前端判断后端不处理会被绕过,而只后台判断前端不处理又不友好
直接贴代码了
1.自定义标签的实现类,很简单,继承TagSupport
package net.zicp.xiaochangwei.web.tag;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import net.zicp.xiaochangwei.web.entity.Permission;
import net.zicp.xiaochangwei.web.entity.Role;
import net.zicp.xiaochangwei.web.utils.Constant;
import net.zicp.xiaochangwei.web.utils.SpringBeanUtil;
import org.apache.commons.collections4.IterableUtils;
import org.apache.commons.collections4.Predicate;
import org.springframework.data.redis.core.RedisTemplate;
import com.alibaba.fastjson.JSON;
/**
* @author 肖昌伟 E-mail:317409898@qq.com
* @version 创建时间:2016年9月18日 上午11:45:06
*
*/
public class HasPermissionTag extends TagSupport {
private static final long serialVersionUID = 1L;
private RedisTemplate<String, String> redisTemplate;
String name = null;
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public int doStartTag() throws JspException {
try {
return isPermitted();
} catch (Exception e) {
e.printStackTrace();
}
return TagSupport.SKIP_BODY;
}
public int isPermitted() throws Exception{
String p = getName();
boolean show = checkPermission(p);
if (show) {
return TagSupport.EVAL_BODY_INCLUDE;
} else {
return TagSupport.SKIP_BODY;
}
}
@SuppressWarnings("unchecked")
public boolean checkPermission(final String permissionCode)
throws Exception {
redisTemplate = (RedisTemplate<String, String>) SpringBeanUtil.getBean("redisCache");
String cachedRole = redisTemplate.opsForValue().get(Constant.ROLE+"1");
if (cachedRole != null) {
System.out.println("缓存中找到权限数据");
Role jrole = JSON.parseObject(cachedRole, Role.class);
boolean result = IterableUtils.matchesAny(jrole.getPermissions(),
new Predicate<Permission>() {
public boolean evaluate(Permission p) {
return permissionCode.equals(p.getPermission());
}
});
if (!result) {
throw new Exception("没得权限");
}
return result;
} else {
System.out.println("缓存中没有找到权限数据");
return false;
}
}
}
2.定义tld文件,直接放在WEB-INF下即可,其它路径请在web.xml中配置好
<?xml version="1.0" encoding="UTF-8" ?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
version="2.0">
<description>权限自定义标签库</description>
<tlib-version>1.0</tlib-version>
<short-name>PermissionTagLibrary</short-name>
<uri>http://xiaochangwei.com/tags</uri>
<tag>
<description>这个标签的作用是用来判断有没有权限</description>
<name>hasPermission</name>
<!-- 标签对应的处理器类-->
<tag-class>net.zicp.xiaochangwei.web.tag.HasPermissionTag</tag-class>
<body-content>JSP</body-content>
<attribute>
<name>name</name>
<required>true</required>
<rtexprvalue>true</rtexprvalue>
</attribute>
</tag>
</taglib>
3.页面使用
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ taglib uri="http://xiaochangwei.com/tags" prefix="permission" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="shortcut icon" href="/favicon.ico" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>网站首页</title>
</head>
<body>
<permission:hasPermission name="viewInfo">有权限<br/><br/></permission:hasPermission>