Topic: Continued: When using Struts, what approach does everyone use for permission checks???
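1. Continued: When using Struts, what approach does everyone use for permission checks???
Posted by: j1j2 Posted on: 2003-11-21 15:39
A filter is flexible, to be sure, but it can only be configured by pattern and cannot be targeted at each individual Struts action. Subclassing ActionServlet is what we use here, but it can only do a single permission check; multiple permissions are harder to do.
I think permission checking is part of the business logic, but to avoid writing the same code repeatedly, I'm thinking of using Java inheritance, like this: write several Action subclasses that each perform a different permission check.

    import javax.servlet.http.*;
    import org.apache.struts.action.*;

    public abstract class Priv1Action extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception {
            // permission 1 check
            priv(request);
            // business logic
            return business(mapping, form, request, response);
        }

        protected void priv(HttpServletRequest request) throws Exception { /* permission 1 check (body not given in the post) */ }

        protected abstract ActionForward business(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) throws Exception;
    }

Correspondingly there are Priv2Action, Priv3Action ... and so on. Then, when writing each piece of business logic, extend the appropriate PrivNAction as needed and implement its business() method, putting your own business logic there.
The advantage of doing it this way is that every action gets checked with a precise match, no configuration is needed, and it is more flexible.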
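2. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: 老刀 Posted on: 2003-11-21 16:18
If so, why not do the permission check in the business layer? That way there is a single entry point, simple and clear.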
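3. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: j1j2 Posted on: 2003-11-21 17:58
The business layer? I don't understand. By the time you reach the business layer, the session and so on are gone, so how would you check? Can you give an example?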
4. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: floater Posted on: 2003-11-22 00:34
1. Always separate the AA (Authentication and Authorization) from the business logic, at least at the code dependency level.
2. Business logic layer shouldn't care about the session at all; this will free up your business logic classes from any web platform and thus the testing would be much easier and faster.
3. Having said NOs to some approaches, here is the best I can come up with.
- upon login, get both user info and entitlement info into the session.
- before invoking the real action, pass in the entitlement and check authorization.
- This means you either inherit ActionServlet or Action to check (and only check), and then invoke your business class (don't code your business in the Action class).
This approach is not new at all, but one more layer of abstraction to loosen the code dependency, put more springs in between. My 2 cents.
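5. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: floater]
Posted by: 老刀 Posted on: 2003-11-22 15:03
floater wrote:
Agreed. But when your system is fairly large, the permission and verification structures both become extremely complex. You simply cannot predict how many business interfaces the same service or object will expose, and the granularity of permission control is determined by the business interfaces (the container isn't ours :)). The same entry point may be referenced and combined in multiple ways, and doing permission control at every interface call site would probably be a nightmare too.
After the actual business object or service is finished, add a shell layer on top of it; this layer is what does the permission control. As follows:
Business object Car

    // AAException is the poster's authentication/authorization exception (not shown).
    public interface Car {
        public void drive();
        public void fillOil();
    }

    public interface VerifiedCar {
        public void drive() throws AAException;
        public void fillOil() throws AAException;
    }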
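The shell layer from post 5, combined with the point in post 4 that business classes should not see the session, as an added example that is not part of the original thread. It generalizes the hand-written VerifiedCar to any business interface by using a JDK dynamic proxy; VerifiedShellDemo, RealCar, verified(), the entitlement naming scheme and the unchecked AAException are all assumptions made for this example.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Set;

public class VerifiedShellDemo {
    // Business interface and implementation: no session, no servlet types.
    interface Car { void drive(); void fillOil(); }

    static class RealCar implements Car {
        public void drive()   { System.out.println("driving"); }
        public void fillOil() { System.out.println("filling oil"); }
    }

    // Assumption: unchecked, so the business interface keeps its signatures.
    static class AAException extends RuntimeException {
        AAException(String msg) { super(msg); }
    }

    // The shell: wraps any business interface and requires one entitlement per
    // method, named "<Interface>.<method>" (a naming scheme made up for this example).
    @SuppressWarnings("unchecked")
    static <T> T verified(Class<T> iface, T target, Set<String> entitlements) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface },
            (proxy, method, args) -> {
                String needed = iface.getSimpleName() + "." + method.getName();
                if (!entitlements.contains(needed)) {  // deny by default
                    throw new AAException("missing entitlement: " + needed);
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();  // surface the business exception itself
                }
            });
    }

    public static void main(String[] argv) {
        // Constructed sample; the Action would read this set from the session and pass it in.
        Set<String> entitlements = Collections.singleton("Car.drive");
        Car car = verified(Car.class, new RealCar(), entitlements);
        car.drive();
        try {
            car.fillOil();  // "Car.fillOil" is not in the set
        } catch (AAException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Because the handler denies anything not listed, calls such as toString() on the proxy are rejected too unless the set names them.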
6. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: j1j2 Posted on: 2003-11-24 11:31
- This means you either inherit ActionServlet or Action to check (and only check),
So it seems floater does agree with my approach after all.
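7. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: glistar Posted on: 2003-11-25 09:06
Struts provides a permission control mechanism of its own; I wonder whether everyone has noticed it!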
8. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: j1j2 Posted on: 2003-11-25 09:58
No. Tell us about it: how is it done?
9. Re: Continued: When using Struts, what approach does everyone use for permission checks??? [Re: j1j2]
Posted by: floater Posted on: 2003-11-26 00:20
As far as I know there are two different ways for authorization, entitlement-based or role-based. Be careful there, I just got hit by this several weeks ago.