Implement access control of JSP page elements with custom label libraries and profiles

xiaoxiao2021-03-06 38

Controling client access is a problem that developers who developed a B / S-based architecture must consider.

The JSP or Servlet specification based on the configuration file-based security policy is based on files, ie, only one view can be defined or all cannot be accessed. A more complex system often requires part of the view (such as

A button in the JSP page provides access control, allowing only user access to a role. If a programmable security policy is used, because the definition of user roles and operations cannot be defined when developing, and this strategy has increased the programmer's workload, it may not be a good way.

I use custom labels and and configuration files to solve this problem: control the right to control

JSP page elements such as Button, as the content of the label. Get a unique name for protected content, using this name as an attribute of the label. A role has permissions to a page element or a set of page elements, described in the XML configuration file.

For example, below

The JSP page has "Details" and "Modify" two buttons.

<% @ Taglib URI =

"http:// mytag

"Prefix =

Custtag

"%>

test </ title> </ hEAD> <body> <form name = "Form1 "> <Table Width = "600 "Border = "0 "Cellspacing = "0 "Cellpadding = "2 "> <tr> <TD> <CustTag: Jspsecurity ElementName = Employeedetail "> <Input Type = "Button "Name = "detail " Value = "detailed "> </ custtag: Jspsecurity> <CustTag: Jspsecurity ElementName = Employeemodify "> <Input Type = "Button "Name = "MODIFY " Value = "modify "> </ custtag: Jspsecurity> </ td> </ TR> </ TABLE> </ form> </ body> The following XML configuration file content represents a user who is a Common, only the "Detailed" button named Employeedetail, which is permission, the role "admin", the page element named Employeedetail and Employeemodify is two The button has permission. <? XML Version = "1.0 "ENCoding = "GB2312 "?> <security> <HTMLELEMENT NAME = Employeedetail "> <ROLENAME NAME = "Common "/> <ROLENAME NAME = ADMIN "/> </ Htmlelement> <HTMLELEMENT NAME = Employeemodify "> <ROLENAME NAME = ADMIN "/> </ htmlelement> </ security> Custom label JspsecurityTAG inherits the Bodytagsupport class. Bodytagsupport has a variable bodycontent pointing between the starting flag and the end flag. JSPSecurityTag's private static variable RoleList saves the corresponding set of roles and page elements from the XML file, the name of the private variable ElementName corresponds to the name of the page element. When parsing the custom label, first take the name of the page element, then take the role of the current user, if the character has the permissions of the page element, the tag body (ie, the page element) is displayed, otherwise it is not displayed. Pagekage com.presentation.view .view .view.Viewhelper. Jspsecuritytag; Import javax.servlet. Jsp.tagext. *; Import javax.servlet. JSP. *; Import java.util. *; Import org.xml.sax. *; Import org.xml.sax.helpers. *; Import org.w3c.dom. *; Import java.io. *; Import javax.xml.parsers. *; Public class JspsecurityTag Extends Bodytagsupport { / / Save correspondence from the XML file to the role and page elements Private static arraylist rolelist; // Name of page elements PRIVATE STRING ElementName; Public void setElementName (String STR) { This.ElementName = STR; } Public int dressboDy () throws JSPEXCEPTION { IF (RoleList == Null) { RoleList = getList (); } Try { / / If the authentication is displayed, it will be as simple as the label body. IF (isauthenticated (ElementName)) { IF (BodyContent! = null) { Jspwriter out = bodycontent.getenclosingwriter (); BodyContent.writeout (out); Else { } } } catch (exception e) { Throw new JSPEXCEPTION (); } Return Skip_body; } // Take the corresponding role and page elements from the XML configuration file, save to static arraylist Private arraylist getList () { DocumentBuilderFactory DBF = DocumentBuilderFactory.newInstance (); DocumentBuilder DB = NULL; Document Doc = NULL; Nodelist childlist = NULL; String elementname; String rolename; Int index; Arraylist thelist (); Try { DB = dbf.new DocumentBuilder ();} catch (Exception E) { E.PrintStackTrace (); } Try { DOC = db.parse (New file SECURITY.XML ")); } catch (Exception E) { E.PrintStackTrace (); } // Read page elements list Nodelist elementlist = doc.getElementsBytagname HTMLELEMENT "); For (int i = 0; I <elementlist.getlength (); i ) { Element name = (Element) ElementList.Item (i)); // Name of page elements ElementName = Name.GetaTRibute "Name "); // This page element corresponds to a list of permissions Nodelist rolnodelist = ((nodelist) Name.GetElementsBytagname RoleName ")); For (int J = 0; j <rolnodelist.getLength (); J ) { // Name of the role with permissions // ROLENAME = ((Element) Rolnodelist.Item (j)). getnode Value (); ROLENAME = (Element) Rolnodelist.Item (j)). GetAttribute ( "Name "); Thelist.add (New ElementAndrole (ElementName, RoleName); } } Return thelist; } / / Check if the role has the permission of the page element Private Boolean isauthentificated (String ElementName) { String rolename = " " // Save the role of the user to the session when the user logs in, here is only used directly from the session. Rolename = this.pageContext.getations (). getAttribute ( "ROLENAME"); // RoleList contains the ELEMENTNAME attribute as the // ElementAndrole object with the ROLENAME, the role is the permission of the page element. IF (New ElementAndrole (ElementName, RoleName))))) { Return True; } } Return False; } / / Indicate the internal class of the corresponding relationship of the role and page elements Class ElementAndrole { String elementname; String rolename; Public ElementAndrole (String ElementName, String Rolename) { this.ElementName = ElementName; this.RoleName = ROLENAME; } Public Boolean Equals (Object Obj) { Return ((ElementAndrole) .ElementName.Equals (this.ElementName) && ((ElementAndrole) Obj). RoleName.Equals (this.roleName)); } } } In label library Before using the JSP page, do three steps below, in A Taglib element is included in the JSP page that determines the label library that needs to be loaded into the memory. front The first line of the JSP file: <% @ Taglib URI = "http:// mytag "Prefix = Custtag "%> Is what this is. 2. Use the Taglib element to determine the location of the TLD file in the configuration file web.xml. Added in Web.xml: <taglib> <taglib-uri> http: // mytag <; / taglib-uri> <taglib-location> /Web-inf/mytag.tld </ taglib-location> </ taglib> 3, the TLD file must use the Taglib element to identify each custom label extreme attribute. Here is the TLD file corresponding to this label library. <? XML Version = "1.0 "ENCoding = "ISO-8859-1 "?> DOCTYPE TAGLIB Public "- // Sun microsystems, inc .//dtd JSP Tag Library 1.1 // en " "http://java.sun.com/j2ee/dtds/web- JSptaglibrary_1_1.dtd "> <taglib> <Tlibversion> 1.0 </ TLIBVERSION> < JSPVERSION> 1.1 </ JSPVersion> <ShortName> MyTag </ ShortName> <URI /> <tag> <Name> JSPSecurity </ name> <tagclass> com.presentation.viewhlper. JSPSecurityTag </ tagclass> <info> Jspsecuritytag </ info> <Attribute> <name> ElementName </ Name> <required> True </ reguired> <RTEXPR Value> True </ RTEXPR Value> </ attribute> </ tag> </ taglib></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-73940.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div>New Post(0) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="73940" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: 0.033, SQL: 9</div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'G7AFGBwqcRUhJ82nnOc5zwwE64r7MeQAcsiJuIdmsYd8AsqDYn_2B5RBdot1s2nzhECFaXWiWir2Q5TlvqAnj1mg_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>