1.权限拦截器
通过spring-mvc.xml来配置
<!-- 拦截器 -->
<mvc:interceptors>
<!-- 多个拦截器,顺序执行 -->
<bean class=" org.eking.framework.web.system.interceptor.PermissionInterceptor"></bean>
<bean class="org.eking.framework.web.system.interceptor.SecurityInterceptor"></bean>
<bean class="org.eking.framework.web.system.interceptor.SysLogInterceptor"></bean>
</mvc:interceptors>
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { if (handler instanceof HessianServiceExporter) { // TODO xie-qing 什么都不处理,后面再加上权限的验证 return true; } HandlerMethod handlerMethod = (HandlerMethod) handler; Method method = handlerMethod.getMethod(); String action = request.getRequestURI(); action = action.substring(action.lastIndexOf("/")+1); String ctx = WebUtils.getContextPath(request); // 1、 判断方法前是否有权限注解,有就做权限匹配,没有就放行 if (method.isAnnotationPresent(Permission.class)) { // 2、判断用户是否登录 SysUser currentUser = (SysUser) request.getSession().getAttribute(Constants.CURRENT_USER); if (currentUser == null) { PrintWriter out = response.getWriter(); out.print("<script type='text/javascript'>top.location='"+ctx+"/'</script>"); out.close(); return false; } // 3、 取出注解的权限值 Permission permission = method.getAnnotation(Permission.class); // 4、 与系统管理员拥有的权限进行匹配 boolean hasPrivilege = hasPrivilege(currentUser.getSysAuthoritys(), permission.name()); if (hasPrivilege) { // 4.1 拥有 return true; } else { // 4.2 不 拥有 log.info("您没有操作" + permission.name() + "的权限!"); // 弹出警告 WebUtils.alertMsg(response, "您没有操作权限!"); return false; } } return true; }
2.在Login登陆的时候先判定sysuser是否存在,md5加密来判定密码是否相等
<!-- 根据系统用户Id获取该用户拥有的权限集合 -->
<select id="getSysAuthoritysByUserId" resultMap="baseSysAuthorityResultMap" parameterType="string">
SELECT * FROM SYS_AUTHORITY SA, (
SELECT * FROM SYS_ROLE_AUTHORITY WHERE ROLE_ID IN (
SELECT A.ROLE_ID FROM SYS_ROLE A
JOIN SYS_USER_ROLE B ON A.ROLE_ID = B.ROLE_ID
WHERE B.USER_ID = #{value}
)
) TEMP
WHERE SA.AUTHORITY_ID=TEMP.AUTHORITY_ID
</select>
3.index页面用frameset来嵌套对应的frame
<frameset rows="90,*,55" border="0"> <frame src="${ctx}/login/toTop.do" name="top" /> <frameset cols="200,*"> <frame src="${ctx}/login/toLeft.do" name="left" /> <frame src="${ctx}/login/toRight.do" name="right" /> </frameset> <frame src="${ctx}/login/toBottom.do" name="bottom" /> </frameset>
4.初始化index页面的left页面权限菜单数据
@RequestMapping("/tree") @DoLog(cnContent = "权限树初始化", value = false) //@Permission(name = "login.tree") public String tree(HttpServletRequest request, HttpServletResponse response, ZTreeComm zTree) throws Exception { try { //1、获取登陆人的信息 SysUser currentUser = getLoginUser(request); // 2.根据id获取权限列表,id为空时获取父权限列表(limit=roleid) List<ZTreeComm> tree = sysUserService.initAuthorityTree(zTree, currentUser); // 3.设置父节点 List<ZTreeComm> votree = new ArrayList<ZTreeComm>(); for (int i = 0; i < tree.size(); i++) { ZTreeComm ztree = (ZTreeComm) tree.get(i); int total = sysUserService.isParent(ztree); ztree.setIsParent(total != 0 ? Constants.IS_TRUE : Constants.IS_FALSE); votree.add(ztree); } //4、list排序。 Collections.sort(votree, new Comparator<ZTreeComm>() { public int compare(ZTreeComm arg0, ZTreeComm arg1) { return arg0.getSortNo().compareTo(arg1.getSortNo()); } }); return this.ajax(response, votree); } catch (Exception e) { this.logException(e); return this.ajax(response, "系统出现异常: [" + e.getMessage() + "] 请与管理员联系!"); } }
public List<ZTreeComm> initAuthorityTree(ZTreeComm ztree, SysUser sysUser) throws Exception { //1、获取角色字符串 List<SysRole> sysRoles = sysUser.getSysRoles(); String roleId = ""; if (CollectionHelp.isNotBank(sysRoles)) { for (Object obj : sysRoles) { SysRole role = (SysRole) obj; if (Constants.STATUS_ACTIVE.equals(role.getStatus())) { roleId = role.getRoleId() + "," + roleId; } } } ztree.setDiyParams(roleId); //因为ztree并没有roleid的属性,所以使用ztree的空属性 //2、根据ztree,获取权限信息 List<ZTreeComm> dataList = new ArrayList<ZTreeComm>(); if (StringUtils.isEmpty(ztree.getId())) { //id为空,初始加载,查询根节点. where parent_dept_id is null dataList = sqlSessionTemplate.selectList(SecurityMgrConstants.ZTREE_COMMON_MAPPER_NAMESPACE + ".getAuthorityRoot", ztree); } else { //id不为空,为下拉,查询子节点 . where parent_dept_id =id dataList = sqlSessionTemplate.selectList(SecurityMgrConstants.ZTREE_COMMON_MAPPER_NAMESPACE + ".getAuthorityById", ztree); } return dataList; }
<!-- 查询部门根节点 --> <select id="getAuthorityRoot" resultMap="authorityTreeResultMap" parameterType="ZTreeComm"> SELECT * FROM SYS_AUTHORITY WHERE AUTHORITY_ID IN( SELECT AUTHORITY_ID FROM SYS_ROLE_AUTHORITY WHERE INSTR(#{diyParams},ROLE_ID)>0 ) AND PARENT_ID IS NULL AND AUTHORITY_TYPE='2' </select>
<!-- 查询部门子节点 --> <select id="getAuthorityById" resultMap="authorityTreeResultMap" parameterType="ZTreeComm"> SELECT * FROM SYS_AUTHORITY WHERE AUTHORITY_ID IN( SELECT AUTHORITY_ID FROM SYS_ROLE_AUTHORITY WHERE INSTR(#{diyParams},ROLE_ID)>0 ) AND PARENT_ID=#{id} AND AUTHORITY_TYPE='2' </select>
instr(string1,string2[,start_position[,nth_appearence]])
string1:要在此字符串中查找。
string2:要在string1中查找的字符串。
start_position:从string1开始查找的位置。可选,默认为1,正数时,从左到右检索,负数时,从右到左检索。
nth_appearence:查找第几次出现string2。可选,默认为1,不能为负。
注:如果没有查找到,返回0。
例如:
select instr('abcd','a') from dual; --返回1
select instr('abcd','c') from dual; --返回3
select instr('abcd','e') from dual; --返回0该函数可以用于模糊查询以及判断包含关系:
例如:
① select code, name, dept, occupation from staff where instr(code, '001') > 0;
等同于
select code, name, dept, occupation from staff where code like '%001%' ;
② select ccn,mas_loc from mas_loc where instr('FH,FHH,FHM',ccn)>0;
等同于
select ccn,mas_loc from mas_loc where ccn in ('FH','FHH','FHM');