package com.jeecms.core.web;
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import com.jeecms.core.entity.Admin;
import com.jeecms.core.entity.User;
import com.jeecms.core.manager.AdminMng;
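public class AccessControlFilter implements Filter {
    /**
     * Whether the admin-rights check is enforced. Read from the filter
     * init-param "isControl": only the literal string "false" disables it,
     * anything else (including a missing parameter) enables it.
     */
    private boolean isControl;
    /** Name of the Spring bean resolved from the web application context. */
    private static final String BEAN_NAME = "adminMngImpl";
    /** The user id that is exempt from the rights-set check. */
    private static final Long SUPER_USER_ID = 1L;
    private AdminMng adminMng;

    /**
     * Reads the "isControl" init parameter and looks up the {@link AdminMng}
     * bean from the Spring web application context.
     *
     * @param filterConfig the configuration handed over by the container
     * @throws ServletException declared by the {@link Filter} contract; not
     *         thrown directly here
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        // Fail closed: enforcement is on unless explicitly switched off.
        String control = filterConfig.getInitParameter("isControl");
        isControl = !"false".equals(control);
        WebApplicationContext wac = WebApplicationContextUtils
                .getRequiredWebApplicationContext(filterConfig.getServletContext());
        adminMng = wac.getBean(BEAN_NAME, AdminMng.class);
    }

    /**
     * Rejects the request with 403 unless the session holds a logged-in admin
     * whose rights set contains the request path (extension stripped), or the
     * session belongs to the super user (id 1).
     *
     * @param servletRequest  incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response, cast to {@link HttpServletResponse}
     * @param chain           the remaining filter chain
     * @throws IOException      propagated from the chain or {@code sendError}
     * @throws ServletException propagated from the chain
     */
    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        HttpSession session = req.getSession(false);

        if (!isControl) {
            // Development mode: every request is stamped as admin 1 / user 1
            // before continuing. This disables all access control, so the
            // filter must never be deployed with isControl=false.
            if (session == null) {
                session = req.getSession(true);
            }
            session.setAttribute(Admin.ADMIN_KEY, 1L);
            session.setAttribute(User.USER_KEY, 1L);
            chain.doFilter(servletRequest, servletResponse);
            return;
        }

        // No session means nobody is logged in; reject without creating one.
        if (session == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String domain = req.getServerName();
        Long userId = (Long) session.getAttribute(User.USER_KEY);
        Long adminId = (Long) session.getAttribute(Admin.ADMIN_KEY);
        Admin admin = adminMng.getLoginAdmin(domain, adminId, userId, session);
        if (admin == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The super administrator registered on this site is exempt from the
        // rights check. Compared null-safely: a session without USER_KEY falls
        // through to the rights check instead of throwing an NPE.
        if (SUPER_USER_ID.equals(userId)) {
            chain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Authorize by exact match of the stripped request path against the
        // rights set in the session; a missing set or missing entry is a 403.
        // NOTE(review): the URI is matched in the raw form the container
        // reports (no decoding/normalization here), so entries in the rights
        // set must be written in that same form.
        String url = getUrl(req);
        Set<String> rights = (Set<String>) session.getAttribute(Admin.RIGHTS_KEY);
        if (rights == null || !rights.contains(url)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Strips the context path, and any extension (from the first '.') or
     * query part (from the first '?'), from the request URI so it can be
     * matched against the rights set. A '.' wins over a '?' if both occur.
     *
     * @param req the current request
     * @return the path relative to the context root, without extension
     */
    private String getUrl(HttpServletRequest req) {
        String url = req.getRequestURI();
        int start = req.getContextPath().length();
        // Search only past the context path: a '.' inside the context path
        // would otherwise give an end index smaller than the start index and
        // make substring() throw.
        int dot = url.indexOf('.', start);
        if (dot != -1) {
            return url.substring(start, dot);
        }
        // getRequestURI() normally excludes the query string; this cut is kept
        // as a defensive measure only.
        int query = url.indexOf('?', start);
        if (query != -1) {
            return url.substring(start, query);
        }
        return url.substring(start);
    }

    /** Nothing to release; the bean reference is owned by the Spring context. */
    public void destroy() {
    }
}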