Locked old thread. Topic: A defect in WebWork
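Posted: 2005-09-08
jdev wrote:
> lllyq wrote:
> > ww2.1.x also has a major defect: Exception handling.
> > Inside ServletDispatcher.serviceAction the Exception is caught, so an interceptor can no longer handle it.
>
> Exactly! This is giving us a headache right now! And once an error occurs, the system can only be redeployed. May I ask how you solved this problem?

Redeploy? I don't know how you are using it.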
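Posted: 2005-09-08
If the whole URL is encoded, then, going by the WebWork code above, the redirect to that URL cannot work.
If only the parameter value is encoded:
<code>
// java.net.URLEncoder; the two-argument overload fixes the charset (the one-argument form is deprecated)
String params = URLEncoder.encode("2003-12-15 12:45", "UTF-8");
String url = "http://www.sina.com.cn/test.action?testdate=";
String encoderUrl = url + params;
</code>
The resulting URL is: http://www.sina.com.cn/test.action?testdate=2003-12-15+12%3A45
The redirect then does work, and the corresponding action only has to decode the relevant parameter. That does solve the problem. I had not thought it through and will watch for this in future. Thanks, everyone!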
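Posted: 2005-09-08
robbin wrote:
> The program has already failed and you still want to force it to keep executing. What is the point?

robbin wrote:
> jdev wrote:
> > lllyq wrote:
> > > ww2.1.x also has a major defect: Exception handling.
> > > Inside ServletDispatcher.serviceAction the Exception is caught, so an interceptor can no longer handle it.
> >
> > Exactly! This is giving us a headache right now! And once an error occurs, the system can only be redeployed. May I ask how you solved this problem?
>
> Redeploy? I don't know how you are using it.

Redeploying means deploying the web application again. The key point is that in our production environment, once this error occurs, all actions stop working. Every submit action returns a 500 error as soon as it runs. The only option is to redeploy.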
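Posted: 2005-09-08
jdev wrote:
> robbin wrote:
> > The program has already failed and you still want to force it to keep executing. What is the point?
>
> robbin wrote:
> > jdev wrote:
> > > lllyq wrote:
> > > > ww2.1.x also has a major defect: Exception handling.
> > > > Inside ServletDispatcher.serviceAction the Exception is caught, so an interceptor can no longer handle it.
> > >
> > > Exactly! This is giving us a headache right now! And once an error occurs, the system can only be redeployed. May I ask how you solved this problem?
> >
> > Redeploy? I don't know how you are using it.
>
> Redeploying means deploying the web application again. The key point is that in our production environment, once this error occurs, all actions stop working. Every submit action returns a 500 error as soon as it runs. The only option is to redeploy.

Then that is a problem with your deployment or your application server. WebWork itself has no such problem.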
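Posted: 2005-09-08
robbin wrote:
> lllyq wrote:
> > ww2.1.x also has a major defect: Exception handling.
> > Inside ServletDispatcher.serviceAction the Exception is caught, so an interceptor can no longer handle it.
>
> The program has already failed and you still want to force it to keep executing. What is the point?

1. The exception handling is very unfriendly.
2. More importantly, I need to throw exceptions: my WW interceptor needs to catch exceptions coming from the back-end interception of services (put simply, permission control).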
Posted: 2005-09-08
jdev wrote:
> lllyq wrote:
> > ww2.1.x also has a major defect: Exception handling.
> > Inside ServletDispatcher.serviceAction the Exception is caught, so an interceptor can no longer handle it.
>
> Exactly! This is giving us a headache right now! And once an error occurs, the system can only be redeployed. May I ask how you solved this problem?

Modify serviceAction: add throws ServletException to the method, and in the final catch block, throw new ServletException(e);

An example of a WW interceptor:
<code>
import com.opensymphony.xwork.ActionInvocation;
import com.opensymphony.xwork.interceptor.Interceptor;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class UnauthorizedExceptionInterceptor implements Interceptor {
    protected static final Log logger = LogFactory.getLog(UnauthorizedExceptionInterceptor.class);
    public static final String UNAUTHORIZED = "unauthorized";
    public static final String UNLOGINED = "unlogined";

    public String intercept(ActionInvocation invocation) throws Exception {
        com.opensymphony.xwork.Action action = invocation.getAction();
        String result = null;
        // Action-level checks: login state first, then permission.
        if (action instanceof MemberAction) {
            MemberAction memberAction = (MemberAction) action;
            if (!memberAction.hasLogined()) {
                return UNLOGINED;
            }
        }
        if (action instanceof SecurityAction) {
            SecurityAction securityAction = (SecurityAction) action;
            if (!securityAction.isPermitted()) {
                return UNAUTHORIZED;
            }
        }
        // Map an authorization failure raised further down the stack to a result code.
        try {
            result = invocation.invoke();
        } catch (Exception e) {
            if (e.getCause() instanceof XXXXUnauthorizedException) {
                return UNAUTHORIZED;
            } else {
                throw e;
            }
        }
        return result;
    }

    public void destroy() {
    }

    public void init() {
    }
}
</code>
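Posted: 2005-09-08
Using exceptions to control permissions like this is completely superfluous as far as WebWork is concerned. When the Action determines that permission is lacking, it can simply return "unauthorized", and when the user is not logged in it can return "nologin"; then configure <global-results> in xwork.xml:
<code>
<global-results>
    <result name="nologin" type="redirect">/login.html</result>
    <result name="unauthorized" type="redirect">/unauthorized.html</result>
</global-results>
</code>
Something that can be done this simply has been made so complicated by you, and you even have to hack WebWork. It really is superfluous.

BTW: if you like using exceptions to control permissions that much, you can use WebWork 2.2, which supports throwing exceptions; configure the exception option in xwork.xml.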
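Posted: 2005-09-08
If permission control only went down to the Action level, there would of course be no need to hack WW. But in practice that is not enough.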
Posted: 2005-09-08
> BTW: if you like using exceptions to control permissions that much, you can use WebWork 2.2, which supports throwing exceptions; configure the exception option in xwork.xml.

It is not that I like it; I have no choice. The code below is a bit messy, but it illustrates the point:
<code>
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

import com.opensymphony.xwork.ActionContext;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

//TODO concern role hierarchy
//TODO concern restricted permissions
//TODO concern fine-granular permission(resource id and resource property logic)
public class PermissionInterceptor implements MethodInterceptor {
    private SecurityManager securityManager = new SecurityManager();
    private static String securityResourceInterfaceName = SecurityResource.class.getName();
    private MyPermission permission;
    private SecurityOperation securityOperation;
    private String sessionKey = "login_user";
    private String groupKey = "group";
    private String administrator = "administrator";

    public void setPermission(MyPermission permission) {
        this.permission = permission;
        this.securityManager.setPermission(this.permission);
    }

    public void setSecurityOperation(SecurityOperation securityOperation) {
        this.securityOperation = securityOperation;
    }

    public void setSessionKey(String sessionKey) {
        this.sessionKey = sessionKey;
    }

    public void setGroupKey(String groupKey) {
        this.groupKey = groupKey;
    }

    public void setAdministrator(String administrator) {
        this.administrator = administrator;
    }

    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        Object result = null;
        String methodName = methodInvocation.getMethod().getName();
        SecurityUser securityUser = null;
        Object user = ActionContext.getContext().getSession().get(sessionKey);
        String operationIdentity = getOperationIdentity(methodName);
        if (operationIdentity != null
                && (user == null || (user instanceof SecurityUser
                        && !((SecurityUser) user).isAdministrator(administrator)))) {
            securityUser = (SecurityUser) user;
            SecurityOperation operation = securityOperation.getInstance(operationIdentity);
            if (!operationIdentity.equals(SecurityOperation.READ)) {
                // Write operations: check the first SecurityResource argument.
                SecurityResource securityResource = null;
                Object[] args = methodInvocation.getArguments();
                if (args != null) {
                    for (int i = 0; i < args.length; i++) {
                        if (args[i] instanceof SecurityResource) {
                            securityResource = (SecurityResource) args[i];
                            break;
                        }
                    }
                }
                if (securityResource != null
                        && !securityManager.hasPermission(securityUser, operation, securityResource)) {
                    throw new MyUnauthorizedException();
                }
            } else {
                // Read operations: restrict the query, or filter the result.
                Object[] args = methodInvocation.getArguments();
                QueryObject queryObject = null;
                if (args != null) {
                    for (int i = 0; i < args.length; i++) {
                        if (args[i] instanceof QueryObject) {
                            queryObject = (QueryObject) args[i];
                            break;
                        }
                    }
                }
                // Get resourceClassName
                Class resourceClass = queryObject == null ? null : queryObject.getPersistentClass();
                if (resourceClass == null && methodInvocation.getThis() instanceof CoreEntityManager) {
                    CoreEntityManager entityManager = (CoreEntityManager) methodInvocation.getThis();
                    resourceClass = entityManager.getPersistentClass() == null
                            ? null : entityManager.getPersistentClass();
                }
                String resourceClassName = null;
                if (resourceClass != null && isSecurityResource(resourceClass)) {
                    resourceClassName = resourceClass.getName();
                    if (securityManager.isAnonymousPermission(operationIdentity, resourceClassName)) {
                    } else if (securityUser == null) {
                        return null; // throw new MyUnauthorizedException();
                    } else {
                        if (queryObject != null) {
                            List permissionGroups = getPermissionGroup(securityUser, operation, resourceClassName);
                            if (permissionGroups == null) {
                                if (!securityManager.hasPermission(securityUser, operation, resourceClassName, null)) {
                                    return null;
                                }
                                // throw new MyUnauthorizedException();
                            } else {
                                // Narrow the query to the groups the user holds the permission in.
                                QueryParam restrictQueryParam = new QueryParam();
                                for (int i = permissionGroups.size() - 1; i >= 0; i--) {
                                    SecurityGroup group = (SecurityGroup) permissionGroups.get(i);
                                    restrictQueryParam.orParameter(new QueryParam(groupKey, group));
                                }
                                QueryParam queryParam = queryObject.getQueryParam();
                                QueryParam newQueryParam = null;
                                if (queryParam == null) {
                                    newQueryParam = restrictQueryParam;
                                } else {
                                    newQueryParam = new QueryParam();
                                    newQueryParam.andParameter(queryParam);
                                    newQueryParam.andParameter(restrictQueryParam);
                                }
                                queryObject.setQueryParam(newQueryParam);
                            }
                        } else {
                            List userRoles = securityUser.getSecurityRoles();
                            if (userRoles != null) {
                                boolean passFlag = false;
                                for (int i = userRoles.size() - 1; i >= 0; i--) {
                                    if (securityManager.hasPermission((SecurityRole) (userRoles.get(i)),
                                            operationIdentity, resourceClassName)) {
                                        passFlag = true;
                                        break;
                                    }
                                }
                                if (passFlag) {
                                    result = methodInvocation.proceed();
                                    if (result != null) {
                                        if (result instanceof SecurityResource) {
                                            if (!securityManager.hasPermission(securityUser, operation,
                                                    (SecurityResource) result)) {
                                                return null; // throw new MyUnauthorizedException();
                                            }
                                        } else if (result instanceof Collection) {
                                            Iterator iterator = ((Collection) result).iterator();
                                            while (iterator.hasNext()) {
                                                Object object = iterator.next();
                                                if (!(object instanceof SecurityResource)) {
                                                    break;
                                                }
                                                if (!securityManager.hasPermission(securityUser, operation,
                                                        (SecurityResource) (object))) {
                                                    return null; // throw new MyUnauthorizedException();
                                                }
                                            }
                                        }
                                    }
                                    return result;
                                }
                            }
                            throw new MyUnauthorizedException();
                        }
                    }
                }
            }
        }
        result = methodInvocation.proceed();
        return result;
    }

    private String getOperationIdentity(String methodName) {
        // TODO Match "batch*"
        if (methodName.startsWith("find") || methodName.startsWith("load")
                || (methodName.startsWith("get") && !methodName.equals("getPersistentClass"))) {
            return SecurityOperation.READ;
        } else if (methodName.startsWith("save")) {
            return SecurityOperation.CREATE;
        } else if (methodName.startsWith("update") || methodName.startsWith("merge")) {
            return SecurityOperation.UPDATE;
        } else if (methodName.startsWith("remove")) {
            return SecurityOperation.REMOVE;
        } else {
            return null;
        }
    }

    private List getPermissionGroup(SecurityUser user, SecurityOperation securityOperation,
            String resourceClassName) {
        List groups = null;
        List roles = user.getSecurityRoles();
        if (roles != null) {
            groups = new ArrayList();
            for (int i = roles.size() - 1; i >= 0; i--) {
                SecurityRole role = (SecurityRole) roles.get(i);
                List permissions = role.getPermissions();
                SecurityGroup group = role.getSecurityGroup();
                if (securityManager.containPermission(permissions, securityOperation.getIdentity(),
                        resourceClassName)) {
                    if (group != null && !groups.contains(group)) {
                        groups.add(group);
                    } else if (!role.isGlobalRole() && !groups.contains(user.getSecurityGroup())) {
                        groups.add(user.getSecurityGroup());
                    }
                }
            }
            if (groups.size() == 0) {
                groups = null;
            }
        }
        return groups;
    }

    private static boolean isSecurityResource(Class objClass) {
        do {
            Class[] classes = objClass.getInterfaces();
            for (int i = 0; i < classes.length; i++) {
                if (classes[i].getName().equals(securityResourceInterfaceName))
                    return true;
            }
            objClass = objClass.getSuperclass();
            // getSuperclass() returns null for interfaces and for Object, so stop there too.
        } while (objClass != null
                && !(objClass.equals(objectClass != null ? objectClass : (objectClass = Object.class))));
        return false;
    }

    private static Class objectClass;
}
</code>
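
An added example, not part of lllyq's post or of WebWork: in the PermissionInterceptor above, getOperationIdentity returns null for any method name that matches none of its prefixes (its own TODO mentions batch*), and invoke then calls proceed() without a permission check. The sketch below puts the same prefix rules behind a JDK dynamic proxy and contrasts that behaviour with a fail-closed variant; OrderManager, secure() and the READ-only grant set are hypothetical names constructed for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

// Added example (not lllyq's code). OrderManager and secure() are hypothetical names.
public class FailClosedInterceptorDemo {
    // batchRemove matches none of the prefixes used in the post.
    interface OrderManager {
        String findOrder(int id);
        String batchRemove(int[] ids);
    }
    // Prefix rules from getOperationIdentity in the post, with plain strings as operations.
    static String operationFor(String name) {
        if (name.startsWith("find") || name.startsWith("load")
                || (name.startsWith("get") && !name.equals("getPersistentClass"))) return "READ";
        if (name.startsWith("save")) return "CREATE";
        if (name.startsWith("update") || name.startsWith("merge")) return "UPDATE";
        if (name.startsWith("remove")) return "REMOVE";
        return null; // no rule matched
    }

    // Wraps target in a JDK dynamic proxy that checks the caller's granted operations.
    static OrderManager secure(OrderManager target, Set<String> granted, boolean failClosed) {
        InvocationHandler handler = (proxy, method, args) -> {
            String op = operationFor(method.getName());
            if (op == null && failClosed) throw new SecurityException("no rule for " + method.getName());
            if (op != null && !granted.contains(op)) throw new SecurityException(op + " not granted");
            return method.invoke(target, args); // reached unchecked when op == null and !failClosed
        };
        return (OrderManager) Proxy.newProxyInstance(OrderManager.class.getClassLoader(),
                new Class<?>[] {OrderManager.class}, handler);
    }

    public static void main(String[] args) {
        OrderManager real = new OrderManager() {
            public String findOrder(int id) { return "order " + id; }
            public String batchRemove(int[] ids) { return "removed " + ids.length + " orders"; }
        };
        Set<String> readOnly = Set.of("READ"); // constructed grant set: caller may only read
        for (boolean failClosed : new boolean[] {false, true}) {
            OrderManager om = secure(real, readOnly, failClosed);
            try {
                System.out.println("failClosed=" + failClosed + ": " + om.batchRemove(new int[] {1, 2}));
            } catch (SecurityException e) {
                System.out.println("failClosed=" + failClosed + ": denied, " + e.getMessage());
            }
        }
    }
}
```

With name-based rules, a method that should stay unchecked is better listed explicitly than left to fall through the prefix table.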
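Posted: 2005-10-21
Using exceptions to control permissions feels very odd. I generally use exceptions only to show error messages, go to an error page, and write an error log. All of that has to do with errors. How can permissions be tied to exceptions?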