[Permissions] Interceptor for checking permissions

Posted by crusty76 on Sat, 02 May 2020 10:52:44 +0200

Environment preparation

  • The employee has logged in
  • Store the permission expression set corresponding to the employee into the session, (Exps _in

Permission check interceptor

Release conditions:

  • The Action can be accessed without permission (the accessed method is not annotated)
  • The employee is a super administrator
  • The employee has this permission (the permission expression set in the session contains the expression corresponding to the accessed method)
import java.lang.reflect.Method;
import java.util.Set;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// RequiredPermission, Employee and PermissionUtil are the project's own classes;
// import them from wherever they live in your code base.
public class PermissionCheckInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        //Release if no permission is required,
        //or the employee is a super administrator,
        //or the employee has this permission
        if (isNoRequired(invocation) || isAdmin(invocation) || isHasPermission(invocation)) {
            return invocation.invoke();
        }
        //Otherwise deny and go to the "noPermission" result
        return "noPermission";
    }

    //Whether the requested Action can be accessed without permission
    private boolean isNoRequired(ActionInvocation invocation) throws Exception {
        //Get method object
        Method method = this.getMethod(invocation);
        //If not annotated, return true (release)
        return !method.isAnnotationPresent(RequiredPermission.class);
    }

    //Super administrator or not
    private boolean isAdmin(ActionInvocation invocation) {
        //Get the employee object in the current session
        Employee employee = (Employee) ActionContext.getContext().getSession().get("EMPLOYEE_IN_SESSION");
        //admin property is of type boolean
        return employee.getAdmin();
    }

    //Whether the employee has this permission
    //This check comes last, so the accessed Action must be annotated (unannotated methods were already released)
    @SuppressWarnings("unchecked")
    private boolean isHasPermission(ActionInvocation invocation) throws Exception {
        //Permission expression for the currently accessed Action method
        Method method = this.getMethod(invocation);
        String EXP = PermissionUtil.creatEXP(method);
        //Get the expression set of the permissions the employee's roles have
        Set<String> EXPs = (Set<String>) ActionContext.getContext().getSession().get("EXPS_IN_SESSION");

        return EXPs.contains(EXP);
    }

    //Get the method object corresponding to the currently accessed Action
    private Method getMethod(ActionInvocation invocation) throws Exception {
        Class<?> clz = invocation.getProxy().getAction().getClass();
        return clz.getMethod(invocation.getProxy().getMethod());
    }
}

Configuration file deployment

  • The interceptor needs to be deployed after the login interceptor (the session only contains these objects after login, so when the order is correct no null check is needed)
        <!--Declare login interceptor + permission interceptor-->
        <interceptors>
            <interceptor name="loginInterceptor" class="interceptor.LoginInterceptor">
                <param name="excludeActions">login_login</param>
            </interceptor>
            <interceptor name="permissionCheckInterceptor" class="interceptor.PermissionCheckInterceptor"></interceptor>

            <!--Build interceptor stack-->
            <interceptor-stack name="myStack">
                <interceptor-ref name="loginInterceptor"/>
                <interceptor-ref name="permissionCheckInterceptor"/>
                <interceptor-ref name="paramsPrepareParamsStack"/>
            </interceptor-stack>
        </interceptors>

        <!--Use the interceptor stack as the package default-->
        <default-interceptor-ref name="myStack"/>
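
The three release conditions evaluated fail-closed, so that a wrong stack order or a session without the expected objects denies instead of throwing. This is an added example, not code from the original post. RequiredPermission, Employee, EmployeeAction and the "Class:method" expression format are stand-ins assumed here, since the post does not show its own versions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PermissionDecisionDemo {
    // Stand-in for the page's annotation. RUNTIME retention is required,
    // otherwise isAnnotationPresent() is always false and every method is released.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiredPermission { String value(); }

    // Constructed stand-ins for the project's Employee and an Action class.
    static class Employee {
        final Boolean admin; Employee(Boolean a) { admin = a; }
        Boolean getAdmin() { return admin; }
    }
    static class EmployeeAction {
        public String list() { return "list"; }
        @RequiredPermission("Delete employee") public String delete() { return "success"; }
    }

    // Assumed format "Class:method"; the page does not show PermissionUtil.creatEXP.
    static String expressionFor(Method m) {
        return m.getDeclaringClass().getName() + ":" + m.getName();
    }

    // The three release conditions, written so that missing or mistyped session data denies.
    static boolean isAllowed(Method m, Map<String, Object> session) {
        if (!m.isAnnotationPresent(RequiredPermission.class)) return true;  // no permission required
        Object e = session.get("EMPLOYEE_IN_SESSION");
        if (e instanceof Employee && Boolean.TRUE.equals(((Employee) e).getAdmin())) return true;
        Object exps = session.get("EXPS_IN_SESSION");
        return exps instanceof Set && ((Set<?>) exps).contains(expressionFor(m));
    }

    public static void main(String[] args) throws Exception {
        Method list = EmployeeAction.class.getMethod("list");
        Method delete = EmployeeAction.class.getMethod("delete");
        Map<String, Object> empty = new HashMap<>();  // constructed: nobody logged in
        Map<String, Object> admin = Map.of("EMPLOYEE_IN_SESSION", new Employee(true));
        Map<String, Object> clerk = Map.of("EMPLOYEE_IN_SESSION", new Employee(false),
                "EXPS_IN_SESSION", Set.of(expressionFor(delete)));
        Map<String, Object> other = Map.of("EMPLOYEE_IN_SESSION", new Employee(null),
                "EXPS_IN_SESSION", Set.of("other.Action:save"));
        System.out.println("list,   empty session:     " + isAllowed(list, empty));
        System.out.println("delete, empty session:     " + isAllowed(delete, empty));
        System.out.println("delete, super admin:       " + isAllowed(delete, admin));
        System.out.println("delete, has expression:    " + isAllowed(delete, clerk));
        System.out.println("delete, lacks expression:  " + isAllowed(delete, other));
    }
}
```

Run it with `java PermissionDecisionDemo.java` (Java 11 or later). The empty-session case and the employee whose admin flag is null are the two inputs on which the unchecked casts and unboxing in the interceptor would throw a NullPointerException.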
