权限控制是web项目的一个重要的模块，由于操作权限的控制几乎牵扯的业务层的每一个方法，所以实现起来相对比较复杂，这方面的实现方法也比较多，本文所介绍的在线商城项目，其后台管理的权限拦截通过@注解来实现。注解本身并不能实现任何的业务操作，而只是起到配置的作用，在权限管理器中通过反射取出错操作方法注解中的权限需求信息，与session中当前管理员的权限进行比较，以此来判断是拦截还是允许操作.如上图所示，ManagerLogonAction.java主要负责判断从登录页面传来的登录信息是否正确，如果正确，将所登录的manager以control-manager的名称放入session总，相关代码如下：………………………………….Manager manager =managerdao.managerlogon(formBean.getUsername(),formBean.getPassword());//调用DAO层登录判断方法，如果返回不为空，说明登录信息正确if (manager != null) {request.getSession(true).setAttribute("control-manager", manager);return mapping.findForward("logonok");//跳转到登录正确提示页面} else {request.setAttribute("outmessage", "登录失败，请检查您的用户名和密码！");……………………….定义注解：@Retention(RetentionPolicy.RUNTIME)//生成策略：运行时@Target(ElementType.METHOD)//注解位置：方法public @interface SystemPrivilegeAnnotation {String modile();//权限模块String privilegeValue();//权限值}权限管理器：PrivilegController.java：public class PrivilegController extends RequestProcessor {@Overrideprotected ActionForward processActionPerform(HttpServletRequest request,HttpServletResponse response, Action action, ActionForm form,ActionMapping mapping) throws IOException, ServletException {if (!systemPrivilege(request, action, mapping)) {request.setAttribute("outmessage", "您没有权限进行当前操作！");request.setAttribute("toUrl", SiteURL.getUrlByKey("logon"));return mapping.findForward("global-out");}return super.processActionPerform(request, response, action, form,mapping);}//权限判断方法，返回true说明当前用户有权限调用当前方法private boolean systemPrivilege(HttpServletRequest request, Action action,ActionMapping mapping) {HttpSession session = request.getSession(false);Manager manager = (Manager) session.getAttribute("control-manager");//拿出当前用户String currentMethodName = getCurrentMethodName(request, action,mapping);//拿到方法的名字SystemPrivilegeAnnotation systemPrivilegeAnnotation = getMethodSystemPrivilegeAnnotation(action, currentMethodName);//拿出方法中的注解信息if (systemPrivilegeAnnotation == null) {return true;//如果注解信息为空说明当前方法不需要任何权限}SystemPrivilege nowPrivilege = new SystemPrivilege(systemPrivilegeAnnotation.modile(), systemPrivilegeAnnotation.privilegeValue());//根据注解信息建立权限对象，即当前方法所需权限//循环，将当前用户的所有权限逐个与当前方法所需权限相比较for (SystemPrivilege privilege : manager.getSps()) {if (privilege.equals(nowPrivilege)) {return true;}}return false;}//拿到当前action方法的名字（本项目的Action类都是继承自DispatchAction或Action）private String getCurrentMethodName(HttpServletRequest request,Action action, ActionMapping mapping) {if (DispatchAction.class.isAssignableFrom(action.getClass())) {return request.getParameter(mapping.getParameter());}return "execute";}//通过反射得到action方法的注解信息private SystemPrivilegeAnnotation getMethodSystemPrivilegeAnnotation(Action action, String methodName) {try {Method method = action.getClass().getMethod(methodName, new Class[] {ActionMapping.class, ActionForm.class,HttpServletRequest.class, HttpServletResponse.class });//第二个参数是所求方法的参数列表if (method != null) {if (method.isAnnotationPresent(SystemPrivilegeAnnotation.class)) {return method.getAnnotation(SystemPrivilegeAnnotation.class);}}} catch (Exception e) {e.printStackTrace();}return null;}}这样，在每一个Action方法中加入注解就可以实现对此方法的权限拦截，如产品的删除操作中：@SystemPrivilegeAnnotation(privilegeValue ="delete",modile="product")public ActionForward delete(ActionMapping mapping, ActionForm form,HttpServletRequest request, HttpServletResponse response)throws Exception {ProductForm formBean = (ProductForm) form;dao.delete(Product.class, formBean.getProductids());request.setAttribute("outmessage", "删除成功!");request.setAttribute("toUrl", SiteURL.getUrlByKey("console.product.list"));return mapping.findForward("global-out");}再如产品类别的查看操作：@SystemPrivilegeAnnotation(privilegeValue ="view",modile="product_type")public ActionForward execute(ActionMapping mapping, ActionForm form,HttpServletRequest request, HttpServletResponse response)throws Exception {ProductTypeForm productTypeForm = (ProductTypeForm) form;………………………………………………………….最后，还要在struts-config.xml中注册权限管理器：


升级到struts2吧兄弟.

struts2与struts1相比更多的是平行的关系吧，在struts2出来的时候，struts1不是仍在发展吗？

顶类个顶