新增权限验证

TommyLemon · TommyLemon · commit ca3b490d5fc8 · 2016-12-11T14:03:46.000+08:00
diff --git a/APIJSON(Android)/APIJSON(ADT)/res/layout/select_activity.xml b/APIJSON(Android)/APIJSON(ADT)/res/layout/select_activity.xml
@@ -43,6 +43,24 @@
                 style="@style/select_json"
                 android:onClick="selectComplex"
                 android:text="@string/demo_complex" />
+
+            <TextView
+                style="@style/select_name"
+                android:text="Access Error" />
+
+            <Button
+                style="@style/select_json"
+                android:onClick="selectAccessError"
+                android:text="@string/demo_wallet" />
+
+            <TextView
+                style="@style/select_name"
+                android:text="Access Permitted" />
+
+            <Button
+                style="@style/select_json"
+                android:onClick="selectAccessPermitted"
+                android:text="@string/demo_wallet_with_access" />
         </LinearLayout>
     </ScrollView>
 
diff --git a/APIJSON(Android)/APIJSON(ADT)/res/values/strings.xml b/APIJSON(Android)/APIJSON(ADT)/res/values/strings.xml
@@ -10,5 +10,7 @@
 <string name="demo_rely">{\n&#160;&#160;&#160;\"User\":{\n&#160;&#160;&#160;&#160;&#160;&#160;\"id\":70793\n&#160;&#160;&#160;},\n&#160;&#160;&#160;\"Work\":{\n&#160;&#160;&#160;&#160;&#160;&#160;\"userId\":\"User/id\"\n&#160;&#160;&#160;}\n}</string>
 <string name="demo_array">{\n&#160;&#160;&#160;\"User[]\":{\n&#160;&#160;&#160;&#160;&#160;&#160;\"count\":10,\n&#160;&#160;&#160;&#160;&#160;&#160;\"User\":{\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;\"sex\":0\n&#160;&#160;&#160;&#160;&#160;&#160;}\n&#160;&#160;&#160;}\n}</string>
 <string name="demo_complex">{\n&#160;&#160;&#160;\"[]\":{\n&#160;&#160;&#160;&#160;&#160;&#160;\"count\":2,\n&#160;&#160;&#160;&#160;&#160;&#160;\"User\":{\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;\"sex\":0\n&#160;&#160;&#160;&#160;&#160;&#160;},\n&#160;&#160;&#160;&#160;&#160;&#160;\"Work\":{\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;\"userId\":\"/User/id\"\n&#160;&#160;&#160;&#160;&#160;&#160;},\n&#160;&#160;&#160;&#160;&#160;&#160;\"Comment[]\":{\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;\"count\":3,\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;\"Comment\":{\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;\"workId\":\"[]/Work/id\"\n&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;}\n&#160;&#160;&#160;&#160;&#160;&#160;}\n&#160;&#160;&#160;}\n}</string>
+<string name="demo_wallet">{\n&#160;&#160;&#160;\"Wallet\":{\n&#160;&#160;&#160;&#160;&#160;&#160;\"userId\":38710\n&#160;&#160;&#160;}\n}</string>
+<string name="demo_wallet_with_access">{\n&#160;&#160;&#160;\"Wallet\":{\n&#160;&#160;&#160;&#160;&#160;&#160;\"userId\":38710\n&#160;&#160;&#160;},\n&#160;&#160;&#160;\"currentUserId\":38710,\n&#160;&#160;&#160;\"payPassword\":\"123456\"\n}</string>
 
 </resources>
diff --git a/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/RequestUtil.java b/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/RequestUtil.java
@@ -16,6 +16,7 @@
 
 import zuo.biao.apijson.client.model.Comment;
 import zuo.biao.apijson.client.model.User;
+import zuo.biao.apijson.client.model.Wallet;
 import zuo.biao.apijson.client.model.Work;
 
 /**create request JSONObjects
@@ -50,4 +51,16 @@ public static JSONObject newComplexRequest() {
 		return request.toArray(2, 1);
 	}
 
+	public static JSONObject newAccessErrorRequest() {
+		return new JSONRequest(new Wallet((long) 38710));
+	}
+	
+	public static JSONObject newAccessPermittedRequest() {
+		JSONRequest request = new JSONRequest();
+		request.put(new Wallet().setUserId((long) 38710));
+		request.put("currentUserId", 38710);
+		request.put("payPassword", "123456");
+		return request;
+	}
+
 }
diff --git a/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/model/Wallet.java b/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/model/Wallet.java
@@ -0,0 +1,35 @@
+package zuo.biao.apijson.client.model;
+
+public class Wallet extends BaseModel {
+	private static final long serialVersionUID = 4298571449155754300L;
+	
+	public Double balance;
+	
+	public Long userId;
+	
+	/**默认构造方法，JSON等解析时必须要有
+	 */
+	public Wallet() {
+		super();
+	}
+	public Wallet(Long id) {
+		this();
+		this.id = id;
+	}
+	
+	public Wallet setUserId(Long userId) {
+		this.userId = userId;
+		return this;
+	}
+	public Long getUserId() {
+		return userId;
+	}
+	
+	public Double getBalance() {
+		return balance;
+	}
+	public void setBalance(Double balance) {
+		this.balance = balance;
+	}
+
+}
diff --git a/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/ui/QueryActivity.java b/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/ui/QueryActivity.java
@@ -75,6 +75,8 @@ public static Intent createIntent(Context context, int type, String url) {
 	public static final int TYPE_RELY = 1;
 	public static final int TYPE_ARRAY = 2;
 	public static final int TYPE_COMPLEX = 3;
+	public static final int TYPE_ACCESS_ERROR = 4;
+	public static final int TYPE_ACCESS_PERMITTED = 5;
 
 
 	private int type = TYPE_SINGLE;
@@ -147,6 +149,12 @@ public void setRequest() {
 		case TYPE_ARRAY:
 			request = JSON.toJSONString(RequestUtil.newArrayRequest());
 			break;
+		case TYPE_ACCESS_ERROR:
+			request = JSON.toJSONString(RequestUtil.newAccessErrorRequest());
+			break;
+		case TYPE_ACCESS_PERMITTED:
+			request = JSON.toJSONString(RequestUtil.newAccessPermittedRequest());
+			break;
 		default:
 			request = JSON.toJSONString(RequestUtil.newComplexRequest());
 			break;
diff --git a/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/ui/SelectActivity.java b/APIJSON(Android)/APIJSON(ADT)/src/zuo/biao/apijson/client/ui/SelectActivity.java
@@ -59,6 +59,12 @@ public void selectArray(View v) {
 	public void selectComplex(View v) {
 		select(QueryActivity.TYPE_COMPLEX);
 	}
+	public void selectAccessError(View v) {
+		select(QueryActivity.TYPE_ACCESS_ERROR);
+	}
+	public void selectAccessPermitted(View v) {
+		select(QueryActivity.TYPE_ACCESS_PERMITTED);
+	}
 	//click event,called form layout android:onClick >>>>>>>>>>>>>>>>
 	
 	private String url;
diff --git a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/RequestParser.java b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/RequestParser.java
@@ -13,19 +13,22 @@
 limitations under the License.*/
 
 package zuo.biao.apijson.server;
+import static zuo.biao.apijson.StringUtil.UTF_8;
+
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import java.rmi.AccessException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 
 import com.alibaba.fastjson.JSONObject;
+
 import zuo.biao.apijson.JSON;
 import zuo.biao.apijson.StringUtil;
+import zuo.biao.apijson.server.sql.AccessVerifyer;
 import zuo.biao.apijson.server.sql.QueryHelper;
 
-import static zuo.biao.apijson.StringUtil.UTF_8;
-
 /**parser for parsing request to JSONObject
  * @author Lemon
  */
@@ -54,10 +57,12 @@ public JSONObject parse(String json) {
 
 		relationMap = new HashMap<String, String>();
 		parseRelation = false;
-		requestObject = getObject(null, null, null, JSON.parseObject(json));
+		requestObject = JSON.parseObject(json);
+		requestObject = getObject(null, null, null, requestObject);
 		parseRelation = true;
 		requestObject = getObject(null, null, null, requestObject);
-		System.out.println(TAG + "\n\n最终返回至客户端的json:\n" + JSON.toJSONString(requestObject));
+		
+		requestObject = AccessVerifyer.removeAccessInfo(requestObject);
 
 		/**
 		 * TODO 格式化json，去除标记array内object位置的数字，转为[]形式，比如
@@ -68,7 +73,8 @@ public JSONObject parse(String json) {
 
 		QueryHelper.getInstance().close();
 //		QueryHelper2.getInstance().close();
-
+		
+		System.out.println(TAG + "\n\n最终返回至客户端的json:\n" + JSON.toJSONString(requestObject));
 		return requestObject;
 	}
 
@@ -144,7 +150,15 @@ private JSONObject getObject(String parentPath, final QueryConfig parentConfig,
 					config2.setLimit(parentConfig.getLimit()).setPage(parentConfig.getPage())
 							.setPosition(parentConfig.getPosition());//避免position > 0的object获取不到
 				}
-				JSONObject result = getSQLObject(config2);
+				JSONObject result = null;
+				try {
+					result = getSQLObject(config2);
+				} catch (AccessException e) {
+//					e.printStackTrace();
+					result = new JSONObject(true);
+					result.put("status", 403);
+					result.put("message", e.getMessage());
+				}
 				//				if (result != null) {
 				transferredRequest = result;
 				if (parseRelation) {
@@ -389,9 +403,11 @@ private JSONObject getJSONObject(JSONObject object, String key) {
 	/**获取数据库返回的String
 	 * @param config
 	 * @return
+	 * @throws AccessException 
 	 */
-	private synchronized JSONObject getSQLObject(QueryConfig config) {
+	private synchronized JSONObject getSQLObject(QueryConfig config) throws AccessException {
 		System.out.println("getSQLObject  config = " + JSON.toJSONString(config));
+		AccessVerifyer.verify(requestObject, config == null ? null : config.getTable());
 		return QueryHelper.getInstance().select(config);//QueryHelper2.getInstance().select(config);//
 	}
 
diff --git a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/sql/AccessVerifyer.java b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/sql/AccessVerifyer.java
@@ -0,0 +1,129 @@
+package zuo.biao.apijson.server.sql;
+
+import java.rmi.AccessException;
+
+import com.alibaba.fastjson.JSONObject;
+
+import zuo.biao.apijson.StringUtil;
+
+/**权限验证类
+ * @author Lemon
+ */
+public class AccessVerifyer {
+	private static final String TAG = "AccessVerifyer: ";
+
+	private static final int ACCESS_LOGIN = 1;
+	private static final int ACCESS_PAY = 2;
+
+	public static final String KEY_CURRENT_USER_ID = "currentUserId";
+	public static final String KEY_LOGIN_PASSWORD = "loginPassword";
+	public static final String KEY_PAY_PASSWORD = "payPassword";
+
+	//	public static final String[] LOGIN_ACCESS_TABLE_NAMES = {"Work", "Comment"};
+	public static final String[] PAY_ACCESS_TABLE_NAMES = {"Wallet"};
+
+	/**验证权限是否通过
+	 * @param request
+	 * @param tableName
+	 * @return
+	 */
+	public static boolean verify(JSONObject request, String tableName) throws AccessException {
+		try {
+			verify(request, getAccessId(tableName));
+		} catch (AccessException e) {
+			throw new AccessException(TAG + "verify  tableName = " + tableName + ", error = " + e.getMessage());
+		}
+		return true;
+	}
+
+
+	/**验证权限是否通过
+	 * @param request
+	 * @param accessId 可以直接在代码里写ACCESS_LOGIN等，或者建一个Access表，包括id和需要改权限的table的tableName列表
+	 * @return
+	 * @throws AccessException 
+	 */
+	public static boolean verify(JSONObject request, int accessId) throws AccessException {
+		if (accessId < 0 || request == null) {
+			return true;
+		}
+		long currentUserId = request.getLongValue(KEY_CURRENT_USER_ID);
+		if (currentUserId <= 0) {
+			throw new AccessException(TAG + "verify accessId = " + accessId
+					+ " >>  currentUserId <= 0, currentUserId = " + currentUserId);
+		}
+		String password;
+
+		switch (accessId) {
+		case ACCESS_LOGIN:
+			password = StringUtil.getString(request.getString(KEY_LOGIN_PASSWORD));
+			if (password.equals(StringUtil.getString(getLoginPassword(currentUserId))) == false) {
+				throw new AccessException(TAG + "verify accessId = " + accessId
+						+ " >> currentUserId or loginPassword error"
+						+ "  currentUserId = " + currentUserId + ", loginPassword = " + password);
+			}
+		case ACCESS_PAY:
+			password = StringUtil.getString(request.getString(KEY_PAY_PASSWORD));
+			if (password.equals(StringUtil.getString(getPayPassword(currentUserId))) == false) {
+				throw new AccessException(TAG + "verify accessId = " + accessId
+						+ " >> currentUserId or payPassword error"
+						+ "  currentUserId = " + currentUserId + ", payPassword = " + password);
+			}
+		default:
+			return true;
+		}
+	}
+
+	/**获取权限id
+	 * @param tableName
+	 * @return
+	 */
+	public static int getAccessId(String tableName) {
+		if (StringUtil.isNotEmpty(tableName, true) == false) {
+			return -1;
+		}
+		//		for (int i = 0; i < LOGIN_ACCESS_TABLE_NAMES.length; i++) {
+		//			if (tableName.equals(LOGIN_ACCESS_TABLE_NAMES[i])) {
+		//				return ACCESS_LOGIN;
+		//			}
+		//		}
+		for (int i = 0; i < PAY_ACCESS_TABLE_NAMES.length; i++) {
+			if (tableName.equals(PAY_ACCESS_TABLE_NAMES[i])) {
+				return ACCESS_PAY;
+			}
+		}
+		return -1;
+	}
+
+	/**获取登录密码
+	 * @param userId
+	 * @return
+	 */
+	public static String getLoginPassword(long userId) {
+		// TODO 查询并返回对应userId的登录密码
+		return "123456";//仅测试用
+	}
+
+	/**获取支付密码
+	 * @param userId
+	 * @return
+	 */
+	public static String getPayPassword(long currentUserId) {
+		// TODO 查询并返回对应userId的支付密码
+		return "123456";//仅测试用
+	}
+
+	/**删除请求里的权限信息
+	 * @param requestObject
+	 * @return
+	 */
+	public static JSONObject removeAccessInfo(JSONObject requestObject) {
+		if (requestObject != null) {
+			requestObject.remove(KEY_CURRENT_USER_ID);
+			requestObject.remove(KEY_LOGIN_PASSWORD);
+			requestObject.remove(KEY_PAY_PASSWORD);
+		}
+		return requestObject;
+	}
+
+}
diff --git a/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/sql/QueryHelper.java b/APIJSON(Server)/APIJSON(Eclipse_JEE)/src/main/java/zuo/biao/apijson/server/sql/QueryHelper.java
@@ -58,8 +58,12 @@ public Connection getConnection() throws Exception {
 	private static DatabaseMetaData metaData;
 	public void close() {
 		try {
-			statement.close();
-			connection.close();
+			if (statement != null && statement.isClosed() == false) {
+				statement.close();
+			}
+			if (connection != null && connection.isClosed() == false) {
+				connection.close();
+			}
 		} catch (SQLException e) {
 			e.printStackTrace();
 		}
