Abstract: Role-based access control is a traditional software security technology；Web application framework technology comes out continually，such as struts and spring，they decouple Web application by MVC design pattern.It is a challenge to make full use of these frameworks，and implement a flexibly configured，scalable and maintainable access control mechanism.We present a novel access control method based on AOP，reflection，context propagation，XML technology.The method can work with MVC framework seamlessly.It not only makes the access control code be centrally controlled，but also keep Web application loose coupled at the same time.

Key words: access control, Web application, AOP, context propagating

摘要： 基于角色的访问控制是一种传统的软件安全技术；支持Web应用开发的框架技术层出不穷，如struts和spring框架基于MVC设计模式对Web应用进行了有效地解耦合。在这些框架技术下，如何充分使用这些框架带来的优势，实现一种配置灵活、扩展性强、易于维护的访问控制机制成为一个新的挑战。结合AOP、反射、上下文传播、XML技术给出了一种新颖的访问控制实现方法，这种方法能够同基于MVC设计模式的框架有机地结合起来，不仅使访问控制代码集中管理，而且在实现访问控制的同时，保持了原有Web应用的松耦合结构。

关键词: 访问控制, Web应用, AOP, 上下文传递