粗粒度权限控制（拦截是否登录、拦截用户名admin权限）

RBAC à 基于角色的权限控制

1. tb_user
2. tb_role
3. tb_userrole
4. tb_menu(增、删、改、查)
5. tb_rolemenu

1　说明

我们给出三个页面：index.jsp、user.jsp、admin.jsp。

1. index.jsp：谁都可以访问，没有限制；
2. user.jsp：只有登录用户才能访问；
3. admin.jsp：只有管理员才能访问。

 

2　分析

设计User类：username、password、grade，其中grade表示用户等级，1表示普通用户，2表示管理员用户。

当用户登录成功后，把user保存到session中。

创建LoginFilter，它有两种过滤方式：

1. 如果访问的是user.jsp，查看session中是否存在user；
2. 如果访问的是admin.jsp，查看session中是否存在user，并且user的grade等于2。

 

3　代码

User.java

public class User {     private String username;     private String password;     private int grade[崔1] ; … }

 

为了方便，这里就不使用数据库了，所以我们需要在UserService中创建一个Map，用来保存所有用户。Map中的key中用户名，value为User对象。

UserService.java

public class UserService {     private static Map users [崔2] = new HashMap();     static {        users.put("zhangSan", new User("zhangSan", "123", 1));        users.put("liSi", new User("liSi", "123", 2)); [崔3]    }         public User login[崔4] (String username, String password) {        User user = users.get(username);[崔5]         if(user == null) return null;[崔6]         return user.getPassword().equals(password) ? user : null;[崔7]      } }

 

login.jsp

<body>   <h1>登录h1>     <p style="font-weight: 900; color: red">${msg }[崔8] p>     <form action="<c:url value='/LoginServlet'/>" method="post">     用户名：<input type="text" name="username"/><br/>     密　码：<input type="password" name="password"/><br/>     <input type="submit" value="登录"/>     form>   body>

 

index.jsp

<body>     <h1>主页h1>     <h3>${user.username }h3>     <hr/>     <a href="<c:url value='/login.jsp'/>">登录a><br/>     <a href="<c:url value='/user/user.jsp'/>">用户页面a><br/>     <a href="<c:url value='/admin/admin.jsp'/>">管理员页面a>   body>

 

/user/user.jsp

<body> <h1>用户页面h1> <h3>${user.username }h3> <hr/> body>

 

/admin/admin.jsp

<body>   <h1>管理员页面h1>   <h3>${user.username }h3>   <hr/> body>

 

LoginServlet

public class LoginServlet extends HttpServlet {     public void doPost(HttpServletRequest request, HttpServletResponse response)            throws ServletException, IOException {        request.setCharacterEncoding("utf-8");        response.setContentType("text/html;charset=utf-8");               String username = request.getParameter("username");        String password = request.getParameter("password"); [崔9]        UserService userService = new UserService();        User user = userService.login(username, password);[崔10]         if(user == null[崔11] ) {            request.setAttribute("msg", "用户名或密码错误");            request.getRequestDispatcher("/login.jsp").forward(request, response); [崔12]       } else {            request.getSession().setAttribute("user", user);            request.getRequestDispatcher("/index.jsp").forward(request, response); [崔13]       }     } }

 

LoginUserFilter.java

<filter>     <display-name>LoginUserFilterdisplay-name>     <filter-name>LoginUserFilterfilter-name>     <filter-class>cn.itcast.filter.LoginUserFilterfilter-class>   filter>   <filter-mapping>     <filter-name>LoginUserFilterfilter-name>     <url-pattern>/user/*[崔14] url-pattern>   filter-mapping>

public class LoginUserFilter implements Filter {     public void destroy() {}     public void init(FilterConfig fConfig) throws ServletException {}       public void doFilter(ServletRequest request, ServletResponse response,            FilterChain chain) throws IOException, ServletException {        response.setContentType("text/html;charset=utf-8");        HttpServletRequest req = (HttpServletRequest) request;        User user = (User) req.getSession().getAttribute("user");[崔15]         if(user == null)[崔16]  {            response.getWriter().print("您还没有登录");[崔17]             return;[崔18]         }        chain.doFilter(request, response);[崔19]      } }

 

LoginAdminFilter.java

<filter>     <display-name>LoginAdminFilterdisplay-name>     <filter-name>LoginAdminFilterfilter-name>     <filter-class>cn.itcast.filter.LoginAdminFilterfilter-class>   filter>   <filter-mapping>     <filter-name>LoginAdminFilterfilter-name>     <url-pattern>/admin/*[崔20] url-pattern>   filter-mapping>

public class LoginAdminFilter implements Filter {     public void destroy() {}     public void init(FilterConfig fConfig) throws ServletException {}       public void doFilter(ServletRequest request, ServletResponse response,            FilterChain chain) throws IOException, ServletException {        response.setContentType("text/html;charset=utf-8");        HttpServletRequest req = (HttpServletRequest) request;        User user = (User) req.getSession().getAttribute("user");[崔21]         if(user == null) {            response.getWriter().print("您还没有登录!");            return;        }        if(user.getGrade() < 2) {            response.getWriter().print("您的等级不够！");            return;        }        chain.doFilter(request, response);[崔24]      } }

---