粗粒度权限控制(拦截是否登录、拦截用户名admin权限)

RBAC → 基于角色的权限控制

  1. tb_user
  2. tb_role
  3. tb_userrole
  4. tb_menu(增、删、改、查)
  5. tb_rolemenu

1 说明

我们给出三个页面:index.jsp、user.jsp、admin.jsp。

  1. index.jsp:谁都可以访问,没有限制;
  2. user.jsp:只有登录用户才能访问;
  3. admin.jsp:只有管理员才能访问。

 

2 分析

设计User类:username、password、grade,其中grade表示用户等级,1表示普通用户,2表示管理员用户。

当用户登录成功后,把user保存到session中。

创建LoginFilter,它有两种过滤方式:

  1. 如果访问的是user.jsp,查看session中是否存在user;
  2. 如果访问的是admin.jsp,查看session中是否存在user,并且user的grade等于2。

 

3 代码

User.java

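/**
 * A login account. Instances are created by UserService and, after a successful
 * login, stored in the session under the "user" attribute, where the JSP pages
 * read them through EL ({@code ${user.username}}), so JavaBean getters are required.
 */
public class User {

    /** Login name; also the key under which UserService stores the user. */
    private String username;

    /**
     * Password exactly as configured. This example keeps it in plain text and
     * compares it directly; a persistent store would hold a salted hash instead.
     */
    private String password;

    /** Privilege level: 1 = ordinary user, 2 = administrator. */
    private int grade;

    /** No-arg constructor so the class stays a plain JavaBean. */
    public User() {
    }

    /**
     * Creates a fully populated user.
     *
     * @param username login name
     * @param password password (plain text in this example)
     * @param grade    privilege level, 1 for an ordinary user, 2 for an administrator
     */
    public User(String username, String password, int grade) {
        this.username = username;
        this.password = password;
        this.grade = grade;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public int getGrade() {
        return grade;
    }

    public void setGrade(int grade) {
        this.grade = grade;
    }
}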

 

为了方便,这里就不使用数据库了,所以我们需要在UserService中创建一个Map,用来保存所有用户。Map中的key为用户名,value为User对象。

UserService.java

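/**
 * Authenticates users against a fixed in-memory table.
 *
 * The table stands in for a database in this example: it is filled once when the
 * class loads and never modified afterwards, so the service holds no per-instance
 * state and is safe to construct per request.
 */
public class UserService {

    /** All known users, keyed by username. Populated once in the static initializer. */
    private static final Map<String, User> users = new HashMap<String, User>();

    static {
        // grade 1 = ordinary user, grade 2 = administrator
        users.put("zhangSan", new User("zhangSan", "123", 1));
        users.put("liSi", new User("liSi", "123", 2));
    }

    /**
     * Looks up {@code username} and checks {@code password} against the stored one.
     *
     * @param username login name as submitted by the form; may be null
     * @param password password as submitted by the form; may be null
     * @return the matching User, or null when the name is unknown or the password
     *         does not match (the caller cannot tell which)
     */
    public User login(String username, String password) {
        if (username == null || password == null) {
            return null;
        }
        User user = users.get(username);
        if (user == null || user.getPassword() == null) {
            return null;
        }
        // Compare in constant time so the duration of a failed attempt does not
        // depend on how many leading characters of the guess were right.
        byte[] expected = user.getPassword().getBytes(java.nio.charset.StandardCharsets.UTF_8);
        byte[] supplied = password.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return java.security.MessageDigest.isEqual(expected, supplied) ? user : null;
    }
}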

 

login.jsp

  <body>

  <h1>登录</h1>

    <p style="font-weight: 900; color: red">${msg }</p>

    <form action="<c:url value='/LoginServlet'/>" method="post">

    用户名:<input type="text" name="username"/><br/>

    密 码:<input type="password" name="password"/><br/>

    <input type="submit" value="登录"/>

    </form>

  </body>

 

index.jsp

  <body>

    <h1>主页</h1>

    <h3>${user.username }</h3>

    <hr/>

    <a href="<c:url value='/login.jsp'/>">登录</a><br/>

    <a href="<c:url value='/user/user.jsp'/>">用户页面</a><br/>

    <a href="<c:url value='/admin/admin.jsp'/>">管理员页面</a>

  </body>

 

/user/user.jsp

<body>

<h1>用户页面</h1>

<h3>${user.username }</h3>

<hr/>

</body>

 

/admin/admin.jsp

<body>

  <h1>管理员页面</h1>

  <h3>${user.username }</h3>

  <hr/>

</body>

 

LoginServlet

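/**
 * Handles the POST from login.jsp. On success the User is placed in the session
 * under the "user" attribute, which LoginUserFilter and LoginAdminFilter read.
 */
public class LoginServlet extends HttpServlet {

    /**
     * Authenticates the submitted username/password through UserService.
     *
     * @param request  carries the "username" and "password" form fields
     * @param response receives either index.jsp (success) or login.jsp with a
     *                 "msg" attribute (failure)
     * @throws ServletException from the forwarding dispatcher
     * @throws IOException      from the forwarding dispatcher
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Must precede the first getParameter() call, otherwise the form fields
        // are decoded with the container default instead of UTF-8.
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html;charset=utf-8");

        String username = request.getParameter("username");
        String password = request.getParameter("password");

        UserService userService = new UserService();
        User user = userService.login(username, password);

        if (user == null) {
            // One message for both unknown user and wrong password.
            request.setAttribute("msg", "用户名或密码错误");
            request.getRequestDispatcher("/login.jsp").forward(request, response);
            return;
        }

        // Discard the session the browser held while anonymous and start a fresh one
        // before marking it as logged in, so a pre-login session id never becomes
        // an authenticated one.
        request.getSession().invalidate();
        request.getSession(true).setAttribute("user", user);
        request.getRequestDispatcher("/index.jsp").forward(request, response);
    }
}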

 

LoginUserFilter.java

  <filter>

    <display-name>LoginUserFilter</display-name>

    <filter-name>LoginUserFilter</filter-name>

    <filter-class>cn.itcast.filter.LoginUserFilter</filter-class>

  </filter>

  <filter-mapping>

    <filter-name>LoginUserFilter</filter-name>

    <url-pattern>/user/*</url-pattern>

  </filter-mapping>

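/**
 * Guards everything under /user/* (see the filter-mapping in web.xml): only
 * requests whose session holds a User, as stored by LoginServlet, pass through.
 */
public class LoginUserFilter implements Filter {

    @Override
    public void destroy() {}

    @Override
    public void init(FilterConfig fConfig) throws ServletException {}

    /**
     * Continues the chain for logged-in users; for anonymous visitors writes a
     * short message and ends the request without invoking the target.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        User user = currentUser(req);
        if (user == null) {
            // Content type is only needed for the text we write ourselves; the
            // protected JSP sets its own when the chain continues.
            response.setContentType("text/html;charset=utf-8");
            response.getWriter().print("您还没有登录");
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns the User stored under "user" in the existing session, or null when
     * there is no session or no such attribute. Uses getSession(false) so that an
     * anonymous visitor does not get a session created just to be turned away.
     */
    private static User currentUser(HttpServletRequest req) {
        if (req.getSession(false) == null) {
            return null;
        }
        return (User) req.getSession(false).getAttribute("user");
    }
}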

 

LoginAdminFilter.java

  <filter>

    <display-name>LoginAdminFilter</display-name>

    <filter-name>LoginAdminFilter</filter-name>

    <filter-class>cn.itcast.filter.LoginAdminFilter</filter-class>

  </filter>

  <filter-mapping>

    <filter-name>LoginAdminFilter</filter-name>

    <url-pattern>/admin/*</url-pattern>

  </filter-mapping>

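/**
 * Guards everything under /admin/* (see the filter-mapping in web.xml): the
 * request passes only when the session holds a User whose grade is 2 or higher.
 */
public class LoginAdminFilter implements Filter {

    /** Lowest grade that counts as administrator (1 = ordinary user, 2 = administrator). */
    private static final int ADMIN_GRADE = 2;

    @Override
    public void destroy() {}

    @Override
    public void init(FilterConfig fConfig) throws ServletException {}

    /**
     * Continues the chain for administrators. Anonymous visitors and logged-in
     * users below ADMIN_GRADE get a short message and the request ends there.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        User user = currentUser(req);
        if (user == null) {
            deny(response, "您还没有登录!");
            return;
        }
        if (user.getGrade() < ADMIN_GRADE) {
            deny(response, "您的等级不够!");
            return;
        }
        chain.doFilter(request, response);
    }

    /** Writes the refusal message; the content type is set here, not for pass-through requests. */
    private static void deny(ServletResponse response, String message) throws IOException {
        response.setContentType("text/html;charset=utf-8");
        response.getWriter().print(message);
    }

    /**
     * Returns the User stored under "user" in the existing session, or null when
     * there is no session or no such attribute. Uses getSession(false) so that an
     * anonymous visitor does not get a session created just to be turned away.
     */
    private static User currentUser(HttpServletRequest req) {
        if (req.getSession(false) == null) {
            return null;
        }
        return (User) req.getSession(false).getAttribute("user");
    }
}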


 
