
Permission Management System - 4 Permission Check: Resource Accessibility

Date: 2020-12-05 15:14:38

User login - permission check: resource accessibility

3.1 Getting the request URL

(1) Create the filter: com.itheima.web.filters.AuthorFilter

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(value = "/*")
public class AuthorFilter implements Filter {

    private FilterConfig filterConfig;

    /**
     * Initialization method: keeps the filter's configuration object
     * @param filterConfig
     * @throws ServletException
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
        //1. declare the protocol-specific request and response objects
        HttpServletRequest request;
        HttpServletResponse response;
        try{
            //2. cast the parameters to the protocol-specific objects
            request = (HttpServletRequest)req;
            response = (HttpServletResponse)resp;

            //1. get the operation being requested
            String url = request.getRequestURI();
            String queryString = request.getQueryString();

            //1. URI obtained at this point:   /system/dept
            url = url.substring(1);
            //2. query string obtained at this point:   operation=list       operation=toEdit&id=100
            //   keep only the first parameter (the operation); note that getQueryString()
            //   returns null for a request without a query string
            int index = queryString.indexOf('&');
            if(index != -1){
                queryString = queryString.substring(0,index);
            }
            url = url + "?" + queryString;

            //2. get the operations the logged-in user is allowed to perform

            //3. check whether this operation is within the allowed operations
            //3.1 allowed: let the request through
            //3.2 not allowed: redirect to the unauthorized page

            //6. let the request through
            chain.doFilter(request,response);
        }catch (Exception e){
            e.printStackTrace();
        }
    }

    @Override
    public void destroy() {
        //clean-up work can go here
    }
}

3.2 Getting the operations the logged-in user may perform

(1) After a successful login, the modules belonging to the user's roles must be stored in the session. Find the login method in UserServlet:

private void login(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String email = request.getParameter("email");
    String pwd = request.getParameter("password");
    User user = userService.login(email,pwd);
    if(user != null) {
        request.getSession().setAttribute("loginUser", user);
        //login succeeded: load all modules of the roles this user holds
        List<Module> moduleList = userService.findModuleById(user.getId());
        request.setAttribute("moduleList",moduleList);

        //join the URLs of every module the user may operate into one comma-separated string
        StringBuffer sbf = new StringBuffer();
        for(Module m: moduleList){
            sbf.append(m.getCurl());
            sbf.append(',');
        }
        request.getSession().setAttribute("authorStr",sbf.toString());

        //forward to the main page
        request.getRequestDispatcher("/WEB-INF/pages/home/main.jsp").forward(request, response);
    }else{
        response.sendRedirect(request.getContextPath()+"/login.jsp");
    }
}

(2) Modify AuthorFilter

@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
    //1. declare the protocol-specific request and response objects
    HttpServletRequest request;
    HttpServletResponse response;
    HttpSession session;
    try{
        //2. cast the parameters to the protocol-specific objects
        request = (HttpServletRequest)req;
        response = (HttpServletResponse)resp;
        session = request.getSession();
        //1. get the operation being requested
        String url = request.getRequestURI();
        //static resources and public pages: .css  .js  .png  .jpg  index.jsp  login.jsp
        if(url.endsWith(".css")
           || url.endsWith(".js")
           || url.endsWith(".png")
           || url.endsWith(".jpg")
           || url.endsWith("index.jsp")
           || url.endsWith("login.jsp")){
            chain.doFilter(request,response);
            return;
        }
        //the login operation itself needs no authorization entry
        //(getQueryString() returns null for a request without a query string)
        String queryString = request.getQueryString();
        if(queryString.endsWith("operation=login")){
            chain.doFilter(request,response);
            return;
        }


        //1. URI obtained at this point:   /system/dept
        url = url.substring(1);
        //2. query string obtained at this point:   operation=list       operation=toEdit&id=100
        //   keep only the first parameter (the operation)
        int index = queryString.indexOf('&');
        if(index != -1){
            queryString = queryString.substring(0,index);
        }
        url = url + "?" + queryString;

        //2. get the operations the logged-in user is allowed to perform
        String authorStr = session.getAttribute("authorStr").toString();
        //3. check whether this operation is within the allowed operations
        //3.1 allowed: let the request through
        //3.2 not allowed: redirect to the unauthorized page

        //6. let the request through
        chain.doFilter(request,response);
    }catch (Exception e){
        e.printStackTrace();
    }
}

(3) Start the project and add some module records through the module management function.


Then grant those modules to the corresponding roles in role management.

3.3 Permission check

Start authorizing

(1) Find the module page /unauthorized.jsp in the day03 course materials and copy it into the project's webapp directory.

(2) Modify AuthorFilter

@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request;
    HttpServletResponse response;
    HttpSession session;
    try{
        request = (HttpServletRequest)req;
        response = (HttpServletResponse)resp;
        session = request.getSession();

        //1. get the operation being requested
        String url = request.getRequestURI();
        //static resources and public pages: .css  .js  .png  .jpg  index.jsp  unauthorized.jsp  login.jsp
        if(url.endsWith(".css")
           || url.endsWith(".js")
           || url.endsWith(".png")
           || url.endsWith(".jpg")
           || url.endsWith("index.jsp")
           || url.endsWith("unauthorized.jsp")
           || url.endsWith("login.jsp")){
            chain.doFilter(request,response);
            return;
        }
        //login, home and logout need no authorization entry
        //(getQueryString() returns null for a request without a query string)
        String queryString = request.getQueryString();
        if(queryString.endsWith("operation=login")
           ||queryString.endsWith("operation=home")
           ||queryString.endsWith("operation=logout")){
            chain.doFilter(request,response);
            return;
        }
        //1. URI obtained at this point:   /system/dept
        url = url.substring(1);
        //2. query string obtained at this point:   operation=list       operation=toEdit&id=100
        //   keep only the first parameter (the operation)
        int index = queryString.indexOf('&');
        if(index != -1){
            queryString = queryString.substring(0,index);
        }
        url = url + "?" + queryString;

        //2. get the operations the logged-in user is allowed to perform
        String authorStr = session.getAttribute("authorStr").toString();

        //3. check whether this operation is within the allowed operations
        //   (substring match against the comma-joined list)
        if(authorStr.contains(url)){
            //3.1 allowed: let the request through
            chain.doFilter(request,response);
            return;
        }else{
            //3.2 not allowed: redirect to the unauthorized page
            response.sendRedirect(request.getContextPath()+"/unauthorized.jsp");
        }
    }catch (Exception e){
        e.printStackTrace();
    }
}
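As an added example (not part of the course code), the following class shows why the authorStr.contains(url) test in the filter above is better replaced by an exact match: it turns the same comma-joined authorStr that login() stores in the session into a set, builds the "path?operation=..." key the same way the filter does but tolerates a missing query string, and compares substring matching with exact matching for a few constructed requests. The class name OperationAccessCheck and the sample authorStr are assumptions.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example, not the course's own code: exact-match check for "path?operation=x" keys.
public final class OperationAccessCheck {
    private final Set<String> allowedOps;

    // authorStr is the comma-joined string that login() stores under the session key "authorStr".
    public OperationAccessCheck(String authorStr) {
        Set<String> ops = new HashSet<>();
        for (String op : authorStr.split(",")) {
            if (!op.trim().isEmpty()) ops.add(op.trim());
        }
        this.allowedOps = Collections.unmodifiableSet(ops);
    }

    // Builds the key the same way AuthorFilter does (strip the leading '/', keep only the first
    // query parameter), but a request without a query string yields "path?" instead of throwing.
    public static String operationOf(String requestUri, String queryString) {
        String path = requestUri.startsWith("/") ? requestUri.substring(1) : requestUri;
        if (queryString == null) return path + "?";
        int amp = queryString.indexOf('&');
        return path + "?" + (amp == -1 ? queryString : queryString.substring(0, amp));
    }

    // Exact membership instead of authorStr.contains(url).
    public boolean isAllowed(String op) {
        return allowedOps.contains(op);
    }

    public static void main(String[] args) {
        // Constructed sample: the user may list users and open the add form, nothing else.
        String authorStr = "system/user?operation=list,system/user?operation=toAdd,";
        OperationAccessCheck check = new OperationAccessCheck(authorStr);
        String[][] requests = {
            {"/system/user", "operation=toAdd"},        // granted by both checks
            {"/system/user", "operation=toAdd&id=100"}, // extra parameters are dropped, granted
            {"/system/user", "operation=to"},           // substring: granted, exact: denied
            {"/system/user", null},                     // no query string: substring grants "system/user?"
            {"/system/dept", "operation=list"},         // not in the list: denied by both
        };
        for (String[] r : requests) {
            String op = operationOf(r[0], r[1]);
            System.out.printf("%-32s substring=%-5b exact=%b%n", op, authorStr.contains(op), check.isAllowed(op));
        }
    }
}
```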

(3) For page elements the user is not allowed to operate, we simply keep them out of sight. How? Add a condition in the page. One example follows; the other operations are handled the same way.

Open /WEB-INF/pages/system/user/list.jsp

<div class="btn-group">
    <c:if test="${sessionScope.authorStr.contains('system/user?operation=toAdd')}">
        <button type="button" class="btn btn-default" title="新建" onclick='location.href="${ctx}/system/user?operation=toAdd"'><i class="fa fa-file-o"></i> 新建</button>
    </c:if>
    <button type="button" class="btn btn-default" title="删除" onclick='deleteById()'><i class="fa fa-trash-o"></i> 删除</button>
    <button type="button" class="btn btn-default" title="刷新" onclick="window.location.reload();"><i class="fa fa-refresh"></i> 刷新</button>
    <c:if test="${sessionScope.authorStr.contains('system/user?operation=userRoleList')}">
        <button type="button" class="btn btn-default" title="角色" onclick="roleList()"><i class="fa fa-user-circle-o"></i> 角色</button>
    </c:if>
</div>


Original: https://www.cnblogs.com/60kmph/p/14089386.html
