一般情况下,Web应用程序不能允许所有用户可以访问所有功能。换句话讲,不同的用户具有访问不同功能的权限。所以,需要完成权限控制功能
权限匹配:(属于URL权限控制,即粗粒度权限控制。注意:这类控制必须在服务端针对实际被请求的资源路径做判断,而不能只依赖客户端提交的参数;否则用户直接在地址栏访问受保护的URL即可绕过检查。)
User:
package demo3;
/**
 * Account row from {@code t_user} as loaded by LoginServlet and bound to the HTTP session
 * under the key "user"; {@link #getRole()} is the value AuthorFilter authorizes on.
 *
 * NOTE(review): the password travels in this bean as a plain String, and because LoginServlet
 * also fills the bean reflectively from the request parameter map, a client can submit a
 * {@code role} parameter as well — only the copy read back from the database should ever be
 * trusted for authorization, and the password should not remain in the session copy.
 */
public class User {

    private String username;
    private String password;
    private String role;

    /** @param username login name used in the {@code t_user} lookup */
    public void setUsername(String username) {
        this.username = username;
    }

    /** @return the login name, or null when not yet set */
    public String getUsername() {
        return this.username;
    }

    /** @param password raw credential as submitted / as stored (not a hash in this demo) */
    public void setPassword(String password) {
        this.password = password;
    }

    /** @return the raw password, or null when not set or cleared */
    public String getPassword() {
        return this.password;
    }

    /** @param role authorization role string, e.g. "user" or "admin" */
    public void setRole(String role) {
        this.role = role;
    }

    /** @return the role string, or null when not yet set */
    public String getRole() {
        return this.role;
    }
}
LoginServlet:
package demo3;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.sql.SQLException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.dbutils.QueryRunner;
import org.apache.commons.dbutils.handlers.BeanHandler;
import utils.C3P0Utils;
//完成用户登录功能
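/**
 * Authenticates against {@code t_user} and binds the database copy of the {@link User} (it
 * carries the role; the submitted bean does not) to a fresh session under the key "user".
 *
 * Security notes (review):
 *  - {@code password=?} compares the submitted value with the stored column verbatim, so the
 *    table holds plaintext passwords. It should store a salted bcrypt/scrypt/argon2 hash and
 *    the comparison should happen in Java after loading the row by username alone.
 *  - Login is also served on GET, which puts the credentials in the URL, browser history and
 *    access logs; the form should POST and doGet should eventually be removed.
 */
public class LoginServlet extends HttpServlet {

    /** GET is kept only for backward compatibility with existing forms; prefer POST. */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        login(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        login(request, response);
    }

    /**
     * Shared login flow for GET and POST. Infrastructure failures (reflection, database)
     * become a ServletException — a 500 from the container — instead of a printed stack
     * trace followed by an empty 200 response, as the original catch-all produced.
     */
    private void login(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        User submitted = new User();
        try {
            // Fills every setter whose name matches a request parameter — including role —
            // so the submitted bean is used for the lookup only, never for authorization.
            BeanUtils.populate(submitted, request.getParameterMap());
        } catch (IllegalAccessException e) {
            throw new ServletException("cannot read login form", e);
        } catch (InvocationTargetException e) {
            throw new ServletException("cannot read login form", e);
        }

        String username = submitted.getUsername();
        String password = submitted.getPassword();
        // A missing field is a failed login, not a query with NULL bind values.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            rejectLogin(request, response);
            return;
        }

        User loaded;
        try {
            QueryRunner runner = new QueryRunner(C3P0Utils.getDataSource());
            // Bind parameters: no SQL injection here (see the class note on plaintext passwords).
            loaded = runner.query(
                    "select * from t_user where username=? and password=?",
                    new BeanHandler<User>(User.class), username, password);
        } catch (SQLException e) {
            throw new ServletException("login query failed", e);
        }
        if (loaded == null) {
            rejectLogin(request, response);
            return;
        }

        // Session fixation defence: a session that existed before authentication (whose id an
        // attacker may have planted) is discarded before the principal is bound to a new one.
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        // Keep the DB copy (it has the role) but not the secret it was matched on.
        loaded.setPassword(null);
        request.getSession(true).setAttribute("user", loaded);
        // The original hard-coded "/day0107/index.jsp"; the rest of this demo assumes the
        // context path is /day0107, so deriving it keeps behaviour while untying the name.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    /** Re-renders the login form with one generic message (does not say which field was wrong). */
    private void rejectLogin(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.setAttribute("error_msg", "用户名或密码不正确");
        request.getRequestDispatcher("/demo3/login.jsp").forward(request, response);
    }
}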
TestServlet:
package demo3;
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
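/**
 * Tiny "dispatcher": redirects the browser to the page named in the {@code url} parameter
 * (index.jsp links to it as {@code servlet/TestServlet?url=user/look.jsp}), relative to this
 * web application's context path.
 *
 * Security note (review): the target is attacker-controlled. Without validation a value such
 * as {@code /evil.example} under a root deployment (empty context path) becomes the
 * protocol-relative {@code Location: //evil.example} — an open redirect — and {@code ..},
 * backslashes or percent-encoded characters can steer the browser to a path that
 * AuthorFilter did not evaluate. Only plain relative {@code dir/page.ext} targets are accepted.
 */
public class TestServlet extends HttpServlet {

    /** One path segment: letters, digits, '_' or '-', with optional dotted suffixes ("look.jsp"). */
    private static final String SEGMENT = "[A-Za-z0-9_-]+(?:\\.[A-Za-z0-9_-]+)*";

    /** Whole target: segments joined by single slashes; no leading slash, "..", "\", "%", ":" or "?". */
    private static final Pattern SAFE_TARGET = Pattern.compile(SEGMENT + "(?:/" + SEGMENT + ")*");

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String target = request.getParameter("url");
        if (!isSafeTarget(target)) {
            // Fail closed: refuse rather than redirect somewhere we did not intend.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid url");
            return;
        }
        response.sendRedirect(request.getContextPath() + "/" + target);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * @param target raw parameter value, may be null
     * @return true only for a non-null, purely relative path matching {@link #SAFE_TARGET}
     */
    static boolean isSafeTarget(String target) {
        return target != null && SAFE_TARGET.matcher(target).matches();
    }
}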
AuthorFilter:
package demo3;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/*
* 当前filter完成权限控制功能
*/
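/**
 * Coarse-grained (URL-level) authorization filter.
 *
 * Two things are checked on every request that reaches the filter:
 *  1. the real request path (servlet path + path info, i.e. decoded and container-normalized)
 *     whenever it points into a protected area — the {@code admin/} and {@code user/}
 *     directories of this project. This is what protects a browser that types
 *     {@code /admin/add.jsp} directly or follows TestServlet's redirect, where no {@code url}
 *     parameter exists (the original dereferenced the parameter unconditionally and NPE'd);
 *  2. the {@code url} parameter, when present (the index.jsp -> TestServlet dispatch style).
 *
 * Policy: role {@code admin} may reach everything; role {@code user} may reach only targets
 * whose directory part is exactly {@code user}; any other or missing role is denied (the
 * original treated every non-"user" role as admin). Requests that touch neither a protected
 * path nor a {@code url} parameter pass through untouched, so the filter can be mapped on
 * /admin/*, /user/* and the dispatcher without looping on the login page.
 *
 * Every denial forwards to /error.jsp and returns — the original fell through to
 * chain.doFilter after the forward, so the target servlet still ran on a committed response.
 */
public class AuthorFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // What is being asked for: the real path and the optional dispatch parameter.
        String pathArea = areaOf(requestPath(request));
        boolean pathProtected = isProtectedArea(pathArea);
        String param = request.getParameter("url");

        if (!pathProtected && param == null) {
            // Nothing here needs a role decision (login page, index, static assets ...).
            chain.doFilter(request, resp);
            return;
        }

        // Who is asking. Anonymous requests for protected content are denied explicitly.
        Object principal = request.getSession().getAttribute("user");
        if (!(principal instanceof User)) {
            deny(request, resp, "请先登录");
            return;
        }
        String role = ((User) principal).getRole();

        // The real path is checked first, so a direct GET /admin/add.jsp?url=user/look.jsp
        // cannot borrow the parameter's verdict.
        if (pathProtected && !isAllowed(role, pathArea)) {
            deny(request, resp, "你没有该权限");
            return;
        }
        if (param != null && (!isCleanTarget(param) || !isAllowed(role, areaOf(param)))) {
            deny(request, resp, "你没有该权限");
            return;
        }
        chain.doFilter(request, resp);
    }

    /** Servlet path plus path info without the leading slash, e.g. "admin/add.jsp". */
    private static String requestPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        String path = (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
        return path.startsWith("/") ? path.substring(1) : path;
    }

    /**
     * Directory part of a relative target — everything before the last slash ("user" for
     * "user/look.jsp", "a/b" for "a/b/c.jsp") — or null when there is no slash. This is the
     * same prefix rule the original used, so the user-role policy is unchanged.
     */
    static String areaOf(String target) {
        if (target == null) {
            return null;
        }
        int slash = target.lastIndexOf('/');
        return slash < 0 ? null : target.substring(0, slash);
    }

    /** The two directories this project places role-restricted pages under. */
    static boolean isProtectedArea(String area) {
        return "admin".equals(area) || "user".equals(area);
    }

    /**
     * Screens a client-supplied target: absolute paths, traversal, backslashes (normalized to
     * slashes by browsers), percent-encoding and scheme separators are refused outright.
     */
    static boolean isCleanTarget(String target) {
        return !target.isEmpty()
                && !target.startsWith("/")
                && !target.contains("..")
                && !target.contains("\\")
                && !target.contains("%")
                && !target.contains(":");
    }

    /** Admin may do everything; a plain user only the "user" area; anything else is denied. */
    static boolean isAllowed(String role, String area) {
        if ("admin".equals(role)) {
            return true;
        }
        if ("user".equals(role)) {
            return "user".equals(area);
        }
        return false;
    }

    /** Renders /error.jsp with the given message; callers must return right after. */
    private static void deny(HttpServletRequest request, ServletResponse resp, String message)
            throws ServletException, IOException {
        request.setAttribute("error_msg", message);
        request.getRequestDispatcher("/error.jsp").forward(request, resp);
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}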
admin:
add.jsp和delete.jsp:
<%-- add.jsp / delete.jsp: the admin-only pages. Nothing on the page itself checks the
     session or role — access control rests entirely on AuthorFilter being mapped so that
     it sees requests for admin/*, not just the TestServlet dispatch parameter. --%>
<body>
<h1>这是商品添加页面</h1>
</body>
<body>
<h1>这是商品删除页面</h1>
</body>
user:
buy.jsp cart.jsp look.jsp order.jsp
error.jsp:
<%-- error.jsp: ${error_msg } is emitted unescaped. In this project it is only ever set to
     constant strings by LoginServlet and AuthorFilter; if it is ever populated from request
     input, switch to <c:out value="${error_msg }"/> to avoid reflected XSS. --%>
<body>
<h1><span style="color:red;">${error_msg }</span></h1>
</body>
index.jsp:
<%-- index.jsp: landing page; "user" is the session attribute bound by LoginServlet. --%>
<body>
<c:if test="${empty user }">
<h1><a href="${pageContext.request.contextPath }/demo3/login.jsp">请先去登录</a></h1>
</c:if>
<c:if test="${not empty user }">
<%-- NOTE(review): ${user.username } is rendered unescaped. It comes from t_user, so if
     usernames can be chosen by users (registration is not shown here) this is a stored-XSS
     sink; <c:out value="${user.username }"/> would escape it. --%>
<h1>欢迎你,${user.username }</h1>
<h4>以下是功能列表</h4>
<%-- Every logged-in role sees every link, admin ones included. The menu is not the access
     control: AuthorFilter is, and it has to protect the real admin/ and user/ paths, not only
     the url parameter these links hand to TestServlet (the browser ends up requesting the
     JSP directly after the redirect). --%>
<h5><a href="servlet/TestServlet?url=user/look.jsp">查询商品</a></h5>
<h5><a href="servlet/TestServlet?url=user/buy.jsp">购买商品</a></h5>
<h5><a href="servlet/TestServlet?url=user/cart.jsp">查看购物车</a></h5>
<h5><a href="servlet/TestServlet?url=user/order.jsp">提交订单</a></h5>
<h5><a href="servlet/TestServlet?url=admin/add.jsp">添加商品</a></h5>
<h5><a href="servlet/TestServlet?url=admin/delete.jsp">删除商品</a></h5>
</c:if>
</body>
c3p0Utils:
package utils;
import java.beans.PropertyVetoException;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;
import com.mchange.v2.c3p0.ComboPooledDataSource;
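/**
 * Holds the single c3p0 pool for the application (configured from c3p0-config.xml on the
 * classpath) and offers a helper for closing JDBC resources.
 */
public class C3P0Utils {

    // ComboPooledDataSource picks up <default-config> from c3p0-config.xml.
    private static final DataSource dataSource = new ComboPooledDataSource();

    /** @return the shared pooled DataSource */
    public static DataSource getDataSource() {
        return dataSource;
    }

    /**
     * Borrows a connection from the pool.
     *
     * @throws RuntimeException with message "服务器错误" wrapping the SQLException — the original
     *         threw the same message but dropped the cause, so pool and credential problems
     *         were invisible in the resulting stack trace
     */
    public static Connection getConnection() {
        try {
            return dataSource.getConnection();
        } catch (SQLException e) {
            throw new RuntimeException("服务器错误", e);
        }
    }

    /**
     * Closes the result set, statement and connection in that order. Nulls are skipped and a
     * failing close() is reported but does not prevent the remaining closes. For the pooled
     * connection, close() is expected to hand it back to c3p0 rather than drop the socket.
     * (The original also reset the parameters to null, which had no effect on the caller.)
     */
    public static void release(Connection conn, Statement stmt, ResultSet rs) {
        if (rs != null) {
            try {
                rs.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (stmt != null) {
            try {
                stmt.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        if (conn != null) {
            try {
                conn.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}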
c3p0-config.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  c3p0 pool settings read by C3P0Utils (new ComboPooledDataSource() loads <default-config>).
  Review notes:
   - The web application connects as "root" with a password committed in this file, i.e.
     full MySQL privileges for every query the app runs. Use a dedicated account limited to
     the day0107 schema, and inject the password from outside the repository (environment,
     JNDI datasource or an untracked properties file) rather than shipping it in source.
   - Nothing in the jdbcUrl configures TLS; whether the localhost connection is encrypted is
     left to the driver's defaults.
-->
<c3p0-config>
<default-config>
<property name="driverClass">com.mysql.jdbc.Driver</property>
<property name="jdbcUrl">jdbc:mysql://localhost:3306/day0107</property>
<!-- least-privilege account + externalized secret recommended; see note above -->
<property name="user">root</property>
<property name="password">123456</property>
<property name="initialPoolSize">10</property>
<property name="maxIdleTime">30</property>
<property name="maxPoolSize">100</property>
<property name="minPoolSize">10</property>
</default-config>
</c3p0-config>
数据库: