Two goals of permission management
1. A user who has not logged in must not be able to perform any operation
2. Assign permissions according to the user's role, i.e. the URLs that role is allowed to access
Implementation approach
Option 1 (chosen): the most basic implementation, using servlet Filters
Option 2 (not used): the Spring Security framework, which is based on Spring Boot; my project does not use that framework
Two filter classes, LoginFilter and AccessFilter, are configured in web.xml. Their order must not be changed: LoginFilter runs before AccessFilter.
```
<!-- web.xml: filter-mapping order determines execution order, so LoginFilter is declared first -->
<filter>
    <filter-name>LoginFilter</filter-name>
    <filter-class>cn.edu.jxau.framework.filter.LoginFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>LoginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>AccessFilter</filter-name>
    <filter-class>cn.edu.jxau.framework.filter.AccessFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AccessFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
**LoginFilter**
After a successful login the user should be stored in the session; the filter reads it back from the session to decide whether the request may proceed.
```
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        String url = httpServletRequest.getRequestURI();
        // System.out.println("Hello everyone, I am the interceptor, today I intercepted: " + url);
        // The login handler stores the logged-in user in the session under the session id as key
        HttpSession session = httpServletRequest.getSession();
        boolean loggedIn = session.getAttribute(session.getId()) != null;
        // Let the request through if the user is logged in,
        // or if it is the login, registration or forgotten-password flow.
        // Note: endsWith is a suffix match, so any URL ending in one of these words is exempted too.
        if (url.endsWith("login") || url.endsWith("sendCode") || url.endsWith("registerPhone") || url.endsWith("forgetPassword") || loggedIn) {
            chain.doFilter(httpServletRequest, httpServletResponse);
        } else {
            System.out.println("请先登录");
            // Without an explicit response the client would receive an empty reply; answer 401 instead
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "请先登录");
        }
    }

    @Override
    public void destroy() {
    }
}
```
Permission control implementation (based on RBAC)
Approach 1 (chosen): after a successful login, take the user's role id, pass it to the database and join across tables to query the permissions for that role. Store those permissions in the session. The filter then reads the permissions from the session: if the requested URL matches a URL in the session, the request is let through; if not, it is intercepted. That is how permission control is implemented.
Approach 2 (not used): after a successful login, pass the user id to the database and join across tables to query the user's permissions directly (the filter would call service-layer methods directly, which approach 1 does not do); if the requested URL matches a URL returned by the query, let it through, otherwise intercept it.
```
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccessFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
        String url = httpServletRequest.getRequestURI();
        System.out.println("我请求的url为" + url);
        // Login, registration and forgotten-password requests are not intercepted
        if (url.endsWith("login") || url.endsWith("sendCode") || url.endsWith("registerPhone") || url.endsWith("forgetPassword")) {
            chain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        // Read the user's permissions from the session (stored there by the service layer at login)
        @SuppressWarnings("unchecked")
        List<AccessDo> accessDo = (List<AccessDo>) httpServletRequest.getSession().getAttribute("userAccess");
        System.out.println("filter" + accessDo);
        boolean allowed = false;
        if (accessDo != null) { // null when no permissions were loaded for this session
            for (AccessDo accessDo1 : accessDo) {
                String access_url = accessDo1.getAccess_url();
                System.out.println("允许的url为" + access_url);
                // Stop at the first matching permission.
                // Note: indexOf is a substring match, looser than the exact comparison described above.
                if (url.indexOf(access_url) >= 0) {
                    allowed = true;
                    break;
                }
            }
        }
        if (allowed) {
            // Call chain.doFilter exactly once; calling it inside the loop would run the chain
            // once per matching permission
            chain.doFilter(httpServletRequest, httpServletResponse);
        } else {
            // Without an explicit response the client would receive an empty reply; answer 403 instead
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override
    public void destroy() {
    }
}
```
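As an added example that is not part of the original project, the decision the two filters make is pulled into one plain class so it can be run without a servlet container: the public paths from the page are matched as whole paths, the session check is represented by a boolean, and the role's access_url rows become a list of paths that match exactly or on a whole path segment. The class and method names, the sample role permissions and the request paths are all constructed for illustration.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not the project's code: the allow/deny decision of LoginFilter + AccessFilter in one place.
public class UrlAccessDecision {

    public enum Decision { ALLOW, LOGIN_REQUIRED, FORBIDDEN }

    // Public endpoints from the page, matched as whole paths rather than by suffix.
    static final Set<String> PUBLIC_PATHS = new HashSet<>(
            Arrays.asList("/login", "/sendCode", "/registerPhone", "/forgetPassword"));

    // Resolve "./" and "../" and drop a trailing slash so two spellings of one path compare equal.
    static String normalize(String requestUri) {
        String path = URI.create(requestUri).normalize().getPath();
        return (path.length() > 1 && path.endsWith("/")) ? path.substring(0, path.length() - 1) : path;
    }

    // Exact match or match on a whole segment: "/order" permits "/order/list" but not "/orders".
    // A substring check would also accept any path that merely contains the permitted path.
    static boolean permitted(String path, List<String> allowedUrls) {
        for (String allowed : allowedUrls) {
            if (path.equals(allowed) || path.startsWith(allowed + "/")) {
                return true;
            }
        }
        return false;
    }

    // loggedIn stands for the session check; allowedUrls for the role's access_url rows kept in the session.
    public static Decision decide(String requestUri, boolean loggedIn, List<String> allowedUrls) {
        String path = normalize(requestUri);
        if (PUBLIC_PATHS.contains(path)) return Decision.ALLOW;
        if (!loggedIn) return Decision.LOGIN_REQUIRED;
        return permitted(path, allowedUrls) ? Decision.ALLOW : Decision.FORBIDDEN;
    }

    public static void main(String[] args) {
        List<String> roleUrls = Arrays.asList("/user/profile", "/order"); // constructed role permissions
        System.out.println(decide("/login", false, roleUrls));                      // public endpoint, no session
        System.out.println(decide("/order/list", false, roleUrls));                 // protected path, no session
        System.out.println(decide("/order/list/", true, roleUrls));                 // trailing-slash spelling
        System.out.println(decide("/order/../admin/user/delete", true, roleUrls));  // dot segments leave the permitted tree
        System.out.println(decide("/admin/user/profile", true, roleUrls));          // contains "/user/profile" but is not under it
    }
}
```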
SQL statement
```
SELECT a.* FROM access a WHERE a.access_id IN (SELECT ar.access_id FROM access_role ar WHERE ar.role_id=?)
```
Service layer (BaseDao is a base class we wrote ourselves that parses and executes SQL statements; to map this onto your own code, just pass the corresponding parameters)
```
// At login, query the operation permissions of the user's role and put them into the session for permission control
int role_id = userDo.getRole_id();
List<Object> params1 = new ArrayList<>();
params1.add(role_id);
// "getUserAccess" refers to the SQL statement above; role_id fills its "?" placeholder
List userAccess = new BaseDao().executeSql("getUserAccess", params1, true);
```
Storing it in the session
```
// AccessFilter later reads this attribute under the same key, "userAccess"
if (data.get("userAccess") != null) {
    req.getSession().setAttribute("userAccess", data.get("userAccess"));
}
```