权限管理用户组和权限组的多表查询
这次我们体验一下多表的业务逻辑,顺便巩固过滤器的知识。
首先我们要做权限管理系统必须得先思考的是mysql表的建立,因为数据库表的设计是做一个项目的重要部分。
下面我们先对权限管理分析:
权限表及相关内容大体可以用六个表来描述,如下:
1 角色(即用户组)表:包括三个字段,ID,角色名,对该角色的描述;
2 用户表:包括三个或以上字段,ID,用户名,对该用户的描述,其它(如地址、电话等信息);
3 角色-用户对应表:该表记录用户与角色之间的对应关系,一个用户可以隶属于多个角色,一个角色组也可拥有多个用户。包括三个字段,ID,角色ID,用户ID;
4 限制内容列表:该表记录所有需要加以权限区分限制的数据表、功能和字段等内容及其描述,包括三个字段,ID,名称,描述;
5 权限列表:该表记录所有要加以控制的权限,如录入、修改、删除、执行等,也包括三个字段,ID,名称,描述;
6 权限-角色-用户对应表:一般情况下,我们对角色/用户所拥有的权限做如下规定,角色拥有明令允许的权限,其它一律禁止,用户继承所属角色的全部权限,在此范围内的权限除明令禁止外全部允许,范围外权限除明令允许外全部禁止。该表的设计是权限管理的重点,设计的思路也很多,可以说各有千秋,不能生搬硬套说某种方法好。对此,我的看法是就个人情况,找自己觉得合适能解决问题的用。
下面是设计表的建立:(附上链接)
说明下:
权限表 pages ;权限表于权限组的映射表:pg_pages_groups ; 权限组:page_groups
用户表 users ;用户组和权限组的映射表:role_page_group ; 用户组:roles
添加了映射表的就说明该表是属于多对多的关系
其中的关系可以自己再理解理解
有了数据库,接下来就是java代码的编写了:
用户登录的jsp页面(简单的):
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<% String path = request.getContextPath();
String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort()+ path + "/";%>
<!DOCTYPE html>
<html>
<head>
<base href="<%=basePath%>">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<form action="LoginServlet">
用户名:<input type="text" name="name"><br>
密 码:<input type="password" name="pwd"><br>
<input type="submit" value="登录">
</form>
</body>
</html>
登录的Loginservlet:
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.shy.dao.UserDao;
import org.shy.entity.User;
import org.shy.service.UserService;
/**
* Servlet implementation class LoginServlet
*/
@WebServlet("/LoginServlet")
public class LoginServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
/**
* @see HttpServlet#HttpServlet()
*/
public LoginServlet() {
super();
// TODO Auto-generated constructor stub
}
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
//获取页面上的数据
String name = request.getParameter("name");
String pwd = request.getParameter("pwd");
User user = new UserService().get(name, pwd);
if(user!=null) {
//获取数据传入session
HttpSession session = request.getSession();
session.setAttribute("user", user);
response.sendRedirect(request.getContextPath() + "/index.jsp");
}else {
PrintWriter out = response.getWriter();
out.write("账号或密码错误");
}
}
/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
doGet(request, response);
}
}
我们对权限管理的操作少不了filter过滤器的使用:
下面就是我的PermissionFilter:
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.servlet4preview.http.HttpFilter;
import org.apache.catalina.servlet4preview.http.HttpServletRequest;
import org.lg.entity.Role;
import org.lg.entity.User;
import org.lg.service.UserService;
/**
* Servlet Filter implementation class PermissionFilter
*/
@WebFilter("/*")
public class PermissionFilter extends HttpFilter {
@Override
public void destroy() {
}
@Override
protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
User user = (User)request.getSession().getAttribute("user");
//获取访问的路径
String path = request.getServletPath();
if(user==null) {
//未登录
user=new User();
user.setRole(3);
//传入角色和地址,判断能不能访问
boolean flag=new UserService().check((User)user, path);
if(flag==true) {
chain.doFilter(request, response);
}else {
request.setAttribute("msg", "权限不足");
request.getRequestDispatcher("/info.jsp").forward(request, response);
}
}else {
//登录
boolean flag=new UserService().check((User)user, path);
if(flag==true) {
chain.doFilter(request, response);
}else {
request.setAttribute("msg", "权限不足");
request.getRequestDispatcher("/info.jsp").forward(request, response);
}
}
}
}
下面是用户的业务层:
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import org.shy.dao.UserDao;
import org.shy.entity.User;
public class UserService {
//查询所有的用户
public List<User> getAll() {
List<User> all = null;
try {
all = new UserDao().getAll();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return all;
}
//通过id查询一个用户的信息
public User getUser(int id) {
try {
return new UserDao().getUser(id);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return null;
}
//登录方法,通过用户名和密码获取用户信息
public User get(String name,String pwd) {
User user = null;
try {
user = new UserDao().get(name, pwd);
return user;
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return user;
}
//查询用户所属的用户组是否有对应页面的权限
public boolean getPermissions(User user,String path) {
try {
return new UserDao().getPermissions(user,path);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return false;
}
//查询用户所属的用户组id
public int getGroupId(int uid) {
try {
return new UserDao().getGroupId(uid);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return 0;
}
//修改用户所属的用户组
public void updateUserGroup(int userGroupId, int uid) {
// TODO Auto-generated method stub
UserDao ud = new UserDao();
try {
//查询指定id用户是否存在
User user = ud.getUser(uid);
//若存在则修改他所属的用户组
if(user!=null) {
ud.updateUserGroup(userGroupId,user);
}
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public List<User> getUserForUserGroup(int ugid) {
try {
return new UserDao().getUserForUserGroup(ugid);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return new ArrayList<>();
}
public void updateUserGroupTo(String ugid) {
try {
new UserDao().updateUserGroupForUserGroup(Integer.parseInt(ugid));
} catch (NumberFormatException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
//将指定用户的用户组修改为指定用户组
public void updateUserGroupForUserGroup(String ugid, String userid) {
try {
if(userid!=null) {
User user = new UserDao().getUser(Integer.parseInt(userid));
if(user!=null) {
new UserDao().updateUserGroup(Integer.parseInt(ugid), user);
}
}
} catch (NumberFormatException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
用户的Dao层:
import java.lang.reflect.Field;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import org.apache.commons.dbutils.ResultSetHandler;
import org.apache.commons.dbutils.handlers.BeanHandler;
import org.apache.commons.dbutils.handlers.KeyedHandler;
import org.apache.commons.dbutils.handlers.MapListHandler;
import org.apache.commons.dbutils.handlers.ScalarHandler;
import org.shy.entity.User;
import org.shy.util.JdbcUtil;
public class UserDao {
// 通过用户名和密码查询一个用户的信息
public User get(String name, String pwd) throws SQLException {
String sql = "select id,name,age,gender,rode,pwd from user where name=? and pwd=?";
BeanHandler<User> rsh = new BeanHandler<>(User.class);
User u = new JdbcUtil().qr.query(sql, rsh, name, pwd);
return u;
}
// 通过id查询一个用户的信息
public User getUser(int id) throws SQLException {
String sql = "select id,name,age,gender,rode,pwd from user where id=?";
BeanHandler<User> rsh = new BeanHandler<User>(User.class);
User u = new JdbcUtil().qr.query(sql, rsh, id);
return u;
}
// 查询所有账户信息
public List<User> getAll() throws SQLException {
List<User> users = new ArrayList<>();
String sql = "select id,name,pwd,gender,age,rode from user ";
MapListHandler rsh = new MapListHandler();
List<Map<String, Object>> list = JdbcUtil.qr.query(sql, rsh);
for (Map<String, Object> map : list) {
users.add(mapToAccount(map));
}
return users;
}
// 把map转为对象
public User mapToAccount(Map<String, Object> map) {
Class c = User.class;
User account = null;
if (map.size() != 0) {
account = new User();
}
for (Map.Entry<String, Object> entry : map.entrySet()) {
String fieldName = entry.getKey();
Object fieldValue = entry.getValue();
Field field = null;
try {
field = c.getDeclaredField(fieldName);
field.setAccessible(true);
field.set(account, fieldValue);
} catch (Exception e) {
e.printStackTrace();
}
}
return account;
}
//查询用户所属的用户组是否拥有某个页面的权限
public boolean getPermissions(User user, String path) throws SQLException {
String sql = "SELECT p.id "
+ "from page p "
+ "join pageandrode par "
+ "on p.id = par.pageid "
+ "join linkgroup l "
+ "on par.rodeid = l.rodegroupid "
+ "join usergroup ug "
+ "on l.usergroupid = ug.id "
+ "where ug.id = ? and p.path = ?";
Integer query = JdbcUtil.qr.query(sql, new ScalarHandler<Integer>(), user.getRode(), path);
if(query!=null) {
if (query != 0) {
return true;
} else {
return false;
}
}
return false;
}
//查询用户所属的用户组id
public int getGroupId(int uid) throws SQLException {
// TODO Auto-generated method stub
String sql = "select rode from user where id = ?";
Integer query = JdbcUtil.qr.query(sql, new ScalarHandler<Integer>(), uid);
return query;
}
//修改用户的用户组
public void updateUserGroup(int userGroupId, User user) throws SQLException {
// TODO Auto-generated method stub
String sql = "update user set rode=? where id=?";
JdbcUtil.qr.update(sql, userGroupId,user.getId());
}
public List<User> getUserForUserGroup(int ugid) throws SQLException {
List<User> users = new ArrayList<>();
String sql = "select * from user where rode = ?";
MapListHandler rsh = new MapListHandler();
List<Map<String, Object>> list = JdbcUtil.qr.query(sql, rsh,ugid);
for (Map<String, Object> map : list) {
users.add(mapToAccount(map));
}
return users;
}
//将指定的用户权限改为游客
public void updateUserGroupForUserGroup(int ugid) throws SQLException {
String sql = "update user set rode = 3 where rode = ?";
JdbcUtil.qr.update(sql, ugid);
}
}
以上就是通过filter过滤器的操作实现了一个简单的页面的几个权限管理
因为我这个权限管理系统有用户组和权限组,所以就少不了有个管理员,或者说是一个老板,大BOSS,他有权力给某个用户什么权限,然后该用户通过这个权限又可以去管理自己所属的页面,所以就需要有个管理员的界面,或者说是后台管理。这个就只能是管理员能进了。
接下来就提供做后台管理的思路,当管理员进入了后台,就可以看到所有的用户信息,然后就是可以给一些用户添加新的角色,然后可以修改某些权限表对应哪个权限组,这些其实也都是些简单的sql语句的使用,相当于一个一个的增删改查。相信自己理解了自己所建的几张表,理清楚关系,就能很快的上手了。