Day20
01-权限系统设计和分析
做一个权限管理系统说起来其实不难:当一个jsp页面中有添加分类、删除分类、修改分类、查找分类等超链接时,某用户点击这些超链接,拦截器
就会将请求拦截下来,然后查看这个用户是否有对这个操作的访问权限,如果有就放行让他访问,如果没有权限则不放行,不让其访问。
但是实际上在做这个权限管理系统却很麻烦,因为当一个用户访问某个超链接的时候,涉及到很多对象,这些对象的关系很麻烦
这些对象至少包含:
资源(Resource)
权限(Privilege)
角色(Role)
用户(User)
他们的关系是:
一个权限控制多个资源,也就是一对多的关系。
一个角色(身份)有多个权限,一个权限又可以有多个角色,所以权限和角色是多对多的关系
角色和用户的关系是,一个用户可以拥有多个角色,一个角色可以拥有多个用户,所以也是多对多的关系,(注意这里的角色就是身份的意思)
如果要建立表将数据存入到数据库中的话至少要建立六张表:四个对象的表,再加上两个多对多关系的中间表,就是六张表。所以这里麻烦就麻烦在
表与表的关系上(也就是所谓的建表),还有就是dao的编写也很麻烦,剩下的权限拦截倒是很简单
首先我们来建立各个对象的javaBean,在建立各个实例类的时候,要根据需求来建立,要根据人的思维来建立,下面建立的实例如下图

/day20/src/cn/itcast/domain/Privilege.java
package cn.itcast.domain; public class Privilege { private String id; private String name; //添加分类 private String description; //权限的描述 //按照人的思维,这里不应该有集合记录这个权限拥有那些角色,而是应该在角色里面定义一个集合记录某角色拥有那些权限 //还有一点,这里我们也没有定义个集合记录我这个权限拥有那些资源,而是我们在资源中定义一个变量记录我这个资源属于那个权限 @Override public int hashCode() { final int prime = 31; int result = 1; result = prime * result + ((description == null) ? 0 : description.hashCode()); result = prime * result + ((id == null) ? 0 : id.hashCode()); result = prime * result + ((name == null) ? 0 : name.hashCode()); return result; } @Override public boolean equals(Object obj) { if (this == obj) return true; if (obj == null) return false; if (getClass() != obj.getClass()) return false; final Privilege other = (Privilege) obj; if (description == null) { if (other.description != null) return false; } else if (!description.equals(other.description)) return false; if (id == null) { if (other.id != null) return false; } else if (!id.equals(other.id)) return false; if (name == null) { if (other.name != null) return false; } else if (!name.equals(other.name)) return false; return true; } public String getId() { return id; } public void setId(String id) { this.id = id; } public String getName() { return name; } public void setName(String name) { this.name = name; } public String getDescription() { return description; } public void setDescription(String description) { this.description = description; } }
/day20/src/cn/itcast/domain/Resource.java
package cn.itcast.domain;

/**
 * A protected URL in the application (e.g. /day20/servlet/Servlet1) together
 * with the single privilege that controls access to it.
 *
 * The association is modelled on this side only: a resource knows its
 * privilege, a privilege does not list its resources.
 */
public class Resource {
    /** Primary key. */
    private String id;
    /** Request URI this resource stands for. */
    private String uri;
    /** Human-readable description. */
    private String description;
    /** Privilege controlling this resource; null until one is assigned. */
    private Privilege privilege;

    public String getId() {
        return this.id;
    }

    public String getUri() {
        return this.uri;
    }

    public String getDescription() {
        return this.description;
    }

    public Privilege getPrivilege() {
        return this.privilege;
    }

    public void setId(String id) {
        this.id = id;
    }

    public void setUri(String uri) {
        this.uri = uri;
    }

    public void setDescription(String description) {
        this.description = description;
    }

    public void setPrivilege(Privilege privilege) {
        this.privilege = privilege;
    }
}
/day20/src/cn/itcast/domain/Role.java
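package cn.itcast.domain;

import java.util.HashSet;
import java.util.Set;

/**
 * A role (an identity such as "administrator") and the privileges it grants.
 *
 * Only this direction of the many-to-many link is modelled: a role lists its
 * privileges, a privilege does not list its roles. Likewise the user/role
 * link is kept on User, so a role does not list its users.
 */
public class Role {
    private String id;
    private String name;
    private String description;

    /**
     * Privileges granted by this role. Typed instead of the raw HashSet so the
     * compiler checks what RoleDao adds here. Privilege.equals/hashCode span all
     * its fields, so members must not be mutated while in the set.
     */
    private Set<Privilege> privileges = new HashSet<Privilege>();

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getDescription() {
        return description;
    }

    public void setDescription(String description) {
        this.description = description;
    }

    /** Never null for a freshly constructed role; RoleDao calls addAll on it. */
    public Set<Privilege> getPrivileges() {
        return privileges;
    }

    public void setPrivileges(Set<Privilege> privileges) {
        this.privileges = privileges;
    }
}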
/day20/src/cn/itcast/domain/User.java
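package cn.itcast.domain;

import java.util.HashSet;
import java.util.Set;

/**
 * An account and the roles assigned to it.
 *
 * Roles are loaded without their privileges by UserDao; SecurityService
 * re-reads each role to obtain them.
 */
public class User {
    private String id;
    private String username;

    /**
     * Credential as stored in user.password. On this page it is written and
     * compared verbatim (UserDao.find(username, password)), i.e. in clear text;
     * it should hold a password hash instead.
     */
    private String password;
    private String description;

    /** Roles assigned to this user; typed instead of the raw HashSet. */
    private Set<Role> roles = new HashSet<Role>();

    public String getId() {
        return id;
    }

    public void setId(String id) {
        this.id = id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getDescription() {
        return description;
    }

    public void setDescription(String description) {
        this.description = description;
    }

    /** Never null for a freshly constructed user; UserDao calls addAll on it. */
    public Set<Role> getRoles() {
        return roles;
    }

    public void setRoles(Set<Role> roles) {
        this.roles = roles;
    }
}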
接下来我们开始创建表
在建立表的时候先将各个对象的表单独建立出来,然后再考虑表与表之间的关系:如果表与表的关系是多对多,则要为这两张表创建一张中间表(以两个外键作为联合主键);如果是一对多,则在多的一方创建
外键
创建表的sql语句
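create database day20;
use day20;

create table privilege (
    id varchar(40) primary key,
    name varchar(100) not null unique,
    description varchar(255)
);

create table resource (
    id varchar(40) primary key,
    uri varchar(255) not null unique,
    description varchar(255),
    -- privilege -> resource is one-to-many, so the foreign key lives on the
    -- "many" side; its length must match privilege.id
    privilege_id varchar(40),
    constraint privilege_id_FK foreign key(privilege_id) references privilege(id)
);

create table role (
    id varchar(40) primary key,
    name varchar(100) not null unique,
    description varchar(255)
);

create table user (
    id varchar(40) primary key,
    username varchar(40) not null unique,
    -- UserDao compares this column directly with the submitted password,
    -- i.e. it is stored in clear text; store a password hash here instead
    password varchar(40) not null,
    description varchar(255)
);

-- role <-> privilege join table; the two foreign keys form the primary key
create table role_privilege (
    role_id varchar(40),
    privilege_id varchar(40),
    primary key(role_id,privilege_id),
    constraint role_id_FK foreign key(role_id) references role(id),
    -- constraint names must be unique: privilege_id_FK is already taken above
    constraint privilege_id_FK1 foreign key(privilege_id) references privilege(id)
);

-- user <-> role join table
create table user_role (
    user_id varchar(40),
    role_id varchar(40),
    primary key(user_id,role_id),
    constraint user_id_FK foreign key(user_id) references user(id),
    -- role_id_FK is already used by role_privilege
    constraint role_id_FK1 foreign key(role_id) references role(id)
);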
————————————————————————————————————————————————————————————————————————————————————————————
02-权限dao层的编写
下面我们开始写dao了,dao就有些麻烦了
首先我们搭建环境,将需要的包导入,还要将c3p0的配置文件复制过来,还有将工具类复制过来



这里要涉及到多表查询,多表查询要根据外键链查找对应的表

/day20/src/cn/itcast/dao/ResourceDao.java
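package cn.itcast.dao;

import java.sql.SQLException;
import java.util.List;

import org.apache.commons.dbutils.QueryRunner;
import org.apache.commons.dbutils.handlers.BeanHandler;
import org.apache.commons.dbutils.handlers.BeanListHandler;

import cn.itcast.domain.Privilege;
import cn.itcast.domain.Resource;
import cn.itcast.utils.JdbcUtils;

/**
 * Persistence for resource rows plus the privilege_id foreign key that links
 * a resource to the privilege controlling it. Checked exceptions from DbUtils
 * are wrapped in RuntimeException, as in the other DAOs.
 */
public class ResourceDao {

    /** Controlling privilege of a resource, looked up by the resource id. */
    private static final String PRIVILEGE_BY_RESOURCE_ID =
            "select p.* from resource r,privilege p where r.id=? And p.id=r.privilege_id";

    /** Same join, looked up by the resource uri. */
    private static final String PRIVILEGE_BY_RESOURCE_URI =
            "select p.* from resource r,privilege p where r.uri=? And p.id=r.privilege_id";

    /**
     * Inserts a resource. privilege_id is left null here and assigned later
     * through {@link #updatePrivilege}.
     */
    public void add(Resource r) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "insert into resource(id,uri,description) values(?,?,?)";
            Object[] params = { r.getId(), r.getUri(), r.getDescription() };
            runner.update(sql, params);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Looks a resource up by uri (what a request-time check has in hand) and
     * attaches its controlling privilege.
     *
     * @return the resource with privilege set, or null when the uri is unknown
     */
    public Resource find(String uri) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            Resource r = (Resource) runner.query("select * from resource where uri=?", uri,
                    new BeanHandler(Resource.class));
            if (r == null) {
                return null;
            }
            r.setPrivilege(loadPrivilege(runner, PRIVILEGE_BY_RESOURCE_URI, uri));
            return r;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Same as {@link #find(String)} but keyed by id; used by edit flows.
     *
     * @return the resource with privilege set, or null when the id is unknown
     *         (previously a null result was dereferenced here)
     */
    public Resource findById(String id) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            Resource r = (Resource) runner.query("select * from resource where id=?", id,
                    new BeanHandler(Resource.class));
            if (r == null) {
                return null;
            }
            r.setPrivilege(loadPrivilege(runner, PRIVILEGE_BY_RESOURCE_ID, id));
            return r;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads every resource, then one extra query per row for its privilege
     * (an N+1 pattern; acceptable for an admin listing).
     */
    @SuppressWarnings("unchecked")
    public List<Resource> getAll() {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            List<Resource> list = (List<Resource>) runner.query("select * from resource",
                    new BeanListHandler(Resource.class));
            for (Resource r : list) {
                r.setPrivilege(loadPrivilege(runner, PRIVILEGE_BY_RESOURCE_ID, r.getId()));
            }
            return list;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Re-points resource {@code r} at privilege {@code p} by rewriting
     * resource.privilege_id. Both arguments must be non-null.
     */
    public void updatePrivilege(Resource r, Privilege p) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "update resource set privilege_id=? where id=?";
            Object[] params = { p.getId(), r.getId() };
            runner.update(sql, params);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Runs one of the join queries above; null when the resource has no privilege. */
    private static Privilege loadPrivilege(QueryRunner runner, String sql, String key)
            throws SQLException {
        return (Privilege) runner.query(sql, key, new BeanHandler(Privilege.class));
    }
}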
/day20/src/cn/itcast/dao/PrivilegeDao.java
这个dao层比较简单
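package cn.itcast.dao;

import java.util.List;

import org.apache.commons.dbutils.QueryRunner;
import org.apache.commons.dbutils.handlers.BeanHandler;
import org.apache.commons.dbutils.handlers.BeanListHandler;

import cn.itcast.domain.Privilege;
import cn.itcast.utils.JdbcUtils;

/**
 * Persistence for the privilege table. Checked exceptions from DbUtils are
 * wrapped in RuntimeException, matching the other DAOs.
 */
public class PrivilegeDao {

    /** Inserts a privilege; the caller supplies the id. */
    public void add(Privilege p) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "insert into privilege(id,name,description) values(?,?,?)";
            Object[] params = { p.getId(), p.getName(), p.getDescription() };
            runner.update(sql, params);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Finds a privilege by primary key.
     *
     * @return the privilege, or null when no row matches
     */
    public Privilege find(String id) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "select * from privilege where id=?";
            return (Privilege) runner.query(sql, id, new BeanHandler(Privilege.class));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns every privilege; typed return instead of a raw List. */
    @SuppressWarnings("unchecked")
    public List<Privilege> getAll() {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "select * from privilege";
            return (List<Privilege>) runner.query(sql, new BeanListHandler(Privilege.class));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}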
/day20/src/cn/itcast/dao/RoleDao.java
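package cn.itcast.dao;

import java.sql.SQLException;
import java.util.List;

import org.apache.commons.dbutils.QueryRunner;
import org.apache.commons.dbutils.handlers.BeanHandler;
import org.apache.commons.dbutils.handlers.BeanListHandler;

import cn.itcast.domain.Privilege;
import cn.itcast.domain.Role;
import cn.itcast.utils.JdbcUtils;

/**
 * Persistence for role rows and the role_privilege join table.
 */
public class RoleDao {

    /** Privileges of one role via role_privilege; bound with the role id. */
    private static final String PRIVILEGES_OF_ROLE =
            "select * from role_privilege rp,privilege p where rp.role_id=? and p.id=rp.privilege_id";

    /** Inserts a role; the caller supplies the id. */
    public void add(Role role) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "insert into role(id,name,description) values(?,?,?)";
            Object[] params = { role.getId(), role.getName(), role.getDescription() };
            runner.update(sql, params);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads a role together with its privileges.
     *
     * @return the role with privileges populated, or null when the id is
     *         unknown (previously the null result was dereferenced, which made
     *         this method throw for a missing row while UserDao.find returns null)
     */
    public Role find(String id) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            Role role = (Role) runner.query("select * from role where id=?", id,
                    new BeanHandler(Role.class));
            if (role == null) {
                return null;
            }
            role.getPrivileges().addAll(loadPrivileges(runner, id));
            return role;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** All roles, each with its privileges (one extra query per role). */
    @SuppressWarnings("unchecked")
    public List<Role> getAll() {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            List<Role> list = (List<Role>) runner.query("select * from role",
                    new BeanListHandler(Role.class));
            for (Role r : list) {
                r.getPrivileges().addAll(loadPrivileges(runner, r.getId()));
            }
            return list;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Replaces the privilege set of a role: deletes every role_privilege row
     * for the role, then inserts one per given privilege. An empty or null
     * list therefore clears the role's privileges, so this doubles as the
     * "remove" operation and no duplicate check is needed.
     *
     * The delete and the inserts are separate statements, each on its own
     * connection from the DataSource; a failure mid-way leaves the role with a
     * partial set. Running them in one transaction would need a shared
     * Connection, which this DAO does not currently obtain.
     */
    public void updateRolePrivileges(Role role, List<Privilege> privileges) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            runner.update("delete from role_privilege where role_id=?", role.getId());
            if (privileges == null) {
                return;
            }
            String sql = "insert into role_privilege(role_id,privilege_id) values(?,?)";
            for (Privilege p : privileges) {
                Object[] params = { role.getId(), p.getId() };
                runner.update(sql, params);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Privileges joined through role_privilege for the given role id. */
    @SuppressWarnings("unchecked")
    private static List<Privilege> loadPrivileges(QueryRunner runner, String roleId)
            throws SQLException {
        return (List<Privilege>) runner.query(PRIVILEGES_OF_ROLE, roleId,
                new BeanListHandler(Privilege.class));
    }
}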
/day20/src/cn/itcast/dao/UserDao.java
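package cn.itcast.dao;

import java.sql.SQLException;
import java.util.List;

import org.apache.commons.dbutils.QueryRunner;
import org.apache.commons.dbutils.handlers.BeanHandler;
import org.apache.commons.dbutils.handlers.BeanListHandler;

import cn.itcast.domain.Role;
import cn.itcast.domain.User;
import cn.itcast.utils.JdbcUtils;

/**
 * Persistence for user rows and the user_role join table.
 *
 * Roles attached by the find methods carry no privileges; RoleDao.find must be
 * called per role to obtain them (SecurityService does this).
 */
public class UserDao {

    /** Roles of one user via user_role; bound with the user id. */
    private static final String ROLES_OF_USER =
            "select * from user_role ur,role r where ur.user_id=? and r.id=ur.role_id";

    /**
     * Inserts a user; the caller supplies the id. The password is written as
     * given — see the note on {@link #find(String, String)}.
     */
    public void add(User user) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            String sql = "insert into user(id,username,password,description) values(?,?,?,?)";
            Object[] params = { user.getId(), user.getUsername(), user.getPassword(),
                    user.getDescription() };
            runner.update(sql, params);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads a user by id together with its roles.
     *
     * @return the user, or null when the id is unknown
     */
    public User find(String id) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            User user = (User) runner.query("select * from user where id=?", id,
                    new BeanHandler(User.class));
            if (user == null) {
                return null;
            }
            user.getRoles().addAll(loadRoles(runner, id));
            return user;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Login lookup: matches a row on username and on the stored password column.
     *
     * The password is compared exactly as stored, and the schema on this page
     * stores it in clear text. The expected hardening is to keep a password
     * hash in that column and verify the submitted password against it in the
     * application, selecting here by username only.
     *
     * @return the user with roles populated, or null when no row matches
     */
    public User find(String username, String password) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            Object[] params = { username, password };
            User user = (User) runner.query("select * from user where username=? and password=?",
                    params, new BeanHandler(User.class));
            if (user == null) {
                return null;
            }
            user.getRoles().addAll(loadRoles(runner, user.getId()));
            return user;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Replaces the role set of a user: deletes all user_role rows for the
     * user, then inserts one per given role. An empty or null list clears the
     * user's roles.
     *
     * The statements run separately, each on its own pooled connection, so a
     * failure mid-way leaves a partial role set (same caveat as
     * RoleDao.updateRolePrivileges).
     */
    public void updateUserRoles(User user, List<Role> roles) {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            runner.update("delete from user_role where user_id=?", user.getId());
            if (roles == null) {
                return;
            }
            String sql = "insert into user_role(user_id,role_id) values(?,?)";
            for (Role role : roles) {
                Object[] params = { user.getId(), role.getId() };
                runner.update(sql, params);
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * All users without their roles: the listing page does not show roles,
     * they are loaded only when a single user is opened.
     */
    @SuppressWarnings("unchecked")
    public List<User> getAll() {
        try {
            QueryRunner runner = new QueryRunner(JdbcUtils.getDataSource());
            return (List<User>) runner.query("select * from user", new BeanListHandler(User.class));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Roles joined through user_role for the given user id (no privileges). */
    @SuppressWarnings("unchecked")
    private static List<Role> loadRoles(QueryRunner runner, String userId) throws SQLException {
        return (List<Role>) runner.query(ROLES_OF_USER, userId, new BeanListHandler(Role.class));
    }
}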
——————————————————————————————————————————————————————————————————————————————————
03-权限业务层和web层
业务层
/day20/src/cn/itcast/service/SecurityService.java
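package cn.itcast.service;

import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import cn.itcast.dao.PrivilegeDao;
import cn.itcast.dao.ResourceDao;
import cn.itcast.dao.RoleDao;
import cn.itcast.dao.UserDao;
import cn.itcast.domain.Privilege;
import cn.itcast.domain.Resource;
import cn.itcast.domain.Role;
import cn.itcast.domain.User;

/**
 * Facade over the four DAOs. Web-layer callers pass ids; this class resolves
 * them to domain objects before delegating, and fails with
 * IllegalArgumentException for ids that do not exist instead of letting the
 * DAO hit a NullPointerException (and, for the update methods, instead of
 * letting the DAO delete the old rows before failing on a null element).
 */
public class SecurityService {
    private final ResourceDao rdao = new ResourceDao();
    private final PrivilegeDao pdao = new PrivilegeDao();
    private final RoleDao roledao = new RoleDao();
    private final UserDao udao = new UserDao();

    /* ---------------------------------------------------------------- */
    /* resources                                                         */
    /* ---------------------------------------------------------------- */

    public void addResource(Resource r) {
        rdao.add(r);
    }

    public Resource findResource(String uri) {
        return rdao.find(uri);
    }

    public Resource findResourceByID(String id) {
        return rdao.findById(id);
    }

    @SuppressWarnings("unchecked")
    public List<Resource> getAllResource() {
        return rdao.getAll();
    }

    /**
     * Points resource {@code resourceid} at privilege {@code privilegeid}.
     *
     * @throws IllegalArgumentException when either id is unknown
     */
    public void updateResourcePrivilege(String resourceid, String privilegeid) {
        Resource r = rdao.findById(resourceid);
        Privilege p = pdao.find(privilegeid);
        if (r == null || p == null) {
            throw new IllegalArgumentException(
                    "unknown resource " + resourceid + " or privilege " + privilegeid);
        }
        rdao.updatePrivilege(r, p);
    }

    /* ---------------------------------------------------------------- */
    /* privileges                                                        */
    /* ---------------------------------------------------------------- */

    public void addPrivilege(Privilege p) {
        pdao.add(p);
    }

    public Privilege findPrivilege(String id) {
        return pdao.find(id);
    }

    @SuppressWarnings("unchecked")
    public List<Privilege> getAllPrivilege() {
        return pdao.getAll();
    }

    /* ---------------------------------------------------------------- */
    /* roles                                                             */
    /* ---------------------------------------------------------------- */

    public void addRole(Role role) {
        roledao.add(role);
    }

    public Role findRole(String id) {
        return roledao.find(id);
    }

    @SuppressWarnings("unchecked")
    public List<Role> getAllRole() {
        return roledao.getAll();
    }

    /**
     * Replaces the privileges of a role. A null or empty {@code privilege_ids}
     * clears them.
     *
     * @throws IllegalArgumentException when the role or any privilege id is
     *         unknown; all ids are resolved before the DAO is called so the
     *         role is not left half-updated
     */
    public void updateRolePrivilege(String roleid, String[] privilege_ids) {
        Role role = roledao.find(roleid);
        if (role == null) {
            throw new IllegalArgumentException("unknown role " + roleid);
        }
        List<Privilege> list = new ArrayList<Privilege>();
        if (privilege_ids != null) {
            for (String pid : privilege_ids) {
                Privilege p = pdao.find(pid);
                if (p == null) {
                    throw new IllegalArgumentException("unknown privilege " + pid);
                }
                list.add(p);
            }
        }
        roledao.updateRolePrivileges(role, list);
    }

    /* ---------------------------------------------------------------- */
    /* users                                                             */
    /* ---------------------------------------------------------------- */

    public void addUser(User user) {
        udao.add(user);
    }

    public User findUser(String id) {
        return udao.find(id);
    }

    public User findUser(String username, String password) {
        return udao.find(username, password);
    }

    @SuppressWarnings("unchecked")
    public List<User> getAllUser() {
        return udao.getAll();
    }

    /**
     * Replaces the roles of a user. A null or empty {@code roleids} clears them.
     *
     * @throws IllegalArgumentException when the user or any role id is unknown
     */
    public void updateUserRole(String userid, String[] roleids) {
        User user = udao.find(userid);
        if (user == null) {
            throw new IllegalArgumentException("unknown user " + userid);
        }
        List<Role> list = new ArrayList<Role>();
        if (roleids != null) {
            for (String rid : roleids) {
                Role r = roledao.find(rid);
                if (r == null) {
                    throw new IllegalArgumentException("unknown role " + rid);
                }
                list.add(r);
            }
        }
        udao.updateUserRoles(user, list);
    }

    /**
     * Every privilege the user holds through any of its roles, each listed
     * once even when several roles grant it (Privilege defines equals/hashCode
     * for exactly this purpose).
     *
     * UserDao.find returns the roles with an empty privilege set, so every role
     * is re-read through RoleDao.find to obtain its privileges.
     *
     * @return an empty list when the user id is unknown
     */
    public List<Privilege> getUserAllPrivilege(String userid) {
        Set<Privilege> all = new LinkedHashSet<Privilege>();
        User user = udao.find(userid);
        if (user == null) {
            return new ArrayList<Privilege>();
        }
        for (Role stub : user.getRoles()) {
            Role role = roledao.find(stub.getId());
            if (role != null) {
                all.addAll(role.getPrivileges());
            }
        }
        return new ArrayList<Privilege>(all);
    }
}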
对于web层,我们采用frameset分帧布局

/day20/WebRoot/manager.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>后台管理页面</title>
</head>
<%-- Admin shell: header frame on top, navigation (left.jsp) and a "main"
     target frame that the navigation links load into. --%>
<frameset rows="22%,*">
    <frame name="head" src="${pageContext.request.contextPath}/security/head.jsp">
    <frameset cols="15%,*">
        <frame name="left" src="${pageContext.request.contextPath}/security/left.jsp">
        <frame name="main" src="#">
    </frameset>
</frameset>
</html>
/day20/WebRoot/security/head.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>My JSP 'head.jsp' starting page</title>
</head>
<%-- Static banner shown in the top frame of manager.jsp. --%>
<body style="text-align: center;">
<h1>XXXXXXX后台管理</h1>
</body>
</html>
注意,这里为了避免每种管理操作都产生一个servlet,我们向servlet传递一个参数关键字(method),通过这个参数就可以在同一个servlet中处理不同的请求
以前我们是一个请求对应一个servlet,今天这种方式是多个请求用一个servlet
/day20/WebRoot/security/left.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>左侧导航</title>
</head>
<body>
<%-- One servlet per entity; the action is selected by the "method" parameter
     (here always getAll). Links open in the "main" frame of manager.jsp. --%>
<!-- 这里为了避免产生的多个servlet,我们可以通过传递一个参数,从而在同一个servlet处理数据 -->
<a href="${pageContext.request.contextPath }/servlet/PrivilegeServlet?method=getAll" target="main">权限管理</a>
<br/><br/>
<a href="${pageContext.request.contextPath }/servlet/ResourceServlet?method=getAll" target="main">资源管理</a>
<br/><br/>
<a href="${pageContext.request.contextPath }/servlet/RoleServlet?method=getAll" target="main">角色管理</a>
<br/><br/>
<a href="${pageContext.request.contextPath }/servlet/UserServlet?method=getAll" target="main">用户管理</a>
<br/><br/>
</body>
</html>
/day20/src/cn/itcast/web/controller/PrivilegeServlet.java
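package cn.itcast.web.controller;

import java.io.IOException;
import java.util.List;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.itcast.domain.Privilege;
import cn.itcast.service.SecurityService;
import cn.itcast.utils.WebUtils;

/**
 * Handles every privilege-related request. One servlet serves several
 * actions, chosen by the {@code method} request parameter
 * ({@code getAll}, {@code addUI}, {@code add}); left.jsp and
 * listprivilge.jsp build the links.
 */
public class PrivilegeServlet extends HttpServlet {
    private final SecurityService service = new SecurityService();

    /**
     * Dispatches on the {@code method} parameter. An unknown or missing value
     * answers 404 instead of an empty 200 page.
     *
     * doPost delegates here, so the state-changing {@code add} action is also
     * reachable by GET; restricting it to POST would be the next tightening.
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("getAll".equals(method)) {
            getAll(request, response);
        } else if ("add".equals(method)) {
            add(request, response);
        } else if ("addUI".equals(method)) {
            addUI(request, response);
        } else {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /** Shows the "new privilege" form. */
    private void addUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/security/addprivilege.jsp").forward(request, response);
    }

    /** Lists all privileges via listprivilge.jsp (request attribute "list"). */
    private void getAll(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        List list = service.getAllPrivilege();
        request.setAttribute("list", list);
        request.getRequestDispatcher("/security/listprivilge.jsp").forward(request, response);
    }

    /**
     * Creates a privilege from the form fields (name, description), assigns a
     * random UUID as id and stores it; the outcome is shown via message.jsp.
     */
    private void add(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            Privilege p = WebUtils.request2Bean(request, Privilege.class);
            // server-side id always wins over any "id" parameter the client sent
            p.setId(UUID.randomUUID().toString());
            service.addPrivilege(p);
            request.setAttribute("message", "添加成功!!");
        } catch (Exception e) {
            log("failed to add privilege", e); // servlet log, not stderr
            request.setAttribute("message", "添加失败");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}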
/day20/WebRoot/security/listprivilge.jsp
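<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>权限列表</title>
</head>
<body style="text-align: center;">
<br/>
<br/>
<table width="60%">
    <tr>
        <td></td>
        <td></td>
        <td align="right">
            <%-- "addUI" is handled by PrivilegeServlet too, selected by the method parameter --%>
            <a href="${pageContext.request.contextPath }/servlet/PrivilegeServlet?method=addUI">添加权限</a>
        </td>
    </tr>
</table>
<table width="60%" frame="border">
    <tr>
        <td>权限名称</td>
        <td>权限描述</td>
        <td>操作</td>
    </tr>
    <c:forEach var="p" items="${list}">
        <tr>
            <%-- name and description are entered through addprivilege.jsp;
                 c:out HTML-escapes them instead of writing raw markup into the page --%>
            <td><c:out value="${p.name}"/></td>
            <td><c:out value="${p.description}"/></td>
            <td>
                <a href="#">删除</a>
                <a href="#">修改</a>
            </td>
        </tr>
    </c:forEach>
</table>
</body>
</html>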
/day20/WebRoot/security/addprivilege.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>添加权限界面</title>
</head>
<body>
<%-- Posts name/description to PrivilegeServlet?method=add, which copies them
     onto a Privilege bean and generates the id server-side.
     NOTE(review): the form carries no anti-CSRF token, and the servlet's doPost
     delegates to doGet, so "add" is also accepted as a plain GET. --%>
<!-- 这里还是找PrivilegeServlet这个servlet页面处理,通过传递一个add关键字 ,注意要加上传送的方式post-->
<form action="${pageContext.request.contextPath }/servlet/PrivilegeServlet?method=add" method="post">
    <table>
        <tr>
            <td>权限名称</td>
            <td>
                <input type="text" name="name">
            </td>
        </tr>
        <tr>
            <td>权限描述</td>
            <td>
                <textarea rows="5" cols="50" name="description"></textarea>
            </td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input type="submit" value="添加权限">
            </td>
        </tr>
    </table>
</form>
</body>
</html>
/day20/src/cn/itcast/utils/WebUtils.java
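package cn.itcast.utils;

import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.beanutils.BeanUtils;

/** Request helpers for the web layer. */
public class WebUtils {

    /**
     * Instantiates {@code beanClass} and copies the request parameters into
     * its matching writable properties via BeanUtils.populate.
     *
     * Every parameter name is tried against the bean, so a client can set any
     * writable property the bean exposes, not only the fields the form shows.
     * Callers must therefore overwrite server-owned fields afterwards (the
     * servlets on this page do this for {@code id}) or pass a bean that only
     * exposes form fields.
     *
     * @param request   source of the parameters
     * @param beanClass bean type with a public no-arg constructor
     * @return the populated bean
     * @throws RuntimeException wrapping any reflection or population failure
     */
    public static <T> T request2Bean(HttpServletRequest request, Class<T> beanClass) {
        try {
            // getDeclaredConstructor().newInstance() wraps constructor failures
            // in InvocationTargetException instead of rethrowing checked
            // exceptions undeclared, as Class.newInstance() does
            T bean = beanClass.getDeclaredConstructor().newInstance();
            // raw Map: the servlet API version declared in web.xml (2.4) predates generics
            Map map = request.getParameterMap();
            BeanUtils.populate(bean, map);
            return bean;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}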
/day20/WebRoot/message.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>My JSP 'message.jsp' starting page</title>
</head>
<body>
<%-- Renders the "message" request attribute; on this page the servlets set it
     to fixed literals, so it is written without escaping. --%>
${message }
</body>
</html>
注意在开发中一定要先用解决全站乱码问题的过滤器将数据乱码问题解决了才向数据库中存,这里也一样需要用到解决全站乱码问题的过滤器
/day20/src/cn/itcast/web/filter/CharacterEncodingFilter.java
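package cn.itcast.web.filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Forces UTF-8 on request and response so form data survives the round trip
 * to the database. POST bodies are covered by setCharacterEncoding; GET query
 * strings are re-decoded per parameter by {@link MyRequest}.
 */
public class CharacterEncodingFilter implements Filter {

    private static final String ENCODING = "UTF-8";

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        request.setCharacterEncoding(ENCODING); // applies to POST bodies only
        response.setCharacterEncoding(ENCODING);
        response.setContentType("text/html;charset=UTF-8");
        chain.doFilter(new MyRequest(request), response);
    }

    /**
     * Re-decodes GET parameters that the container decoded as ISO-8859-1.
     *
     * This assumes the container's URI decoding is left at ISO-8859-1. If the
     * connector is configured to decode URIs as UTF-8 already, the values
     * arrive correct and this re-decoding would corrupt them — confirm the
     * server setting before relying on it.
     *
     * Only getParameter and getParameterValues are covered; getParameterMap
     * (which WebUtils.request2Bean uses) still returns the container's values.
     * Static nested: it needs no reference to the enclosing filter.
     */
    static class MyRequest extends HttpServletRequestWrapper {
        private final HttpServletRequest request;

        public MyRequest(HttpServletRequest request) {
            super(request);
            this.request = request;
        }

        @Override
        public String getParameter(String name) {
            return recode(request.getParameter(name));
        }

        /** Same re-decoding as getParameter, applied to every value. */
        @Override
        public String[] getParameterValues(String name) {
            String[] values = request.getParameterValues(name);
            if (values == null || !isGet()) {
                return values;
            }
            String[] out = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                out[i] = recode(values[i]);
            }
            return out;
        }

        private boolean isGet() {
            return "get".equalsIgnoreCase(request.getMethod());
        }

        /**
         * ISO-8859-1 bytes -> request encoding (UTF-8, set by the filter before
         * wrapping). POST values and nulls pass through untouched.
         */
        private String recode(String value) {
            if (value == null || !isGet()) {
                return value;
            }
            try {
                return new String(value.getBytes("iso8859-1"), request.getCharacterEncoding());
            } catch (UnsupportedEncodingException e) {
                throw new RuntimeException(e);
            }
        }
    }
}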
/day20/WebRoot/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <!-- Runs first for every URL so parameters are decoded as UTF-8 before any servlet reads them. -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>cn.itcast.web.filter.CharacterEncodingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- NOTE(review): SecurityFilter is mapped to /manager/* only, while the admin
         servlets on this page are mapped under /servlet/* and the admin JSPs live
         under /security/*. As configured those URLs are not passed through the
         filter; confirm which paths are meant to be protected. -->
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>cn.itcast.web.filter.SecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/manager/*</url-pattern>
    </filter-mapping>

    <!-- One servlet per entity; each dispatches on its "method" parameter. -->
    <servlet>
        <servlet-name>PrivilegeServlet</servlet-name>
        <servlet-class>cn.itcast.web.controller.PrivilegeServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>ResourceServlet</servlet-name>
        <servlet-class>cn.itcast.web.controller.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>RoleServlet</servlet-name>
        <servlet-class>cn.itcast.web.controller.RoleServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>UserServlet</servlet-name>
        <servlet-class>cn.itcast.web.controller.UserServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>PrivilegeServlet</servlet-name>
        <url-pattern>/servlet/PrivilegeServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ResourceServlet</servlet-name>
        <url-pattern>/servlet/ResourceServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>RoleServlet</servlet-name>
        <url-pattern>/servlet/RoleServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>UserServlet</servlet-name>
        <url-pattern>/servlet/UserServlet</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
我们老大最后说了一句,其实这个网站的权限就是由超链接决定了,你一开始设定了什么权限(超链接),这个网站的权限就确定了
——————————————————————————————————————————————————————————————————————————————————————————————
04-权限web层
然后我们来做资源管理
/day20/WebRoot/security/left.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>左侧导航</title>
</head>
<body>
<%-- Same navigation as shown in section 03: one servlet per entity, action
     chosen by the "method" parameter, links target the "main" frame. --%>
<!-- 这里为了避免产生的多个servlet,我们可以通过传递一个参数,从而在同一个servlet处理数据 -->
<a href="${pageContext.request.contextPath }/servlet/PrivilegeServlet?method=getAll" target="main">权限管理</a>
<br/><br/>
<a href="${pageContext.request.contextPath }/servlet/ResourceServlet?method=getAll" target="main">资源管理</a>
<br/><br/>
<a href="${pageContext.request.contextPath }/servlet/RoleServlet?method=getAll" target="main">角色管理</a>
<br/><br/>
<a href="${pageContext.request.contextPath }/servlet/UserServlet?method=getAll" target="main">用户管理</a>
<br/><br/>
</body>
</html>
/day20/src/cn/itcast/web/controller/ResourceServlet.java
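package cn.itcast.web.controller;

import java.io.IOException;
import java.util.List;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.itcast.domain.Resource;
import cn.itcast.service.SecurityService;
import cn.itcast.utils.WebUtils;

/**
 * Front controller for resource management. The action is selected by the
 * {@code method} request parameter: getAll, addUI, add, forUpdatePrivilegeUI,
 * updatePrivilege (see security/left.jsp and the security/*.jsp forms).
 *
 * State-changing actions (add, updatePrivilege) are accepted only via POST,
 * which is how addresource.jsp and updateResourcePrivilege.jsp already submit
 * them; previously doPost simply delegated to doGet, so a plain GET link could
 * trigger them. The forms carry no anti-forgery token, so this is only a
 * partial CSRF mitigation.
 *
 * NOTE(review): this servlet is mapped at /servlet/ResourceServlet, outside
 * SecurityFilter's /manager/* url-pattern in web.xml, so nothing here checks
 * that the caller is logged in or privileged -- confirm the deployment adds
 * that protection.
 */
public class ResourceServlet extends HttpServlet {

    SecurityService service = new SecurityService();

    /** Read-only actions; mutating actions are refused with 405 on GET. */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("getAll".equals(method)) {
            getAll(request, response);
        } else if ("addUI".equals(method)) {
            addUI(request, response);
        } else if ("forUpdatePrivilegeUI".equals(method)) {
            forUpdatePrivilegeUI(request, response);
        } else if ("add".equals(method) || "updatePrivilege".equals(method)) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            // Do not echo the parameter back: it would be reflected into the error page.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown method");
        }
    }

    /** Mutating actions; everything else behaves as on GET. */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("add".equals(method)) {
            add(request, response);
        } else if ("updatePrivilege".equals(method)) {
            updatePrivilege(request, response);
        } else {
            doGet(request, response);
        }
    }

    /**
     * Assigns the privilege {@code pid} to the resource {@code rid} and
     * forwards to message.jsp with the outcome. Failures are reported to the
     * user generically and logged through the servlet log with the cause.
     */
    private void updatePrivilege(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            String resourceId = request.getParameter("rid");
            String privilegeId = request.getParameter("pid");
            service.updateResourcePrivilege(resourceId, privilegeId);
            request.setAttribute("message", "更新成功!!");
        } catch (Exception e) {
            log("updateResourcePrivilege failed", e);
            request.setAttribute("message", "更新失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /**
     * Renders the "assign privilege" form for resource {@code id}, exposing the
     * resource as "resource" and every privilege as "list". An unknown id
     * yields a null "resource" attribute, which the JSP renders as blank.
     */
    private void forUpdatePrivilegeUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String resourceId = request.getParameter("id");
        Resource resource = service.findResourceByID(resourceId);
        List<?> privileges = service.getAllPrivilege();
        request.setAttribute("resource", resource);
        request.setAttribute("list", privileges);
        request.getRequestDispatcher("/security/updateResourcePrivilege.jsp").forward(request, response);
    }

    /**
     * Creates a resource from the posted form fields (uri, description). The id
     * is always server-generated, so a client-supplied "id" field is ignored.
     */
    private void add(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            Resource resource = WebUtils.request2Bean(request, Resource.class);
            resource.setId(UUID.randomUUID().toString());
            service.addResource(resource);
            request.setAttribute("message", "添加成功!!");
        } catch (Exception e) {
            log("addResource failed", e);
            request.setAttribute("message", "添加失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /** Shows the "add resource" form. */
    private void addUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/security/addresource.jsp").forward(request, response);
    }

    /** Lists every resource under the request attribute "list". */
    private void getAll(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        List<?> resources = service.getAllResource();
        request.setAttribute("list", resources);
        request.getRequestDispatcher("/security/listresource.jsp").forward(request, response);
    }
}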
/day20/WebRoot/security/listresource.jsp
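<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Resource list, rendered by ResourceServlet?method=getAll with the request
     attribute "list". uri and description are admin-entered text (from
     addresource.jsp), so every value is printed through <c:out>, which
     HTML-escapes it; a bare ${...} emits the raw text and lets a stored
     <script> run in every administrator's browser. --%>
<html>
  <head>
    <title>资源列表</title>
  </head>
  <body style="text-align: center;">
    <br/>
    <br/>
    <table width="80%">
      <tr>
        <td></td>
        <td></td>
        <td align="right">
          <a href="${pageContext.request.contextPath }/servlet/ResourceServlet?method=addUI">添加资源</a>
        </td>
      </tr>
    </table>
    <table width="80%" frame="border">
      <tr>
        <td>资源uri</td>
        <td>控制资源的权限</td>
        <td>资源描述</td>
        <td>操作</td>
      </tr>
      <c:forEach var="r" items="${list}">
        <tr>
          <td><c:out value="${r.uri}"/></td>
          <td><c:out value="${r.privilege.name}"/></td>
          <td><c:out value="${r.description}"/></td>
          <td>
            <a href="${pageContext.request.contextPath }/servlet/ResourceServlet?method=forUpdatePrivilegeUI&id=<c:out value='${r.id}'/>">修改资源的权限</a>
            <a href="#">删除</a>
          </td>
        </tr>
      </c:forEach>
    </table>
  </body>
</html>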
/day20/WebRoot/security/addresource.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- "Add resource" form, shown by ResourceServlet?method=addUI. Posts the
     fields uri and description to ResourceServlet?method=add, which copies
     them into a Resource bean. No anti-forgery token is present. --%>
<html>
  <head>
    <title>添加资源界面</title>
  </head>
  <body>
    <form action="${pageContext.request.contextPath }/servlet/ResourceServlet?method=add" method="post">
      <table>
        <tr>
          <td>资源URI</td>
          <td><input type="text" name="uri"></td>
        </tr>
        <tr>
          <td>资源描述</td>
          <td><textarea rows="5" cols="50" name="description"></textarea></td>
        </tr>
        <tr>
          <td></td>
          <td><input type="submit" value="添加资源"></td>
        </tr>
      </table>
    </form>
  </body>
</html>
/day20/WebRoot/security/updateResourcePrivilege.jsp
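<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Form for ResourceServlet?method=updatePrivilege. Expects the request
     attributes "resource" (the Resource being edited) and "list" (all
     Privileges). Admin-entered text is printed through <c:out> so it is
     HTML-escaped, and attribute values are quoted (the original radio
     value=${p.id} was unquoted, so any id containing a space or '>' would
     break out of the tag). No anti-forgery token is present. --%>
<html>
  <head>
    <title>更新资源的权限</title>
  </head>
  <body>
    <table frame="border" width="40%">
      <tr>
        <td>资源URI</td>
        <td><c:out value="${resource.uri}"/></td>
      </tr>
      <tr>
        <td>资源描述</td>
        <td><c:out value="${resource.description}"/></td>
      </tr>
      <tr>
        <td>资源原有权限</td>
        <td><c:out value="${resource.privilege.name}"/></td>
      </tr>
      <tr>
        <td>需授予的权限</td>
        <td>
          <%-- Submitting sends the resource id (rid) and the chosen privilege id (pid). --%>
          <form action="${pageContext.request.contextPath }/servlet/ResourceServlet?method=updatePrivilege" method="post">
            <input type="hidden" name="rid" value="<c:out value='${resource.id}'/>">
            <c:forEach var="p" items="${list}">
              <input type="radio" name="pid" value="<c:out value='${p.id}'/>"><c:out value="${p.name}"/><br/>
            </c:forEach>
            <input type="submit" value="更新权限">
          </form>
        </td>
      </tr>
    </table>
  </body>
</html>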
接下来我们做角色管理
/day20/WebRoot/security/left.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Left-hand navigation frame. Each entry targets the "main" frame and
     points at one front controller, selecting the list action with the
     "method" parameter. Links are built from the context path so they work
     under any deployment name. --%>
<html>
  <head>
    <title>左侧导航</title>
  </head>
  <body>
    <!-- 这里为了避免产生的多个servlet,我们可以通过传递一个参数,从而在同一个servlet处理数据 -->
    <a href="${pageContext.request.contextPath }/servlet/PrivilegeServlet?method=getAll" target="main">权限管理</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath }/servlet/ResourceServlet?method=getAll" target="main">资源管理</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath }/servlet/RoleServlet?method=getAll" target="main">角色管理</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath }/servlet/UserServlet?method=getAll" target="main">用户管理</a>
    <br/><br/>
  </body>
</html>
/day20/src/cn/itcast/web/controller/RoleServlet.java
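package cn.itcast.web.controller;

import java.io.IOException;
import java.util.List;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.itcast.domain.Role;
import cn.itcast.service.SecurityService;
import cn.itcast.utils.WebUtils;

/**
 * Front controller for role management. The action is selected by the
 * {@code method} request parameter: getAll, addUI, add,
 * forUpdateRolePrivilegeUI, updatePrivilege.
 *
 * State-changing actions (add, updatePrivilege) are accepted only via POST,
 * which is how addrole.jsp and updateRolePrivilege.jsp already submit them;
 * previously doPost delegated to doGet, so a plain GET link could grant
 * privileges to a role. The forms carry no anti-forgery token, so this is
 * only a partial CSRF mitigation.
 *
 * NOTE(review): /servlet/RoleServlet lies outside SecurityFilter's /manager/*
 * mapping in web.xml, so nothing here checks that the caller is logged in or
 * privileged -- confirm the deployment adds that protection.
 */
public class RoleServlet extends HttpServlet {

    SecurityService service = new SecurityService();

    /** Read-only actions; mutating actions are refused with 405 on GET. */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("getAll".equals(method)) {
            getAll(request, response);
        } else if ("addUI".equals(method)) {
            addUI(request, response);
        } else if ("forUpdateRolePrivilegeUI".equals(method)) {
            forUpdateRolePrivilegeUI(request, response);
        } else if ("add".equals(method) || "updatePrivilege".equals(method)) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            // Do not echo the parameter back: it would be reflected into the error page.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown method");
        }
    }

    /** Mutating actions; everything else behaves as on GET. */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("add".equals(method)) {
            add(request, response);
        } else if ("updatePrivilege".equals(method)) {
            updatePrivilege(request, response);
        } else {
            doGet(request, response);
        }
    }

    /**
     * Replaces the privilege set of role {@code roleid} with the checked
     * {@code pid} values (null when nothing is checked -- the service decides
     * how to treat that). Outcome is reported via message.jsp; failures are
     * logged with their cause through the servlet log.
     */
    private void updatePrivilege(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            String roleId = request.getParameter("roleid");
            String[] privilegeIds = request.getParameterValues("pid");
            service.updateRolePrivilege(roleId, privilegeIds);
            request.setAttribute("message", "更新成功!!");
        } catch (Exception e) {
            log("updateRolePrivilege failed", e);
            request.setAttribute("message", "更新失败!~!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /**
     * Renders the "grant privileges" form for role {@code id}, exposing the
     * role as "role" and every privilege as "list".
     */
    private void forUpdateRolePrivilegeUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String roleId = request.getParameter("id");
        Role role = service.findRole(roleId);
        List<?> privileges = service.getAllPrivilege();
        request.setAttribute("role", role);
        request.setAttribute("list", privileges);
        request.getRequestDispatcher("/security/updateRolePrivilege.jsp").forward(request, response);
    }

    /**
     * Creates a role from the posted form fields (name, description). The id
     * is always server-generated, so a client-supplied "id" field is ignored.
     */
    private void add(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            Role role = WebUtils.request2Bean(request, Role.class);
            role.setId(UUID.randomUUID().toString());
            service.addRole(role);
            request.setAttribute("message", "添加成功!!");
        } catch (Exception e) {
            log("addRole failed", e);
            request.setAttribute("message", "添加失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /** Shows the "add role" form. */
    private void addUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/security/addrole.jsp").forward(request, response);
    }

    /** Lists every role under the request attribute "list". */
    private void getAll(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        List<?> roles = service.getAllRole();
        request.setAttribute("list", roles);
        request.getRequestDispatcher("/security/listrole.jsp").forward(request, response);
    }
}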
/day20/WebRoot/security/addrole.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- "Add role" form, shown by RoleServlet?method=addUI. Posts the fields
     name and description to RoleServlet?method=add, which copies them into
     a Role bean. No anti-forgery token is present. --%>
<html>
  <head>
    <title>添加角色界面</title>
  </head>
  <body>
    <form action="${pageContext.request.contextPath }/servlet/RoleServlet?method=add" method="post">
      <table>
        <tr>
          <td>角色名称</td>
          <td><input type="text" name="name"></td>
        </tr>
        <tr>
          <td>角色描述</td>
          <td><textarea rows="5" cols="50" name="description"></textarea></td>
        </tr>
        <tr>
          <td></td>
          <td><input type="submit" value="添加角色"></td>
        </tr>
      </table>
    </form>
  </body>
</html>
/day20/WebRoot/security/listrole.jsp
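<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Role list, rendered by RoleServlet?method=getAll with the request
     attribute "list". name and description are admin-entered text (from
     addrole.jsp), so they are printed through <c:out>, which HTML-escapes
     them; a bare ${...} would emit a stored <script> unescaped. --%>
<html>
  <head>
    <title>角色列表</title>
  </head>
  <body style="text-align: center;">
    <br/>
    <br/>
    <table width="80%">
      <tr>
        <td></td>
        <td></td>
        <td align="right">
          <a href="${pageContext.request.contextPath }/servlet/RoleServlet?method=addUI">添加角色</a>
        </td>
      </tr>
    </table>
    <table width="80%" frame="border">
      <tr>
        <td>角色名称</td>
        <td>角色描述</td>
        <td>操作</td>
      </tr>
      <c:forEach var="role" items="${list}">
        <tr>
          <td><c:out value="${role.name}"/></td>
          <td><c:out value="${role.description}"/></td>
          <td>
            <a href="${pageContext.request.contextPath }/servlet/RoleServlet?method=forUpdateRolePrivilegeUI&id=<c:out value='${role.id}'/>">为角色授予权限</a>
            <a href="#">删除</a>
            <a href="#">修改</a>
          </td>
        </tr>
      </c:forEach>
    </table>
  </body>
</html>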
/day20/WebRoot/security/updateRolePrivilege.jsp
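<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Form for RoleServlet?method=updatePrivilege. Expects the request
     attributes "role" (the Role being edited, with its current privileges)
     and "list" (all Privileges). Admin-entered text is printed through
     <c:out> so it is HTML-escaped, and attribute values are quoted (the
     original checkbox value=${p.id} was unquoted). No anti-forgery token is
     present. --%>
<html>
  <head>
    <title>更新角色的权限</title>
  </head>
  <body>
    <table frame="border" width="40%">
      <tr>
        <td>角名</td>
        <td><c:out value="${role.name}"/></td>
      </tr>
      <tr>
        <td>角色描述</td>
        <td><c:out value="${role.description}"/></td>
      </tr>
      <tr>
        <td>角色原有权限</td>
        <td>
          <c:forEach var="p" items="${role.privileges}">
            <c:out value="${p.name}"/><br/>
          </c:forEach>
        </td>
      </tr>
      <tr>
        <td>需授予的权限</td>
        <td>
          <%-- Submitting sends the role id (roleid) and every checked privilege id (pid). --%>
          <form action="${pageContext.request.contextPath }/servlet/RoleServlet?method=updatePrivilege" method="post">
            <input type="hidden" name="roleid" value="<c:out value='${role.id}'/>">
            <c:forEach var="p" items="${list}">
              <input type="checkbox" name="pid" value="<c:out value='${p.id}'/>"><c:out value="${p.name}"/><br/>
            </c:forEach>
            <input type="submit" value="更新权限">
          </form>
        </td>
      </tr>
    </table>
  </body>
</html>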
接下来我们做用户管理
/day20/WebRoot/security/left.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Left-hand navigation frame. Each entry targets the "main" frame and
     points at one front controller, selecting the list action with the
     "method" parameter. Links are built from the context path so they work
     under any deployment name. --%>
<html>
  <head>
    <title>左侧导航</title>
  </head>
  <body>
    <!-- 这里为了避免产生的多个servlet,我们可以通过传递一个参数,从而在同一个servlet处理数据 -->
    <a href="${pageContext.request.contextPath }/servlet/PrivilegeServlet?method=getAll" target="main">权限管理</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath }/servlet/ResourceServlet?method=getAll" target="main">资源管理</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath }/servlet/RoleServlet?method=getAll" target="main">角色管理</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath }/servlet/UserServlet?method=getAll" target="main">用户管理</a>
    <br/><br/>
  </body>
</html>
/day20/src/cn/itcast/web/controller/UserServlet.java
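package cn.itcast.web.controller;

import java.io.IOException;
import java.util.List;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.itcast.domain.User;
import cn.itcast.service.SecurityService;
import cn.itcast.utils.WebUtils;

/**
 * Front controller for user management plus login/logout. The action is
 * selected by the {@code method} request parameter: getAll, addUI, add,
 * forUpdateUserRoleUI, updateRole, login, logout.
 *
 * State-changing actions (add, updateRole, login) are accepted only via POST,
 * which is how adduser.jsp, updateUserRole.jsp and login.jsp already submit
 * them; previously doPost delegated to doGet, so a plain GET link could create
 * a user or grant a role. logout stays reachable via GET because index.jsp
 * links to it. The forms carry no anti-forgery token, so this is only a
 * partial CSRF mitigation.
 *
 * Login now discards the pre-login session and binds the user to a fresh one
 * (session fixation defence), and logout invalidates the whole session instead
 * of only removing the "user" attribute.
 *
 * NOTE(review): /servlet/UserServlet lies outside SecurityFilter's /manager/*
 * mapping in web.xml, so the management actions here are not subject to the
 * login or privilege check -- confirm the deployment protects them.
 */
public class UserServlet extends HttpServlet {

    SecurityService service = new SecurityService();

    /** Read-only actions and logout; mutating actions are refused with 405 on GET. */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("getAll".equals(method)) {
            getAll(request, response);
        } else if ("addUI".equals(method)) {
            addUI(request, response);
        } else if ("forUpdateUserRoleUI".equals(method)) {
            forUpdateUserRoleUI(request, response);
        } else if ("logout".equals(method)) {
            logout(request, response);
        } else if ("add".equals(method) || "updateRole".equals(method) || "login".equals(method)) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            // Do not echo the parameter back: it would be reflected into the error page.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown method");
        }
    }

    /** Mutating actions; everything else behaves as on GET. */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("add".equals(method)) {
            add(request, response);
        } else if ("updateRole".equals(method)) {
            updateRole(request, response);
        } else if ("login".equals(method)) {
            login(request, response);
        } else {
            doGet(request, response);
        }
    }

    /**
     * Ends the session (dropping "user" and every other attribute, and retiring
     * the session id) and redirects to the home page. Does not create a session
     * if none exists.
     */
    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    /**
     * Authenticates username/password through the service. On success the
     * session the browser brought to the login page is invalidated and the
     * user is stored under "user" in a newly issued session, so an attacker
     * who planted a session id before login does not end up sharing the
     * authenticated session. On failure a generic message is shown (the same
     * text for unknown user and wrong password).
     */
    private void login(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        User user = service.findUser(username, password);
        if (user == null) {
            request.setAttribute("message", "用户名或密码错误!!");
            request.getRequestDispatcher("/message.jsp").forward(request, response);
            return;
        }
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
        request.getSession(true).setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    /**
     * Replaces the role set of user {@code userid} with the checked {@code rid}
     * values (null when nothing is checked -- the service decides how to treat
     * that). Outcome is reported via message.jsp; failures are logged with
     * their cause through the servlet log.
     */
    private void updateRole(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            String userId = request.getParameter("userid");
            String[] roleIds = request.getParameterValues("rid");
            service.updateUserRole(userId, roleIds);
            request.setAttribute("message", "更新成功!!");
        } catch (Exception e) {
            log("updateUserRole failed", e);
            request.setAttribute("message", "更新失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /**
     * Renders the "grant roles" form for user {@code id}, exposing the user as
     * "user" and every role as "list".
     */
    private void forUpdateUserRoleUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userId = request.getParameter("id");
        User user = service.findUser(userId);
        List<?> roles = service.getAllRole();
        request.setAttribute("user", user);
        request.setAttribute("list", roles);
        request.getRequestDispatcher("/security/updateUserRole.jsp").forward(request, response);
    }

    /**
     * Creates a user from the posted form fields (username, password,
     * description). The id is always server-generated, so a client-supplied
     * "id" field is ignored.
     *
     * NOTE(review): the password is passed to the service exactly as typed;
     * whether it is hashed before storage is not visible here -- verify in
     * SecurityService/UserDao.
     */
    private void add(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            User user = WebUtils.request2Bean(request, User.class);
            user.setId(UUID.randomUUID().toString());
            service.addUser(user);
            request.setAttribute("message", "添加成功!!");
        } catch (Exception e) {
            log("addUser failed", e);
            request.setAttribute("message", "添加失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /** Shows the "add user" form. */
    private void addUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/security/adduser.jsp").forward(request, response);
    }

    /** Lists every user under the request attribute "list". */
    private void getAll(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        List<?> users = service.getAllUser();
        request.setAttribute("list", users);
        request.getRequestDispatcher("/security/listuser.jsp").forward(request, response);
    }
}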
/day20/WebRoot/security/listuser.jsp
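<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- User list, rendered by UserServlet?method=getAll with the request
     attribute "list". The original page printed ${user.password} in a
     column, exposing every account's stored credential to anyone who can
     open this page; that column is removed. username and description are
     admin-entered text (from adduser.jsp), so they are printed through
     <c:out>, which HTML-escapes them. --%>
<html>
  <head>
    <title>用户列表</title>
  </head>
  <body style="text-align: center;">
    <br/>
    <br/>
    <table width="80%">
      <tr>
        <td></td>
        <td></td>
        <td align="right">
          <a href="${pageContext.request.contextPath }/servlet/UserServlet?method=addUI">添加用户</a>
        </td>
      </tr>
    </table>
    <table width="80%" frame="border">
      <tr>
        <td>用户名称</td>
        <td>用户描述</td>
        <td>操作</td>
      </tr>
      <c:forEach var="user" items="${list}">
        <tr>
          <td><c:out value="${user.username}"/></td>
          <td><c:out value="${user.description}"/></td>
          <td>
            <a href="${pageContext.request.contextPath }/servlet/UserServlet?method=forUpdateUserRoleUI&id=<c:out value='${user.id}'/>">为用户授予角色</a>
            <a href="#">删除</a>
            <a href="#">修改</a>
          </td>
        </tr>
      </c:forEach>
    </table>
  </body>
</html>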
/day20/WebRoot/security/adduser.jsp
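<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- "Add user" form, shown by UserServlet?method=addUI. Posts username,
     password and description to UserServlet?method=add. The password field is
     type="password" (the original used type="text") so it is masked on
     screen and not offered by plain-text autocomplete; autocomplete is
     disabled because this is an administrator creating someone else's
     account. No anti-forgery token is present. --%>
<html>
  <head>
    <title>添加用户界面</title>
  </head>
  <body>
    <form action="${pageContext.request.contextPath }/servlet/UserServlet?method=add" method="post" autocomplete="off">
      <table>
        <tr>
          <td>用户名</td>
          <td><input type="text" name="username"></td>
        </tr>
        <tr>
          <td>用户密码</td>
          <td><input type="password" name="password" autocomplete="new-password"></td>
        </tr>
        <tr>
          <td>用户描述</td>
          <td><textarea rows="5" cols="50" name="description"></textarea></td>
        </tr>
        <tr>
          <td></td>
          <td><input type="submit" value="添加用户"></td>
        </tr>
      </table>
    </form>
  </body>
</html>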
/day20/WebRoot/security/updateUserRole.jsp
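<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Form for UserServlet?method=updateRole. Expects the request attributes
     "user" (the User being edited, with its current roles) and "list" (all
     Roles). Admin-entered text is printed through <c:out> so it is
     HTML-escaped, and attribute values are quoted (the original checkbox
     value=${r.id} was unquoted). No anti-forgery token is present. --%>
<html>
  <head>
    <title>更新用户的角色</title>
  </head>
  <body>
    <table frame="border" width="40%">
      <tr>
        <td>用户名</td>
        <td><c:out value="${user.username}"/></td>
      </tr>
      <tr>
        <td>用户描述</td>
        <td><c:out value="${user.description}"/></td>
      </tr>
      <tr>
        <td>用户原有角色</td>
        <td>
          <c:forEach var="role" items="${user.roles}">
            <c:out value="${role.name}"/><br/>
          </c:forEach>
        </td>
      </tr>
      <tr>
        <td>需授予的角色</td>
        <td>
          <%-- Submitting sends the user id (userid) and every checked role id (rid). --%>
          <form action="${pageContext.request.contextPath }/servlet/UserServlet?method=updateRole" method="post">
            <input type="hidden" name="userid" value="<c:out value='${user.id}'/>">
            <c:forEach var="r" items="${list}">
              <input type="checkbox" name="rid" value="<c:out value='${r.id}'/>"><c:out value="${r.name}"/><br/>
            </c:forEach>
            <input type="submit" value="更新角色">
          </form>
        </td>
      </tr>
    </table>
  </body>
</html>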
下面我们开始做拦截器,实现权限管理。注意 web.xml 中 SecurityFilter 只映射到 /manager/*,/servlet/* 下的权限、资源、角色、用户管理 servlet 以及 /security/ 下的 jsp 并不经过这个过滤器,实际部署时要把它们也纳入保护(登陆动作本身在 /servlet/UserServlet 下,扩大映射时需要在过滤器里放行登陆)。
/day20/src/cn/itcast/web/filter/SecurityFilter.java
package cn.itcast.web.filter;

import java.io.IOException;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.itcast.domain.Privilege;
import cn.itcast.domain.Resource;
import cn.itcast.domain.User;
import cn.itcast.service.SecurityService;

/**
 * Enforcement point of the permission model. For every request on the mapped
 * URL pattern (/manager/* in web.xml) it requires a logged-in user (session
 * attribute "user"), looks up the Resource whose uri equals the request URI,
 * and lets the request through only if the user's privileges contain the
 * privilege that controls that resource.
 *
 * Two behaviours worth knowing:
 * <ul>
 * <li>A URI with no Resource row is allowed through ("fail open"): the
 *     tutorial treats an unregistered URI as unrestricted. Note that
 *     {@code getRequestURI()} includes the context path (e.g. /day20/manager/Servlet1),
 *     so Resource rows must be stored in that form -- a mismatch silently
 *     turns a protected URI into an unrestricted one.</li>
 * <li>A Resource row with no privilege is denied, because
 *     {@code List.contains(null)} is false for a list of real privileges.</li>
 * </ul>
 * The privilege match relies on Privilege overriding equals/hashCode.
 */
public class SecurityFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // 1-2. Not logged in: send to the message page instead of the resource.
        User current = (User) request.getSession().getAttribute("user");
        if (current == null) {
            deny(request, response, "请先登陆");
            return;
        }

        // 3-4. Which resource is being asked for, and which privilege guards it?
        SecurityService service = new SecurityService();
        Resource protectedResource = service.findResource(request.getRequestURI());
        if (protectedResource == null) {
            // Unregistered URI: no privilege required (see class comment).
            chain.doFilter(request, response);
            return;
        }

        // 5-6. Compare against everything the user holds via their roles.
        if (!holdsPrivilege(service, current, protectedResource.getPrivilege())) {
            deny(request, response, "对不起,您没有权限,请联系管理员!!");
            return;
        }

        // 7. Authorised.
        chain.doFilter(request, response);
    }

    /** True when the user's full privilege list contains {@code required}. */
    private static boolean holdsPrivilege(SecurityService service, User user, Privilege required) {
        List<Privilege> granted = service.getUserAllPrivilege(user.getId());
        return granted.contains(required);
    }

    /** Forwards to message.jsp with the given text; the original request is not served. */
    private static void deny(HttpServletRequest request, HttpServletResponse response, String message)
            throws ServletException, IOException {
        request.setAttribute("message", message);
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    public void destroy() {
        // nothing to release
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration parameters are read
    }
}
/day20/WebRoot/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <!-- Filters run in the order their <filter-mapping>s appear for a matching URL:
       the encoding filter (every URL) is listed before the security filter. -->
  <filter>
    <filter-name>CharacterEncodingFilter</filter-name>
    <filter-class>cn.itcast.web.filter.CharacterEncodingFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CharacterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- NOTE(review): SecurityFilter only guards /manager/*. The management servlets
       mapped below under /servlet/* (Privilege/Resource/Role/User) and the
       /security/*.jsp admin pages are outside this pattern, so nothing in this
       descriptor requires a login or a privilege for them. The login action itself
       lives at /servlet/UserServlet?method=login, so /servlet/* cannot simply be
       added to this mapping without first exempting login in the filter. -->
  <filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>cn.itcast.web.filter.SecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/manager/*</url-pattern>
  </filter-mapping>

  <!-- Management front controllers; each one dispatches on the "method" parameter. -->
  <servlet>
    <servlet-name>PrivilegeServlet</servlet-name>
    <servlet-class>cn.itcast.web.controller.PrivilegeServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PrivilegeServlet</servlet-name>
    <url-pattern>/servlet/PrivilegeServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>ResourceServlet</servlet-name>
    <servlet-class>cn.itcast.web.controller.ResourceServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ResourceServlet</servlet-name>
    <url-pattern>/servlet/ResourceServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>RoleServlet</servlet-name>
    <servlet-class>cn.itcast.web.controller.RoleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RoleServlet</servlet-name>
    <url-pattern>/servlet/RoleServlet</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>UserServlet</servlet-name>
    <servlet-class>cn.itcast.web.controller.UserServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>UserServlet</servlet-name>
    <url-pattern>/servlet/UserServlet</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
然后我们来做登陆界面
/day20/WebRoot/login.jsp
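<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Login form; posts username and password to UserServlet?method=login.
     The password field is type="password" (the original used type="text"),
     so the credential is masked on screen and not retained by plain-text
     field autocomplete. The form still travels over whatever transport the
     site uses -- it needs HTTPS to protect the credential in transit. --%>
<html>
  <head>
    <title>My JSP 'login.jsp' starting page</title>
  </head>
  <body>
    <form action="${pageContext.request.contextPath }/servlet/UserServlet?method=login" method="post">
      用户名:<input type="text" name="username" autocomplete="username"><br/>
      密码:<input type="password" name="password" autocomplete="current-password"><br/>
      <input type="submit" value="登陆">
    </form>
  </body>
</html>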
/day20/src/cn/itcast/web/controller/UserServlet.java
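package cn.itcast.web.controller;

import java.io.IOException;
import java.util.List;
import java.util.UUID;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.itcast.domain.User;
import cn.itcast.service.SecurityService;
import cn.itcast.utils.WebUtils;

/**
 * Front controller for user management plus login/logout. The action is
 * selected by the {@code method} request parameter: getAll, addUI, add,
 * forUpdateUserRoleUI, updateRole, login, logout.
 *
 * State-changing actions (add, updateRole, login) are accepted only via POST,
 * which is how adduser.jsp, updateUserRole.jsp and login.jsp already submit
 * them; previously doPost delegated to doGet, so a plain GET link could create
 * a user or grant a role. logout stays reachable via GET because index.jsp
 * links to it. The forms carry no anti-forgery token, so this is only a
 * partial CSRF mitigation.
 *
 * Login now discards the pre-login session and binds the user to a fresh one
 * (session fixation defence), and logout invalidates the whole session instead
 * of only removing the "user" attribute.
 *
 * NOTE(review): /servlet/UserServlet lies outside SecurityFilter's /manager/*
 * mapping in web.xml, so the management actions here are not subject to the
 * login or privilege check -- confirm the deployment protects them.
 */
public class UserServlet extends HttpServlet {

    SecurityService service = new SecurityService();

    /** Read-only actions and logout; mutating actions are refused with 405 on GET. */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("getAll".equals(method)) {
            getAll(request, response);
        } else if ("addUI".equals(method)) {
            addUI(request, response);
        } else if ("forUpdateUserRoleUI".equals(method)) {
            forUpdateUserRoleUI(request, response);
        } else if ("logout".equals(method)) {
            logout(request, response);
        } else if ("add".equals(method) || "updateRole".equals(method) || "login".equals(method)) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
        } else {
            // Do not echo the parameter back: it would be reflected into the error page.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown method");
        }
    }

    /** Mutating actions; everything else behaves as on GET. */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String method = request.getParameter("method");
        if ("add".equals(method)) {
            add(request, response);
        } else if ("updateRole".equals(method)) {
            updateRole(request, response);
        } else if ("login".equals(method)) {
            login(request, response);
        } else {
            doGet(request, response);
        }
    }

    /**
     * Logging out means ending the session: every attribute (including "user")
     * is dropped and the session id is retired, then the browser is sent to the
     * home page. No session is created if none exists.
     */
    private void logout(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    /**
     * Authenticates username/password through the service. On success the
     * session the browser brought to the login page is invalidated and the
     * user is stored under "user" in a newly issued session, so an attacker
     * who planted a session id before login does not end up sharing the
     * authenticated session. On failure a generic message is shown (the same
     * text for unknown user and wrong password).
     */
    private void login(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        User user = service.findUser(username, password);
        if (user == null) {
            request.setAttribute("message", "用户名或密码错误!!");
            request.getRequestDispatcher("/message.jsp").forward(request, response);
            return;
        }
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
        request.getSession(true).setAttribute("user", user);
        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    /**
     * Replaces the role set of user {@code userid} with the checked {@code rid}
     * values (null when nothing is checked -- the service decides how to treat
     * that). Outcome is reported via message.jsp; failures are logged with
     * their cause through the servlet log.
     */
    private void updateRole(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            String userId = request.getParameter("userid");
            String[] roleIds = request.getParameterValues("rid");
            service.updateUserRole(userId, roleIds);
            request.setAttribute("message", "更新成功!!");
        } catch (Exception e) {
            log("updateUserRole failed", e);
            request.setAttribute("message", "更新失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /**
     * Renders the "grant roles" form for user {@code id}, exposing the user as
     * "user" and every role as "list".
     */
    private void forUpdateUserRoleUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userId = request.getParameter("id");
        User user = service.findUser(userId);
        List<?> roles = service.getAllRole();
        request.setAttribute("user", user);
        request.setAttribute("list", roles);
        request.getRequestDispatcher("/security/updateUserRole.jsp").forward(request, response);
    }

    /**
     * Creates a user from the posted form fields (username, password,
     * description). The id is always server-generated, so a client-supplied
     * "id" field is ignored.
     *
     * NOTE(review): the password is passed to the service exactly as typed;
     * whether it is hashed before storage is not visible here -- verify in
     * SecurityService/UserDao.
     */
    private void add(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            User user = WebUtils.request2Bean(request, User.class);
            user.setId(UUID.randomUUID().toString());
            service.addUser(user);
            request.setAttribute("message", "添加成功!!");
        } catch (Exception e) {
            log("addUser failed", e);
            request.setAttribute("message", "添加失败!!");
        }
        request.getRequestDispatcher("/message.jsp").forward(request, response);
    }

    /** Shows the "add user" form. */
    private void addUI(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/security/adduser.jsp").forward(request, response);
    }

    /** Lists every user under the request attribute "list". */
    private void getAll(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        List<?> users = service.getAllUser();
        request.setAttribute("list", users);
        request.getRequestDispatcher("/security/listuser.jsp").forward(request, response);
    }
}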
/day20/WebRoot/index.jsp
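<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="/WEB-INF/itcast.tld" prefix="itcast" %>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Home page. Links are built from the context path instead of the
     hard-coded "/day20" used before, matching the security/*.jsp pages and
     surviving a deployment under another context name. The username is an
     admin-entered value, so it is printed through <c:out> (HTML-escaped).
     <itcast:permission> only decides whether a link is rendered; the actual
     access check for /manager/* is done by SecurityFilter. The per-link
     explanations are JSP comments so they are not sent to the browser. --%>
<html>
  <head>
    <title>My JSP 'index.jsp' starting page</title>
  </head>
  <body>
    欢迎您:<c:out value="${user.username}"/>
    <a href="${pageContext.request.contextPath}/servlet/UserServlet?method=logout">注销</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath}/login.jsp">登陆</a>
    <br/><br/>
    <%-- Each link is shown only to users holding the named privilege. --%>
    <itcast:permission value="添加分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet1">添加分类</a>
    </itcast:permission>
    <itcast:permission value="删除分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet2">删除分类</a>
    </itcast:permission>
    <itcast:permission value="修改分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet3">修改分类</a>
    </itcast:permission>
    <itcast:permission value="查找分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet4">查找分类</a>
    </itcast:permission>
    <itcast:permission value="删除商品">
      <a href="${pageContext.request.contextPath}/manager/Servlet5">删除商品</a>
    </itcast:permission>
  </body>
</html>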
以上就是权限系统,下面是一些小细节
05-权限细节
这里通过自定义标签实现各个权限下显示不同的权限超链接
/day20/WebRoot/index.jsp
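<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@taglib uri="/WEB-INF/itcast.tld" prefix="itcast" %>
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<%-- Home page. Links are built from the context path instead of the
     hard-coded "/day20" used before, matching the security/*.jsp pages and
     surviving a deployment under another context name. The username is an
     admin-entered value, so it is printed through <c:out> (HTML-escaped).
     <itcast:permission> only decides whether a link is rendered; the actual
     access check for /manager/* is done by SecurityFilter. The per-link
     explanations are JSP comments so they are not sent to the browser. --%>
<html>
  <head>
    <title>My JSP 'index.jsp' starting page</title>
  </head>
  <body>
    欢迎您:<c:out value="${user.username}"/>
    <a href="${pageContext.request.contextPath}/servlet/UserServlet?method=logout">注销</a>
    <br/><br/>
    <a href="${pageContext.request.contextPath}/login.jsp">登陆</a>
    <br/><br/>
    <%-- Each link is shown only to users holding the named privilege. --%>
    <itcast:permission value="添加分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet1">添加分类</a>
    </itcast:permission>
    <itcast:permission value="删除分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet2">删除分类</a>
    </itcast:permission>
    <itcast:permission value="修改分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet3">修改分类</a>
    </itcast:permission>
    <itcast:permission value="查找分类">
      <a href="${pageContext.request.contextPath}/manager/Servlet4">查找分类</a>
    </itcast:permission>
    <itcast:permission value="删除商品">
      <a href="${pageContext.request.contextPath}/manager/Servlet5">删除商品</a>
    </itcast:permission>
  </body>
</html>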
/day20/src/cn/itcast/web/tag/PermissionTag.java
package cn.itcast.web.tag;

import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.SimpleTagSupport;

import cn.itcast.domain.Privilege;
import cn.itcast.domain.User;
import cn.itcast.service.SecurityService;

/**
 * {@code <itcast:permission value="...">} renders its body only when the
 * logged-in user (session attribute "user") holds a privilege whose name
 * equals {@code value}. Anonymous visitors see nothing.
 *
 * This is a display convenience: it hides links, it does not protect the
 * URL they point to -- that is SecurityFilter's job. Every evaluation loads
 * the user's full privilege list through SecurityService, so a page with
 * many such tags performs that lookup once per tag.
 */
public class PermissionTag extends SimpleTagSupport {

    /** Privilege name to look for (required attribute, see itcast.tld). */
    private String value;

    public void setValue(String value) {
        this.value = value;
    }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext ctx = (PageContext) getJspContext();
        HttpSession session = ctx.getSession();
        User current = (User) session.getAttribute("user");
        if (current == null) {
            return; // nobody logged in: render nothing
        }
        List<Privilege> granted = new SecurityService().getUserAllPrivilege(current.getId());
        if (holdsPrivilege(granted)) {
            getJspBody().invoke(null);
        }
    }

    /** Linear scan of the granted privileges for one whose name equals value. */
    private boolean holdsPrivilege(List<Privilege> granted) {
        for (Privilege p : granted) {
            if (p.getName().equals(value)) {
                return true;
            }
        }
        return false;
    }
}
/day20/WebRoot/WEB-INF/itcast.tld
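<?xml version="1.0" encoding="UTF-8" ?>
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
    version="2.0">
  <!-- Descriptor for the <itcast:permission> tag (cn.itcast.web.tag.PermissionTag).
       The description/short-name used to be left over from the JSTL core TLD this
       file was copied from ("JSTL 1.1 core library" / "c"); they now name this
       library. Pages reference it as <%@taglib uri="/WEB-INF/itcast.tld" prefix="itcast" %>. -->
  <description>itcast permission tag library</description>
  <display-name>itcast permission</display-name>
  <tlib-version>1.1</tlib-version>
  <short-name>itcast</short-name>
  <uri>/itcast</uri>

  <tag>
    <name>permission</name>
    <tag-class>cn.itcast.web.tag.PermissionTag</tag-class>
    <!-- scriptless: the body may hold EL and other tags but no <% %> scriptlets -->
    <body-content>scriptless</body-content>
    <attribute>
      <!-- Name of the privilege the current user must hold for the body to render. -->
      <name>value</name>
      <required>true</required>
      <rtexprvalue>true</rtexprvalue>
    </attribute>
  </tag>
</taglib>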
