用户登录系统后,我想控制访问权限.
I would like to control the access after the user log in my system.
例如:
administrator : can add, delete and give rights to employee employee : fill forms only ...因此,在知道用户拥有哪些权限之后,检入数据库,我想限制该用户可以看到和执行的操作. 有一种简单的方法吗?
So after knowing which right the user has, checking in database, I would like to restrict what this user can see and do. There's a simple way to do that ?
编辑
@WebFilter("/integra/user/*") public class LoginFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException { HttpServletRequest req = (HttpServletRequest) request; Authorization authorization = (Authorization) req.getSession().getAttribute("authorization"); if (authorization != null && authorization.isLoggedIn()) { // User is logged in, so just continue request. chain.doFilter(request, response); } else { // User is not logged in, so redirect to index. HttpServletResponse res = (HttpServletResponse) response; res.sendRedirect(req.getContextPath() + "/integra/login.xhtml"); } } // You need to override init() and destroy() as well, but they can be kept empty. @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { } }推荐答案
嗯,这是一个相当广泛的主题.当您开始使用自定义身份验证时,我将针对自定义授权进行回答.
Well, this is a pretty broad subject. As you're starting off with homebrewed authentication, I'll target the answer on homebrewed authorization.
如果模型设计合理,则Java/JSF中的角色检查本身就相对简单.假设一个用户可以有多个角色(在现实世界中通常是这样),那么您最终将希望拥有类似的东西:
Role checking in Java/JSF is at its own relatively simple if the model is sensibly designed. Assuming that a single user can have multiple roles (as is often the case in real world applications), you'd ultimately like to end up having something like:
public class User { private List<Role> roles; // ... public boolean hasRole(Role role) { return roles.contains(role); } }public enum Role { EMPLOYEE, MANAGER, ADMIN; }
,以便您可以在JSF视图中进行如下检查:
so that you can check it as follows in your JSF views:
<h:selectManyCheckbox value="#{user.roles}" disabled="#{not user.hasRole('ADMIN')}"> <f:selectItems value="#{Role}" /> </h:selectManyCheckbox><h:commandButton value="Delete" rendered="#{user.hasRole('ADMIN')}" />
并在您的过滤器中:
String path = req.getRequestURI().substring(req.getContextPath().length()); if (path.startsWith("/integra/user/admin/") && !user.hasRole(Role.ADMIN)) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); }
最困难的部分是将此Java模型转换为合理的DB模型.根据具体的业务需求,有几种不同的方法,每种方法都有其自身的(不利)优势.也许您已经有一个数据库模型,必须在该模型上建立Java模型(因此,您需要自下而上地进行设计)?
The hardest part is translating this Java model to a sane DB model. There are several different ways depending on the concrete business requirements, each with its own (dis)advantages. Or perhaps you already have a DB model on which you have to base your Java model (thus, you need to design bottom-up)?
无论如何,假设您使用的是JPA 2.0(您的问题历史记录至少证实了这一点)并且可以自上而下进行设计,最简单的方法之一就是将roles属性映射为 @ElementCollection 相对于user_roles表.由于我们使用的是Role枚举,因此不需要第二个role表.同样,这取决于具体的功能和业务需求.
Anyway, assuming that you're using JPA 2.0 (your question history at least confirms this) and that you can design top-down, one of the easiest ways would be to map the roles property as an @ElementCollection against an user_roles table. As we're using a Role enum, a second role table isn't necessary. Again, that depends on the concrete functional and business requirements.
在通用SQL术语中,user_roles表如下所示:
In generic SQL terms, the user_roles table can look like this:
CREATE TABLE user_roles ( user_id BIGINT REFERENCES user(id), role VARCHAR(16) NOT NULL, PRIMARY KEY(user_id, role) )然后将其映射如下:
@ElementCollection(targetClass=Role.class, fetch=FetchType.EAGER) @Enumerated(EnumType.STRING) @CollectionTable(name="user_roles", joinColumns={@JoinColumn(name="user_id")}) @Column(name="role") private List<Role> roles;基本上,这就是您需要在User实体中进行更改的所有内容.
That's basically all you'd need to change in your User entity.
在自制认证(登录/注销)和授权(角色检查)旁边,还提供了容器托管身份验证,您可以通过它通过j_security_check或HttpServletRequest#login() ,通过web.xml 中的<security-constraint>过滤HTTP请求,通过#{request.remoteUser} 和其作用由#{request.isUserInRole('ADMIN')} 等
Next to homebrewed authentication (login/logout) and authorization (role checking), there is also Java EE provided container managed authentication with which you can login by j_security_check or HttpServletRequest#login(), filter HTTP requests by <security-constraint> in web.xml, check the logged-in user by #{request.remoteUser} and its roles by #{request.isUserInRole('ADMIN')}, etc.
然后有多个第三方框架,例如 PicketLink , Spring Security , Apache Shiro 等等.但这完全是不可能的:)
Then there are several 3rd party frameworks such as PicketLink, Spring Security, Apache Shiro, etc. But this is all out of the question :)
更多推荐
如何在JSF中控制访问和权限?
发布评论