How to hide some feature based on the user login?

Question

We would like to hide some code features based on user login in Tomcat. We are using the basic authentications. Any suggestions?

Answer

If what you meant was just hiding some resources depending on whether the user is logged in or not, then it is just a matter of restricting access to some pages (see the references below).

If you want to hide some feature based on who is logged in, then one of the solutions is to check the user role right inside the JSP and output the content accordingly.

Example:
sample.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html>
<html>
<head>
    <title>Sample Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
    <c:choose>
        <c:when test="${pageContext.request.isUserInRole('admin')}">
            <p>Content for admin.</p>
        </c:when>
        <c:when test="${pageContext.request.isUserInRole('someRole')}">
            <p>Some content here</p>
        </c:when>
        <c:otherwise>
            <p>Another Content</p>
        </c:otherwise>
    </c:choose>
</body>
</html>

NB!
To be able to invoke methods with arguments from EL you must use at least Servlet version 3.
Quote from here: http://stackoverflow.com/tags/el/info

Since EL 2.2, which is maintained as part of Servlet 3.0 / JSP 2.2 (Tomcat 7, Glassfish 3, JBoss AS 6, etc), it's possible to invoke non-getter methods, if necessary with arguments.

Another way to hide / restrict access to some of your pages depending on the user role is to make security configurations in web.xml, or use annotations (minimum Java EE 5), or create your own Filter that checks the role of the user making the request.

To create your own Filter, create a class that implements the javax.servlet.Filter interface and in the doFilter() method check the role of the user that made the request by using the HttpServletRequest method isUserInRole().

Here is a simple example of implementing a custom Filter:
RoleCheckFilter.java

package com.example.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


/**
 * Servlet Filter implementation class RoleCheckFilter.
 * Its purpose is to check the logged-in user's role and
 * accordingly allow or prevent access to the web resources.
 */
public class RoleCheckFilter implements Filter {

    /**
     * @see Filter#init(FilterConfig)
     */
    public void init(FilterConfig filterConfig) throws ServletException {}

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isUserInRole("admin")) {
            // user has the appropriate rights, allow the request
            chain.doFilter(request, response);
        } else {
            // user does not have the appropriate rights, do something about it
            request.setAttribute("error", "You don't have enough rights to access this resource");
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            // or you could forward the request somewhere instead; note that a
            // request attribute only survives a forward, not a redirect, because
            // the browser issues a brand-new request after a redirect
        }
    }


    /**
     * @see Filter#destroy()
     */
    public void destroy() {}

}

Add the appropriate filter configuration in web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">

    ...

    <filter>
        <filter-name>Role Check Filter</filter-name>
        <filter-class>com.example.filter.RoleCheckFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Role Check Filter</filter-name>
        <url-pattern>/admin/*</url-pattern>
    </filter-mapping>

    ...

</web-app>


Of course in your case, considering the fact that you use Basic Authentication, it is much easier to make security configurations right in web.xml (declarative security) or use programmatic security.

Quote from the official Java EE documentation:

Java EE security services can be implemented for web applications in the following ways:

  • Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor.

Declarative security expresses an application’s security structure, including security roles, access control, and authentication requirements in a deployment descriptor, which is external to the application.
Any values explicitly specified in the deployment descriptor override any values specified in annotations.

Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application.

Check out official Java EE documentation related to securing Java EE applications (in your case pay attention to Specifying an Authorization Constraint part):
Java EE 6: Securing Web Applications
Java EE 5: Securing Web Applications

Check out also examples from the official documentation:
Java EE 6. Examples: Securing Web Applications
Java EE 5. Examples: Securing Web Applications
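The declarative alternative the answer recommends, shown as an added example that is not part of the original answer: a web.xml fragment in which the container itself enforces the role check with Basic Authentication. The role names `admin` and `member`, the paths `/admin/*` and `/members/*` and the realm name are assumptions. It matters for the JSP and Filter approaches above too: by default Tomcat only performs Basic authentication for requests that match a security-constraint, so without one covering the resource the client is never challenged, getRemoteUser() stays null and isUserInRole() returns false for everybody, which would make the Filter-only setup deny every request.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">

    <!-- Only users in the admin role may reach /admin/* (role name and path are assumed) -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin area</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <!-- No http-method element on purpose: listing methods would constrain
                 only those methods and leave every other method unprotected. -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Basic auth sends credentials base64-encoded, not encrypted: require TLS -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Pages for any logged-in user holding one of the declared roles (assumed path).
         In Servlet 3.0 "*" means "any role declared in a security-role element";
         Servlet 3.1 adds "**" for "any authenticated user". -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Members area</web-resource-name>
            <url-pattern>/members/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Basic authentication against the Realm configured in Tomcat (realm name is assumed) -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Example Realm</realm-name>
    </login-config>

    <!-- Every role referenced in an auth-constraint or in isUserInRole() must be declared -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>member</role-name>
    </security-role>

</web-app>
```

With this in place a request to /admin/* from a user who is authenticated but not in the admin role gets a 403 from the container before any servlet, JSP or Filter runs, and an unauthenticated request gets a 401 with a Basic challenge. Which users hold which roles comes from the Realm (for the default UserDatabaseRealm that is conf/tomcat-users.xml), so the role names here and the ones used in isUserInRole() must agree with it. The JSP c:choose block above then remains useful for the finer-grained case of showing or hiding individual parts of a page that every member may open.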
