Java Servlet 如何按用户角色过滤页面

Question

I'm coding a security web app. And I have a problem. For example, there is a pages called " Manager (JSP) ". I only want admins to see this page.

When user login the website, session create.

if(dao.check(uname, pass)) {
        UserAccount user = new UserAccount();
        user.setUsername(uname);
        HttpSession session = request.getSession();
        session.setAttribute("username", uname);
        response.sendRedirect("welcome.jsp");
    }

Heres the UserAccount Class:

public class UserAccount {
private String username;
private String password;
private List<String> roles;

public String getUsername() {
    return username;
}
public void setUsername(String username) {
    this.username = username;
}
public String getPassword() {
    return password;
}
public void setPassword(String password) {
    this.password = password;
}
public List<String> getRoles() {
    return roles;
}
public void setRoles(List<String> roles) {
    this.roles = roles;
}

}

And i have a Filter class which implements Filter. How program get understand who is admin or not and let to see manager page?

Answer 1

You can use a boolean attribute in your UserAccount class, this attribute will hold a value of true if the use is an admin, and false if he is not

public class UserAccount {
private String username;
private String password;
private List<String> roles;
private boolean is_admin;
...}

The redirection to manager page will see first if the current user is admin or not, so he will be denied if he's not an admin

---

NB: i see that you are using a List of roles, so maybe you're using a Role-Based access control ( like RBAC or RABAC )

In that case maybe you're giving admin permissions through his roles, so here the Filter method will see the user's roles list and check if it contains the role of admin, and if yes it will redirect into the manager page