合规方案:
    建议系统通过全局过滤器来检测用户是否登录、是否对资源具有访问权限。

    1.     public class PrivilegeFilter implements Filter {
    2.         private Properties properties = new Properties();
    4.         @Override
    5.         public void destroy() {
    6.             properties = null;
    7.         }
    9.         @Override
    10.         public void init(FilterConfig config) throws ServletException {
    11. //获取资源访问权限配置
    12.             String fileName = config.getInitParameter("privilegeFile");
    13.             String realPath = config.getServletContext().getRealPath(fileName);
    14.             try {
    15.                 properties.load(new FileInputStream(realPath));
    16.             } catch (Exception e) {
    17.                 config.getServletContext().log("读取权限控制文件失败", e);
    18.             }
    19.         }
    21.         @Override
    22.         public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
    23.                 throws IOException, ServletException {
    24.             HttpServletRequest request = (HttpServletRequest) req;
    25.             HttpServletResponse response = (HttpServletResponse) res;
    27.             String requestUri = request.getRequestURI().replace(request.getContextPath() + "/", "");
    28.             String action = request.getParameter("action");
    29.             action = action == null ? "" : action;
    30.             String uri = requestUri + "?action=" + action;
    31.             String role = (String) request.getSession().getAttribute("role");
    32.             role = role == null ? "guest" : role;
    33.             boolean authen = false;
    34.             for (Object obj : properties.keySet()) {
    35.                 String key = (String) obj;
    36.                 if (uri.matches(key.replace("?", "\\?").replace(".", "\\.").replace("*", ".*"))) {
    37.                     if (role.equals(properties.get(key))) {
    38.                         authen = true;
    39.                         break;
    40.                     }
    41.                 }
    42.             }
    43.             if (!authen) {
    44.                 throw new RuntimeException("您无权访问该页面,请以合适的身份登录后查看。");
    45.             }
    46.             chain.doFilter(request, response);
    47.         }
    48.     }
    1. admin.do?action=*  =  administrator
    2. list.do?action=add  =  admin
    3. list.do?action=view  =  guest
    1. <filter>
    2.   <filter-name>privilegeFilter</filter-name>
    3.   <filter-class>com.filter.privilegeFilter</filter-class>
    4.   <init-param>
    5.     <param-name>privilegeFile</param-name>
    6.     <param-value>/WEB-INF/privilege.properties</param-value>
    7.   </init-param>
    8. </filter>