tomcat服務器:
在應用web的web-inf下面的web.xml中定義用戶角色及其可以訪問的頁面。

?? < security-constraint >
???? < web-resource-collection >
?????? < web-resource-name > admin </ web-resource-name >
?????? < url-pattern > /ch12/admin/* </ url-pattern >
?????? < url-pattern > /ch12/search/delete.jsp </ url-pattern >
???? </ web-resource-collection >
???? < auth-constraint >
?????? < role-name > admin </ role-name >
???? </ auth-constraint >
?? </ security-constraint >

?? < security-constraint >
???? < web-resource-collection >
?????? < web-resource-name > search </ web-resource-name >
?????? < url-pattern > /ch12/search/* </ url-pattern >
???? </ web-resource-collection >
???? < auth-constraint >
?????? < role-name > admin </ role-name >
?????? < role-name > user </ role-name >
???? </ auth-constraint >
?? </ security-constraint >

?? < login-config >
???? < auth-method > BASIC </ auth-method >
???? < realm-name > ORA?Examples </ realm-name >
?? </ login-config >

?? < security-role >
???? < role-name > admin </ role-name >
?? </ security-role >
?? < security-role >
???? < role-name > user </ role-name >
?? </ security-role >

在tomcat-user.xml定義用戶,及其所屬角色。
??<user?username="hans"?password="secret"?roles="user"/>
??<user?username="paula"?password="boss"?roles="admin"/>

在bean中實現用戶的角色取得,同時讓其可以支持EL:
package?com.ora.jsp.tags;

import?javax.servlet.http.*;
import?javax.servlet.jsp.*;
import?javax.servlet.jsp.jstl.core.*;
import?org.apache.taglibs.standard.lang.support.*;

public?class?IfUserInRoleTag?extends?ConditionalTagSupport?{
????private?String?valueEL;

????public?void?setValue(String?value)?{
????????valueEL?=?value;
????}

????public?boolean?condition()?throws?JspTagException?{
????????/*
?????????*?Evaluate?the?EL?expression,?if?any
?????????*/
????????String?role?=?null;
????????try?{
????????????role?=?(String)
?????????????//ExpressionEvaluatorManager.evaluate可以使valueEL用于EL,屬性名為value???????????????
??????????????????ExpressionEvaluatorManager.evaluate("value",?valueEL,?
????????????????????String.class,?this,?pageContext);
????????}
????????catch?(JspException?e)?{
????????????throw?new?JspTagException(e.getMessage());
????????}
????????HttpServletRequest?request?=?
????????????(HttpServletRequest)?pageContext.getRequest();
????????return?request.isUserInRole(role);//取得角色類別
????}
}

在tld文件中定義EL自定義標簽
??<tag>
????<name>ifUserInRole</name>
????<tag-class>com.ora.jsp.tags.IfUserInRoleTag</tag-class>
????<body-content>JSP</body-content>
????<description>
??????Evaluates?its?body?if?the?current,?authenticated,?user?belongs?to
??????the?specified?security?role,?and?optionally?saves?the?result
??????of?the?test?as?a?Boolean?in?a?variable?specified?by?the?var?and?
??????scope?attributes.
????</description>
????<attribute>
??????<name>value</name>
??????<required>true</required>
????</attribute>
????<attribute>
??????<name>var</name>
??????<required>false</required>
????</attribute>
????<attribute>
??????<name>scope</name>
??????<required>false</required>
????</attribute>
??</tag>

在應用程序jsp頁面中調用自定義標簽進行訪問控制
<%@?taglib?prefix="ora"?uri="orataglib"?%>

<ora:ifUserInRole?value="admin"?var="isAdmin"?/>