第一种方式：利用filter、xml文件和用户信息表配合使用来实现权限管理。

1.过滤器filter

package cn.com.aaa.bbb.filter;

import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dom4j.Document;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;

import cn.com.aaa.bbb.domain.User;
import cn.com.aaa.bbb.util.HttpUtils;

/**
* 过滤：后台管理的模块授权。根据：配置文件xml，根据当前session中用的管理员信息。
* 注：不用再访问数据库。也不需要再使用什么 bean 去判断。直接在这个类里就可以判断。
* @author cuiguangqiang
*
*/

public class ManagerAuthFilter implements Filter {
protected static final Log logger = LogFactory.getLog(ManagerAuthFilter.class);

public static final String MAPPING_FILE = "/WEB-INF/managerauthmapping.xml";

private ServletContext context = null;

private Map actions = new HashMap();

public void init(FilterConfig filterConfig) throws ServletException {
context = filterConfig.getServletContext();
if(context==null){
logger.error("unable to init as servlet context is null");
return;
}
loadConf();
logger.info("ManagerAuthFilter configure success.");
}

private void loadConf() {
InputStream inputStream = context.getResourceAsStream(MAPPING_FILE);
if (inputStream == null) {
logger.info("unable find auth mapping file " + MAPPING_FILE);
} else {
actions = parseConf(inputStream);
}
}

private Map parseConf(InputStream inputStream) {
try {
SAXReader reader = new SAXReader();
Document document = reader.read(inputStream);
return createActionMap(document);

} catch (Exception e) {
logger.info(e.getMessage());
e.printStackTrace();
}
return new HashMap();
}

private Map createActionMap(Document document) {
Map map = new HashMap();
Element root = document.getRootElement();
//处理XML，读入JAVA Object对象中。
List actionList = root.elements();
for (Iterator it = actionList.iterator(); it.hasNext();) {
Element e = (Element) it.next();

String actionName = e.attributeValue("name");

String auth_value = e.element("auth-value").getTextTrim();
map.put(actionName,auth_value);
logger.info(actionName + " is " + auth_value);
}
return map;
}

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
//处理某次提交的Action，是否在权限定义范围内
//权限共有：1:站长；2:编辑；0:Admin ; all 代表所有人都可以。（均需要登录）

HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
//（１）得到此次用户的提交请求

String url = req.getServletPath();
//（２）只有在配置文件中存在的 action 才进行处理
String method = req.getParameter("method");
if(method!=null){
url = url + "?method=" + method;
}
String auth_value = (String)actions.get(url);

if(auth_value==null){
logger.info("action is not in Manager Auth xml.");
chain.doFilter(request, response);
return;
}
//第一，必须要登录
// 取得当前用户；
User manager = (User) HttpUtils.getAdminUserSession(req);
// 检查管理用户是否登录
if (manager == null) {
resp.sendRedirect(req.getContextPath()+"/sessionLost.do");
return;
}

//第二，必须在权限定义范围内
if(auth_value.indexOf("all")>=0){
chain.doFilter(request, response);//必须返回给上一层。
return ;
}
else{
// String currUserAuth = ","+Integer.toString( manager.getLever())+",";
String currUserAuth = Integer.toString( manager.getLever());
if(auth_value.indexOf(currUserAuth)>=0){
chain.doFilter(request, response);//必须返回给上一层。
return ;
}
else{
resp.sendRedirect(req.getContextPath()+"/accessdenied.do");
return ;
}
}
}

public void destroy() {
logger.info("in authfilter destroy");

}

}

奈斯