使用过滤器对权限进行过滤，就是对访问的url地址进行判断

/*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
package cn.toher.filter;

import cn.toher.bean.Group;
import cn.toher.bean.User;
import cn.toher.dao.AuthorityDao;
import cn.toher.dao.GroupDao;
import cn.toher.dao.UserDao;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import static jdk.nashorn.internal.runtime.regexp.joni.constants.AsmConstants.S;

/**
 *
 * @author Administrator
 */
public class AuthorityFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest servletRequest = (HttpServletRequest) request;
        HttpServletResponse servletResponse = (HttpServletResponse) response;

        User user = (User) servletRequest.getSession().getAttribute("Suser");
            //获取请求的Servlet，即url
            if(user.getIsAdmin() != 1){
//　　　　　　　　　　这一段是获取点击的链接的servlet的地址
                String currentURL = servletRequest.getServletPath();
                System.out.println("currentURL:"+currentURL);
                AuthorityDao authorityDao = new AuthorityDao();
                //通过url找到权限编号
                String authorityNo = authorityDao.findAuthorityNo(currentURL);
                List<String> listuser = new ArrayList<String>();//存放个人权限编号集合
                //通过获取Session得到user
                UserDao userDao = new UserDao();
                //调用方法，把User的authorityNo拼接成String集合
                listuser = userDao.splitString(user);
                //判断权限集合是否包含这个权限
//               List 中 contains（）函数的用法？
                if (listuser.contains(authorityNo)) {
                    chain.doFilter(request, response);
                } else {
                    response.getWriter().write("<script type="text/javascript">alert("权限不足")</script>");
                }
            }else{
                chain.doFilter(request, response);
            }
    }

    @Override
    public void destroy() {
    }
}