java – How to hide certain functionality based on user login?

We want to hide some code functionality based on the user login in Tomcat. We are using Basic authentication. Any suggestions?

Solution:

If you mean hiding some resources depending on whether the user is logged in, then it is just a matter of restricting access to certain pages (see the references below).

If you want to hide certain functionality depending on the logged-in user, one solution is to check the user's role in the JSP and output content accordingly.

A raw example:
sample.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<!DOCTYPE html>
<html>
<head>
    <title>Sample Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
    <c:choose>
        <%-- Role checks need EL 2.2 (Servlet 3.0+) to call a method with an argument --%>
        <c:when test="${pageContext.request.isUserInRole('admin')}">
            <p>Content for admin.</p>
        </c:when>
        <c:when test="${pageContext.request.isUserInRole('someRole')}">
            <p>Some content here</p>
        </c:when>
        <c:otherwise>
            <p>Another Content</p>
        </c:otherwise>
    </c:choose>
</body>
</html>

NB!
To be able to call methods with parameters from EL, you need at least Servlet version 3.
Quoted from here: https://*.com/tags/el/info

Since EL 2.2, which is maintained as part of Servlet 3.0 / JSP 2.2
(Tomcat 7, Glassfish 3, JBoss AS 6, etc), it’s possible to invoke
non-getter methods, if necessary with arguments.

Another way to hide/restrict access to certain pages based on the user's role is to use the security configuration in web.xml, or to use annotations (Java EE 5 minimum), or to create your own filter that checks the role of the requesting user.

To create your own Filter, create a class that implements the javax.servlet.Filter interface and, in the doFilter() method, use the HttpServletRequest method isUserInRole() to check the role of the user making the request.

Here is a simple example of implementing a custom filter:
RoleCheckFilter.java

package com.example.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


/**
 * Servlet Filter implementation class RoleCheckFilter.
 * Its purpose is to check the logged-in user's role and
 * accordingly allow or prevent access to the web resources.
 */
public class RoleCheckFilter implements Filter {

    /**
     * @see Filter#init(FilterConfig)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isUserInRole() returns false for an unauthenticated user as well,
        // so an anonymous request is rejected by the same branch.
        if (request.isUserInRole("admin")) {
            // user has the appropriate rights, allow the request
            chain.doFilter(request, response);
        } else {
            // user does not have the appropriate rights, do something about it
            request.setAttribute("error", "You don't have enough rights to access this resource");
            // Note: a redirect starts a new request, so the attribute above is only
            // visible to the target page if you forward instead of redirecting, e.g.
            // request.getRequestDispatcher("/login.jsp").forward(request, response);
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    /**
     * @see Filter#destroy()
     */
    @Override
    public void destroy() {}

}

Add the appropriate filter configuration in web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">

    ...

    <filter>
        <filter-name>Role Check Filter</filter-name>
        <filter-class>com.example.filter.RoleCheckFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Role Check Filter</filter-name>
        <url-pattern>/admin/*</url-pattern>
    </filter-mapping>

    ...

</web-app>

Of course, in your case, given that you are using Basic authentication, it is much easier to use the security configuration in web.xml (declarative security) or programmatic security.

Quoting from the official Java EE documentation:

Java EE security services can be implemented for web applications in
the following ways:

  • Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor.

  • Declarative security expresses an application’s security structure, including security roles, access control, and authentication requirements in a deployment descriptor, which is external to the application.
    Any values explicitly specified in the deployment descriptor override any values specified in annotations.

  • Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application.

See the official Java EE documentation on securing Java EE applications (in your case, pay attention to the section "Specifying an Authorization Constraint"):
Java EE 6: Securing Web Applications
Java EE 5: Securing Web Applications

See the examples in the official documentation:
Java EE 6. Examples: Securing Web Applications
Java EE 5. Examples: Securing Web Applications
