tomcat服务器:
在 Web 应用的 WEB-INF 目录下的 web.xml 中定义用户角色及其可以访问的页面。

   < security-constraint >
    
< web-resource-collection >
      
< web-resource-name > admin </ web-resource-name >
      
< url-pattern > /ch12/admin/* </ url-pattern >
      
< url-pattern > /ch12/search/delete.jsp </ url-pattern >
    
</ web-resource-collection >
    
< auth-constraint >
      
< role-name > admin </ role-name >
    
</ auth-constraint >
  
</ security-constraint >

  
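<!--
  Search area: open to both "admin" and "user". Anyone who is not
  authenticated, or who holds neither role, is rejected by the container
  before the JSP runs. No <http-method> is listed, so all methods are covered.
  The tag names had stray spaces inside the angle brackets, which is not
  well-formed XML; they are removed here.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>search</web-resource-name>
    <url-pattern>/ch12/search/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
  <!--
    Credentials travel with every BASIC-authenticated request, so require
    TLS for this area as well (needs an HTTPS connector in Tomcat).
  -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>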

  
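<!--
  HTTP BASIC authentication: the browser prompts for credentials and then
  resends them, base64-encoded, on every request to this realm. base64 is an
  encoding, not encryption, so protected URLs should only be served over
  TLS (a CONFIDENTIAL transport guarantee on each security-constraint).
  BASIC also has no server-side logout; the browser keeps sending the
  credentials until it is closed.
  The tag names had stray spaces inside the angle brackets, which is not
  well-formed XML; they are removed here.
-->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ORA Examples</realm-name>
</login-config>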

  
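<!--
  Declares the role names used by the auth-constraint elements above.
  The names are matched literally against the roles the realm assigns to a
  user (the "roles" attribute in tomcat-users.xml for the default realm), so
  a typo here silently leaves the role unusable rather than raising an error.
  The tag names had stray spaces inside the angle brackets, which is not
  well-formed XML; they are removed here.
-->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>user</role-name>
</security-role>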

在 tomcat-users.xml 中定义用户及其所属角色。
  <!--
    Demo accounts only: the passwords are stored in cleartext and are
    trivially guessable. Outside a local exercise, store digested passwords
    (Tomcat supports a digest-configured realm / CredentialHandler and ships
    a digest script to produce the values), choose strong passwords, and make
    this file readable only by the account that runs Tomcat.
  -->
  <user username="hans" password="secret" roles="user"/>
  
<user username="paula" password="boss" roles="admin"/>

在bean中实现用户的角色取得,同时让其可以支持EL:
package com.ora.jsp.tags;

import javax.servlet.http.*;
import javax.servlet.jsp.*;
import javax.servlet.jsp.jstl.core.*;
import org.apache.taglibs.standard.lang.support.*;

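/**
 * Conditional JSP tag that evaluates its body only when the current request's
 * authenticated user is in the security role named by the {@code value}
 * attribute.
 *
 * <p>The role check is delegated to the container through
 * {@link HttpServletRequest#isUserInRole(String)}; the tag itself does not
 * authenticate anyone. It only decides what a page renders. The URLs behind
 * any link or form it hides must still be protected by a
 * {@code security-constraint} in web.xml.
 */
public class IfUserInRoleTag extends ConditionalTagSupport {

    /** Raw text of the {@code value} attribute; may be an EL expression. */
    private String valueEL;

    /**
     * Stores the unevaluated {@code value} attribute. Evaluation is deferred
     * to {@link #condition()} so it happens against the current page context.
     *
     * @param value role name or EL expression yielding a role name
     */
    public void setValue(String value) {
        valueEL = value;
    }

    /**
     * Evaluates the {@code value} attribute and asks the container whether
     * the current user holds that role.
     *
     * @return {@code true} if the user is in the role; {@code false} if not,
     *         or if the attribute evaluates to null or an empty string
     * @throws JspTagException if the EL expression cannot be evaluated
     */
    public boolean condition() throws JspTagException {
        String role = null;
        try {
            // ExpressionEvaluatorManager.evaluate lets the "value" attribute
            // carry an EL expression; the first argument is the attribute name
            // used in error messages.
            role = (String) ExpressionEvaluatorManager.evaluate(
                    "value", valueEL, String.class, this, pageContext);
        } catch (JspException e) {
            // NOTE(review): only the message is propagated. On JSP 2.0+
            // containers JspTagException(String, Throwable) can carry the
            // cause as well; confirm the target API level before switching.
            throw new JspTagException(e.getMessage());
        }

        // Fail closed: an expression that yields no role name must never be
        // treated as a match, whatever the container does with null or "".
        if (role == null || role.length() == 0) {
            return false;
        }

        HttpServletRequest request =
                (HttpServletRequest) pageContext.getRequest();
        // The container answers from the authenticated principal's roles.
        return request.isUserInRole(role);
    }
}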


在tld文件中定义EL自定义标签
  <!--
    Registers the ifUserInRole tag. "value" is required and is passed to the
    tag handler as a plain string; the handler itself evaluates it as an EL
    expression. "var" and "scope" are optional and are handled by the
    ConditionalTagSupport base class, which stores the Boolean test result.
  -->
  <tag>
    
<name>ifUserInRole</name>
    
<tag-class>com.ora.jsp.tags.IfUserInRoleTag</tag-class>
    
<body-content>JSP</body-content>
    
<description>
      Evaluates its body if the current, authenticated, user belongs to
      the specified security role, and optionally saves the result
      of the test as a Boolean in a variable specified by the var and 
      scope attributes.
    
</description>
    
<attribute>
      
<name>value</name>
      
<required>true</required>
    
</attribute>
    
<attribute>
      
<name>var</name>
      
<required>false</required>
    
</attribute>
    
<attribute>
      
<name>scope</name>
      
<required>false</required>
    
</attribute>
  
</tag>

在应用程序jsp页面中调用自定义标签进行访问控制
<%--
  Stores whether the current user is in the "admin" role in the isAdmin
  variable so the page can decide what to render. This is presentation
  logic only: hiding a link or button does not protect the URL behind it.
  Every admin-only URL must also be covered by a security-constraint in
  web.xml, otherwise it can be requested directly.
--%>
<%@ taglib prefix="ora" uri="orataglib" %>

<ora:ifUserInRole value="admin" var="isAdmin" />