Four Ways to Control Permissions with the Shiro Framework

Source: Internet  Editor: 程序博客网  Time: 2024/05/17 02:59

Permission control in a custom Realm

  1. In shiro-config.xml, add /user/delete = perms["delete"] to the filter chain definitions
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <!-- Login page -->
        <property name="loginUrl" value="/login.jsp" />
        <!-- Page shown after a successful login -->
        <property name="successUrl" value="/list.jsp" />
        <property name="unauthorizedUrl" value="/unauthorized.jsp" />
        <property name="filterChainDefinitions">
            <value>
                <!-- Static resources may be accessed -->
                <!-- The login page may be accessed -->
                /login.jsp = anon
                /test/login = anon
                /user/delete = perms["delete"]
                /logout = logout
                <!-- All other resources require authentication -->
                /** = authc
            </value>
        </property>
    </bean>

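Access to /user/delete now requires the delete permission, which is granted to the user in the custom Realm. Filter chain definitions are matched in order and the first match wins, so this rule has to stay above /** = authc.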

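    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(
            PrincipalCollection principals) {
        String username = (String) principals.getPrimaryPrincipal();
        User user = new User();
        user.setUsername(username);
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // Grant permissions by adding them to the authorization info.
        // "delete" is hard-coded here for the demo rather than looked up per user;
        // a real Realm would load the user's permissions from its data store.
        authorizationInfo.addStringPermission("delete");
        List<Role> roleList = userService.getRole(user);
        if (roleList != null) {
            for (Role role : roleList) {
                authorizationInfo.addRole(role.getName());
            }
            return authorizationInfo;
        }
        // No role list for this user: return no authorization info at all
        return null;
    }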

Authorizing users with Shiro annotations

  1. Enable Shiro annotations in shiro-config.xml (hard-coded, inconvenient to use)
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

  2. Put the @RequiresPermissions("user:delete") annotation on the service method
    @RequiresPermissions("user:delete")
    public void delete() {
        // business logic
    }
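
The Realm above grants the string "delete", while the annotation asks for "user:delete"; under Shiro's default wildcard permission syntax neither string implies the other. The following added example (not part of the original page) uses Shiro's WildcardPermission to show which of the page's checks pass for a given set of granted strings. The class name PermissionStringCheck, the helper isPermitted and the sample grant lists are assumptions made for illustration, and shiro-core is assumed to be on the classpath.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionStringCheck {

    // Hypothetical helper. With the default WildcardPermissionResolver, each granted
    // string becomes a WildcardPermission, and access is allowed as soon as one
    // granted permission implies the required one.
    static boolean isPermitted(List<String> granted, String required) {
        Permission needed = new WildcardPermission(required);
        for (String g : granted) {
            if (new WildcardPermission(g).implies(needed)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Permission strings required by the enforcement points shown on this page
        String[][] checks = {
            {"filter chain perms[\"delete\"]", "delete"},
            {"@RequiresPermissions", "user:delete"},
            {"<shiro:hasPermission>", "delete"},
        };
        // Constructed sample grants: the Realm as written, then two alternatives
        List<List<String>> grants = Arrays.asList(
            Arrays.asList("delete"),
            Arrays.asList("user:delete"),
            Arrays.asList("delete", "user:*"));

        for (List<String> granted : grants) {
            System.out.println("Realm grants " + granted);
            for (String[] check : checks) {
                System.out.printf("  %-32s requires %-12s -> %s%n", check[0], check[1],
                        isPermitted(granted, check[1]) ? "allowed" : "denied");
            }
        }
    }
}
```

Choosing one naming scheme for permission strings and using it in the Realm, the filter chain, the annotations and the JSP tags avoids a user being allowed at one layer and denied at another.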

Permission control with Shiro tags

  1. Import the Shiro tag library in the JSP page
    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
  2. Use the tags in the page. The tags only decide what is rendered; the URLs behind the links and buttons still need the filter chain or annotation checks shown above.
    <%@ page language="java" contentType="text/html; charset=UTF-8"
        pageEncoding="UTF-8"%>
    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <c:set var="proPath" value="${pageContext.request.contextPath }" />
    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Insert title here</title>
    </head>
    <body>
    <!-- <shiro:principal> renders the login name of the authenticated user -->
    ${successMsg } Welcome! <shiro:principal></shiro:principal>
    <br><br>
    <!-- The User Page link is shown only if the user has this role -->
    <shiro:hasAnyRoles name="user">
        <a href="${proPath }/user.jsp"> User Page</a>
    </shiro:hasAnyRoles>
    <br><br>
    <!-- The Admin Page link is shown only if the user has this role -->
    <shiro:hasAnyRoles name="admin">
        <a href="${proPath }/admin.jsp"> Admin Page</a>
    </shiro:hasAnyRoles>
    <!-- The delete button is shown only if the user has the delete permission -->
    <shiro:hasPermission name="delete">
        <input type="button" value="删除">
    </shiro:hasPermission>
    <br><br>
    <a href="${proPath }/test/logout">Logout</a>
    </body>
    </html>

Programmatic permission control

    Subject subject = SecurityUtils.getSubject();
    if (subject.hasRole("admin")) {
        // authorized
    } else {
        // not authorized
    }