shiro多角色访问同一个url

 

shiro如何控制一个url多个角色都可以访问
/admin/** = roles[admin,partner] 这样写必须同时拥有两个角色才能访问

我们可以自定义角色验证标签。
1、首先继承RolesAuthorizationFilter，覆写isAccessAllowed方法

public class AnyRolesAuthorizationFilter extends RolesAuthorizationFilter {    @Override    public boolean isAccessAllowed(ServletRequest request,            ServletResponse response, Object mappedValue) throws IOException {        final Subject subject = getSubject(request, response);        final String[] rolesArray = (String[]) mappedValue;        if (rolesArray == null || rolesArray.length == 0) {            // no roles specified, so nothing to check - allow access.            return true;        }        for (String roleName : rolesArray) {            if (subject.hasRole(roleName)) {                return true;            }        }        return false;       }}

 

2、注册bean
<bean id="anyRolesAuthorizationFilter" class="com.rwy.spider.service.AnyRolesAuthorizationFilter"/>

3、声明自定义标签并使用

 

<!-- Shiro Filter --><bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">    <property name="securityManager" ref="securityManager" />    <property name="loginUrl" value="/login" />    <property name="successUrl" value="/" />    <!-- 声明自定义标签 hasAnyRoles-->    <property name="filters">        <map>            <entry key="hasAnyRoles" value-ref="anyRolesAuthorizationFilter"/>        </map>    </property>    <property name="filterChainDefinitions">        <value>            /login = anon            /logout = logout            /static/** = anon            /admin/** = roles[admin]            /system/** = hasAnyRoles[admin,partner]            /** = authc        </value>    </property></bean>

这样，admin、partner这两个角色就都可以访问/system路径下的url了