使用前請先開啟Shiro的controller層注解,如果已經設置請下滑繞過
要在spring-mvc.xml中寫。
<!--下面的用於開啟shiro的權限注解--> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true"/> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean>
如果在是springboot中
/** * 下面2個支持controller層注解實現權限控制 * * @return */ @Bean(name = "advisorAutoProxyCreator") public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator(); advisorAutoProxyCreator.setProxyTargetClass(true); return advisorAutoProxyCreator; } @Bean(name = "authorizationAttributeSourceAdvisor") public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(@Qualifier("securityManager") SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(securityManager); return authorizationAttributeSourceAdvisor; }
———————————————————進入正題———————————————————————
@RequiresAuthentication
驗證用戶是否登錄,等同於方法subject.isAuthenticated() 結果為true時。
@RequiresUser
驗證用戶是否被記憶,user有兩種含義:
一種是成功登錄的(subject.isAuthenticated() 結果為true);
另外一種是被記憶的(subject.isRemembered()結果為true)。
@RequiresGuest
驗證是否是一個guest的請求,與@RequiresUser完全相反。
換言之,RequiresUser == !RequiresGuest。
此時subject.getPrincipal() 結果為null.
@RequiresRoles
例如:@RequiresRoles("aRoleName");
void someMethod();
如果subject中有aRoleName角色才可以訪問方法someMethod。如果沒有這個權限則會拋出異常AuthorizationException。
@RequiresPermissions
例如: @RequiresPermissions({"file:read", "write:aFile.txt"} )
void someMethod();
要求subject中必須同時含有file:read和write:aFile.txt的權限才能執行方法someMethod()。否則拋出異常AuthorizationException。
---------------------
原文:https://blog.csdn.net/anmoyyh/article/details/74742772