/**
 * Shiro realm supplying authorization data (roles and permissions) and
 * authentication data for the current subject.
 *
 * NOTE(review): the authorization data below is hard-coded for the demo and is
 * granted to every principal; the username is read but never consulted.
 */
public class MyShiroRealm extends AuthorizingRealm {
    // slf4j logging; optional
    private Logger logger = LoggerFactory.getLogger(MyShiroRealm.class);

    /**
     * Builds the authorization info (roles and permissions) for the subject.
     *
     * @param principals the principals of the subject being authorized
     * @return a {@link SimpleAuthorizationInfo} holding the role "role1" and the
     *     permission "user:list"
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        logger.info("开始授权(doGetAuthorizationInfo)");
        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
        // Can be used to read extra parameters submitted at login time.
        // NOTE(review): unused in this method, and the cast assumes the current
        // subject is a WebSubject (i.e. a web request is in progress).
        HttpServletRequest request = (HttpServletRequest) ((WebSubject) SecurityUtils
                .getSubject()).getServletRequest();
        // Demo only: a real project must look up the roles and permissions for this
        // login account; here they are hard-coded and the username is not used.
        String username = (String) principals.getPrimaryPrincipal();
        // grant permissions
        // roles
        Set<String> roles = new HashSet<String>();
        roles.add("role1");
        authorizationInfo.setRoles(roles);
        // permissions
        Set<String> permissions = new HashSet<String>();
        permissions.add("user:list");
        //permissions.add("user:add");
        ---- // (stray separator carried over from the paste, not Java)
             // Below is the @RequiresPermissions authorization; the permission is
             // hard-coded as "user:list", but it could also be matched against the
             // result of a database query.
        authorizationInfo.setStringPermissions(permissions);
        return authorizationInfo;
    }

    /**
     * Builds the authentication info for a login attempt.
     * (Method body elided in the source excerpt.)
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
        .....
    }
}
Controller:
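/**
 * MVC controller for the {@code /user} pages. Each handler is guarded by a
 * Shiro {@code @RequiresPermissions} annotation.
 *
 * NOTE(review): these annotations are only enforced when Shiro's annotation
 * support (the AOP advisor) is configured — confirm in the Shiro/Spring setup,
 * otherwise the handlers are reachable without the permission check.
 */
@Controller // the leading "@" appears to have been lost in the paste
@RequestMapping("/user")
public class UserController {
    // One shared, immutable logger per class; the original non-final instance
    // field was package-visible and re-created per controller instance.
    private static final Logger logger = LoggerFactory.getLogger(UserController.class);

    /**
     * Renders the user list view.
     *
     * @return the view name {@code user/list}
     */
    @RequiresPermissions("user:list") // requires this permission; the demo realm grants it
    @RequestMapping(value = "/list", method = RequestMethod.GET)
    public String getList() {
        logger.info("进入用户列表");
        return "user/list";
    }

    /**
     * Renders the add-user form.
     *
     * @return the view name {@code user/add}
     */
    @RequiresPermissions(value = {"user:add"}) // the demo realm does not grant this, so access is denied
    @RequestMapping(value = "/add", method = RequestMethod.GET)
    public String getAdd() {
        logger.info("进入新增用户界面");
        return "user/add";
    }
}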