github:https://github.com/peterowang/shiro
基于上一篇:springboot集成shiro实现身份认证
1.加入UserController
package com.example.demo.web;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
/**
* Created by BFD-593 on 2017/8/9.
*/
@Controller
@RequestMapping("/userinfo")
public class UserController {
/**
* 要查看必须有角色wangjing和有权限userinfo:view
* @return
*/
@RequestMapping("/userList")
@RequiresPermissions({"userinfo:view"})
@RequiresRoles({"wangjing"})
public String userInfo(){
return "userInfo";
}
/**
* 用户添加必须有查看和删除权限;
* @return
*/
@RequestMapping("/userAdd")
@RequiresPermissions({"userinfo:view","userinfo:add"})
public String userInfoAdd(){
return "userAdd";
}
/**
* 要删除必须有查看和删除权限
* @return
*/
@RequiresPermissions({"userinfo:view","userinfo:del"})
@RequestMapping("/userDel")
public String userInfoDel() {
return "userDel";
}
}
2.在ShiroConfiguration中加入spring aop 对shiro注解的支持
/**
* 权限认证
* 需要开启Shiro AOP注解支持
* @RequiresPermissions({"userinfo:view"})
* @RequiresRoles({"wangjing"})等注解的支持
* @param securityManager
* @return
*/
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
这时候,我们再登录之后访问http://localhost:8080/userInfo/userDel就会报org.apache.shiro.authz.UnauthorizedException异常了。同时后台会打印权限验证的信息。
3.如果想让用户没权限时,进入无权限提示的指定页面可以这么设置在ShiroConfiguration中加入
/**
* 当用户无权限访问403页面而不抛异常,默认shiro会报UnauthorizedException异常
* @return
*/
@Bean
public SimpleMappingExceptionResolver resolver() {
SimpleMappingExceptionResolver resolver = new SimpleMappingExceptionResolver();
Properties properties = new Properties();
properties.setProperty("org.apache.shiro.authz.UnauthorizedException", "/403");
resolver.setExceptionMappings(properties);
return resolver;
}
4.我们也可以设置统一异常处理 添加package:exceptionResolver,添加类MyExceptionResolver
/**同时将该实现类以bean的方式,放到启动类中
* Created by BFD-593 on 2017/8/9.
*/
public class MyExceptionResolver implements HandlerExceptionResolver{
/**
* 统一异常处理,当出现runtimeException时,跳转到500页面。
* @param httpServletRequest
* @param httpServletResponse
* @param o
* @param e
* @return
*/
@Override
public ModelAndView resolveException(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) {
if(e instanceof RuntimeException){
ModelAndView mv = new ModelAndView("/500");
return mv;
}
return null;
}
}
然后在启动类中添加:
/**
* 统一异常处理
* @return
*/
@Bean
public MyExceptionResolver myExceptionResolver(){
return new MyExceptionResolver();
}
这时,当用户没权限时会跳转到403.html,当抛出runtimeexception时跳转到500.html(异常没有被捕获的时候哦...)
以上就是实现当用户访问请求时,验证用户是否拥有该请求的权限,但是,如果我们想页面上的某些标签,用户没有该权限时让他不展示,那该怎么办呢。这里由于用到的是thymeleaf模板,所以我们需要特殊处理:
1.在pom中添加
<!--thymeleaf中使用shiro标签-->
<dependency>
<groupId>com.github.theborakompanioni</groupId>
<artifactId>thymeleaf-extras-shiro</artifactId>
<version>1.2.1</version>
</dependency>
2.在ShiroConfiguration中添加
/**
* 整合thymeleaf中可以使用shiro标签
* @return
*/
@Bean
public ShiroDialect shiroDialect() {
return new ShiroDialect();
}
3.在html中修改
<html lang="zh_CN" xmlns:th="http://www.thymeleaf.org"
xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
添加:
<shiro:hasPermission name="userinfo:view">
<shiro:hasRole name="wangjing">
<span>这里是shiro权限 </span>
</shiro:hasRole>
</shiro:hasPermission>
表示当前用户拥有userinfo:view权限并且所属角色是wangjing时,可以看到此<span>标签中的内容。
至此,shiro权限介绍完毕