Java-Shiro（八）：Shiro集成SpringMvc、Themeleaf，如何实现Themeleaf视图引擎下解析*.html中shiro权限验证

声明：本证项目基于《Java-Shiro（六）：Shiro Realm讲解（三）Realm的自定义及应用》构建项目为基础。

我们知道如果是采用jsp视图引擎，直接在jsp中加入shiro的tag就可以，然而在thymeleaf视图引擎下，并未有shiro的tag lib。实际上目前shiro+Thymeleaf的html页面中shiro标签方式验证已经有人实现了并将代码用法放到了github上，具体请参考：《thymeleaf-extras-shiro》。

下边将结合《thymeleaf-extras-shiro》与springmvc集成实现thymeleaf中html中加验证shiro验证标签的用法进行讲解，具体内容分为以下几部分：

1）引入依赖

2）需要修改哪些配置？

3）如何使用？

1）引入依赖

引入thymeleaf-extras-shiro依赖到pom中

<dependency>
    <groupId>com.github.theborakompanioni</groupId>
    <artifactId>thymeleaf-extras-shiro</artifactId>
    <version>${thymeleaf-shiro.version}</version>
</dependency>

上边${thymeleaf-shiro.version}是thymelef-extras-shiro的版本，目前最新版本是2.0.0。

更多版本请参考：《https://github.com/theborakompanioni/thymeleaf-extras-shiro/releases》

2）修改配置

2.1）xml方式配置

需要在springmvc-servlet.xml配置文件中引入thymeleaf依赖外，需要在templateEngine bean下设置additionalDialects属性：

<bean id="templateEngine" class="org.thymeleaf.spring5.SpringTemplateEngine">
  <property name="templateResolver" ref="templateResolver" />
  <property name="additionalDialects">
    <set>
      <bean class="at.pollux.thymeleaf.shiro.dialect.ShiroDialect"/>
    </set>
  </property>
</bean>

注意：这个dialect是核心配置，缺少这个thymeleaf页面中的标签将无法解析。

2.2）SpringMVC或者SpringBoot注解方式配置

@Bean
public SpringTemplateEngine templateEngine() {
        SpringTemplateEngine templateEngine = new SpringTemplateEngine();

        templateEngine.setTemplateResolver(templateResolver());
         
        Set<IDialect> additionalDialects = new HashSet<IDialect>();
        additionalDialects.add(new ShiroDialect());
        templateEngine.setAdditionalDialects(additionalDialects);
        
        return templateEngine;
    }

3）在thymeleaf的html页面中使用shiro验证标签

3.1）在html文件头的<html>标签做修改

<!DOCTYPE html>
<html xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">

Example

<!DOCTYPE html>
<html xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">

  <head>
    <title>thymeleaf-extras-shiro</title>
  </head>

  <body>
    <p shiro:guest="">Please <a href="login.html">login</a></p>
    <p shiro:authenticated="">
      Hello, <span shiro:principal=""></span>, how are you today?
    </p>
  </body>

</html>

3.2）html标签（例如：a/tr/td/p等） shiro:hasPermission="article:query" 标签使用

具体参考官网：《https://github.com/theborakompanioni/thymeleaf-extras-shiro》

The guest tag

<p shiro:guest="">
  Please <a href="login.html">Login</a>
</p>

The user tag

<p shiro:user="">
  Welcome back John! Not John? Click <a href="login.html">here<a> to login.
</p>

The authenticated tag

<a shiro:authenticated="" href="updateAccount.html">Update your contact information</a>

The notAuthenticated tag

<p shiro:notAuthenticated="">
  Please <a href="login.html">login</a> in order to update your credit card information.
</p>

The principal tag

<p>Hello, <span shiro:principal=""></span>, how are you today?</p>

or

<p>Hello, <shiro:principal/>, how are you today?</p>

Typed principal and principal property are also supported.

The hasRole tag

<a shiro:hasRole="administrator" href="admin.html">Administer the system</a>

The lacksRole tag

<p shiro:lacksRole="administrator">
  Sorry, you are not allowed to administer the system.
</p>

The hasAllRoles tag

<p shiro:hasAllRoles="developer, project manager">
  You are a developer and a project manager.
</p>

The hasAnyRoles tag

<p shiro:hasAnyRoles="developer, project manager, administrator">
  You are a developer, project manager, or administrator.
</p>

The hasPermission tag

<a shiro:hasPermission="user:create" href="createUser.html">Create a new User</a>

The lacksPermission tag

<p shiro:lacksPermission="user:delete">
  Sorry, you are not allowed to delete user accounts.
</p>

The hasAllPermissions tag

<p shiro:hasAllPermissions="user:create, user:delete">
  You can create and delete users.
</p>

The hasAnyPermissions tag

<p shiro:hasAnyPermissions="user:create, user:delete">
  You can create or delete users.
</p>

3.3）和jsp页面一样的shiro:hasPermission标签使用

实际上和Jsp页面中的验证标签一致，而且与上边基本一致，去掉html标签改写为：

<shiro:hasPermission name="user:create">
    <p>test</p>
</shiro:hasPermission>

具体参考shiro官网：《http://shiro.apache.org/web.html#jsp-gsp-tag-library》 

3.4）javascript中使用hasPermission标签

需要自定义@Component，例如：

package com.dx.test.shiro;

import org.apache.shiro.SecurityUtils;
import org.springframework.stereotype.Component;

/**
 * js调用 thymeleaf 实现按钮权限
 */
@Component("perms")
public class PermsService
{
    public boolean hasPerm(String permission)
    {
        return SecurityUtils.getSubject().isPermitted(permission);
    }
}

其需要在applicationContext-*.xml中，添加扫描包组件确保能扫描到该包：

    <context:component-scan base-package="com.dx.test.shiro"></context:component-scan>

Js中使用示例：

<script>
    var editFlag = "[[${@perms.hasPerm('user:edit')}]]";
    var deleteFlag = "[[${@perms.hasPerm('user:delete')}]]";
    var assignRoleFlag="[[${@perms.hasPerm('user:assignRole')}]]";
    // 其他业务
</script>