Shiro Authorizer
If/else authorization
Role checks
Subject currentUser = SecurityUtils.getSubject();
if (currentUser.hasRole("administrator")) {
    // show the admin button
} else {
    // don't show the button? Grey it out?
}
Role assertions
Subject currentUser = SecurityUtils.getSubject();
// guarantee that the current user is a bank teller and
// therefore allowed to open the account:
currentUser.checkRole("bankTeller");
openBankAccount();
Permission checks
Permission checks based on Permission objects
Subject subject = SecurityUtils.getSubject();
// DomainPermission(actions, targets); the domain part is derived from the class name
Permission permission = new DomainPermission("hello/world.action", "hello:world");
if (subject.isPermitted(permission)) {
    // show some button
} else {
    // don't show anything
}
String-based permission checks
Subject subject = SecurityUtils.getSubject();
if (subject.isPermitted("hello:world")) {
    // show some button
} else {
    // don't show anything
}
The string form uses the special colon-delimited format defined by Shiro's default org.apache.shiro.authz.permission.WildcardPermission implementation:
Subject subject = SecurityUtils.getSubject();
Permission permission = new WildcardPermission("hello:world");
if (subject.isPermitted(permission)) {
    // show some button
} else {
    // don't show anything
}
Permission assertions
Subject subject = SecurityUtils.getSubject();
// throws AuthorizationException if the permission is not held
subject.checkPermission(new WildcardPermission("hello:world"));
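The following is an added, self-contained example (not code from the Shiro project or the original notes) that exercises both styles shown above, the if/else checks and the fail-fast assertions, against a constructed in-memory IniRealm. The users alice and bob, their password, the roles and the hello:world permission are all made up for this example; openBankAccount and adminButton are hypothetical application methods.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class AuthorizerDemo {

    // Constructed realm definition: two users, two roles, and a role -> permission mapping.
    // "administrator = *" grants every permission via the wildcard part.
    private static final String INI =
            "[users]\n" +
            "alice = secret, bankTeller\n" +
            "bob = secret, administrator\n" +
            "[roles]\n" +
            "bankTeller = hello:world\n" +
            "administrator = *\n";

    // Installs a SecurityManager backed by the INI text above (no web container needed).
    static void bootstrap() {
        Ini ini = new Ini();
        ini.load(INI);
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);
    }

    // Assertion style: the role and permission checks throw AuthorizationException,
    // so the sensitive operation below them is never reached for an unauthorized Subject.
    static void openBankAccount() {
        Subject current = SecurityUtils.getSubject();
        current.checkRole("bankTeller");
        current.checkPermission(new WildcardPermission("hello:world"));
        System.out.println("account opened by " + current.getPrincipal());
    }

    // If/else style: decide what to render rather than throwing.
    static String adminButton() {
        return SecurityUtils.getSubject().hasRole("administrator") ? "show" : "hide";
    }

    public static void main(String[] args) {
        bootstrap();
        Subject subject = SecurityUtils.getSubject();

        // alice holds bankTeller (and therefore hello:world) but is not an administrator
        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("alice admin button: " + adminButton());
        openBankAccount();
        subject.logout();

        // bob is an administrator with the "*" permission, but lacks the bankTeller role,
        // so the role assertion in openBankAccount rejects him before the permission check
        subject.login(new UsernamePasswordToken("bob", "secret"));
        System.out.println("bob admin button: " + adminButton());
        try {
            openBankAccount();
        } catch (AuthorizationException e) {
            System.out.println("bob denied: " + e.getClass().getSimpleName());
        }
        subject.logout();
    }
}
```

Run it with shiro-core on the classpath. The point worth noticing is the ordering in openBankAccount: because checkRole runs first, a Subject that holds the permission through a different role is still rejected, which is exactly what an assertion-style check is for when the business rule is "only bank tellers".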
Annotation-based authorization
The @RequiresAuthentication annotation
The current Subject must have passed authentication to invoke the method:
@RequiresAuthentication
public void updateGood(Good good) {
    // this method will only be invoked by a
    // Subject that is guaranteed authenticated
}
Equivalent to:
public void updateGood(Good good) {
    if (!SecurityUtils.getSubject().isAuthenticated())
        throw new AuthenticationException();
}
The @RequiresGuest annotation
The current Subject must be an unknown guest, i.e. have no registered identity:
@RequiresGuest
public void updateGood(Good good) {
    // this method will only be invoked by a
    // Subject that is unknown/anonymous
}
Equivalent to:
public void updateGood(Good good) {
    Subject subject = SecurityUtils.getSubject();
    PrincipalCollection principalCollection = subject.getPrincipals();
    // any known principal (authenticated or remembered) disqualifies a guest
    if (principalCollection != null && !principalCollection.isEmpty())
        throw new AuthenticationException();
}
The @RequiresPermissions annotation
The current Subject must hold the specified permission:
@RequiresPermissions("hello:world")
public void updateGood(Good good) {
}
The @RequiresRoles annotation
The current Subject must have the specified role:
@RequiresRoles("admin")
public void updateGood(Good good) {
}
The @RequiresUser annotation
The current Subject must be a known (registered) user:
@RequiresUser
public void updateGood(Good good) {
}
Equivalent to:
public void updateGood(Good good) {
    Subject subject = SecurityUtils.getSubject();
    PrincipalCollection principalCollection = subject.getPrincipals();
    // a known principal is enough; the Subject need not be authenticated in this session
    if (principalCollection == null || principalCollection.isEmpty())
        throw new AuthenticationException();
}
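The three "equivalent to" expansions above differ only in which Subject state they accept, and the difference that matters in practice is a Subject whose principals are known but who has not authenticated in this session (a remembered user). The added example below (not part of the original notes or of Shiro itself) builds one Subject in each state using Shiro's Subject.Builder and classifies it with the same checks the annotations expand to. The realm name "iniRealm", the user alice and her password are constructed for the example; classify and requireState are hypothetical helpers.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class SubjectStateDemo {

    // The three states the annotations distinguish.
    enum State { GUEST, REMEMBERED_USER, AUTHENTICATED }

    // Mirrors the expanded annotation checks: isAuthenticated() first, then principals.
    static State classify(Subject subject) {
        if (subject.isAuthenticated()) {
            return State.AUTHENTICATED;                  // passes @RequiresAuthentication and @RequiresUser
        }
        PrincipalCollection principals = subject.getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            return State.REMEMBERED_USER;                // passes @RequiresUser only
        }
        return State.GUEST;                              // passes @RequiresGuest only
    }

    // Fail-fast guard in the style of the expansions; AuthorizationException is used here
    // because the failure is an access decision about an already identified Subject.
    static void requireState(Subject subject, State required) {
        State actual = classify(subject);
        if (actual != required) {
            throw new AuthorizationException("required " + required + " but Subject is " + actual);
        }
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load("[users]\nalice = secret\n");           // constructed realm definition
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);

        // 1. A fresh Subject: no principals, not authenticated.
        Subject guest = new Subject.Builder(securityManager).buildSubject();
        System.out.println("fresh subject      -> " + classify(guest));

        // 2. A Subject with known principals but no authentication in this session,
        //    which is what a remember-me cookie produces in a web application.
        PrincipalCollection remembered = new SimplePrincipalCollection("alice", "iniRealm");
        Subject rememberedUser = new Subject.Builder(securityManager)
                .principals(remembered)
                .authenticated(false)
                .buildSubject();
        System.out.println("remembered subject -> " + classify(rememberedUser));

        // 3. A Subject that proved its identity with credentials in this session.
        Subject loggedIn = new Subject.Builder(securityManager).buildSubject();
        loggedIn.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("logged-in subject  -> " + classify(loggedIn));

        // The remembered user satisfies @RequiresUser but not @RequiresAuthentication:
        requireState(rememberedUser, State.REMEMBERED_USER);
        try {
            requireState(rememberedUser, State.AUTHENTICATED);
        } catch (AuthorizationException e) {
            System.out.println("remembered user blocked from an authenticated-only method: " + e.getMessage());
        }
        loggedIn.logout();
    }
}
```

The practical rule that falls out of this: guard operations that change data or reveal sensitive details with @RequiresAuthentication, and reserve @RequiresUser for personalization that is acceptable on the strength of a remember-me identity alone.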
Authorization process
Permissions
Multiple values
hello:world,shiro
Wildcard
hello:*
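The two permission strings above are instances of WildcardPermission's colon-delimited format: a comma separates alternative values within one part, and "*" matches any value for that part. The added example below (not from the original notes or from Shiro) feeds a set of granted/requested pairs through WildcardPermission.implies so the rules, including the less obvious ones about missing trailing parts, can be seen directly. All permission strings other than the two from the notes are constructed for the example, and implies is a hypothetical helper.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class WildcardPermissionDemo {

    // Does the granted permission string cover the requested one?
    static boolean implies(String granted, String requested) {
        Permission g = new WildcardPermission(granted);
        Permission r = new WildcardPermission(requested);
        return g.implies(r);
    }

    public static void main(String[] args) {
        String[][] cases = {
            // multiple values: each listed value is granted individually
            {"hello:world,shiro", "hello:world"},
            {"hello:world,shiro", "hello:shiro"},
            {"hello:world,shiro", "hello:other"},        // not in the list
            // a request that itself lists several values needs all of them granted
            {"hello:world",       "hello:world,shiro"},
            // wildcard part
            {"hello:*",           "hello:world"},
            {"hello:*:1",         "hello:world:2"},      // "*" covers only its own part
            // missing trailing parts on the GRANTED side act as wildcards ...
            {"hello",             "hello:world"},
            // ... but a more specific grant never implies a shorter, broader request
            {"hello:world",       "hello"},
            // the default WildcardPermission(String) constructor is case-insensitive
            {"HELLO:World",       "hello:world"},
        };
        for (String[] c : cases) {
            System.out.printf("%-20s implies %-18s -> %b%n", c[0], c[1], implies(c[0], c[1]));
        }
    }
}
```

The case to keep in mind when writing realm data is the seventh one: granting the bare string "hello" to a role is the same as granting "hello:*", so a grant that was meant to be narrow can silently become broad if the action part is left off.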