shiro使用注解(@RequiresPermissions等)不无效及异常处理
1、注解不生效
在shiro配置类中加上如下代码:
/** * Shiro生命周期处理器 */ @Bean(name = "lifecycleBeanPostProcessor") public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() { return new LifecycleBeanPostProcessor(); } /** * 开启Shiro的注解(如@RequiresRoles,@RequiresPermissions),需借助SpringAOP扫描使用Shiro注解的类,并在必要时进行安全逻辑验证 */ @Bean @DependsOn("lifecycleBeanPostProcessor") public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() { DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator(); creator.setProxyTargetClass(true); return creator; } /** * 开启shiro aop注解支持. * 使用代理方式;所以需要开启代码支持; */ @Bean public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) { AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor(); authorizationAttributeSourceAdvisor.setSecurityManager(securityManager); return authorizationAttributeSourceAdvisor; }
2、异常处理
过滤器必须要是AuthorizationFilter
过滤器才能生效,即只有perms,roles,ssl,rest,port才是属于AuthorizationFilter,而anon,authcBasic,auchc,user是AuthenticationFilter,所以unauthorizedUrl设置后页面不跳转。此处使用springmvc同意异常处理来解决:
package com.example.springbootshiro.controller; import com.example.springbootshiro.constants.CommonConstants; import com.example.springbootshiro.domain.vo.ResponseVO; import com.example.springbootshiro.enums.ResponseStatusEnum; import com.example.springbootshiro.utils.ResultUtil; import org.apache.shiro.authz.AuthorizationException; import org.apache.shiro.authz.UnauthorizedException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.web.bind.annotation.ControllerAdvice; import org.springframework.web.bind.annotation.ExceptionHandler; import org.springframework.web.bind.annotation.ResponseBody; import java.lang.reflect.UndeclaredThrowableException; /** * 统一异常处理类<br> * 捕获程序所有异常,针对不同异常,采取不同的处理方式 * */ @ControllerAdvice public class ExceptionHandleController { private static final Logger LOGGER = LoggerFactory.getLogger(ExceptionHandleController.class); // @ResponseBody @ExceptionHandler(UnauthorizedException.class) public String handleShiroException(Exception ex) { return "redirect:/error/403"; } // @ResponseBody @ExceptionHandler(AuthorizationException.class) public String AuthorizationException(Exception ex) { return "redirect:/error/401"; } }
具体处理逻辑自己控制