Shiro Overview (4): Annotation-Based Authorization Checks

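1) Annotation-based authorization interception can only be used on methods; placing the annotation on a class has no effect.

2) Annotation-based interception only works if the project has AOP enabled: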

 
        
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-aop</artifactId>
    </dependency>
        
 
 
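    // Annotation support configuration.
    // The class name ShiroAnnotationConfig is a placeholder; the original shows only the bean methods.
    import org.apache.shiro.mgt.SecurityManager; // Shiro's SecurityManager, not java.lang.SecurityManager
    import org.apache.shiro.spring.LifecycleBeanPostProcessor;
    import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
    import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.DependsOn;

    @Configuration
    public class ShiroAnnotationConfig {

        /**
         * Shiro lifecycle processor
         */
        @Bean(name = "lifecycleBeanPostProcessor")
        public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
            return new LifecycleBeanPostProcessor();
        }

        /**
         * Enables Shiro annotations (such as @RequiresRoles and @RequiresPermissions). Spring AOP scans
         * the classes that use Shiro annotations and runs the security checks where necessary.
         */
        @Bean
        @DependsOn("lifecycleBeanPostProcessor")
        public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
            DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
            // Proxy the target class itself (CGLIB) instead of its interfaces
            advisorAutoProxyCreator.setProxyTargetClass(true);
            return advisorAutoProxyCreator;
        }

        /**
         * Enables Shiro AOP annotation support
         */
        @Bean
        public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
            AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
            authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
            return authorizationAttributeSourceAdvisor;
        }
    }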

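I. @RequiresAuthentication:

  1. Purpose: requires that the current Subject has already been authenticated in the session (checks whether the current user is logged in: subject.isAuthenticated() returns true).

II. @RequiresUser: checks whether the user is remembered.

III. @RequiresGuest: the user has neither logged in nor been remembered. It checks whether the request comes from a guest and is the exact opposite of @RequiresUser. In other words, RequiresUser == !RequiresGuest. In this case subject.getPrincipal() returns null.

IV. @RequiresRoles: checks whether the current user has a given role; it works much like the permission check.

V. @RequiresPermissions: checks whether the user has one or more permissions. This annotation is used frequently in projects; if the condition is not met, an AuthorizationException is thrown.

  1. Single permission:

    @RequiresPermissions("school_manage")

  2. Multiple permissions: pass the permission values as an array in value, then set logical.

(1) Any one permission is enough: logical = Logical.OR, for example

    @RequiresPermissions(value = { "menu_1", "menu_2" }, logical = Logical.OR)

(2) All permissions are required: logical = Logical.AND, for example

    @RequiresPermissions(value = { "menu_1", "menu_2" }, logical = Logical.AND)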
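
As noted above, a failed check throws AuthorizationException. The following added example (not from the original post; the class names, URL paths and response text are assumptions) puts the annotations on controller methods and maps Shiro's two AuthorizationException subclasses to 401 and 403, so a denied request does not surface as a 500 with a stack trace.

```java
// Added example; class names, URL paths and response text are assumptions.
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestController
class SchoolController {

    // Requires subject.isAuthenticated() == true.
    @RequiresAuthentication
    @GetMapping("/profile")
    public String profile() { return "profile"; }

    @RequiresPermissions("school_manage")
    @GetMapping("/school")
    public String school() { return "school management"; }

    // Either permission is sufficient.
    @RequiresPermissions(value = { "menu_1", "menu_2" }, logical = Logical.OR)
    @GetMapping("/menu")
    public String menu() { return "menu"; }
}

// Both exceptions extend AuthorizationException; mapping them separately lets
// clients tell "log in first" (401) from "logged in but not allowed" (403).
@RestControllerAdvice
class ShiroAuthzExceptionHandler {

    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    @ExceptionHandler(UnauthenticatedException.class)
    public String notAuthenticated(UnauthenticatedException e) {
        return "authentication required"; // fixed text: do not echo e.getMessage()
    }

    @ResponseStatus(HttpStatus.FORBIDDEN)
    @ExceptionHandler(UnauthorizedException.class)
    public String notAuthorized(UnauthorizedException e) {
        return "access denied";
    }
}
```

The checks run only when the method is called through the Spring proxy; a call from another method of the same class goes straight to the target and skips the annotation.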
