第一步:在spring配置文件中开启shiro注解支持
<!-- 开启shiro的注解支持 -->
<bean id="defaultAdvisorAutoProxyCreator" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
<!-- 必须改为true,即使用cglib方式为Action创建代理对象。默认值为false,使用JDK创建代理对象,会造成问题 -->
<property name="proxyTargetClass" value="true"></property>
</bean>
<!-- 使用shiro框架提供的切面类,用于创建代理对象 -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"></bean>第二步:在Action的方法上使用shiro注解
@RequiresPermissions("staff-delete") //执行这个方法,需要 当前用户有staff-delete的这个权限
public String deleteBatch(){
staffService.deleteBatch(ids);
return LIST;
}这时使用删除这个功能时,就会抛出一个异常,显示没有这个权限异常,这时需要配置异常处理页面
HTTP Status 500 - Subject does not have permission [staff-delete]
type Exception report
message Subject does not have permission [staff-delete]
description The server encountered an internal error that prevented it from fulfilling this request.
exception
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [staff-delete]
org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:323)
org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137)
org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205)
org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74)
org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(AuthorizingAnnotationMethodInterceptor.java:84)
org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor.assertAuthorized(AnnotationsAuthorizingMethodInterceptor.java:100)
org.apache.shiro.authz.aop.AuthorizingMethodInterceptor.invoke(AuthorizingMethodInterceptor.java:38)
org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor.invoke(AopAllianceAnnotationsAuthorizingMethodInterceptor.java:115)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
com.itheima.bos.web.action.StaffAction$$EnhancerBySpringCGLIB$$fb175177.deleteBatch(<generated>)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:891)
ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1293)第三步:在struts.xml中配置全局异常捕获,当shiro框架抛出权限不足异常时,跳转到权限不足提示页面
<global-results>
<result name="login">/login.jsp</result>
<result name="unauthorizedException">/unauthorized.jsp</result>
</global-results>
<!-- 配置全局异常映射 -->
<global-exception-mappings>
<!-- 配置没有权限异常的返回值 -->
<exception-mapping result="unauthorizedException" exception="org.apache.shiro.authz.UnauthorizedException"></exception-mapping>
</global-exception-mappings>
这里说一下第一步中为什么proxyTargetClass使用默认的false会出问题。因为使用默认值false,它会使用jdk的代理对象的方式,利用反射生成一个实现代理接口的匿名类,接口中并没有子类的特有方法,会导致抛出“没有这个方法”的异常。将proxyTargetClass设置为true,使用cglib就不会报错,因为cglib是对代理对象类的class文件加载进来,通过修改其字节码生成子类来处理。
1216
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
