Shiro授权实战

一 授权流程图

二 实战

1 新建pom

<dependencies>
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.4.0</version>
    </dependency>
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>RELEASE</version>
    </dependency>
</dependencies>

2 授权测试

package com.liuyanzhao.test;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;
import org.junit.Before;
import org.junit.Test;


public class AuthenticationTest {

    SimpleAccountRealm simpleAccountRealm = new SimpleAccountRealm();

    @Before
    public void addUser() {
        simpleAccountRealm.addAccount("Tom","1234567","admin");
    }

    @Test
    public void testAuthentication() {
        //1、构建SecurityManager环境
        DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
        defaultSecurityManager.setRealm(simpleAccountRealm);
        //2、主体提交认证请求
        SecurityUtils.setSecurityManager(defaultSecurityManager);
        Subject subject = SecurityUtils.getSubject();

        UsernamePasswordToken token = new UsernamePasswordToken("Tom","1234567");
        subject.login(token);
        System.out.println("isAuthenticated："+subject.isAuthenticated());
        subject.checkRole("admin");   //登录用户是否具有admin权限
    }
}

三 测试结果

isAuthenticated：true

四 源码研究

subject.checkRoles("admin", "user");
        
public class DelegatingSubject implements Subject {
    public void checkRoles(String... roleIdentifiers) throws AuthorizationException {
        securityManager.checkRoles(getPrincipals(), roleIdentifiers);

public abstract class AuthorizingSecurityManager extends AuthenticatingSecurityManager {
    public void checkRoles(PrincipalCollection principals, String... roles) throws AuthorizationException {
        this.authorizer.checkRoles(principals, roles);

public class ModularRealmAuthorizer implements Authorizer, PermissionResolverAware, RolePermissionResolverAware {
    public void checkRoles(PrincipalCollection principals, String... roles) throws AuthorizationException {
                checkRole(principals, role);
    public void checkRole(PrincipalCollection principals, String role) throws AuthorizationException {
        if (!hasRole(principals, role)) {
    public boolean hasRole(PrincipalCollection principals, String roleIdentifier) {
            if (((Authorizer) realm).hasRole(principals, roleIdentifier)) {

public abstract class AuthorizingRealm extends AuthenticatingRealm
    public boolean hasRole(PrincipalCollection principal, String roleIdentifier) {
        AuthorizationInfo info = getAuthorizationInfo(principal);
    protected boolean hasRole(String roleIdentifier, AuthorizationInfo info) {
        return info != null && info.getRoles() != null && info.getRoles().contains(roleIdentifier);