shiro配置权限管理:
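<!--
  Shiro web filter: maps URL patterns to filter chains.
  Review notes on this definition:
  * The catch-all is /** rather than /*. In Shiro's Ant-style matching, /* covers a
    single path segment only, so a nested path (for example /a/b) would match no chain
    and would be served without the authc check.
  * loginUrl and unauthorizedUrl start with a slash so that the redirect is
    context-relative and resolves to the same page from any request path. A relative
    value such as login.html resolves against the current request URL instead.
-->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Login page: unauthenticated requests to protected paths are redirected here -->
    <property name="loginUrl" value="/login.html"/>
    <!-- Page shown when an authenticated user fails a role check -->
    <property name="unauthorizedUrl" value="/403.html"/>
    <!--
      Chains are evaluated top to bottom and the first matching pattern wins,
      so specific paths come first and the catch-all stays last.
        anon    : no authentication required
        roles   : Shiro built-in filter, the subject must hold ALL listed roles
        rolesOr : custom filter registered below, ANY one listed role is enough
        authc   : the subject must be authenticated
      /test and /test.do are open to anonymous users; confirm that is intended
      outside a development setup.
      /logout is anonymous here, so the logout itself is presumably done by an
      application handler; Shiro's built-in "logout" filter is an alternative.
    -->
    <property name="filterChainDefinitions">
        <value>
            /login.html = anon
            /test = anon
            /test.do = anon
            /testRole = roles["admin","admin1"]
            /testRole1 = rolesOr["admin","admin1"]
            /subLogin = anon
            /logout = anon
            /** = authc
        </value>
    </property>
    <!-- Registers the custom filter under the name used in the chain definitions above -->
    <property name="filters">
        <map>
            <entry key="rolesOr" value-ref="rolesOrFilter" />
        </map>
    </property>
</bean>
<!-- Custom filter: grants access when the subject holds any one of the listed roles -->
<bean id="rolesOrFilter" class="com.shiroTest.filter.RolesOrFilter" />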
自定义filter:
/**
 * Authorization filter with "any of" semantics: a request passes when the current
 * subject holds at least one of the roles configured for the matched path.
 *
 * <p>Shiro's built-in {@code roles} filter requires every listed role; this filter is
 * the OR counterpart and is referenced from the chain definitions as {@code rolesOr}.
 */
public class RolesOrFilter extends AuthorizationFilter {

    /**
     * Decides whether the request may proceed.
     *
     * @param request  the incoming request
     * @param response the outgoing response
     * @param obj      the roles configured for the matched path, cast to {@code String[]}
     * @return {@code true} if no roles are configured or the subject has at least one
     *         of them; {@code false} otherwise
     * @throws Exception if the subject lookup or a role check fails
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj) throws Exception {
        org.apache.shiro.subject.Subject currentSubject = getSubject(request, response);
        String[] requiredRoles = (String[]) obj;

        // Fail-open case: a path mapped to this filter without any role list is allowed
        // for every caller, because this method is the only check the filter performs.
        boolean nothingRequired = requiredRoles == null || requiredRoles.length == 0;
        if (nothingRequired) {
            return true;
        }

        // One matching role is enough; evaluation stops at the first hit.
        return java.util.Arrays.stream(requiredRoles).anyMatch(currentSubject::hasRole);
    }
}