I. Annotation reference
@RequiresAuthentication
The subject must have been authenticated by logging in before the method can be used.
@RequiresUser
The subject must be either authenticated or logged in via remember-me before the method can be used.
@RequiresGuest
The subject must be neither authenticated nor remembered from a previous login, i.e. a guest, before the method can be used.
@RequiresRoles(value={"admin", "user"}, logical=Logical.AND)
The subject must hold the roles listed in value before the method can be used (Logical.AND requires all of them, Logical.OR at least one).
@RequiresPermissions(value={"user:a", "user:b"}, logical=Logical.OR)
The subject must hold the permissions listed in value before the method can be used (Logical.AND requires all of them, Logical.OR at least one).
II. Example
1. Code
Note: every URL is reachable anonymously and each controller simply calls the service method directly, so the only access control in play is the annotation on the service method.
Service
```java
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.stereotype.Service;

@Service
public class ShiroService {
    /**
     * The subject must have been authenticated by logging in
     */
    @RequiresAuthentication
    public void testRequiresAuthentication() {
        System.out.println("testRequiresAuthentication");
    }

    /**
     * The subject must be authenticated or logged in via remember-me
     */
    @RequiresUser
    public void testRequiresUser() {
        System.out.println("testRequiresUser");
    }

    /**
     * The subject must be neither authenticated nor remembered, i.e. a guest
     */
    @RequiresGuest
    public void testRequiresGuest() {
        System.out.println("testRequiresGuest");
    }

    /**
     * The subject must hold the admin role
     */
    @RequiresRoles(value = {"admin"}, logical = Logical.AND)
    public void testRequiresRoles() {
        System.out.println("testRequiresRoles");
    }

    /**
     * The subject must hold the permission user:create
     */
    @RequiresPermissions(value = {"user:create"}, logical = Logical.AND)
    public void testRequiresPermissions() {
        System.out.println("testRequiresPermissions");
    }
}
```
2. Results of calling the methods in different situations
1) Called while not logged in
testRequiresAuthentication
Exception:
org.apache.shiro.authz.UnauthenticatedException: The current Subject is not authenticated. Access denied.
testRequiresUser
Exception:
org.apache.shiro.authz.UnauthenticatedException: Attempting to perform a user-only operation. The current Subject is not a user (they haven't been authenticated or remembered from a previous login). Access denied.
testRequiresGuest
Passed
testRequiresRoles
Exception:
org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.
testRequiresPermissions
Exception:
org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager. This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again. Because an identity is currently not known due to any of these conditions, authorization is denied.
2) Called while logged in as user (role: user)
testRequiresAuthentication
Passed
testRequiresUser
Passed
testRequiresGuest
Exception:
org.apache.shiro.authz.UnauthenticatedException: Attempting to perform a guest-only operation. The current Subject is not a guest (they have been authenticated or remembered from a previous login). Access denied.
testRequiresRoles
Exception:
org.apache.shiro.authz.UnauthorizedException: Subject does not have role [admin]
testRequiresPermissions
Exception:
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [user:create]
3) Called while logged in as admin (roles: user, admin)
testRequiresAuthentication
Passed
testRequiresUser
Passed
testRequiresGuest
Exception:
org.apache.shiro.authz.UnauthenticatedException: Attempting to perform a guest-only operation. The current Subject is not a guest (they have been authenticated or remembered from a previous login). Access denied.
testRequiresRoles
Passed
testRequiresPermissions
Exception:
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [user:create]
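The three result tables above can be reproduced without a web container or Spring AOP. The following is an added example, not code from the original post: it builds an in-memory IniRealm with the same two users (passwords and the admin role's user:read grant are constructed placeholders; admin is deliberately not given user:create, matching the last row), and performs the check behind each annotation as a direct Subject call. It assumes Shiro 1.x core on the classpath; note that the annotations on a @Service bean only enforce anything when Shiro's annotation advisor is wired into Spring AOP, which is why this example calls the checks explicitly.

```java
import java.util.function.Consumer;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;
public class ShiroAnnotationMatrix {
    // Constructed in-memory realm (passwords are placeholders): "user" holds the user role,
    // "admin" holds user and admin. The admin role is granted only user:read, so
    // user:create is denied to everyone, reproducing the page's last row.
    private static final String INI =
            "[users]\nuser = userpw, user\nadmin = adminpw, user, admin\n"
          + "[roles]\nadmin = user:read\n";
    // The check each annotation performs, written out as a plain method so the
    // exception types from the page can be reproduced without Spring AOP.
    static void requiresAuthentication(Subject s) {
        if (!s.isAuthenticated()) throw new UnauthenticatedException("not authenticated");
    }
    static void requiresUser(Subject s) {   // authenticated OR remembered: a principal is known
        if (s.getPrincipal() == null) throw new UnauthenticatedException("not a user");
    }
    static void requiresGuest(Subject s) {  // no principal known at all
        if (s.getPrincipal() != null) throw new UnauthenticatedException("not a guest");
    }
    static void requiresRoles(Subject s) { s.checkRole("admin"); }               // throws on failure
    static void requiresPermissions(Subject s) { s.checkPermission("user:create"); }
    /** Runs one check; returns "pass" or the exception class name, like the page's tables. */
    static String outcome(Subject s, Consumer<Subject> check) {
        try { check.accept(s); return "pass"; }
        catch (AuthorizationException e) { return e.getClass().getSimpleName(); }
    }
    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));
        String[][] scenarios = { {"guest", null}, {"user", "userpw"}, {"admin", "adminpw"} };
        for (String[] sc : scenarios) {
            Subject s = new Subject.Builder(sm).buildSubject();   // fresh, anonymous subject
            if (sc[1] != null) s.login(new UsernamePasswordToken(sc[0], sc[1]));
            System.out.printf("%-6s auth=%s user=%s guest=%s roles=%s perms=%s%n", sc[0],
                outcome(s, ShiroAnnotationMatrix::requiresAuthentication),
                outcome(s, ShiroAnnotationMatrix::requiresUser),
                outcome(s, ShiroAnnotationMatrix::requiresGuest),
                outcome(s, ShiroAnnotationMatrix::requiresRoles),
                outcome(s, ShiroAnnotationMatrix::requiresPermissions));
        }
    }
}
```

Each printed row carries the same pass/exception pattern as the corresponding table above; the anonymous role and permission checks fail with UnauthenticatedException because Subject.checkRole and Subject.checkPermission refuse to run an authorization check for a subject with no principals.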