1. Show a tag only when the user holds a given permission
This only works in projects where front end and back end are not separated. It merely hides the tag: a user who types the path directly into the browser can still reach it, so it must be combined with methods 2 and 3 below.
<shiro:hasPermission name="order-add"><li><a href="/dingdan/add">Add order</a></li></shiro:hasPermission>
<shiro:hasRole name="seller"><a href="saler">Sales staff</a></shiro:hasRole>
2. Filter-based authorization
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.springframework.context.annotation.Bean;

@Bean
public ShiroFilterFactoryBean shiroFilter(DefaultSecurityManager defaultSecurityManager) {
    ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
    filter.setSecurityManager(defaultSecurityManager);
    // Shiro matches filter chains in definition order and the first match wins,
    // so the map must preserve insertion order: a plain HashMap may put "/**"
    // first and shadow every other rule.
    Map<String, String> filtermap = new LinkedHashMap<>();
    filtermap.put("/", "anon");
    filtermap.put("/login", "anon");
    filtermap.put("/login.html", "anon");
    filtermap.put("/user/login", "anon");
    filtermap.put("/index.html", "anon");
    filtermap.put("/user/regist", "anon");
    filtermap.put("/regist", "anon");
    filtermap.put("/static/**", "anon");
    filtermap.put("/norenzheng", "anon");
    filtermap.put("/norenzheng.html", "anon");
    // logout must come before the catch-all, otherwise "/**" matches /exit first
    filtermap.put("/exit", "logout");
    // everything else requires an authenticated user
    filtermap.put("/**", "authc");
    filter.setFilterChainDefinitionMap(filtermap);
    filter.setLoginUrl("/norenzheng.html");
    filter.setUnauthorizedUrl("/norenzheng.html");
    return filter;
}
filtermap.put("/dingdan/add", "perms[sys:x:save]"); // add this before the "/**" entry
Adding the line above to filtermap means a request to /dingdan/add requires the sys:x:save permission.
When the permission is missing, the user is redirected to the following page:
// There is a small problem here: when I access a page that requires a permission without being logged in, it should in theory go to nologin.html, but in practice both "not logged in" and "insufficient permission" redirect to noquanxian.html.
filter.setLoginUrl("/nologin.html");
filter.setUnauthorizedUrl("/noquanxian.html");
3. Annotation-based authorization
1. Add the two beans below to ShiroConfig. There is no need to understand them; just be able to look them up when needed.
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;

// Enables permission management through annotations; just memorize it.
@Bean
public AuthorizationAttributeSourceAdvisor getAuthorizationAttributeSourceAdvisor() {
    AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
    // getdefaultWebSecurityManager() is the config class's existing security manager bean method (not shown here)
    authorizationAttributeSourceAdvisor.setSecurityManager(getdefaultWebSecurityManager());
    return authorizationAttributeSourceAdvisor;
}

@Bean
public DefaultAdvisorAutoProxyCreator getDefaultAdvisorAutoProxyCreator() {
    DefaultAdvisorAutoProxyCreator autoproxycreator = new DefaultAdvisorAutoProxyCreator();
    // proxy the class itself (CGLIB) so controllers without interfaces are still intercepted
    autoproxycreator.setProxyTargetClass(true);
    return autoproxycreator;
}
2. Declare the required permissions on the controller methods
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class OrderController { // class name assumed; the note only shows the methods

    // the advisor above checks this before the method body runs
    @RequiresPermissions("sys:x:delete")
    @ResponseBody
    @RequestMapping("/dingdan/del")
    public String deldingdan() {
        return "has permission to delete orders";
    }

    @RequiresRoles("cmanager")
    @ResponseBody
    @RequestMapping("/cmanager")
    public String cmanager() {
        return "has the cmanager role";
    }
}
3. If the user lacks the permission, an AuthorizationException is thrown, as shown in the figure.
Handle it with Spring Boot's exception handler (@ControllerAdvice). It catches every exception raised in the controller layer and its return value goes straight back to the user, so the controller needs no corresponding @RequestMapping and the Shiro filter map needs no anon entry for that page.
File utils/GlobalExeception.java:
import org.apache.shiro.authz.AuthorizationException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ResponseBody;

@ControllerAdvice
public class GlobalExeception {
    // @ResponseBody can be added so that the return value is sent back as data instead of a view name
    // @ResponseBody
    @ExceptionHandler
    public String doexection(Exception e) throws Exception {
        System.out.println(e);
        if (e instanceof AuthorizationException) {
            // The return value is the name of an HTML template; no controller mapping
            // and no Shiro filter entry are needed for it to be rendered.
            return "norenzheng2";
        } else if (e instanceof ArithmeticException) {
            return "a division-by-zero exception occurred";
        }
        // not ours to handle: rethrow so Spring's default error handling applies
        // (returning null would send an empty response)
        throw e;
    }
}
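The handler above treats every AuthorizationException the same, yet Shiro throws two different subclasses: UnauthenticatedException when nobody is logged in and UnauthorizedException when a logged-in user lacks the permission or role. The added example below (not the note's own code) replaces the single AuthorizationException branch with one handler per subclass, sends each to the matching page, and returns a status code instead of a redirect for JSON clients; the class name, the isAjax helper and the view names nologin.html / noquanxian.html are assumed from the note.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

// Added example, not the note's own code. Both exceptions extend
// AuthorizationException, so a handler that only checks the parent type
// cannot tell "not logged in" from "logged in but lacking the permission".
@ControllerAdvice
public class ShiroAuthzExceptionHandler {

    // Thrown by @RequiresPermissions / @RequiresRoles when no one is logged in:
    // send the user to the login page, not to the "no permission" page.
    @ExceptionHandler(UnauthenticatedException.class)
    public Object notLoggedIn(HttpServletRequest request) {
        if (isAjax(request)) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body(Collections.singletonMap("error", "login required"));
        }
        return "redirect:/nologin.html"; // view name assumed from the note
    }

    // Thrown when a logged-in Subject fails the permission or role check.
    // Keep the detail (which permission was missing) in the server log only;
    // do not echo it back to the client.
    @ExceptionHandler(UnauthorizedException.class)
    public Object forbidden(HttpServletRequest request, UnauthorizedException e) {
        System.err.println("authz denied on " + request.getRequestURI() + ": " + e.getMessage());
        if (isAjax(request)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .body(Collections.singletonMap("error", "permission denied"));
        }
        return "noquanxian"; // resolves to templates/noquanxian.html (assumed)
    }

    // JSON clients (fetch / XMLHttpRequest) get a status code instead of an HTML page.
    private static boolean isAjax(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
                || (accept != null && accept.contains("application/json"));
    }
}
```

Declaring the return type as Object lets one method return either a view name (String) or a ResponseEntity; Spring picks the handler by the runtime type of the returned value.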
4. Manual authorization
Unlike the previous two methods, which must intercept a path, this method needs no path interception, so it can be used in the service layer: the user must hold a given permission before the operation is carried out.
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Service;

@Service
public class UserService {
    // the caller passes in the current Subject (e.g. SecurityUtils.getSubject())
    public String c_update(Subject subject) {
        if (subject.isPermitted("sys:c:update")) {
            System.out.println("updating customer information");
            return "c_update";
        } else {
            System.out.println("insufficient permission, cannot update");
            return "error1";
        }
    }
}