1、Shiro's permission check uses wildcard (fuzzy) matching, not equals.
For example, if the permission being checked is @RequiresPermissions("system:user:add") but the custom ShiroRealm calls addStringPermission with "system" or "system:user",
the permission check will pass in either case. My personal recommendation is to grant only the lowest-level (leaf) permission directly.
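As an added illustration (not code from the original post), the following Java snippet calls Shiro's own WildcardPermission.implies() to show why the realm grants mentioned above pass the check for "system:user:add". The class name ShiroWildcardDemo, the helper granted() and the list of sample grants are constructed for this example and assume shiro-core is on the classpath.

```java
import org.apache.shiro.authz.permission.WildcardPermission;

// Constructed demo class; not part of the original post or of Shiro itself.
public class ShiroWildcardDemo {

    // Permission required by the controller method, i.e. @RequiresPermissions("system:user:add")
    static final String REQUIRED = "system:user:add";

    /**
     * Returns true when a permission string granted in the realm satisfies the
     * required permission. This is the same WildcardPermission.implies() check
     * that Subject.isPermitted(String) ends up performing for permissions that a
     * realm registered via SimpleAuthorizationInfo.addStringPermission().
     */
    static boolean granted(String realmPermission, String required) {
        return new WildcardPermission(realmPermission)
                .implies(new WildcardPermission(required));
    }

    public static void main(String[] args) {
        // Constructed sample of strings a custom realm might pass to addStringPermission()
        String[] realmGrants = {
                "system",             // too broad: implies everything under system
                "system:user",        // too broad: implies every action on system:user
                "system:user:add",    // the leaf permission the post recommends granting
                "system:user:delete", // a different leaf permission
                "system:*:add"        // explicit wildcard in the middle part
        };
        for (String grant : realmGrants) {
            System.out.printf("%-20s implies %s ? %b%n", grant, REQUIRED, granted(grant, REQUIRED));
        }
    }
}
```

Running it shows that "system", "system:user" and "system:*:add" all imply "system:user:add", because WildcardPermission treats a missing trailing part as a wildcard, while "system:user:delete" does not. In other words, adding "system" in a realm is equivalent to granting every permission under that prefix, which is why the post advises registering only the leaf permission.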
2、The Shiro configuration has a problem: the following code must be added. Without it, @RequiresPermissions and @RequiresRoles are both ineffective.
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfig {

    /**
     * Enables Shiro's annotations (such as @RequiresRoles and @RequiresPermissions).
     * Spring AOP is needed to scan the classes that use Shiro annotations and to run
     * the security checks where required. Configuring the following two beans
     * (DefaultAdvisorAutoProxyCreator and AuthorizationAttributeSourceAdvisor) is enough.
     * @return the auto-proxy creator that applies the Shiro advisor to annotated beans
     */
    @Bean
    public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
        advisorAutoProxyCreator.setProxyTargetClass(true);
        return advisorAutoProxyCreator;
    }

    /**
     * Enables AOP annotation support.
     * @param securityManager the Shiro SecurityManager used to evaluate the annotations
     * @return the advisor that intercepts methods annotated with Shiro authorization annotations
     */
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
        authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
        return authorizationAttributeSourceAdvisor;
    }
}