shiro-支持授权的方式有个两三种,之前没有说,但是还是需要懂点涩!

最新推荐文章于 2024-04-08 11:31:39 发布
最新推荐文章于 2024-04-08 11:31:39 发布
阅读量957 收藏
点赞数
分类专栏: 权限管理
本文链接:https://blog.csdn.net/u012881904/article/details/53844418
版权

Performing authorization in Shiro can be done in 3 ways:

Programmatically - You can perform authorization checks in your java code with structures like if and else blocks.
if ~else
JDK annotations - You can attach an authorization annotation to your Java methods
注解
JSP/GSP TagLibs - You can control JSP or GSP page output based on roles and permissions
JSP标签好像挺实用的

http://shiro.apache.org/authorization.html#Authorization-PermissionGranularity 网址
权限检查基于资源更加的细粒度

使用if_else:这种肯定不是太推荐实用

ubject currentUser = SecurityUtils.getSubject();

if (currentUser.hasRole("administrator")) {
    //show the admin button 
} else {
    //don't show the button?  Grey it out? 
}
为假的情况下会抛出UnauthorizedException异常。
Subject currentUser = SecurityUtils.getSubject();
//guarantee that the current user is a bank teller and 
//therefore allowed to open the account: 
currentUser.checkRole("bankTeller");
openBankAccount();

Annotation-based Authorization使用注解
In addition to the Subject API calls, Shiro provides a collection of Java 5+ annotations if you prefer meta-based authorization control.

Before you can use Java annotations, you’ll need to enable AOP support in your application. There are a number of different AOP frameworks so, unfortunately, there is no standard way to enable AOP in an application.
因为注解需要对应的拦截器去处理哦~AOP 基于切面的方法去处理注解!

下面看看几个注解

@RequiresAuthentication
public void updateAccount(Account userAccount) {
    //this method will only be invoked by a
    //Subject that is guaranteed authenticated
    ...
}
public void updateAccount(Account userAccount) {
    if (!SecurityUtils.getSubject().isAuthenticated()) {
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed authenticated here
    ...
}

The RequiresGuest annotation
The RequiresGuest annotation requires the current Subject to be a “guest”, that is, they are not authenticated or remembered from a previous session for the annotated class/instance/method to be accessed or invoked.

@RequiresGuest
public void signUp(User newUser) {
    //this method will only be invoked by a
    //Subject that is unknown/anonymous
    ...
}

public void signUp(User newUser) {
    Subject currentUser = SecurityUtils.getSubject();
    PrincipalCollection principals = currentUser.getPrincipals();
    if (principals != null && !principals.isEmpty()) {
        //known identity - not a guest:
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to be a 'guest' here
    ...
}

RequiresPermissions

@RequiresPermissions("account:create")
public void createAccount(Account account) {
    //this method will only be invoked by a Subject
    //that is permitted to create an account
    ...
}
public void createAccount(Account account) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!subject.isPermitted("account:create")) {
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to be permitted here
    ...
}

RequiresRoles

@RequiresRoles("administrator")
public void deleteUser(User user) {
    //this method will only be invoked by an administrator
    ...
}
public void deleteUser(User user) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!subject.hasRole("administrator")) {
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to be an 'administrator' here
    ...
}

RequiresUser

@RequiresUser
public void updateAccount(Account account) {
    //this method will only be invoked by a 'user'
    //i.e. a Subject with a known identity
    ...
}
public void updateAccount(Account account) {
    Subject currentUser = SecurityUtils.getSubject();
    PrincipalCollection principals = currentUser.getPrincipals();
    if (principals == null || principals.isEmpty()) {
        //no identity - they're anonymous, not allowed:
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to have a known identity here
    ...
}

JSP 标签 http://shiro.apache.org/web.html#Web-taglibrary
哪天在仔细看看

汪小哥
关注
专栏目录
关于shiro授权 This subject is anonymous - it does not have any identifying principals and authorization
m0_49359842的博客
01-17 4644
在进行shiro前后分离授权时,报错如下。 This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals automatically after a successful
shiro-core-1.7.1 jar
07-12
shiro shiro-core-1.7.1 jar shiro漏洞
This subject is anonymous - it does not have any identifying principals and authorization operations
烤鸭的世界我们不懂的博客
04-17 1万+
大家好,我是烤鸭: 最近使用shiro,遇到如下问题: 严重: Servlet.service() for servlet [dispatcherServlet] in context with path [/etc] threw exception [Request processing failed; nested exception is org.apache.shiro.aut...
解决Shiro 加权限注解失效 或者报错 This subject is anonymous
程序圆的博客
09-12 1万+
报错堆栈 org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against. A Subject instance will acquire these identifying principals a
redis-shiro session 共享subject中principal 为空
goodtimeflying的博客
11-25 1846
redis-shiro session共享,登陆后subject中principal 为空 看过我的上一篇文章 redis-shiro session共享,序列化大坑的人,你可能遇到一个新的问题,就是登陆后再去请求的时候,报错This subject is anonymous 具体的错误信息如下: This subject is anonymous - it does not have any identifying principals and authorization operations requi
shiro 开放接口后 调用报错: This subject is anonymous
最新发布
John的博客
04-08 477
shiro 开放接口后 调用报错: This subject is anonymous
shiro-attack-4.7.0-SNAPSHOT-all.zip
10-24
Apache Shiro是一个强大的Java安全框架,它提供了身份验证(Authentication)、授权(Authorization)以及会话管理(Session Management)等功能,广泛应用于各种类型的Java应用程序中。标题提到的"shiro-attack-...
shiro-core 低版本漏洞检测
01-31
shiro-core 低版本漏洞检测工具
shiro-core-1.6.0.jar
08-20
该资源是目前最新的shiro-core核心包,暂时魏安全性较高的版本,没有发现漏洞版本。提供登录安全性的校验,该资源来自官网,仅供学习参考,请前往官网下载
shiro-root-1.2.3-source-release zipa包 和相关jar包
04-20
Apache Shiro是一个强大且易用的Java安全框架,它提供了认证、授权、加密和会话管理功能,可以简化开发人员处理安全的复杂性。在"shiro-root-1.2.3-source-release zipa包"中,包含了Shiro框架的核心源代码,允许...
org.apache.shiro.authz.UnauthenticatedException: The current Subject is not authenticated. Access d
guyu96的博客
09-12 1万+
属于shiro安全框架的限制问题,我在这里写的是新用户注册的功能,但是shiro框架要求必须登录时候才能操作,为了解决这个矛盾的问题,只能给注册这个功能开放一个非安全的口 在Handler文件中,在1处添加全路径名,注意2处的“/”是默认值,不能删掉...
Shiro原理一】shiro:hasPermission 隐藏页面无权访问的资源
朱赤墨黑
09-03 5631
shiro:hasPermission 隐藏页面无权访问的资源,因为层层调用方法,下面可能有点儿乱,注意上下结合看方法名。 jsp: organ_list.jsp <shiro:hasPermission name="jigouxinxi-xinzeng"> <button class="layui-btn layui-btn-primary" onclick="a...
Shiro 注解的使用
u013858179的专栏
04-03 1万+
今天研究了下shiro注解的使用,碰到了一些问题,
springboot最正确的集成websocket并使用shiro用户信息
tanleijin的博客
09-17 1万+
        最近在springboot项目中用到了websocket实现待办事项的实时提醒,在集成websocket中踩了好几个坑,还好通过我的聪明才智解决了,特此记录一下。 1.引入依赖,在pom文件中加依赖。由于springboot提供了websocket的starter     所以在pom中直接加依赖 <!--websocket--> ...
shiro框架的三种授权方式
java初级学习
03-28 630
Shiro 支持三种方式授权: 编程式:通过写if/else 授权代码块完成: Subject subject = SecurityUtils.getSubject(); if(subject.hasRole(“admin”)) { //有权限 } else { //无权限 } 注解式:通过在执行的Java方法上放置相应的注解完成:...
Spring Boot持续集成测试 There are no tests to run
蓝天的博客
06-12 1896
今天给PHP做的分布式跟踪代码做了个代码覆盖率持续集成,每次执行到mvn test都会提示: There are no tests to run 实际src/test是存在的…… 有两个测试用例…… 但是mvn test在命令行下就是找不到 后来问了同事,尝试多次才知道 原来要放到src/test/java/里面……
xml文件下载报This XML file does not appear to have any style information associated with it. The document
热门推荐
白猿的博客
06-19 15万+
xml文件下载报This XML file does not appear to have any style information associated with it. The document 可能是原文件缺失了文件声明 正常的xml文件 <?xml version='1.0' encoding='UTF-8'?> <definitions xmlns="http://w...
Spring WebSocket+SockJS+Stomp实现一对一、一对多通信
隔壁老王的专栏
11-27 5万+
最近项目上要做扫码登录,所以研究了一下Spring WebSocket。网上找了很多资料 springmvc(18)使用WebSocket 和 STOMP 实现消息功能、spring websocket + stomp 实现广播通信和一对一通信,要么就是不是自己想要的,要么就是只有中间一部分。所以特别写了这篇文章,一方面怕自己遗忘,另一方面是希望可以给大家一些参考。 先放代码,在文章的最后我
shiro-550和shiro-721漏洞的异同点
06-06
Shiro-550和Shiro-721漏洞都是Apache Shiro框架的安全漏洞,但它们的漏洞类型和漏洞影响不同。 Shiro-550漏洞是Apache Shiro框架中的一种远程代码执行漏洞,攻击者可以通过构造恶意的序列化数据包,触发远程代码...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值