- Annotation-based authorization (Shiro docs: http://shiro.apache.org/authorization.html#Authorization-AnnotationbasedAuthorization)
1. RequiresAuthentication annotation
@RequiresAuthentication requires the current Subject to have been authenticated during the current session before the annotated method can be accessed or invoked.

    @RequiresAuthentication
    public void updateAccount(Account userAccount) {
        // this method will only be invoked by a
        // Subject that is guaranteed authenticated
        ...
    }

    public void updateAccount(Account userAccount) {
        if (!SecurityUtils.getSubject().isAuthenticated()) {
            throw new AuthorizationException(...);
        }
        // Subject is guaranteed authenticated here
        ...
    }

As the example shows, a method annotated with @RequiresAuthentication can only be accessed or invoked after the caller has authenticated; the second, unannotated method performs the same check by hand.
2. RequiresGuest annotation
@RequiresGuest requires the current Subject to be a "guest", i.e. one that has not been authenticated or remembered from a previous session, before the annotated method can be accessed or invoked.

    @RequiresGuest
    public void signUp(User newUser) {
        // this method will only be invoked by a
        // Subject that is unknown/anonymous
        ...
    }

    public void signUp(User newUser) {
        Subject currentUser = SecurityUtils.getSubject();
        PrincipalCollection principals = currentUser.getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            // known identity - not a guest:
            throw new AuthorizationException(...);
        }
        // Subject is guaranteed to be a 'guest' here
        ...
    }
    // The two methods above are functionally equivalent
3. RequiresPermissions annotation
@RequiresPermissions("account:create") requires the current Subject to be permitted one or more permissions in order to execute the annotated method.

    @RequiresPermissions("account:create")
    public void createAccount(Account account) {
        // this method will only be invoked by a Subject
        // that is permitted to create an account
        ...
    }

    public void createAccount(Account account) {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.isPermitted("account:create")) {
            throw new AuthorizationException(...);
        }
        // Subject is guaranteed to be permitted here
        ...
    }
    // The two methods above are functionally equivalent
4. RequiresRoles annotation
@RequiresRoles("administrator") requires the current Subject to hold all of the specified roles; if it does not, the method is not executed and an AuthorizationException is thrown.

    @RequiresRoles("administrator")
    public void deleteUser(User user) {
        // this method will only be invoked by an administrator
        ...
    }

    public void deleteUser(User user) {
        Subject currentUser = SecurityUtils.getSubject();
        if (!currentUser.hasRole("administrator")) {
            throw new AuthorizationException(...);
        }
        // Subject is guaranteed to be an 'administrator' here
        ...
    }
    // The two methods above are functionally equivalent
5. RequiresUser annotation
@RequiresUser requires the current Subject to be an application user, i.e. a Subject with a known identity (either logged in during this session or remembered), before the annotated class or instance method can be accessed or invoked.

    @RequiresUser
    public void updateAccount(Account account) {
        // this method will only be invoked by a 'user'
        // i.e. a Subject with a known identity
        ...
    }

    public void updateAccount(Account account) {
        Subject currentUser = SecurityUtils.getSubject();
        PrincipalCollection principals = currentUser.getPrincipals();
        if (principals == null || principals.isEmpty()) {
            // no identity - they're anonymous, not allowed:
            throw new AuthorizationException(...);
        }
        // Subject is guaranteed to have a known identity here
        ...
    }
    // The two methods above are functionally equivalent
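The annotations in sections 1 to 5 are only enforced when something intercepts the method call: in a Spring application that is Shiro's AuthorizationAttributeSourceAdvisor, with AspectJ or Guice their own interceptors. The following is an added Java example (not code from the original post or from the Shiro project) that makes the mechanism visible without a container: a JDK dynamic proxy routes every call on a hypothetical AccountService through Shiro's own AnnotationsAuthorizingMethodInterceptor, which is the same class the Spring integration delegates to. The in-memory IniRealm, the user alice with role administrator and permission account:*, and the class and method names are all constructed for the demo.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.function.Supplier;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.aop.MethodInvocation;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class AnnotationDemo {

    // Hypothetical service contract. The annotations sit on the interface so the
    // JDK proxy sees them on the Method object it hands to the interceptor.
    public interface AccountService {
        @RequiresGuest
        String signUp(String username);

        @RequiresUser
        String updateAccount(String username);

        @RequiresAuthentication
        String changePassword(String username);

        @RequiresPermissions("account:create")
        String createAccount(String username);

        @RequiresRoles("administrator")
        String deleteUser(String username);
    }

    // Implementation with no security code at all: every check happens in the interceptor.
    static class AccountServiceImpl implements AccountService {
        public String signUp(String u) { return "signed up " + u; }
        public String updateAccount(String u) { return "updated " + u; }
        public String changePassword(String u) { return "password changed for " + u; }
        public String createAccount(String u) { return "created " + u; }
        public String deleteUser(String u) { return "deleted " + u; }
    }

    // Wraps target in a proxy that passes each call through Shiro's annotation interceptor,
    // which inspects the @Requires* annotations and calls assertAuthorized before proceeding.
    static <T> T secure(Class<T> iface, T target) {
        AnnotationsAuthorizingMethodInterceptor interceptor = new AnnotationsAuthorizingMethodInterceptor();
        InvocationHandler handler = (proxy, method, args) -> interceptor.invoke(new MethodInvocation() {
            public Object proceed() throws Throwable { return method.invoke(target, args); }
            public Method getMethod() { return method; }
            public Object[] getArguments() { return args; }
            public Object getThis() { return target; }
        });
        return iface.cast(Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, handler));
    }

    // Reports whether Shiro allowed the call; AuthorizationException is unchecked, so it
    // propagates straight out of the proxy.
    static String attempt(String label, Supplier<String> call) {
        try {
            return label + ": allowed -> " + call.get();
        } catch (AuthorizationException e) {
            return label + ": denied (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory realm for the demo; IniRealm stores the password in plaintext here.
        Ini ini = new Ini();
        ini.load("[users]\nalice = secret, administrator\n[roles]\nadministrator = account:*\n");
        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);

        AccountService service = secure(AccountService.class, new AccountServiceImpl());
        Subject subject = SecurityUtils.getSubject();

        System.out.println("-- anonymous subject --");
        System.out.println(attempt("signUp", () -> service.signUp("bob")));
        System.out.println(attempt("updateAccount", () -> service.updateAccount("bob")));
        System.out.println(attempt("createAccount", () -> service.createAccount("bob")));

        subject.login(new UsernamePasswordToken("alice", "secret"));
        System.out.println("-- alice: authenticated, role administrator --");
        System.out.println(attempt("signUp", () -> service.signUp("bob")));
        System.out.println(attempt("updateAccount", () -> service.updateAccount("bob")));
        System.out.println(attempt("changePassword", () -> service.changePassword("alice")));
        System.out.println(attempt("createAccount", () -> service.createAccount("bob")));
        System.out.println(attempt("deleteUser", () -> service.deleteUser("bob")));
        subject.logout();
    }
}
```

Run with shiro-core (the post uses 1.3.2) on the classpath. The anonymous subject is allowed through signUp and denied everywhere else; after alice logs in the situation inverts, with signUp now refused by @RequiresGuest. The point worth keeping in mind is that the plain AccountServiceImpl enforces nothing: anyone who obtains a reference to the unproxied object bypasses every annotation, which is why callers must only ever receive the proxied (or Spring-advised) bean.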
6. JSP tag authorization (docs: http://shiro.apache.org/web.html#web-taglibrary)
Tag library configuration: add this line to the web page:

    <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

and add the jar dependency:

    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.3.2</version>
    </dependency>
guest tag: content shown when the user has no known identity, i.e. what an anonymous visitor sees;

    <shiro:guest>
        Hi there! Please <a href="login.jsp">Login</a> or <a href="signup.jsp">Signup</a> today!
    </shiro:guest>

user tag: content shown once the user has authenticated or has been logged in via remember-me;

    <shiro:user>
        Welcome back John! Not John? Click <a href="login.jsp">here</a> to login.
    </shiro:user>

authenticated tag: content shown only when the user has actually authenticated, i.e. subject login succeeded in this session; a remember-me login does not count.

    <shiro:authenticated>
        <a href="updateAccount.jsp">Update your contact information</a>.
    </shiro:authenticated>

notAuthenticated tag: content shown when the user has not authenticated, i.e. subject login was not called; remember-me users are also treated as not authenticated.

    <shiro:notAuthenticated>
        Please <a href="login.jsp">login</a> in order to update your credit card information.
    </shiro:notAuthenticated>

principal tag: displays the user's identity; by default it calls subject getPrincipal(), i.e. the primary principal. The two lines below are equivalent.

    Hello, <shiro:principal/>, how are you today?
    Hello, <%= SecurityUtils.getSubject().getPrincipal().toString() %>, how are you today?

hasRole tag: the body is shown if the current subject has the named role.

    <shiro:hasRole name="administrator">
        <a href="admin.jsp">Administer the system</a>
    </shiro:hasRole>

lacksRole tag: the body is shown if the current subject does not have the named role.

    <shiro:lacksRole name="administrator">
        Sorry, you are not allowed to administer the system.
    </shiro:lacksRole>

hasAnyRoles tag: the body is shown if the current subject has any one of the listed roles (OR relationship).

    <shiro:hasAnyRoles name="developer, project manager, administrator">
        You are either a developer, project manager, or administrator.
    </shiro:hasAnyRoles>

hasPermission tag: the body is shown if the current subject has the named permission.

    <shiro:hasPermission name="user:create">
        <a href="createUser.jsp">Create a new User</a>
    </shiro:hasPermission>

lacksPermission tag: the body is shown if the current subject does not have the named permission.

    <shiro:lacksPermission name="user:delete">
        Sorry, you are not allowed to delete user accounts.
    </shiro:lacksPermission>
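The guest/user/authenticated/notAuthenticated tags are easy to confuse because a remembered user is a "user" but is "not authenticated". The following added Java example (not from the original post or the Shiro project) evaluates the same predicates those tag classes use against three constructed subjects: an anonymous visitor, a remembered user built explicitly with Subject.Builder to stand in for a remember-me cookie, and a fully logged-in user. The in-memory IniRealm, the user john, the realm name and the names TagStateDemo and renderedTags are assumptions for the demo.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class TagStateDemo {

    // Returns the names of the tags whose body would render for this subject.
    // Each condition mirrors the check made by the corresponding shiro:* tag class.
    static List<String> renderedTags(Subject s) {
        List<String> tags = new ArrayList<>();
        if (s.getPrincipal() == null) tags.add("guest");             // no known identity
        if (s.getPrincipal() != null) tags.add("user");              // identity known: logged in or remembered
        if (s.isAuthenticated())      tags.add("authenticated");     // proved identity in this session
        if (!s.isAuthenticated())     tags.add("notAuthenticated");  // anonymous or merely remembered
        if (s.hasRole("administrator")) tags.add("hasRole(administrator)");
        if (s.isPermitted("user:create")) tags.add("hasPermission(user:create)");
        return tags;
    }

    public static void main(String[] args) {
        // Constructed in-memory realm for the demo.
        Ini ini = new Ini();
        ini.load("[users]\njohn = secret, administrator\n[roles]\nadministrator = user:*\n");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();

        // 1. Anonymous visitor: no principal, not authenticated.
        Subject guest = new Subject.Builder(sm).buildSubject();
        System.out.println("guest         -> " + renderedTags(guest));

        // 2. Remembered user: identity restored from a remember-me cookie but no login this session.
        //    Built by hand here; "iniRealm" is the name IniSecurityManagerFactory gives its realm
        //    (assumption; role lookup falls back to the primary principal anyway).
        Subject remembered = new Subject.Builder(sm)
                .principals(new SimplePrincipalCollection("john", "iniRealm"))
                .authenticated(false)
                .buildSubject();
        System.out.println("remembered    -> " + renderedTags(remembered));

        // 3. Fully logged-in user.
        Subject loggedIn = new Subject.Builder(sm).buildSubject();
        loggedIn.login(new UsernamePasswordToken("john", "secret"));
        System.out.println("authenticated -> " + renderedTags(loggedIn));
        loggedIn.logout();
    }
}
```

The remembered subject passes the user, hasRole and hasPermission checks exactly like the logged-in one, but it lands in notAuthenticated rather than authenticated. That is the design rationale behind the tag split: role and permission checks say who the visitor probably is, while authenticated says they proved it in this session, which is the bar to use before sensitive actions such as the credit card update in the notAuthenticated example above.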