注解式授权 (shiro官网地址:http://shiro.apache.org/authorization.html#Authorization-AnnotationbasedAuthorization)
@RequiresAuthentication 要求当前Subject已经在当前的session中被验证通过才能被访问或调用
@RequiresAuthentication
public void updateAccount(Account userAccount) {
//this method will only be invoked by a
//Subject that is guaranteed authenticated
...
}
public void updateAccount(Account userAccount) {
if (!SecurityUtils.getSubject().isAuthenticated()) {
throw new AuthorizationException(...);
}
//Subject is guaranteed authenticated here
...
}
由上述例子可知,@RequiresAuthentication必须被验证通过后才能被访问或调用
2.RequiresGuest注解
@RequiresGuest要求当前的Subject是一个“guest”(访客的意思),也就是说,他们必须是在之前的session中没有被验证或被记住才能被访问或调用,
@RequiresGuest
public void signUp(User newUser) {
//this method will only be invoked by a
//Subject that is unknown/anonymous
...
}
public void signUp(User newUser) {
Subject currentUser = SecurityUtils.getSubject();
PrincipalCollection principals = currentUser.getPrincipals();
if (principals != null && !principals.isEmpty()) {
//known identity - not a guest:
throw new AuthorizationException(...);
}
//Subject is guaranteed to be a 'guest' here
...
}
//以上两个方法的功能是一样的
3.RequiresPermissions["account:create"]注解
@RequiresPermissions["account:create"]要求当前的subject被允许一个或多个权限,以便执行注解的方法。
@RequiresPermissions("account:create")
public void createAccount(Account account) {
//this method will only be invoked by a Subject
//that is permitted to create an account
...
}
public void createAccount(Account account) {
Subject currentUser = SecurityUtils.getSubject();
if (!subject.isPermitted("account:create")) {
throw new AuthorizationException(...);
}
//Subject is guaranteed to be permitted here
...
}
//以上两个方法的功能是一样的
4.@RequiresRoles注解
@RequiresRoles["administrator"]要求当前的subject拥有所有指定的角色,如果他们没有,则该方法将不会被执行,而且AuthorizationException异常将会被抛出
@RequiresRoles["administrator"]要求当前的subject拥有所有指定的角色,如果他们没有,则该方法将不会被执行,而且AuthorizationException异常将会被抛出
@RequiresRoles("administrator")
public void deleteUser(User user) {
//this method will only be invoked by an administrator
...
}
public void deleteUser(User user) {
Subject currentUser = SecurityUtils.getSubject();
if (!subject.hasRole("administrator")) {
throw new AuthorizationException(...);
}
//Subject is guaranteed to be an 'administrator' here
...
}
//以上两个方法是一样的功能
5.RequireUser注解
@RequiresUser注解需要当前的Subject是一个应用程序用户才能被注解的类/实例方法访问或调用
@RequiresUser
public void updateAccount(Account account) {
//this method will only be invoked by a 'user'
//i.e. a Subject with a known identity
...
}
public void updateAccount(Account account) {
Subject currentUser = SecurityUtils.getSubject();
PrincipalCollection principals = currentUser.getPrincipals();
if (principals == null || principals.isEmpty()) {
//no identity - they're anonymous, not allowed:
throw new AuthorizationException(...);
}
//Subject is guaranteed to have a known identity here
...
}
//以上两种方法的功能是一样的
6.JSP标签授权(官网地址见:http://shiro.apache.org/web.html#web-taglibrary)
tag库配置,web页面需加上该行:
并要引入jar包:
org.apache.shiro
shiro-web
1.3.2
guest标签:用户没有身份验证时显示的信息,即游客访问信息;
Hi there! Please Login or Signup today!
user标签:用户已经身份验证/记住我登录后显示的信息;
Welcome back John! Not John? Click here to login.
authenticated标签:用户已经身份验证通过,即subject login登录成功,不是记住我登录的。
Update your contact information.
notAuthenticated标签:用户没有身份验证通过,即没有调用subject login进行登录,包括记住我的也属于未进行身份验证
Please login in order to update your credit card information.
principal标签:显示用户身份信息,默认调用subject getPrincipal()获取,即primary principal
Hello, , how are you today?
Hello, , how are you today?
hasRole标签:如果当前subject有角色将显示body体内容
lacksRole标签:如果当前subject没有角色将显示body体内容
Sorry, you are not allowed to administer the system.
hasAnyRoles标签:如果当前subject有任意一个角色(或的关系)将显示body体的内容
You are either a developer, project manager, or administrator.
hasPermission标签:如果当前subject有权限将显示body体内容
lacksPermissions标签:如果当前subject没有权限将显示body体内容
Sorry, you are not allowed to delete user accounts.