1. Add permission requirements to the endpoints in the configuration class's getShiroFilterFactoryBean method:
    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(@Qualifier("getDefaultWebSecurityManager") DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // Set the security manager
        shiroFilterFactoryBean.setSecurityManager(defaultWebSecurityManager);
        // Configure Shiro's built-in filters; LinkedHashMap keeps insertion order, and the first matching entry wins
        Map<String, String> filterMap = new LinkedHashMap<>();
        /*
         * Meaning of the map values:
         * anon:  the resource can be accessed without authentication;
         * authc: the resource can only be accessed after authentication;
         * user:  the resource can be accessed by a known user, i.e. authenticated or remembered via "remember me";
         * perms: the resource can only be accessed with the given permission;
         * roles: the resource can only be accessed with the given role
         */
        // Set per-endpoint permissions
        filterMap.put("/user/add", "perms[user:add]");
        filterMap.put("/user/update", "perms[user:update]");
        // filterMap.put("/user/*", "authc");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterMap);
        // Login page URL: unauthenticated requests to protected resources are redirected here
        shiroFilterFactoryBean.setLoginUrl("/toLogin");
        // Unauthorized page URL: authenticated users lacking the required permission are redirected here
        shiroFilterFactoryBean.setUnauthorizedUrl("/unauthorized");
        return shiroFilterFactoryBean;
    }
    filterMap.put("/user/add", "perms[user:add]");
    filterMap.put("/user/update", "perms[user:update]");
The value inside the square brackets on these two lines is the permission required for the corresponding endpoint. Setting a permission on an endpoint also implicitly requires that the user authenticate first.
2. The authorization method in AuthorizingRealm:
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        System.out.println("执行了授权doGetAuthorizationInfo方法");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        // Get the current user; the same object is also available as (UserInf) principals.getPrimaryPrincipal()
        Subject subject = SecurityUtils.getSubject();
        UserInf currentUser = (UserInf) subject.getPrincipal();
        // Add the current user's permission string to the authorization info
        info.addStringPermission(currentUser.getPerms());
        return info;
    }
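The two pieces above fit together as follows. This is an added stand-alone example, not code from the original post: it uses a constructed in-memory realm (DemoRealm, with made-up users and a comma-separated permission column, an assumption about what getPerms() returns) and a small stand-in for the anon/authc/perms filters, and resolves a path against the LinkedHashMap the same way Shiro's filter chain does, first match wins, which is why a catch-all entry placed before the specific perms entries silently disables the permission check.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.AntPathMatcher;

public class ChainOrderDemo {
    // Constructed in-memory realm; the perms column is assumed to be comma-separated like "user:add,user:update".
    static class DemoRealm extends AuthorizingRealm {
        private final Map<String, String> perms = Map.of("alice", "user:add,user:update", "bob", "user:query");
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String name = (String) t.getPrincipal();
            if (!perms.containsKey(name)) throw new UnknownAccountException(name);
            return new SimpleAuthenticationInfo(name, "secret", getName()); // constructed password
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            // Split the column: addStringPermission("a,b") would register one bogus permission, not two.
            info.addStringPermissions(Arrays.asList(perms.get((String) p.getPrimaryPrincipal()).split(",")));
            return info;
        }
    }
    // First matching definition wins, in insertion order, as Shiro's PathMatchingFilterChainResolver does.
    static String resolve(LinkedHashMap<String, String> chain, String path) {
        AntPathMatcher m = new AntPathMatcher();
        for (Map.Entry<String, String> e : chain.entrySet())
            if (m.matches(e.getKey(), path)) return e.getValue();
        return "anon"; // no definition matched: Shiro applies no filter
    }
    // Minimal stand-in for the anon/authc/perms filters described in the configuration comment block.
    static boolean allowed(Subject s, String def) {
        if (def.equals("anon")) return true;
        if (def.equals("authc")) return s.isAuthenticated();
        return s.isAuthenticated() && s.isPermitted(def.substring("perms[".length(), def.length() - 1));
    }
    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new DemoRealm()));
        Subject bob = SecurityUtils.getSubject();
        bob.login(new UsernamePasswordToken("bob", "secret")); // bob has user:query only
        LinkedHashMap<String, String> good = new LinkedHashMap<>(), bad = new LinkedHashMap<>();
        good.put("/user/add", "perms[user:add]"); good.put("/user/*", "authc");
        bad.put("/user/*", "authc"); bad.put("/user/add", "perms[user:add]"); // catch-all first shadows perms
        System.out.println("specific first: " + allowed(bob, resolve(good, "/user/add"))); // perms[user:add] is consulted
        System.out.println("catch-all first: " + allowed(bob, resolve(bad, "/user/add"))); // only authc is consulted
    }
}
```

Run with shiro-core on the classpath; in a real deployment the same ordering rule applies to the filterMap passed to setFilterChainDefinitionMap, so keep catch-all patterns such as /user/* after the specific perms entries.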