1) Annotation-based authorization interception only works on methods; placing the annotation on the class has no effect.
2) The project only supports these interception annotations if AOP is enabled:
<!-- AOP dependency, required; without it Shiro's annotation-based permission checks do not take effect -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
// The following beans (declared inside a @Configuration class) enable annotation support
/**
 * Shiro lifecycle bean post-processor
 */
@Bean(name = "lifecycleBeanPostProcessor")
public static LifecycleBeanPostProcessor getLifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
/**
 * Enables Shiro's annotations (such as @RequiresRoles and @RequiresPermissions). Spring AOP scans classes that use Shiro annotations and performs the security checks where required.
 */
@Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator advisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
advisorAutoProxyCreator.setProxyTargetClass(true);
return advisorAutoProxyCreator;
}
/**
 * Enables Shiro AOP annotation support
 */
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
return authorizationAttributeSourceAdvisor;
}
I. @RequiresAuthentication:
1. Purpose: requires that the current Subject has already been authenticated in the session (i.e. checks whether the current user is logged in: subject.isAuthenticated() returns true).
II. @RequiresUser: checks whether the user is remembered.
III. @RequiresGuest: the user has neither logged in (authenticated) nor been remembered; checks that the request comes from a guest, the exact opposite of @RequiresUser. In other words, RequiresUser == !RequiresGuest. In this case subject.getPrincipal() returns null.
IV. @RequiresRoles: checks whether the current user holds a given role; works like the permission check.
V. @RequiresPermissions: checks whether the user holds one or more permissions. This annotation is used frequently in projects; if the condition is not met, an AuthorizationException is thrown.
1. Single permission:
@RequiresPermissions("school_manage")
2. Multiple permissions: pass the permission values as an array in value, then set logical:
(1) Any one is sufficient: logical = Logical.OR, for example
@RequiresPermissions(value = { "menu_1", "menu_2" }, logical = Logical.OR)
(2) All must be satisfied: logical = Logical.AND, for example
@RequiresPermissions(value = { "menu_1", "menu_2" }, logical = Logical.AND)
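Putting the annotations above to work, here is an added example (not from the original post) of a Spring MVC controller guarded with @RequiresPermissions, @RequiresRoles and @RequiresAuthentication, together with a handler that maps the AuthorizationException to HTTP 403. It assumes the AOP and advisor beans shown earlier are registered; the paths, the "admin" role and the permission strings are illustrative values, not part of the original page.

```java
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;

// Illustrative controller; the paths, "admin" role and permission strings are assumed values.
@RestController
@RequestMapping("/api")
public class SchoolController {
    // Single permission: the caller must hold "school_manage".
    @RequiresPermissions("school_manage")
    @GetMapping("/schools")
    public String listSchools() {
        return "schools";
    }

    // Logical.OR: holding either "menu_1" or "menu_2" is enough.
    @RequiresPermissions(value = {"menu_1", "menu_2"}, logical = Logical.OR)
    @GetMapping("/menu")
    public String menu() {
        return "menu";
    }

    // Logical.AND: both "menu_1" and "menu_2" are required.
    @RequiresPermissions(value = {"menu_1", "menu_2"}, logical = Logical.AND)
    @PostMapping("/menu")
    public String updateMenu() {
        return "updated";
    }

    // Annotations stack: the subject must be authenticated (not merely remembered) and hold "admin".
    // A call to another annotated method of this same bean would bypass the AOP proxy and skip its check.
    @RequiresAuthentication
    @RequiresRoles("admin")
    @DeleteMapping("/schools/{id}")
    public String deleteSchool(@PathVariable String id) {
        return "deleted " + id;
    }

    // Without a handler the AuthorizationException surfaces as HTTP 500 with a stack trace;
    // mapping it to 403 keeps denied requests explicit and visible in access logs.
    @ExceptionHandler(AuthorizationException.class)
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public String forbidden(AuthorizationException e) {
        return "forbidden";
    }
}
```

Because the check runs in the Spring AOP proxy around the controller, a denied request never reaches the method body, and the 403 response gives operators a clean signal to alert on.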