shiro多角色访问同一个url

 

shiro如何控制一个url多个角色都可以访问

/admin/** = roles[admin,partner] 这样写必须同时拥有两个角色才能访问

我们可以自定义角色验证标签。

1、首先继承RolesAuthorizationFilter，覆写isAccessAllowed方法

public class AnyRolesAuthorizationFilter extends RolesAuthorizationFilter {

@Override
public boolean isAccessAllowed(ServletRequest request,
ServletResponse response, Object mappedValue) throws IOException {

final Subject subject = getSubject(request, response);
final String[] rolesArray = (String[]) mappedValue;

if (rolesArray == null || rolesArray.length == 0) {
// no roles specified, so nothing to check - allow access.
return true;
}

for (String roleName : rolesArray) {
if (subject.hasRole(roleName)) {
return true;
}
}

return false;
}
}

 

2、注册bean

<bean
id="anyRolesAuthorizationFilter" class="com.rwy.spider.service.AnyRolesAuthorizationFilter"/>

3、声明自定义标签并使用

 

<!-- Shiro Filter -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login" />
<property name="successUrl" value="/" />
<!-- 声明自定义标签 hasAnyRoles-->
<property name="filters">
<map>
<entry key="hasAnyRoles" value-ref="anyRolesAuthorizationFilter"/>
</map>
</property>
<property name="filterChainDefinitions">
<value>
/login = anon
/logout = logout
/static/** = anon
/admin/** = roles[admin]
/system/** = hasAnyRoles[admin,partner]
/** = authc
</value>
</property>
</bean>

这样，admin、partner这两个角色就都可以访问/system路径下的url了