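Shiro supports two or three ways of performing authorization; I haven't covered them before, but you still need to know a bit about them!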
2016-12-23 22:11
Performing authorization in Shiro can be done in 3 ways:
Programmatically - You can perform authorization checks in your Java code with structures like if and else blocks.
if/else
JDK annotations - You can attach an authorization annotation to your Java methods
Annotations
JSP/GSP TagLibs - You can control JSP or GSP page output based on roles and permissions
The JSP tags seem quite practical.
URL: http://shiro.apache.org/authorization.html#Authorization-PermissionGranularity
Permission checks based on resources are more fine-grained.
Using if/else: this approach is definitely not really recommended.
```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();

if (currentUser.hasRole("administrator")) {
    //show the admin button
} else {
    //don't show the button?  Grey it out?
}
```
If the check is false, an UnauthorizedException is thrown:
```java
Subject currentUser = SecurityUtils.getSubject();

//guarantee that the current user is a bank teller and
//therefore allowed to open the account:
currentUser.checkRole("bankTeller");
openBankAccount();
```
Annotation-based Authorization (using annotations)
In addition to the Subject API calls, Shiro provides a collection of Java 5+ annotations if you prefer meta-based authorization control.
Before you can use Java annotations, you’ll need to enable AOP support in your application. There are a number of different AOP frameworks so, unfortunately, there is no standard way to enable AOP in an application.
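That is because the annotations need a corresponding interceptor to process them: AOP handles the annotations with an aspect-based approach!
Let's look at a few of the annotations below.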
```java
@RequiresAuthentication
public void updateAccount(Account userAccount) {
    //this method will only be invoked by a
    //Subject that is guaranteed authenticated
    // ... method body ...
}

// Mostly equivalent Subject-based logic:
public void updateAccount(Account userAccount) {
    if (!SecurityUtils.getSubject().isAuthenticated()) {
        throw new AuthorizationException("Subject is not authenticated");
    }

    //Subject is guaranteed authenticated here
    // ... method body ...
}
```
The RequiresGuest annotation
The RequiresGuest annotation requires the current Subject to be a “guest”, that is, they are not authenticated or remembered from a previous session for the annotated class/instance/method to be accessed or invoked.
```java
@RequiresGuest
public void signUp(User newUser) {
    //this method will only be invoked by a
    //Subject that is unknown/anonymous
    // ... method body ...
}

// Mostly equivalent Subject-based logic:
public void signUp(User newUser) {
    Subject currentUser = SecurityUtils.getSubject();
    PrincipalCollection principals = currentUser.getPrincipals();
    if (principals != null && !principals.isEmpty()) {
        //known identity - not a guest:
        throw new AuthorizationException("Subject is not a guest");
    }

    //Subject is guaranteed to be a 'guest' here
    // ... method body ...
}
```
RequiresPermissions
```java
@RequiresPermissions("account:create")
public void createAccount(Account account) {
    //this method will only be invoked by a Subject
    //that is permitted to create an account
    // ... method body ...
}

// Mostly equivalent Subject-based logic:
public void createAccount(Account account) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.isPermitted("account:create")) {
        throw new AuthorizationException("Subject lacks permission account:create");
    }

    //Subject is guaranteed to be permitted here
    // ... method body ...
}
```
RequiresRoles
```java
@RequiresRoles("administrator")
public void deleteUser(User user) {
    //this method will only be invoked by an administrator
    // ... method body ...
}

// Mostly equivalent Subject-based logic:
public void deleteUser(User user) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.hasRole("administrator")) {
        throw new AuthorizationException("Subject lacks role administrator");
    }

    //Subject is guaranteed to be an 'administrator' here
    // ... method body ...
}
```
RequiresUser
```java
@RequiresUser
public void updateAccount(Account account) {
    //this method will only be invoked by a 'user'
    //i.e. a Subject with a known identity
    // ... method body ...
}

// Mostly equivalent Subject-based logic:
public void updateAccount(Account account) {
    Subject currentUser = SecurityUtils.getSubject();
    PrincipalCollection principals = currentUser.getPrincipals();
    if (principals == null || principals.isEmpty()) {
        //no identity - they're anonymous, not allowed:
        throw new AuthorizationException("Subject has no known identity");
    }

    //Subject is guaranteed to have a known identity here
    // ... method body ...
}
```
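The point made earlier, that the annotations need an interceptor, has a practical consequence: without one, @RequiresRoles is inert metadata and the method runs unchecked. The added example below (not from the original post or the Shiro project) shows this with a JDK dynamic proxy standing in for an AOP integration; UserService, UserServiceImpl, secured and the account data are hypothetical, and shiro-core is assumed to be on the classpath.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;

public class AnnotationNeedsInterceptor {
    // Hypothetical service; annotated on the interface, since a JDK proxy sees the interface Method.
    public interface UserService {
        @RequiresRoles("administrator")
        String deleteUser(String name);
    }
    static class UserServiceImpl implements UserService {
        public String deleteUser(String name) { return "deleted " + name; }
    }
    // Stand-in for an AOP integration: read the annotation, then ask the Subject.
    static UserService secured(UserService target) {
        return (UserService) Proxy.newProxyInstance(
            UserService.class.getClassLoader(), new Class<?>[] {UserService.class},
            (proxy, method, args) -> {
                RequiresRoles rr = method.getAnnotation(RequiresRoles.class);
                if (rr != null) {
                    SecurityUtils.getSubject().checkRoles(rr.value()); // throws if a role is missing
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause(); // surface the target's own exception
                }
            });
    }

    public static void main(String[] argv) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("bob", "constructed-password", "bankTeller"); // constructed account
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        SecurityUtils.getSubject().login(new UsernamePasswordToken("bob", "constructed-password"));
        UserService plain = new UserServiceImpl();
        // Direct call: nothing reads the annotation, so the role check never runs.
        System.out.println("no interceptor: " + plain.deleteUser("carol"));
        try {
            System.out.println("proxied: " + secured(plain).deleteUser("carol"));
        } catch (AuthorizationException e) {
            System.out.println("proxied: denied, " + e.getMessage());
        }
    }
}
```

A test that calls an annotated method as a Subject without the required role, and expects an AuthorizationException, catches a deployment where the AOP wiring is missing.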
JSP tags: http://shiro.apache.org/web.html#Web-taglibrary
I'll take a closer look at these some other day.