
shiro - there are two or three supported ways to perform authorization; I didn't cover them before, but you still need to know a little about them!

2016-12-23 22:11, 351 views
Performing authorization in Shiro can be done in 3 ways:

Programmatically - You can perform authorization checks in your java code with structures like if and else blocks.

if/else

JDK annotations - You can attach an authorization annotation to your Java methods

Annotations

JSP/GSP TagLibs - You can control JSP or GSP page output based on roles and permissions

JSP tags seem quite practical.

URL: http://shiro.apache.org/authorization.html#Authorization-PermissionGranularity

Permission checks based on resources (resource:action or resource:action:instance) are finer-grained than role checks.
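The granularity described above comes from Shiro's WildcardPermission: a granted permission string implies a required one part by part, with "*" and omitted trailing parts acting as wildcards on the granted side only. The following is an added example (not code from the original post or from the Shiro docs) that exercises the implies() rule directly, without a SecurityManager, on constructed permission strings; the class and method names are my own.

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionGranularityDemo {

    // Does a permission the user holds ("granted") cover the permission an action needs ("required")?
    static boolean covers(String granted, String required) {
        Permission have = new WildcardPermission(granted);
        Permission need = new WildcardPermission(required);
        return have.implies(need);
    }

    // Constructed cases; each line states the expected result and fails loudly if Shiro disagrees.
    public static void main(String[] args) {
        // coarse: any action on any account
        check("account:*", "account:delete:1234", true);
        // resource + action level: may create accounts, may not delete them
        check("account:create", "account:create", true);
        check("account:create", "account:delete", false);
        // instance level: only account 1234 may be viewed
        check("account:view:1234", "account:view:1234", true);
        check("account:view:1234", "account:view:9999", false);
        // an omitted trailing part on the GRANTED side is a wildcard ...
        check("account:view", "account:view:9999", true);
        // ... but the REQUIRED side is taken literally: "*" / an omitted part means "all instances"
        check("account:view:1234", "account:view:*", false);
        check("account:view:1234", "account:view", false);
        // comma-separated sub-parts grant several actions at once
        check("account:view,edit", "account:edit", true);
    }

    static void check(String granted, String required, boolean expected) {
        boolean actual = covers(granted, required);
        System.out.printf("%-22s implies %-22s -> %s%n", granted, required, actual);
        if (actual != expected) {
            throw new AssertionError("unexpected result for " + granted + " / " + required);
        }
    }
}
```

The asymmetry in the middle cases is the one to remember: a realm that grants "account:view" (no instance part) silently grants every instance, so granted strings should be as long as the instances they are meant to cover.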

Using if/else: this approach is certainly not particularly recommended, since the checks end up scattered through business code.

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();

if (currentUser.hasRole("administrator")) {
    //show the admin button
} else {
    //don't show the button?  Grey it out?
}


If the check is false, an UnauthorizedException (a subclass of AuthorizationException) is thrown; the check* methods assert instead of returning a boolean, so the calling code never carries on silently.

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();
//guarantee that the current user is a bank teller and
//therefore allowed to open the account:
currentUser.checkRole("bankTeller");
openBankAccount();
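To see both programmatic styles (hasRole/isPermitted returning booleans, checkRole/checkPermission throwing) against real realm data, here is an added, self-contained example that is not part of the original post. It builds an in-memory IniRealm from constructed users and roles (plaintext passwords, demo only), logs a teller in, and shows where an UnauthorizedException is raised; the user names, passwords and permission strings are assumptions for the demo.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class ProgrammaticAuthzDemo {

    // Constructed in-memory realm: one teller, one admin. Plaintext credentials are for the demo only;
    // a real realm would use hashed passwords and a HashedCredentialsMatcher.
    static DefaultSecurityManager buildSecurityManager() {
        Ini ini = new Ini();
        // [users]  username = password, role1, role2, ...
        ini.setSectionProperty("users", "alice", "tellerpass, bankTeller");
        ini.setSectionProperty("users", "bob", "adminpass, administrator");
        // [roles]  roleName = permission1, permission2, ...
        ini.setSectionProperty("roles", "bankTeller", "account:create, account:view:*");
        ini.setSectionProperty("roles", "administrator", "*");
        return new DefaultSecurityManager(new IniRealm(ini));
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(buildSecurityManager());

        Subject currentUser = SecurityUtils.getSubject();
        currentUser.login(new UsernamePasswordToken("alice", "tellerpass"));

        // Boolean checks: suitable for deciding what to render, never for enforcing on their own.
        System.out.println("alice has bankTeller?     " + currentUser.hasRole("bankTeller"));          // true
        System.out.println("alice has administrator?  " + currentUser.hasRole("administrator"));       // false
        System.out.println("alice may account:create? " + currentUser.isPermitted("account:create"));  // true
        System.out.println("alice may account:delete? " + currentUser.isPermitted("account:delete"));  // false

        // Assertion checks: throw UnauthorizedException instead of returning false.
        currentUser.checkRole("bankTeller");   // passes silently
        try {
            currentUser.checkPermission("account:delete:42");
            System.out.println("unexpected: alice was allowed to delete");
        } catch (UnauthorizedException e) {
            System.out.println("checkPermission failed as expected: " + e.getMessage());
        }

        currentUser.logout();
    }
}
```

Run with shiro-core on the classpath (plus an SLF4J binding to silence logging warnings). The point of the try/catch is the contract: an assertion method that does not throw is a guarantee the caller can rely on, which is exactly what the annotations in the next section automate.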


Annotation-based Authorization (using annotations)

In addition to the Subject API calls, Shiro provides a collection of Java 5+ annotations if you prefer meta-based authorization control.

Before you can use Java annotations, you’ll need to enable AOP support in your application. There are a number of different AOP frameworks so, unfortunately, there is no standard way to enable AOP in an application.

This is because the annotations need a matching interceptor to process them; AOP handles the annotations with an aspect-based approach. Without that wiring the annotations are just metadata and the annotated methods run unchecked.
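One concrete way to enable that AOP support, as an added example that is not from the original post and assumes a Spring-managed application with a `SecurityManager` bean defined elsewhere: register Shiro's AuthorizationAttributeSourceAdvisor so that a proxy is created around every bean whose methods carry a Shiro annotation. The class name ShiroAnnotationConfig is my own.

```java
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;

@Configuration
public class ShiroAnnotationConfig {

    // Calls Shiro's init/destroy lifecycle methods on Shiro beans.
    @Bean
    public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    // Wraps any bean matched by an Advisor (below) in an AOP proxy.
    // proxyTargetClass=true uses CGLIB so classes without interfaces are covered too.
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public static DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator creator = new DefaultAdvisorAutoProxyCreator();
        creator.setProxyTargetClass(true);
        return creator;
    }

    // The Advisor that recognises @RequiresAuthentication, @RequiresGuest, @RequiresPermissions,
    // @RequiresRoles and @RequiresUser and runs the corresponding check before the method body.
    // The SecurityManager bean is assumed to be declared in another configuration class.
    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }
}
```

Two caveats follow from the proxy model: a method that calls another annotated method on the same object (this.deleteUser(...)) bypasses the proxy and therefore the check, and a missing or misnamed advisor bean produces no error at startup, it just leaves every annotated method open. Verify the wiring with a test that calls an annotated method as an anonymous Subject and expects an AuthorizationException.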

Let's look at a few of the annotations.

RequiresAuthentication

import org.apache.shiro.authz.annotation.RequiresAuthentication;

@RequiresAuthentication
public void updateAccount(Account userAccount) {
    //this method will only be invoked by a
    //Subject that is guaranteed authenticated
    ...
}

The equivalent programmatic check:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;

public void updateAccount(Account userAccount) {
    if (!SecurityUtils.getSubject().isAuthenticated()) {
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed authenticated here
    ...
}


The RequiresGuest annotation

The RequiresGuest annotation requires the current Subject to be a “guest”, that is, they are not authenticated or remembered from a previous session for the annotated class/instance/method to be accessed or invoked.

import org.apache.shiro.authz.annotation.RequiresGuest;

@RequiresGuest
public void signUp(User newUser) {
    //this method will only be invoked by a
    //Subject that is unknown/anonymous
    ...
}

The equivalent programmatic check:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public void signUp(User newUser) {
    Subject currentUser = SecurityUtils.getSubject();
    PrincipalCollection principals = currentUser.getPrincipals();
    if (principals != null && !principals.isEmpty()) {
        //known identity - not a guest:
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to be a 'guest' here
    ...
}


RequiresPermissions

import org.apache.shiro.authz.annotation.RequiresPermissions;

@RequiresPermissions("account:create")
public void createAccount(Account account) {
    //this method will only be invoked by a Subject
    //that is permitted to create an account
    ...
}

The equivalent programmatic check (note that the check must use the same variable the Subject was stored in, currentUser):

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;

public void createAccount(Account account) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.isPermitted("account:create")) {
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to be permitted here
    ...
}


RequiresRoles

import org.apache.shiro.authz.annotation.RequiresRoles;

@RequiresRoles("administrator")
public void deleteUser(User user) {
    //this method will only be invoked by an administrator
    ...
}

The equivalent programmatic check:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.Subject;

public void deleteUser(User user) {
    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.hasRole("administrator")) {
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to be an 'administrator' here
    ...
}


RequiresUser

import org.apache.shiro.authz.annotation.RequiresUser;

@RequiresUser
public void updateAccount(Account account) {
    //this method will only be invoked by a 'user'
    //i.e. a Subject with a known identity
    ...
}

The equivalent programmatic check (a remembered-but-not-authenticated Subject also passes, which is what distinguishes RequiresUser from RequiresAuthentication):

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public void updateAccount(Account account) {
    Subject currentUser = SecurityUtils.getSubject();
    PrincipalCollection principals = currentUser.getPrincipals();
    if (principals == null || principals.isEmpty()) {
        //no identity - they're anonymous, not allowed:
        throw new AuthorizationException(...);
    }

    //Subject is guaranteed to have a known identity here
    ...
}


JSP tags: http://shiro.apache.org/web.html#Web-taglibrary (these only control what the page renders; the server-side method or URL still needs its own check, or hiding a button is the only protection).

I'll take a closer look at them some day.