spring整合shiro自定义shiro授权filter


/**
 * Shiro authorization filter that grants access when the subject holds ANY of the roles
 * configured for the matched path, instead of requiring every listed role.
 *
 * <p>The class name is kept as-is because the Spring configuration refers to it by its
 * fully qualified name.
 */
public class roleOrFilter extends AuthorizationFilter {

    /**
     * Decides whether the current subject may pass, using a logical OR over the configured roles.
     *
     * <p>Security note: a {@code null} mapped value is treated as "no restriction" and the
     * request is allowed without any role check. Presumably this is what a chain entry gets
     * when it names this filter without a bracketed role list; confirm against the Shiro
     * version in use, and always list roles explicitly on paths that must be restricted.
     * An empty (non-null) array denies access, because no role can match.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the outgoing response
     * @param o the roles configured for this path; cast to {@code String[]}
     * @return {@code true} if {@code o} is {@code null} or the subject has at least one of the
     *     listed roles, {@code false} otherwise
     * @throws Exception declared by the overridden method
     */
    @Override
    protected boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object o) throws Exception {
        // Resolve the subject bound to this request before looking at the configuration.
        Subject currentUser = getSubject(servletRequest, servletResponse);
        String[] allowedRoles = (String[]) o;

        // No role list configured: fail-open by design of the original author.
        if (allowedRoles == null) {
            return true;
        }

        // Stop at the first role the subject holds; one match is enough.
        boolean granted = false;
        for (int i = 0; i < allowedRoles.length && !granted; i++) {
            granted = currentUser.hasRole(allowedRoles[i]);
        }
        return granted;
    }
}

在 Spring 主配置文件中,Shiro 自带的 roles["user","admin"] 授权 filter 要求主体同时拥有列出的所有角色(&& 关系),所以需要自定义 filter,使主体只要拥有其中任意一个角色就可以访问。

红色字体是需要添加的部分

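<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/mvc
           http://www.springframework.org/schema/mvc/spring-mvc.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context.xsd
           http://www.springframework.org/schema/aop
           http://www.springframework.org/schema/aop/spring-aop.xsd
           ">

    <import resource="spring-dao.xml"/>
    <context:component-scan base-package="com.imooc"/>

    <!-- SqlSessionFactory used by the DAO layer -->
    <bean id="sqlSessionFactory" class="org.mybatis.spring.SqlSessionFactoryBean">
        <property name="dataSource" ref="dataSource"/>
        <!-- Scan the POJO package and register a type alias for each class in it -->
        <property name="typeAliasesPackage" value="com.heng.domain"/>
    </bean>

    <!-- Scan the package holding the mapper interfaces, create a proxy for each one
         and hand it to the IoC container -->
    <bean id="mapperScanner" class="org.mybatis.spring.mapper.MapperScannerConfigurer">
        <property name="basePackage" value="com.imooc.dao"/>
    </bean>

    <!-- Shiro web filter: URL-to-filter mapping plus registration of the custom roleOr filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager"/>
        <property name="loginUrl" value="login.html"/>
        <property name="unauthorizedUrl" value="403.html"/>
        <!-- One definition per line; the first matching pattern wins, so order matters.
             roles[...] requires ALL listed roles; roleOr[...] (custom) requires ANY one of them.
             NOTE(review): in Shiro's Ant-style matching a single * does not cross a path
             separator, so the final catch-all below covers only one path level. Nested paths
             are not matched by it; a catch-all for every path is normally written with a
             double asterisk. Left unchanged here because widening it changes which requests
             require login. Verify against the application's URL layout. -->
        <property name="filterChainDefinitions">
            <value>
                /login.html = anon
                /login.jsp = anon
                /subLogin.do = anon
                /bbb.do = roles["admin","admin1"]
                /ccc.do = roleOr["admin","admin1"]
                /pages/* = anon
                /* = authc
            </value>
        </property>
        <!-- Register the custom filter under the name used in the chain definitions above -->
        <property name="filters">
            <map>
                <entry key="roleOr" value-ref="roleOrFilter"/>
            </map>
        </property>
    </bean>

    <!-- Custom filter bean -->
    <bean id="roleOrFilter" class="com.imooc.filter.roleOrFilter"></bean>

    <!-- Create the SecurityManager -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="realm"/>
    </bean>

    <!-- Custom realm -->
    <bean id="realm" class="com.imooc.realm.CustomRealm">
        <property name="credentialsMatcher" ref="credentialsMatcher"/>
    </bean>

    <!-- Credential hashing.
         NOTE(review): MD5 with a single iteration is cheap to brute-force and is not suitable
         for storing passwords. Prefer a deliberately slow password hash, or at minimum a
         stronger digest with a per-user salt and a high iteration count. Whether a salt is
         applied depends on the realm, which is not shown here. Values are left unchanged
         because switching algorithms requires re-hashing the stored credentials. -->
    <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="md5"/>
        <property name="hashIterations" value="1"/>
    </bean>
</beans>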


转载自www.cnblogs.com/bozhengheng/p/12629968.html