How Shiro @RequiresPermissions works

Others 2021-03-29 13:20:56 views: null

Refer to the blog post: https://blog.csdn.net/medelia/article/details/86692521

Recently, the SpringBoot project security strategy is to use the more popular shiro framework. It is the first springBoot project I have done, and it is also the first time to use shiro.

Not much nonsense, the framework was designed by the company's boss:

Insert picture description here

 Added RequiresPermissions to the view log method. Then only when the user has the sys:log:content string can access this method.
So how do you know that the user owns this string? ? ? ? ?

I must define a method myself

Insert picture description here

 

Inherit the abstract method org.apache.shiro.realm.AuthorizingRealm to implement its abstract class doGetAuthorizationInfo method; in this way, the framework will get the list of user permissions. . .

After that org.apache.shiro.realm.AuthorizingRealm

Insert picture description here

Finding this method implies is the core of shiro permission verification: pay attention to the learning and use of containsAll, refer to: https://blog.csdn.net/baidu_15113429/article/details/53198625

 Insert picture description here

 

This code feels that thinking is really not what I can think of. . . Although it seems very simple, if you are interested, you can debug and follow along.

In addition, shiro generally uses its login authentication (Authentication) and authorization verification (Authorization) 2 words are very similar. . . Login authentication is abbreviated as authc and authorization verification is abbreviated as authz.

Supplement: Since the source code will split the permissions in the @RequiresPermissions("") annotation on the method, the ones that include: will be split to generate a set<String> collection, so when carrying out containsAll(), if the user has a permission There is no a:b permission, but @RequiresPermissions("a:b") above the called method will call this method; and we want to call this method only if we have a:b permission. Therefore, instead of:, use the form of. To write the unique code value of the permission.

 if (!part.contains(WILDCARD_TOKEN) && !part.containsAll(otherPart)) {
                    return false;
                }

Two: In addition, add the use of or and and:

//Meet the index:hello permission requirements
@ RequiresPermissions ("index:hello")
 
//You must check the index:hello and index:world permission requirements at the same time
@ RequiresPermissions ({"index:hello","index:world"})
 
// Meet the index:hello or index:world permission requirements
@RequiresPermissions(value={"index:hello","index:world"},logical=Logical.OR)

 

Guess you like

Origin blog.csdn.net/zhangleiyes123/article/details/109044198
Recommended
Ranking
Opencv header files and Tips
Should you be afraid of artificial intelligence?
Getting Started with RabbitMQ
Banana Pi BPI-PicoW-S3 development board adopts Espressif ESP32-S3 design, compatible with Raspberry Pi Pico. Support ardduino and microPython development environment
Insert image in GitHub README.md
leetcode-database-175. Combine two tables-use left join to solve.
Problems caused by different Content-types in HTTP.
クラウド ネイティブ アプリケーションのリスクの概要
netty essay
A, Linux the hard disk partition: root partition (/) swap (/ the swap) and / boot partition
Daily
More
2024-04-18(0)
2024-04-17(31)
2024-04-16(23)
2024-04-15(5)
2024-04-14(0)
2024-04-13(18)
2024-04-12(5)
2024-04-11(0)
2024-04-10(1)
2024-04-09(0)

Code World

© 2018 codetd.com