How Shiro @RequiresPermissions works

Refer to the blog post:

Recently, the SpringBoot project security strategy is to use the more popular shiro framework. It is the first springBoot project I have done, and it is also the first time to use shiro.

Not much nonsense, the framework was designed by the company's boss:

Insert picture description here

 Added RequiresPermissions to the view log method. Then only when the user has the sys:log:content string can access this method.
So how do you know that the user owns this string? ? ? ? ?

I must define a method myself

Insert picture description here


Inherit the abstract method org.apache.shiro.realm.AuthorizingRealm to implement its abstract class doGetAuthorizationInfo method; in this way, the framework will get the list of user permissions. . .

After that org.apache.shiro.realm.AuthorizingRealm

Insert picture description here

Finding this method implies is the core of shiro permission verification: pay attention to the learning and use of containsAll, refer to:

 Insert picture description here


This code feels that thinking is really not what I can think of. . . Although it seems very simple, if you are interested, you can debug and follow along.

In addition, shiro generally uses its login authentication (Authentication) and authorization verification (Authorization) 2 words are very similar. . . Login authentication is abbreviated as authc and authorization verification is abbreviated as authz.

Supplement: Since the source code will split the permissions in the @RequiresPermissions("") annotation on the method, the ones that include: will be split to generate a set<String> collection, so when carrying out containsAll(), if the user has a permission There is no a:b permission, but @RequiresPermissions("a:b") above the called method will call this method; and we want to call this method only if we have a:b permission. Therefore, instead of:, use the form of. To write the unique code value of the permission.

 if (!part.contains(WILDCARD_TOKEN) && !part.containsAll(otherPart)) {
                    return false;

Two: In addition, add the use of or and and:

//Meet the index:hello permission requirements
@ RequiresPermissions ("index:hello")
//You must check the index:hello and index:world permission requirements at the same time
@ RequiresPermissions ({"index:hello","index:world"})
// Meet the index:hello or index:world permission requirements


Guess you like