Access control is the core of things shiro
Shiro permission notice usually use a colon-separated expressions. A rights expression can clearly specify the type of resource, allowing the operation to access the data. Meanwhile, Shiro rights expression supports simple wildcards can be more flexible permission settings.
The following example to illustrate the rights to expression.
Can query the user data
User: view
can query or edit the user data
User: view, edit
can perform all the operations of the user data
User: * or a user
may edit the user data 123 id
User: edit: 123
@ RequiresAuthentication
be user classes / properties / methods for indicating the current user is a certified user needs.
Before using this annotation, the spring-mvc.xml need a piece of code (the first must be written xml loaded, the write back loaded xml also ineffective)
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor" />
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
1
2
3
4
5
lifecycleBeanPostProcessor和securityManager是在shiro配置文件中定义好的:
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"></bean>
<-! Shiro Security Manager ->
<bean the above mentioned id = "securityManager" class = "org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<Property name = "realm" ref = "JDBCRealm"> </ Property >
<Property name = "CacheManager" REF = "CacheManager"> </ Property>
</ the bean>
write permission rights management at the front end of the string
on the inside method contraller write annotations, the front end of the corresponding brackets permission character string is
so that it can control the authenticated user permissions