本文共 6118 字，大约阅读时间需要 20 分钟。

一.shiro授权

1.1.概念

1.2.角色访问控制

控制那些角色可以进行访问，.ini文件配置如下:

[users]hly = 123,role1,role2abc = 123,role1

用户hly拥有角色role1,role2，所验证的代码如下

@Test    public  void testHasRole(){        iniConfig("classpath:shiro/authorization/shiro-role.ini","hly","123");        Assert.assertTrue(subject().hasRole("role1"));        Assert.assertTrue(subject().hasAllRoles(Arrays.asList("role1", "role2")));        boolean [] result = subject().hasRoles(Arrays.asList("role1","role2","role3"));        Assert.assertEquals(true,result[0]);        Assert.assertEquals(true,result[1]);        Assert.assertEquals(false,result[2]);    }

根据hasRole,hasAllRoles等方法可以判断用户是否拥有相关的权限。

1.3.资源访问控制

控制用户可以进行的相关操作，如CRUD等.

.ini文件配置主体和角色所拥有的权限，如下，具体配置方法如思维导图所示.

[users]hly = 123,role1,role2abc = 123,role1[roles]role1 = user:create,user:updaterole2 = user:create,user:delete

接下来，我们可以用isPermitted,isPermittedAll等方法对主体所拥有的权限进行测试，如下:

@Test    public void testPermission(){        iniConfig("classpath:shiro/authorization/shiro-permission.ini","hly","123");        Assert.assertTrue(subject().isPermitted("user:create"));        Assert.assertTrue(subject().isPermittedAll("user:create","user:delete"));        Assert.assertFalse(subject().isPermitted("user:view"));    }

1.4.自定义授权规则

自定义授权.ini文件配置

[main]#自定义authorizerauthorizer=org.apache.shiro.authz.ModularRealmAuthorizer#自定义permissionResolver#permissionResolver=org.apache.shiro.authz.permission.WildcardPermissionResolverpermissionResolver=com.hly.shiro.authorization.BitAndWildPermissionResolver#解析权限字符串到 Permission 实例authorizer.permissionResolver=$permissionResolver#自定义rolePermissionResolverrolePermissionResolver=com.hly.shiro.authorization.MyRolePermissionResolver#根据角色解析相应的权限集合authorizer.rolePermissionResolver=$rolePermissionResolver#进行授权控制securityManager.authorizer=$authorizer#自定义realm 一定要放在securityManager.authorizer赋值之后（因为调用setRealms会将realms设置给authorizer，并给各个Realm设置permissionResolver和rolePermissionResolver）realm=com.hly.shiro.realm.MyRealmsecurityManager.realms=$realm

1.解析权限字符串到 Permission 实例,得到相应配置规则的字符串。

permissionResolver=com.hly.shiro.authorization.BitAndWildPermissionResolver#解析权限字符串到 Permission 实例authorizer.permissionResolver=$permissionResolver

如配置中的BitAndWildPermissionResolver，BitPermission为自定义匹配方法，WildcardPermission为默认通配符匹配。

public class BitAndWildPermissionResolver implements PermissionResolver {    @Override    //“+” 开头来解析权限字符串为 BitPermission 或 WildcardPermission。    public Permission resolvePermission(String permissionString) {        if(permissionString.startsWith("+")){            return new BitPermission(permissionString);        }        return new WildcardPermission(permissionString);    }}

2.根据角色解析相应的权限集合，判断角色是否拥有相应的权限，在自定义realm中，如果添加了role1角色，则可匹配memu:*。

#自定义rolePermissionResolverrolePermissionResolver=com.hly.shiro.authorization.MyRolePermissionResolver#根据角色解析相应的权限集合authorizer.rolePermissionResolver=$rolePermissionResolver

public class MyRolePermissionResolver implements RolePermissionResolver {    @Override    public Collection
   
     resolvePermissionsInRole(String roleString) {      if("role1".equals(roleString)){          return Arrays.asList((Permission) new WildcardPermission("menu:*"));      }        return null;    }}
   

3.自定义realm,AuthorizationInfo进行授权和添加角色，AuthenticationInfo进行身份验证.

package com.hly.shiro.realm;import com.hly.shiro.authorization.BitPermission;import org.apache.shiro.authc.*;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.authz.permission.WildcardPermission;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;/** * @author :hly * @github :github.com/SiriusHly * @blog :blog.csdn.net/Sirius_hly * @date :2018/9/3 *//** * 自定义Realm */public class MyRealm extends AuthorizingRealm {    @Override    //表示根据用户身份获取授权信息    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {        SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();        //添加角色        authorizationInfo.addRole("role1");        authorizationInfo.addRole("role2");        //添加权限        authorizationInfo.addObjectPermission(new BitPermission("+user1+10+1+1"));        authorizationInfo.addObjectPermission(new BitPermission("+user1+4"));        authorizationInfo.addObjectPermission(new BitPermission("+user1+2"));        authorizationInfo.addObjectPermission(new BitPermission("+user1+8"));        authorizationInfo.addObjectPermission(new WildcardPermission("user1:*"));        authorizationInfo.addStringPermission("+user2+10");        authorizationInfo.addStringPermission("user2:*");        return authorizationInfo;    }    @Override    //表示获取身份验证信息    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {        String username = (String)authenticationToken.getPrincipal();//用户名        String password = new String((char[])authenticationToken.getCredentials());//密码        if(!"hly".equals(username)) {            throw new UnknownAccountException(); //如果用户名错误        }        if(!"123".equals(password)) {            throw new IncorrectCredentialsException(); //如果密码错误        }        //如果身份认证验证成功，返回一个AuthenticationInfo实现；        return new SimpleAuthenticationInfo(username, password, getName());            }}

4.进行权限测试

@Test    public void testAuthorizerTest(){        iniConfig("classpath:shiro/authorization/shiro-authorizer.ini","hly","123");        //判断拥有权限        Assert.assertTrue(subject().hasRole("role1"));        Assert.assertTrue(subject().hasRole("role2"));        Assert.assertTrue(subject().isPermitted("user1:delete"));        Assert.assertTrue(subject().isPermitted("user2:view"));        Assert.assertTrue(subject().isPermitted("+user1+2"));        Assert.assertTrue(subject().isPermitted("+user1+8"));        Assert.assertTrue(subject().isPermitted("+user2+10"));        Assert.assertTrue(subject().isPermitted("+user1+10+1+1"));        Assert.assertTrue(subject().isPermitted("+user1+4"));        Assert.assertTrue(subject().isPermitted("menu:view"));    }

以上完整代码可在笔者中找到，参考。