@RequiresPermissions 生效

最新推荐文章于 2023-04-24 17:13:12 发布

原创最新推荐文章于 2023-04-24 17:13:12 发布 · 297 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#shiro

工作问题专栏收录该内容

18 篇文章

订阅专栏

本文深入探讨了Apache Shiro框架中@RequiresPermissions注解的工作原理。通过源码解析，展示了该注解如何实现不同逻辑（AND、OR）下的权限验证过程。针对单一权限和多个权限的不同场景，提供了详细的实现步骤。

@RequiresPermissions 生效

org.apache.shiro.authz.aopPermissionAnnotationHandler


    public void assertAuthorized(Annotation a) throws AuthorizationException {
        if (!(a instanceof RequiresPermissions)) return;

        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        String[] perms = getAnnotationValue(a);
        Subject subject = getSubject();

        if (perms.length == 1) {
            subject.checkPermission(perms[0]);
            return;
        }
        if (Logical.AND.equals(rpAnnotation.logical())) {
            getSubject().checkPermissions(perms);
            return;
        }
        if (Logical.OR.equals(rpAnnotation.logical())) {
            // Avoid processing exceptions unnecessarily - "delay" throwing the exception by calling hasRole first
            boolean hasAtLeastOnePermission = false;
            for (String permission : perms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission = true;
            // Cause the exception if none of the role match, note that the exception message will be a bit misleading
            if (!hasAtLeastOnePermission) getSubject().checkPermission(perms[0]);
            
        }
    }

    protected String[] getAnnotationValue(Annotation a) {
        RequiresPermissions rpAnnotation = (RequiresPermissions) a;
        return rpAnnotation.value();
    }