Shiro授权实践与注解式开发解析-优快云博客

本文链接：https://blog.youkuaiyun.com/qq_65345936/article/details/126550327

本文详细介绍了Shiro的授权过程，包括在Mapper和服务层的实现，以及授权方法的设置。通过示例代码展示了如何进行角色和权限查询。接着，文章转向注解式开发，讲解了Shiro的授权注解如@RequiresAuthentication、@RequiresUser、@RequiresRoles和@RequiresPermissions的使用，并给出了SpringMVC中添加拦截器的配置说明。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

一、shiro授权角色、权限

1.1、Shiro授权步骤

1.1.1Mapper层、service层

一、shiro授权角色、权限

授角色：用户具备哪些角色

SELECT roleid from t_shiro_user u,t_shiro_user_role ur
where u.userid = ur.userid and u.username = 'zs'

授权限：用户具备哪些权限:

SELECT rp.perid from t_shiro_user u, t_shiro_user_role ur,t_shiro_role_permission rp
where u.userid = ur.userid and ur.roleid= rp.roleid and u.username = 'ls'

1.1、Shiro授权步骤

1.1.1Mapper层、service层

UserMapper.xml

<select id="selelctRoleIdsByUserName" resultType="java.lang.String" parameterType="java.lang.String">
  select roleid from t_shiro_user u,t_shiro_user_role ur
    where u.userid = ur.userid and  u.username = #{userName}
</select>

  <select id="selelctPerIdsByUserName" resultType="java.lang.String" parameterType="java.lang.String">
  select rp.perid from t_shiro_user u,t_shiro_user_role ur,t_shiro_role_permission rp
  where u.userid = ur.userid and ur.roleid = rp.roleid and u.username = #{userName}
</select>

UserMapper

package com.zwc.ssm.mapper;

import com.zwc.ssm.model.User;
import org.apache.ibatis.annotations.Param;
import org.springframework.stereotype.Repository;

import java.util.Set;

@Repository
public interface UserMapper {
    int deleteByPrimaryKey(Integer userid);

    int insert(User record);

    int insertSelective(User record);

    User selectByPrimaryKey(Integer userid);
    //通过 账户名 查询用户信息
    User queryUserByUserName(@Param("userName") String userName);

    //通过 账户名 查询对应的角色信息
     Set<String> selelctRoleIdsByUserName(@Param("userName") String userName);

     //通过 账户名 查询对应的权限信息
     Set<String> selelctPerIdsByUserName(@Param("userName") String userName);

    int updateByPrimaryKeySelective(User record);

    int updateByPrimaryKey(User record);
}

UserBiz：

package com.zwc.ssm.biz;

import com.zwc.ssm.model.User;

import java.util.Set;

public interface UserBiz {
    int deleteByPrimaryKey(Integer userid);

    int insert(User record);

    int insertSelective(User record);

    User selectByPrimaryKey(Integer userid);

    User queryUserByUserName(String userName);

    int updateByPrimaryKeySelective(User record);

    int updateByPrimaryKey(User record);

    //通过 账户名 查询对应的角色信息
    Set<String> selelctRoleIdsByUserName(String userName);

    //通过 账户名 查询对应的权限信息
    Set<String> selelctPerIdsByUserName(String userName);
}

UserBizImpl:

package com.zwc.ssm.biz.impl;

import com.zwc.ssm.biz.UserBiz;
import com.zwc.ssm.mapper.UserMapper;
import com.zwc.ssm.model.User;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import java.util.Set;

/**
 * @authorzwc
 * @site www.javazwc.com
 * @company xxx公司
 * @create  2022-08-25 15:57
 */
@Service("userBiz")
public class UserBizImpl implements UserBiz {
    @Autowired
    private UserMapper userMapper;

    @Override
    public int deleteByPrimaryKey(Integer userid) {
        return userMapper.deleteByPrimaryKey(userid);
    }

    @Override
    public int insert(User record) {
        return userMapper.insert(record);
    }

    @Override
    public int insertSelective(User record) {
        return userMapper.insertSelective(record);
    }

    @Override
    public User selectByPrimaryKey(Integer userid) {
        return userMapper.selectByPrimaryKey(userid);
    }

    @Override
    public User queryUserByUserName(String userName) {
        return userMapper.queryUserByUserName(userName);
    }

    @Override
    public int updateByPrimaryKeySelective(User record) {
        return userMapper.updateByPrimaryKeySelective(record);
    }

    @Override
    public int updateByPrimaryKey(User record) {
        return userMapper.updateByPrimaryKey(record);
    }

    @Override
    public Set<String> selelctRoleIdsByUserName(String userName) {
        return userMapper.selelctRoleIdsByUserName(userName);
    }

    @Override
    public Set<String> selelctPerIdsByUserName(String userName) {
        return userMapper.selelctPerIdsByUserName(userName);
    }
}

1.1.2、shiro的授权的方法

/**
     * 授权
     * @param principals
     * @return
     * 这个方法替代了shiro-web.ini
     * 菜单
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//       获取账户名
        String userName = principals.getPrimaryPrincipal().toString();
//        查询对应的角色
        Set<String> role = userBiz.selelctRoleIdsByUserName(userName);
//        查询用户对应的权限
        Set<String> per = userBiz.selelctPerIdsByUserName(userName);
//       拿到授权器
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
//         将当前的登录的权限交给shiro授权器
        info.setStringPermissions(per);
//        将当前的登录的角色交给shiro授权器
        info.setRoles(role);
        return info;
    }

applicationContext-shiro.xml配置文件中，对我们角色进行修改因为我们sql查询出来的是id

如下图所示

1.1.3、测试

输入zs和123

点击用户增加，没有该权限

输入账号zdm、123

二、注解式开发

常用注解介绍：

@RequiresAuthenthentication:表示当前Subject已经通过login进行身份验证;即 Subject.isAuthenticated()返回 true
@RequiresUser:表示当前Subject已经身份验证或者通过记住我登录的
@RequiresGuest:表示当前Subject没有身份验证或者通过记住我登录过，即是游客身份
@RequiresRoles(value = {"admin","user"},logical = Logical.AND):表示当前Subject需要角色admin和user
@RequiresPermissions(value = {"user:delete","user:b"},logical = Logical.OR):表示当前Subject需要权限user:delete或者user:b

今天只用如下两个注解

@RequiresRoles(value = {"admin","user"},logical = Logical.AND):表示当前Subject需要角色admin和user
@RequiresPermissions(value = {"user:delete","user:b"},logical = Logical.OR):表示当前Subject需要权限user:delete或者user:b

Springmvc-servlet.xml

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor">
    <property name="proxyTargetClass" value="true"></property>
</bean>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>

<bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
    <property name="exceptionMappings">
        <props>
            <prop key="org.apache.shiro.authz.UnauthorizedException">
                unauthorized
            </prop>
        </props>
    </property>
    <property name="defaultErrorView" value="unauthorized"/>
</bean>

ShiroController:

将对应注解添加到制定需要权限控制的方法上
身份认证：RequiresUser
角色认证：RequiresRoles
权限认证：RequiresPermissions

package com.zwc.ssm.controller;

import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

import javax.servlet.http.HttpServletRequest;

/**
 * @authorzwc
 * @site www.javazwc.com
 * @company xxx公司
 * @create  2022-08-26 20:30
 */
@RequestMapping("/shiro")
@Controller
public class ShiroController {

//    RequiresUser代表当前方法只有登录后才能访问
    @RequiresUser
    @RequestMapping("/passUser")
    public String passUser(HttpServletRequest request){
        System.out.println("身份认证通过....");
        return "admin/addUser";
    }

    @RequiresRoles(value = {"1","4"},logical = Logical.AND)
    @RequestMapping("/passRole")
    public String passRole(HttpServletRequest request){
        System.out.println("角色认证通过....");
        return "admin/listUser";
    }

    @RequiresPermissions(value = {"2"},logical = Logical.AND)
    @RequestMapping("/passPer")
    public String passPer(HttpServletRequest request){
        System.out.println("权限认证通过....");
        return "admin/resetPwd";
    }

  

}