Shiro Custom Role Authentication

Reposted; the original blog post is at: https://ailongni.iteye.com/blog/2086022

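In Shiro's filterChainDefinitions, the roles filter uses AND semantics by default:
/** = user,roles[system,general]
For example, roles[system,general] means the subject must hold both the "system" and the "general" role to pass the check.
To accept either role, define a custom filter that extends AuthorizationFilter: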

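package com.jianfei.p.web.common;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

public class RolesAuthorizationFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) throws Exception {
        Subject subject = getSubject(request, response);
        // Roles listed in the brackets of the chain definition, e.g. anyRoles[system,general]
        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {
            // no roles specified, so nothing to check - allow access.
            return true;
        }

        // OR semantics: holding any one of the listed roles is enough
        for (int i = 0; i < rolesArray.length; i++) {
            if (subject.hasRole(rolesArray[i])) {
                return true;
            }
        }
        return false;
    }
}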

Shiro filter XML configuration:

<!-- Shiro Filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login" />
        <property name="successUrl" value="/success" />
        <property name="filters">
            <map>
                <entry key="anyRoles" value-ref="anyRoles"/>
            </map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                /login = authc
                /login/logout = anon
                / = anon
                /XXX/** = user,anyRoles[system,general]
                /TTT = roles[system]
                /** = user
            </value>
        </property>
    </bean>

    <!-- Custom roles filter -->
    <bean id="anyRoles" class="com.jianfei.p.web.common.RolesAuthorizationFilter" />

Note: in /XXX/** = user,anyRoles[system,general], the filter name "anyRoles" must be the same as the key in

  <entry key="anyRoles" value-ref="anyRoles"/>

otherwise the filter will not take effect.
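
To compare the two semantics outside a web container, the added example below (not part of the original post) logs four constructed accounts into Shiro's in-memory SimpleAccountRealm and runs both the all-of check described for roles[...] and the any-of loop used by the custom filter. The class name AnyRolesDemo, the helpers allRoles and anyRole, and the accounts and passwords are assumptions made for the illustration.

```java
import java.util.Arrays;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

// Added illustration: class, helper names and accounts are hypothetical.
public class AnyRolesDemo {

    // All-of check, the behaviour the page describes for roles[system,general].
    static boolean allRoles(Subject subject, String... roles) {
        if (roles == null || roles.length == 0) {
            return true;
        }
        return subject.hasAllRoles(Arrays.asList(roles));
    }

    // Any-of check, the same loop as the custom filter's isAccessAllowed.
    static boolean anyRole(Subject subject, String... roles) {
        if (roles == null || roles.length == 0) {
            return true; // mirrors the filter: an empty role list allows access
        }
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample accounts held in memory (username, password, roles).
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "pw-alice", "system");
        realm.addAccount("bob", "pw-bob", "general");
        realm.addAccount("carol", "pw-carol", "system", "general");
        realm.addAccount("dave", "pw-dave", "guest");
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);

        String[] required = {"system", "general"};
        for (String user : new String[] {"alice", "bob", "carol", "dave"}) {
            Subject subject = new Subject.Builder(securityManager).buildSubject();
            subject.login(new UsernamePasswordToken(user, "pw-" + user));
            System.out.printf("%-5s all-of=%-5b any-of=%b%n", user,
                    allRoles(subject, required), anyRole(subject, required));
            subject.logout();
        }
    }
}
```

Only carol passes the all-of check, while alice, bob and carol pass the any-of check and dave passes neither. A chain entry written as plain anyRoles with no bracketed roles reaches the empty-list branch and admits every subject that passed the preceding user filter.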
