How to implement annotation-based authorization in the service layer with Shiro

2024-11-11 10:33:17

In terms of usage, annotation-based authorization in the controller layer and in the service layer does not differ at all: the service layer uses the same annotations as the controller layer.

1. Create a service interface and its implementation class:

    // IEmpService.java
    package com.gwolf.service;

    public interface IEmpService {
        public void add();
        public void remove();
        public void edit();
        public void list();
    }

    // EmpServiceImpl.java
    package com.gwolf.service.impl;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.stereotype.Service;

    import com.gwolf.service.IEmpService;

    @Service
    public class EmpServiceImpl implements IEmpService {
        private Logger log = LoggerFactory.getLogger(EmpServiceImpl.class);

        @Override
        public void add() {
            log.info("--------------add()----------");
        }

        @Override
        public void remove() {
            log.info("--------------remove()----------");
        }

        @Override
        public void edit() {
            log.info("--------------edit()----------");
        }

        @Override
        public void list() {
            log.info("--------------list()----------");
        }
    }


2. Modify the controller layer: inject the service object and simulate calls to it:

    package com.gwolf.action;

    import javax.annotation.Resource;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.servlet.ModelAndView;

    import com.gwolf.service.IEmpService;

    @Controller
    @RequestMapping("/pages/emp/*")
    public class EmpAction {
        private Logger log = LoggerFactory.getLogger(EmpAction.class);

        // Injected service bean; the authorization checks run when its methods are called
        @Resource
        private IEmpService empService;

        @RequestMapping("add")
        public ModelAndView add() {
            this.empService.add();
            return null;
        }

        @RequestMapping("edit")
        public ModelAndView edit() {
            this.empService.edit();
            return null;
        }

        @RequestMapping("remove")
        public ModelAndView remove() {
            this.empService.remove();
            return null;
        }

        @RequestMapping("list")
        public ModelAndView list() {
            this.empService.list();
            return null;
        }
    }


3. Add the corresponding annotation to each method:

    package com.gwolf.service.impl;

    import org.apache.shiro.authz.annotation.RequiresAuthentication;
    import org.apache.shiro.authz.annotation.RequiresGuest;
    import org.apache.shiro.authz.annotation.RequiresPermissions;
    import org.apache.shiro.authz.annotation.RequiresRoles;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.stereotype.Service;

    import com.gwolf.service.IEmpService;

    @Service  // kept from step 1 so the bean is still registered for injection
    public class EmpServiceImpl implements IEmpService {
        private Logger log = LoggerFactory.getLogger(EmpServiceImpl.class);

        // The subject must have authenticated during the current session
        @RequiresAuthentication
        @Override
        public void add() {
            log.info("--------------add()----------");
        }

        // The subject must hold both the "member" and the "dept" role
        @RequiresRoles(value = {"member", "dept"})
        @Override
        public void remove() {
            log.info("--------------remove()----------");
        }

        // Only a guest (a subject with no known identity) may call this method
        @RequiresGuest
        @Override
        public void edit() {
            log.info("--------------edit()----------");
        }

        // The subject must hold both the "emp:list" and the "member:list" permission
        @RequiresPermissions(value = {"emp:list", "member:list"})
        @Override
        public void list() {
            log.info("--------------list()----------");
        }
    }


4. For the annotations on the service layer to take effect, modify applicationContext.xml and add the following configuration:

    <!-- Enable Shiro's annotation-based verification -->
    <bean id="serviceDefaultAdvisorAutoProxyCreator"
          class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor">
        <property name="proxyTargetClass" value="true"></property>
    </bean>

    <!-- AOP handling for the security manager -->
    <bean id="serviceAuthorizationAttributeSourceAdvisor"
          class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"></property>
    </bean>

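5. The values configured through annotations are all combined with AND semantics, because in normal development one operation method corresponds to only one permission or one role.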

6. Roles and permissions can be mixed in the annotation configuration:

    @RequiresRoles(value = "member")
    @RequiresPermissions("member:list")
    @Override
    public void remove() {
        log.info("--------------remove()----------");
    }


7. Shiro's checking mechanism for this kind of authorization takes a wide range of requirements into account.
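What steps 4 and 5 mean in practice, as an added example that is not code from the original page: the same annotated service method is called once directly and once through a proxy carrying Shiro's AuthorizationAttributeSourceAdvisor, for a user holding one of the two required permissions and for a user holding both. Only the proxied call is subject to the check, which is why an annotated service without the AOP configuration enforces nothing. Assumptions: the class name ServiceAnnotationCheck, the cut-down EmpService interface, and the users, roles and password in the in-memory IniRealm are constructed for illustration; the advisor is wired by hand with Spring's ProxyFactory instead of DefaultAdvisorAutoProxyCreator; shiro-core, shiro-spring and spring-aop are on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.springframework.aop.framework.ProxyFactory;

public class ServiceAnnotationCheck {               // hypothetical demo class
    public interface EmpService { void list(); }    // cut-down stand-in for IEmpService

    public static class EmpServiceImpl implements EmpService {
        @RequiresPermissions({"emp:list", "member:list"})   // both are required (AND)
        @Override public void list() { }
    }

    /** Returns true if the call completed, false if Shiro rejected it. */
    static boolean allowed(EmpService service) {
        try { service.list(); return true; }
        catch (AuthorizationException e) { return false; }
    }

    public static void main(String[] args) {
        // Constructed sample realm: alice holds only one of the two permissions, bob both.
        Ini ini = new Ini();
        ini.load("[users]\nalice = secret, clerk\nbob = secret, manager\n"
               + "[roles]\nclerk = emp:list\nmanager = emp:list, member:list\n");
        DefaultSecurityManager sm = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(sm);

        // Same advisor class as in applicationContext.xml, attached to one bean by hand.
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(sm);
        EmpService raw = new EmpServiceImpl();
        ProxyFactory pf = new ProxyFactory(raw);
        pf.addAdvisor(advisor);
        EmpService proxied = (EmpService) pf.getProxy();

        for (String user : new String[] {"alice", "bob"}) {
            Subject subject = new Subject.Builder(sm).buildSubject();
            subject.login(new UsernamePasswordToken(user, "secret"));
            ThreadContext.bind(subject);             // what the Shiro filter does per request
            System.out.printf("%s raw=%b proxied=%b%n", user, allowed(raw), allowed(proxied));
            ThreadContext.unbindSubject();
        }
    }
}
```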
