//用於授權
//Authorization 授權的意思
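/**
 * Authorization callback: builds the permission set Shiro consults for
 * {@code @RequiresPermissions} / {@code isPermitted} checks on this subject.
 *
 * @param principals the authenticated subject's principals; the primary principal is expected to be
 *                   the {@code ActiveUser} placed into {@code SimpleAuthenticationInfo} at login time
 * @return the subject's string permissions (the {@code percode} values from the database); an info
 *         object holding NO permissions - i.e. deny everything - when the principal is missing, is
 *         not an {@code ActiveUser}, or the permission lookup fails
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();

    // Guard the cast: with several realms (or a stale/foreign session) the primary principal may be
    // null or of another type. Returning an empty permission set (deny) is safer than letting a
    // ClassCastException / NullPointerException escape from an authorization check.
    Object primary = (principals == null) ? null : principals.getPrimaryPrincipal();
    if (!(primary instanceof ActiveUser)) {
        return authorizationInfo;
    }
    ActiveUser activeUser = (ActiveUser) primary;

    List<SysPermission> permissionList;
    try {
        permissionList = sysService.findPermissionListByUserId(activeUser.getUserid());
    } catch (Exception e) {
        // Fail closed: a failed lookup grants nothing rather than propagating. Log the cause so the
        // resulting denial is diagnosable (the original printed to stdout). NOTE(review): when Shiro's
        // authorization cache is enabled this empty result may be cached for the subject - confirm.
        java.util.logging.Logger.getLogger(getClass().getName()).log(
                java.util.logging.Level.SEVERE,
                "permission lookup failed for user id " + activeUser.getUserid(), e);
        return authorizationInfo;
    }

    if (permissionList == null || permissionList.isEmpty()) {
        return authorizationInfo;
    }

    // Collect the permission codes. Skip null/blank codes: they carry no grant and would otherwise
    // blow up later when Shiro parses them into WildcardPermission instances.
    List<String> permissions = new ArrayList<String>(permissionList.size());
    for (SysPermission sysPermission : permissionList) {
        if (sysPermission == null) {
            continue;
        }
        String percode = sysPermission.getPercode();
        if (percode != null && !percode.trim().isEmpty()) {
            permissions.add(percode);
        }
    }

    authorizationInfo.addStringPermissions(permissions);
    return authorizationInfo;
}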
三、使用註解方式進行授權

<!-- 開啓 AOP,對類進行代理(proxy-target-class="true":使用子類代理,受保護的 Controller 不必實現接口) -->
<aop:config proxy-target-class="true"></aop:config>
<!-- 開啓 Shiro 註解支持。注意:註解校驗只在經由 Spring 代理的方法調用上生效,bean 內部的自我調用不會被攔截;它是對 URL 級別過濾器配置的補充,而不是替代 -->
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager" />
</bean>
3.2創建一個Controller
/**
 * Item pages. The handler is guarded by Shiro's {@code @RequiresPermissions} annotation, enforced
 * through the AOP advisor registered in the Spring context: a subject without the permission never
 * reaches the method body, and Shiro raises an {@code UnauthorizedException} instead.
 */
@Controller
@RequestMapping("items")
public class ItemController {

    // @Resource resolves by name first, so this field name doubles as the expected bean name.
    @Resource
    private ItemsService itemServiceImpl;

    /**
     * Lists all items.
     *
     * <p>Requires the {@code item:query} permission; the check runs before the body, so an
     * unauthorized subject never triggers the service call.
     *
     * @param request the current request (not read by this handler)
     * @return the {@code itemsList} view with the full item list under {@code itemList}
     * @throws Exception propagated unchanged from the service layer
     */
    @RequestMapping("queryItems.do")
    @RequiresPermissions("item:query")
    public ModelAndView queryItems(HttpServletRequest request) throws Exception {
        List<ItemsCustom> items = itemServiceImpl.findItemsList(null);
        // View name and model attribute set in one expression - same end state as
        // addObject(...) followed by setViewName(...).
        return new ModelAndView("itemsList").addObject("itemList", items);
    }
}
沒有權限時不能跳轉到指定頁面的問題:

<!-- 通過 unauthorizedUrl 指定沒有權限操作時跳轉的頁面 -->
<property name="unauthorizedUrl" value="/refuse.jsp" />
但是我們會發現,沒有權限時並不會跳轉到 refuse.jsp:註解校驗失敗時拋出的 UnauthorizedException 發生在 Controller 方法調用階段,會先被全局異常處理器捕獲,因此需要在異常處理器中單獨處理該異常:

if(ex instanceof CustomException){
customException = (CustomException)ex;
}else if(ex instanceof UnauthorizedException){
customException = new CustomException("沒有權限");
}else{
//針對非CustomException異常,對這類重新構造成一個CustomException,異常信息爲“未知錯誤”
customException = new CustomException("未知錯誤");
}