Learning Shiro: annotation-based authorization and JSP tag authorization


Annotation-based authorization (Shiro documentation: http://shiro.apache.org/authorization.html#Authorization-AnnotationbasedAuthorization)

These annotations do nothing on their own: Shiro enforces them through AOP method interception (Spring AOP, AspectJ or Guice). A method invoked directly on an unproxied object, or called by another method of the same class, skips the check entirely. That is why each annotation below is shown next to the explicit Subject call it stands for: the second form is what the interceptor runs before letting the annotated method execute.

1. @RequiresAuthentication annotation

@RequiresAuthentication requires the current Subject to have been authenticated during the current session before the annotated class/instance/method can be accessed or invoked. A remember-me identity is not sufficient.

@RequiresAuthentication
public void updateAccount(Account userAccount) {
//this method will only be invoked by a
//Subject that is guaranteed authenticated
...
}

public void updateAccount(Account userAccount) {
if (!SecurityUtils.getSubject().isAuthenticated()) {
throw new AuthorizationException(...);
}
//Subject is guaranteed authenticated here
...
}

In both versions the method body is reached only by a Subject that has actually authenticated; the annotation simply moves the isAuthenticated() check out of the method and into the interceptor.

2. @RequiresGuest annotation

@RequiresGuest requires the current Subject to be a "guest", that is, neither authenticated in the current session nor remembered from a previous one, before the annotated class/instance/method can be accessed or invoked.

@RequiresGuest
public void signUp(User newUser) {
//this method will only be invoked by a
//Subject that is unknown/anonymous
...
}
public void signUp(User newUser) {
Subject currentUser = SecurityUtils.getSubject();
PrincipalCollection principals = currentUser.getPrincipals();
if (principals != null && !principals.isEmpty()) {
//known identity - not a guest:
throw new AuthorizationException(...);
}
//Subject is guaranteed to be a 'guest' here
...
}
Both versions above behave identically.

 

3. @RequiresPermissions("account:create") annotation

@RequiresPermissions("account:create") requires the current Subject to be granted one or more permissions in order to execute the annotated method. When several permissions are listed, all of them are required by default (Logical.AND); setting logical = Logical.OR accepts any one of them.

@RequiresPermissions("account:create")
public void createAccount(Account account) {
//this method will only be invoked by a Subject
//that is permitted to create an account
...
}
public void createAccount(Account account) {
Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.isPermitted("account:create")) {
throw new AuthorizationException(...);
}
//Subject is guaranteed to be permitted here
...
}
Both versions above behave identically.

 

4. @RequiresRoles("administrator") annotation

@RequiresRoles("administrator") requires the current Subject to hold all of the specified roles. If it does not, the method is not executed and an AuthorizationException is thrown.

@RequiresRoles("administrator")
public void deleteUser(User user) {
//this method will only be invoked by an administrator
...
}
public void deleteUser(User user) {
Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.hasRole("administrator")) {
throw new AuthorizationException(...);
}
//Subject is guaranteed to be an 'administrator' here
...
}
Both versions above behave identically.

5. @RequiresUser annotation

@RequiresUser requires the current Subject to be an application user before the annotated class/instance/method can be accessed or invoked. An application user is a Subject with a known identity, either because it authenticated during the current session or because it was remembered through remember-me from a previous session. This is the one difference from @RequiresAuthentication, which rejects a merely remembered identity.

@RequiresUser
public void updateAccount(Account account) {
//this method will only be invoked by a 'user'
//i.e. a Subject with a known identity
...
}
public void updateAccount(Account account) {
Subject currentUser = SecurityUtils.getSubject();
PrincipalCollection principals = currentUser.getPrincipals();
if (principals == null || principals.isEmpty()) {
//no identity - they're anonymous, not allowed:
throw new AuthorizationException(...);
}
//Subject is guaranteed to have a known identity here
...
}
Both versions above behave identically.
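The five checks above, written as explicit guard methods on the Subject API and exercised against an in-memory realm. This is an added example, not code from the page or from Shiro itself; the users, passwords, roles and permissions in the INI text are constructed for the demonstration, and the program needs shiro-core on the classpath. It shows which Subject state each annotation accepts: an anonymous Subject passes only the guest guard, a logged-in Subject passes the user and authentication guards, and the permission and role guards depend on what the realm grants.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/*
 * Added example (not the page's or Shiro's own code): the five annotation
 * checks as explicit guards on the Subject API, run against a constructed
 * IniRealm. Users, passwords, roles and permissions are made up for the demo.
 */
public class AnnotationGuards {

    /* @RequiresAuthentication: identity proven in this session; remember-me is not enough. */
    static void requireAuthentication() {
        if (!SecurityUtils.getSubject().isAuthenticated()) {
            throw new UnauthenticatedException("authentication required");
        }
    }

    /* @RequiresUser: any known identity, authenticated or remembered. */
    static void requireUser() {
        PrincipalCollection p = SecurityUtils.getSubject().getPrincipals();
        if (p == null || p.isEmpty()) {
            throw new UnauthenticatedException("known identity required");
        }
    }

    /* @RequiresGuest: no identity at all, not even a remembered one. */
    static void requireGuest() {
        PrincipalCollection p = SecurityUtils.getSubject().getPrincipals();
        if (p != null && !p.isEmpty()) {
            throw new UnauthenticatedException("guests only");
        }
    }

    /* @RequiresPermissions with the default Logical.AND: every listed permission must be granted. */
    static void requirePermissions(String... perms) {
        SecurityUtils.getSubject().checkPermissions(perms); // throws AuthorizationException on failure
    }

    /* @RequiresRoles with the default Logical.AND: every listed role must be held. */
    static void requireRoles(String... roles) {
        SecurityUtils.getSubject().checkRoles(roles);       // throws AuthorizationException on failure
    }

    /* Run one guard and report the outcome instead of propagating the exception. */
    static String probe(String label, Runnable guard) {
        try {
            guard.run();
            return label + ": allowed";
        } catch (AuthorizationException e) {
            return label + ": denied (" + e.getClass().getSimpleName() + ")";
        }
    }

    /* Constructed realm: 'administrator' holds the wildcard permission, 'developer' two specific ones. */
    private static final String INI =
            "[users]\n"
          + "alice = alice-pw, administrator\n"
          + "bob = bob-pw, developer\n"
          + "[roles]\n"
          + "administrator = *\n"
          + "developer = account:create, user:create\n";

    /* Probe every guard for whatever Subject is currently bound to the thread. */
    static void probeAll(String who) {
        System.out.println("-- " + who + " --");
        System.out.println(probe("@RequiresGuest", AnnotationGuards::requireGuest));
        System.out.println(probe("@RequiresUser", AnnotationGuards::requireUser));
        System.out.println(probe("@RequiresAuthentication", AnnotationGuards::requireAuthentication));
        System.out.println(probe("@RequiresPermissions(account:create)",
                () -> requirePermissions("account:create")));
        System.out.println(probe("@RequiresPermissions(account:create, user:delete)",
                () -> requirePermissions("account:create", "user:delete")));
        System.out.println(probe("@RequiresRoles(administrator)", () -> requireRoles("administrator")));
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));
        Subject subject = SecurityUtils.getSubject();

        probeAll("anonymous");

        subject.login(new UsernamePasswordToken("bob", "bob-pw"));
        probeAll("bob (developer)");
        subject.logout();

        subject.login(new UsernamePasswordToken("alice", "alice-pw"));
        probeAll("alice (administrator)");
        subject.logout();
    }
}
```

For the anonymous Subject only the guest guard passes; Shiro's checkPermissions and checkRoles refuse to evaluate a Subject without principals, so those guards are denied as well. After bob logs in, the guest guard fails, the user and authentication guards pass, account:create is allowed, the two-permission check fails on user:delete, and the administrator role check fails. After alice logs in, the wildcard permission satisfies every permission check and the role check passes. The remembered state that separates @RequiresUser from @RequiresAuthentication cannot be produced here because a plain DefaultSecurityManager has no RememberMeManager configured; the web security manager does, which is where that distinction matters.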

 

6. JSP tag authorization (documentation: http://shiro.apache.org/web.html#web-taglibrary)

Tag library setup: add this directive to the page:

<%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %>

The Shiro jar that ships the tag library must also be on the web application's classpath.

Every tag below only decides whether its body is rendered. Hiding a link is not authorization: the URL it points to must still be protected on the server side, for example by a Shiro filter chain or by the annotations above.

guest tag: body shown when the Subject has no identity at all, neither authenticated nor remembered from a previous session.

<shiro:guest>
Hi there!  Please <a href="login.jsp">Login</a> or <a href="signup.jsp">Signup</a> today!
</shiro:guest>

user tag: body shown once the Subject has a known identity, either authenticated in this session or logged in through remember-me.

<shiro:user>
Welcome back John!  Not John? Click <a href="login.jsp">here</a> to login.
</shiro:user>

authenticated tag: body shown only when the Subject was authenticated in the current session, i.e. Subject.login succeeded; a remember-me identity is not enough.

<shiro:authenticated>
<a href="updateAccount.jsp">Update your contact information</a>.
</shiro:authenticated>

notAuthenticated tag: body shown when the Subject has not authenticated in the current session, i.e. Subject.login has not been called; a remember-me identity still counts as not authenticated.

<shiro:notAuthenticated>
Please <a href="login.jsp">login</a> in order to update your credit card information.
</shiro:notAuthenticated>

principal tag: prints the Subject's identity; by default it calls Subject.getPrincipal(), i.e. the primary principal. The two lines below produce the same output:

Hello, <shiro:principal/>, how are you today?
Hello, <%= SecurityUtils.getSubject().getPrincipal().toString() %>, how are you today?

The scriptlet form writes the principal into the page unescaped; if usernames can contain markup, escape the value before printing it.

hasRole tag: body shown if the current Subject has the named role.

<shiro:hasRole name="administrator">
<a href="admin.jsp">Administer the system</a>
</shiro:hasRole>

lacksRole tag: body shown if the current Subject does not have the named role.

<shiro:lacksRole name="administrator">
Sorry, you are not allowed to administer the system.
</shiro:lacksRole>

hasAnyRoles tag: body shown if the current Subject has at least one of the comma-separated roles (OR semantics).

<shiro:hasAnyRoles name="developer, project manager, administrator">
You are either a developer, project manager, or administrator.
</shiro:hasAnyRoles>

hasPermission tag: body shown if the current Subject is granted the named permission.

<shiro:hasPermission name="user:create">
<a href="createUser.jsp">Create a new User</a>
</shiro:hasPermission>

lacksPermission tag: body shown if the current Subject is not granted the named permission.

<shiro:lacksPermission name="user:delete">
Sorry, you are not allowed to delete user accounts.
</shiro:lacksPermission>