springboot集成shiro实现权限认证

github:https://github.com/peterowang/shiro

基于上一篇:springboot集成shiro实现身份认证

1.加入UserController

package com.example.demo.web;

import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Created by BFD-593 on 2017/8/9.
 */
@Controller
@RequestMapping("/userinfo")
public class UserController {
    /**
     * 要查看必须有角色wangjing和有权限userinfo:view
     * @return
     */
    @RequestMapping("/userList")
    @RequiresPermissions({"userinfo:view"})
    @RequiresRoles({"wangjing"})
    public String userInfo(){
        return "userInfo";
    }

    /**
     * 用户添加必须有查看和删除权限;
     * @return
     */
    @RequestMapping("/userAdd")
    @RequiresPermissions({"userinfo:view","userinfo:add"})
    public String userInfoAdd(){
        return "userAdd";
    }

    /**
     * 要删除必须有查看和删除权限
     * @return
     */
    @RequiresPermissions({"userinfo:view","userinfo:del"})
    @RequestMapping("/userDel")
    public String userInfoDel() {
        return "userDel";
    }

}
2.在ShiroConfiguration中加入spring aop 对shiro注解的支持

/**
 * 权限认证
 * 需要开启Shiro AOP注解支持
 * @RequiresPermissions({"userinfo:view"})
 * @RequiresRoles({"wangjing"})等注解的支持
 * @param securityManager
 * @return
 */
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(SecurityManager securityManager){
    AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor = new AuthorizationAttributeSourceAdvisor();
    authorizationAttributeSourceAdvisor.setSecurityManager(securityManager);
    return authorizationAttributeSourceAdvisor;
}
这时候，我们再登录之后访问http://localhost:8080/userInfo/userDel就会报org.apache.shiro.authz.UnauthorizedException异常了。同时后台会打印权限验证的信息。

3.如果想让用户没权限时，进入无权限提示的指定页面可以这么设置在ShiroConfiguration中加入

/**
 * 当用户无权限访问403页面而不抛异常，默认shiro会报UnauthorizedException异常
 * @return
 */
@Bean
public SimpleMappingExceptionResolver resolver() {
    SimpleMappingExceptionResolver resolver = new SimpleMappingExceptionResolver();
    Properties properties = new Properties();
    properties.setProperty("org.apache.shiro.authz.UnauthorizedException", "/403");
    resolver.setExceptionMappings(properties);
    return resolver;
}
4.我们也可以设置统一异常处理 添加package:exceptionResolver,添加类MyExceptionResolver

/**同时将该实现类以bean的方式，放到启动类中
 * Created by BFD-593 on 2017/8/9.
 */
public class MyExceptionResolver implements HandlerExceptionResolver{
    /**
     * 统一异常处理，当出现runtimeException时，跳转到500页面。
     * @param httpServletRequest
     * @param httpServletResponse
     * @param o
     * @param e
     * @return
     */
    @Override
    public ModelAndView resolveException(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object o, Exception e) {
        if(e instanceof RuntimeException){
            ModelAndView mv = new ModelAndView("/500");
            return mv;
        }
        return null;
    }
}
然后在启动类中添加:

/**
 * 统一异常处理
 * @return
 */
@Bean
public MyExceptionResolver myExceptionResolver(){
   return new MyExceptionResolver();
}
这时，当用户没权限时会跳转到403.html,当抛出runtimeexception时跳转到500.html(异常没有被捕获的时候哦...)
以上就是实现当用户访问请求时，验证用户是否拥有该请求的权限，但是，如果我们想页面上的某些标签，用户没有该权限时让他不展示，那该怎么办呢。这里由于用到的是thymeleaf模板，所以我们需要特殊处理：
1.在pom中添加

<!--thymeleaf中使用shiro标签-->
<dependency>
   <groupId>com.github.theborakompanioni</groupId>
   <artifactId>thymeleaf-extras-shiro</artifactId>
   <version>1.2.1</version>
</dependency>
2.在ShiroConfiguration中添加

/**
 * 整合thymeleaf中可以使用shiro标签
 * @return
 */
@Bean
public ShiroDialect shiroDialect() {
    return new ShiroDialect();
}
3.在html中修改

<html lang="zh_CN" xmlns:th="http://www.thymeleaf.org"
      xmlns:shiro="http://www.pollix.at/thymeleaf/shiro">
添加:

<shiro:hasPermission name="userinfo:view">
<shiro:hasRole name="wangjing">
    <span>这里是shiro权限 </span>
</shiro:hasRole>
</shiro:hasPermission>
表示当前用户拥有userinfo:view权限并且所属角色是wangjing时，可以看到此<span>标签中的内容。
至此，shiro权限介绍完毕