转载,原博文的地址在:https://ailongni.iteye.com/blog/2086022web
因为Shiro filterChainDefinitions中 roles默认是and,
/** = user,roles[system,general]
好比:roles[system,general] ,表示同时须要“system”和“general” 2个角色才经过认证
因此须要自定义 继承 AuthorizationFilterspring
public class RolesAuthorizationFilter extends AuthorizationFilter{ @Override protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception { Subject subject = getSubject(request, response); String[] rolesArray = (String[]) mappedValue; if (rolesArray == null || rolesArray.length == 0) { //no roles specified, so nothing to check - allow access. return true; } for(int i=0;i<rolesArray.length;i++){ if(subject.hasRole(rolesArray[i])){ return true; } } return false; } }
shiro过滤器xml配置:apache
<!-- Shiro Filter -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager" />
<property name="loginUrl" value="/login" />
<property name="successUrl" value="/success" />
<property name="filters">
<map>
<entry key="anyRoles" value-ref="anyRoles"/>
</map>
</property>
<property name="filterChainDefinitions">
<value>
/login = authc /login/logout = anon / = anon /XXX/** = user,anyRoles[system,general] /TTT = role[system] /** = user </value> </property> </bean> <!--自定义的Roles Filter--> <bean id="anyRoles" class="com.jianfei.p.web.common.RolesAuthorizationFilter" />
注意:/XXX/** = user,anyRoles[system,general], 注意红色的"anyRoles"必定要和 app
<entry key="anyRoles" value-ref="anyRoles"/> key同样就行,不然过滤器不起做用ide