spring整合shiro使用注解方式配置

时间:2021-06-20 23:16:20

第一步:在spring配置文件中开启shiro注解支持

        <!-- 开启shiro的注解支持 -->
	<bean id="defaultAdvisorAutoProxyCreator" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
		<!-- 必须改为true,即使用cglib方式为Action创建代理对象。默认值为false,使用JDK创建代理对象,会造成问题 -->
		<property name="proxyTargetClass" value="true"></property>
	</bean>

	<!-- 使用shiro框架提供的切面类,用于创建代理对象 -->
	<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"></bean>

第二步:在Action的方法上使用shiro注解

@RequiresPermissions("staff-delete")  //执行这个方法,需要 当前用户有staff-delete的这个权限
	public String deleteBatch(){
		staffService.deleteBatch(ids);
		return LIST;
	}

这时使用删除这个功能时,就会抛出一个异常,显示没有这个权限异常,这时需要配置异常处理页面 
HTTP Status 500 - Subject does not have permission [staff-delete]

type Exception report

message Subject does not have permission [staff-delete]

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [staff-delete]
	org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:323)
	org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137)
	org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205)
	org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74)
	org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(AuthorizingAnnotationMethodInterceptor.java:84)
	org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor.assertAuthorized(AnnotationsAuthorizingMethodInterceptor.java:100)
	org.apache.shiro.authz.aop.AuthorizingMethodInterceptor.invoke(AuthorizingMethodInterceptor.java:38)
	org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor.invoke(AopAllianceAnnotationsAuthorizingMethodInterceptor.java:115)
	org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
	org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
	com.itheima.bos.web.action.StaffAction$$EnhancerBySpringCGLIB$$fb175177.deleteBatch(<generated>)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:891)
	ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1293)

第三步:在struts.xml中配置全局异常捕获,当shiro框架抛出权限不足异常时,跳转到权限不足提示页面

                <global-results>
			<result name="login">/login.jsp</result>
			<result name="unauthorizedException">/unauthorized.jsp</result>
		</global-results>
		<!-- 配置全局异常映射 -->
		<global-exception-mappings>
			<!-- 配置没有权限异常的返回值 -->
			<exception-mapping result="unauthorizedException" exception="org.apache.shiro.authz.UnauthorizedException"></exception-mapping>
		</global-exception-mappings>



这里说一下第一步中为什么proxyTargetClass使用默认的false会出问题。因为使用默认值false,它会使用jdk的代理对象的方式,利用反射生成一个实现代理接口的匿名类,接口中并没有子类的特有方法,会导致抛出“没有这个方法”的异常。将proxyTargetClass设置为true,使用cglib就不会报错,因为cglib是对代理对象类的class文件加载进来,通过修改其字节码生成子类来处理。

标签:

相关文章