Shiro custom role authorization

Reposted; the original blog post is at: https://ailongni.iteye.com/blog/2086022

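By default, roles in Shiro's filterChainDefinitions uses AND semantics:
/** = user,roles[system,general]
For example, roles[system,general] means the user must hold both the "system" and "general" roles to pass the check.
To allow access when the user holds any one of the listed roles, write a custom filter that extends AuthorizationFilter: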

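import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

// Grants access when the subject holds at least one of the configured roles (OR semantics).
public class RolesAuthorizationFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue)
            throws Exception {
        Subject subject = getSubject(request, response);
        // mappedValue holds the comma-separated values from the brackets, e.g. anyRoles[system,general]
        String[] rolesArray = (String[]) mappedValue;

        if (rolesArray == null || rolesArray.length == 0) {
            // no roles specified, so nothing to check - allow access.
            return true;
        }

        // one matching role is enough
        for (String role : rolesArray) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }

}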

Shiro filter XML configuration:

<!-- Shiro Filter -->
    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
        <property name="loginUrl" value="/login" />
        <property name="successUrl" value="/success" />
        <property name="filters">
            <map>
                <entry key="anyRoles" value-ref="anyRoles"/>
            </map>
        </property>
        <property name="filterChainDefinitions">
            <value>
                /login = authc
                /login/logout = anon
                / = anon
                /XXX/** = user,anyRoles[system,general]
                /TTT = roles[system]
                /** = user
            </value>
        </property>
    </bean>
    
    <!-- Custom roles filter -->
    <bean id="anyRoles" class="com.jianfei.p.web.common.RolesAuthorizationFilter" />

Note: in /XXX/** = user,anyRoles[system,general], the filter name "anyRoles" must be identical to the key in

  <entry key="anyRoles" value-ref="anyRoles"/>

otherwise the filter will not take effect.

Reposted from www.cnblogs.com/chenmz1995/p/10331035.html